PIX 501 DMZ to Internal Hosts Ports
Posted on 2006-05-06
My current setup is a router performing NAT to servers on a DMZ. It looks like this: router>switch>DMZ Hosts (192.168.88.X). The router has an internal interface IP address of 192.168.88.1. I just put in a 501 PIX coming off the switch with E0 192.168.88.2 and E1 192.168.100.1 and a route statement of 0 0 192.168.88.1. I want to move most of my servers into the 192.168.100.X subnet behind the PIX, leaving only a few servers in the DMZ: hosts 192.168.88.26, 192.168.88.30, 192.168.88.37, and 192.168.88.39 respectively. I need these DMZ hosts to talk to specific internal hosts through certain ports. A few questions:
1.) First question: should I disable NAT on the PIX since the router is already NATing?
2.) Second, will I be using port forwarding or simple static xlation statements with access lists? (I really don't understand the difference)
Here is a sample of what I would like to do:
Protocol TCP Source 192.168.88.26 Destination 192.168.1.23 Port 7815
static (inside,outside) 192.168.1.23 192.168.1.23 netmask 255.255.255.255
access-list DMZ permit tcp host 192.168.88.26 host 192.168.1.23 eq 7815
access-group DMZ in interface outside
Will this work?
Much help is appreciated since I need to configure this by today. Thanks
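The following PIX 6.x configuration is an added example, not part of the original post or any reply to it. It assumes the interfaces the post describes (E0 outside 192.168.88.2, E1 inside 192.168.100.1, default route via 192.168.88.1) and uses a hypothetical inside host 192.168.100.23 in place of the post's 192.168.1.23, because 192.168.1.23 is not on the 192.168.100.X inside segment the post says the servers are moving to. It shows both answers at once: NAT is not disabled as such on the PIX, it is bypassed with nat 0 for outbound traffic, and inbound reachability comes from a static, either a whole-host identity static (the "simple static xlation") or a per-port static (what the PIX calls port forwarding), in both cases gated by an access-list on the outside interface. Note that PIX access-list names are case-sensitive, so an `access-list DMZ` will not be applied by an `access-group dmz`. Lines beginning with `!` are explanatory and are not part of the configuration.

```cisco
! Added example (not from the original post). Hypothetical inside host
! 192.168.100.23 stands in for the post's 192.168.1.23; the second DMZ
! host rule is illustrative and not taken from the post.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.88.2 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.88.1 1
!
! Question 1: the router already translates to the Internet, so the PIX
! passes inside addresses through untranslated. nat 0 means "no NAT" for
! connections initiated from the inside; it does not by itself let the
! outside (DMZ) initiate connections to inside hosts.
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
!
! Question 2a: a whole-host identity static makes 192.168.100.23 reachable
! from the outside interface on every port. The access-list below is what
! restricts that to the ports you actually want.
static (inside,outside) 192.168.100.23 192.168.100.23 netmask 255.255.255.255 0 0
!
! Question 2b: "port forwarding" on a PIX is the same static with a port,
! exposing only TCP/7815 of that host. Use one form or the other for a
! given host and port, not both (shown here commented out).
! static (inside,outside) tcp 192.168.100.23 7815 192.168.100.23 7815 netmask 255.255.255.255 0 0
!
! Traffic arriving on the outside interface is denied until an access-list
! permits it. One line per DMZ host / inside host / port. The access-list
! name and the access-group name must match exactly, including case.
access-list DMZ permit tcp host 192.168.88.26 host 192.168.100.23 eq 7815
access-list DMZ permit tcp host 192.168.88.30 host 192.168.100.23 eq 7815
access-group DMZ in interface outside
```

After applying this, `show xlate` should list the identity entry for 192.168.100.23 once a DMZ host has connected, and `show access-list DMZ` shows the per-line hit counts, which is the quickest way to confirm the permit line is actually being matched rather than the implicit deny.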