hoggiee
asked on
Cisco PIX Firewall: NAT / STATIC
I have a Cisco PIX Firewall with ver 6.3. I am always confused with the use of NAT and Static. I am well aware that NAT is for access from higher security level to lower security level, whereas Static is for access from lower to higher security level. Consider the following case:
PC1 ---------------- PIX Firewall ---------------- Internet
                          |
                          |
                   Web/FTP server (DMZ)

PIX Inside:     192.168.128.1   / 255.255.255.0
PC1:            192.168.128.100 / 255.255.255.0
PIX DMZ:        192.168.138.1   / 255.255.255.0
Web/FTP Server: 192.168.138.100 / 255.255.255.0
My question is how do I allow access from PC1 to Web/FTP server in the DMZ?
Yes, it would to an extent. Since PC1 would be covered by the nat (inside) 10 statement (since it's in the 192.168.128.0/24 network), what you could do is add the following global to cover the translation from inside to DMZ:
global (DMZ) 10 interface
This would effectively translate any 192.168.128.0 address into 192.168.138.1 when going to a host on the DMZ interface. This would be using PAT and it should get you the access you need from PC1 to the web/ftp server.
ASKER
In conclusion, from your experience and knowledge, which of the nat/global and static is better for access from lower to higher security level?
It would definitely be the static command, since it assumes static IP addressing is used in the translation. This is what you want if you want hosts to access specific services on other hosts located on higher security level interfaces.
ASKER
Oops, sorry! My question was initially: which of nat/global and static is better for access from higher to lower security level? Sorry.
ASKER
global (outside) 10 interface
nat (inside) 10 192.168.128.0 255.255.255.0 0 0
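Putting the accepted answer and the asker's final two lines together, here is a complete PIX 6.3 translation layout for the topology in the question. This is an added example, not the asker's or the answerer's posted configuration. It assumes the conventional interface names and security levels (outside 0, DMZ 50, inside 100) and an outside address block from the 203.0.113.0/24 documentation range, none of which appear on the page; the "!" lines are annotations to strip before pasting into a PIX.

```cisco
! Added example configuration; interface names, security levels and the
! 203.0.113.x public addresses are assumptions, not values from the thread.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.128.1 255.255.255.0
ip address DMZ 192.168.138.1 255.255.255.0

! Higher -> lower (inside to outside and inside to DMZ): nat/global.
! One nat id covers the inside network; a global is needed on every
! lower-security interface the inside hosts must reach. The PIX picks the
! global whose interface the packet is routed out of, so id 10 serves both.
nat (inside) 10 192.168.128.0 255.255.255.0 0 0
global (outside) 10 interface
global (DMZ) 10 interface
! With "global (DMZ) 10 interface", PC1 reaches the web/FTP server as
! 192.168.138.1 (PAT on the DMZ interface address). If the DMZ server must
! see the real 192.168.128.x source addresses (for logging or per-host FTP
! rules), replace that global with an identity static, which takes
! precedence over nat/global for the inside->DMZ direction:
! static (inside,DMZ) 192.168.128.0 192.168.128.0 netmask 255.255.255.0 0 0

! The DMZ server itself going to the Internet is also higher -> lower,
! so it gets its own nat/global pair under a separate id.
nat (DMZ) 20 192.168.138.0 255.255.255.0 0 0
global (outside) 20 interface

! Lower -> higher (Internet to DMZ): static plus an access-list.
! The static creates a fixed outside->DMZ mapping; the access-list is what
! actually admits traffic, and it permits only HTTP and FTP to that host.
static (DMZ,outside) 203.0.113.10 192.168.138.100 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list outside_in permit tcp any host 203.0.113.10 eq 21
access-group outside_in in interface outside
```

Two checks worth making after applying this: "show xlate" from PC1's first connection to the DMZ server should show a 192.168.128.100 to 192.168.138.1 PAT entry (or no entry at all if the identity static is used instead), and "show access-list outside_in" hit counts should only climb on ports 80 and 21, confirming that nothing else on the DMZ host is exposed through the static.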