Solved

Cisco PIX Firewall: NAT / STATIC

Posted on 2007-03-19
604 Views
Last Modified: 2010-04-09
I have a Cisco PIX Firewall with ver 6.3.  I am always confused with the use of NAT and Static.  I am well aware that NAT is for access from higher security level to lower security level, whereas Static is for access from lower to higher security level.  Consider the following case:

PC1 ---------------------------- PIX Firewall ---------------------------Internet
                                                    |
                                                    |
                                         Web/FTP server

PIX Inside: 192.168.128.1/255.255.255.0
PC1: 192.168.128.100/255.255.255.0
PIX DMZ: 192.168.138.1/255.255.255.0
Web/FTP Server: 192.168.138.100/255.255.255.0

My question is how do I allow access from PC1 to Web/FTP server in the DMZ?
Question by:hoggiee
8 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 400 total points
ID: 18747390
Assuming the security level of the inside interface (where PC1 resides) is higher than the DMZ interface, then here are the commands that would allow access:

You can do either a static command that will translate the PC1 IP address back to itself when communicating with the DMZ interface:

static (inside,DMZ) 192.168.128.100 192.168.128.100 netmask 255.255.255.255

Or you can use a "nat" and "global" pair of commands that will perform PAT for all inside hosts when communicating between the two interfaces:

global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Now, as long as you don't have an ACL applied to the inside interface that will block traffic from the inside PC1 host to the web/ftp server in the DMZ, you're good to go.
0
 

Author Comment

by:hoggiee
ID: 18753412
I already have the following commands in my PIX, would it affect the nat/global that you mentioned in your comment?

global (outside) 10 interface
nat (inside) 10 192.168.128.0 255.255.255.0 0 0
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18753431
Yes, it would to an extent.  Since PC1 would be covered by the nat (inside) 10 statement (since it's in the 192.168.128.0/24 network), what you could do is add the following global to cover the translation from inside to DMZ:

global (DMZ) 10 interface

This would effectively translate any 192.168.128.0 address into 192.168.138.1 when going to a host on the DMZ interface.  This would be using PAT and it should get you the access you need from PC1 to the web/ftp server.
0
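Added example, not code from the thread: a small Python model of how the PIX 6.3 translation lookup plays out for PC1's traffic toward the DMZ, using the lines hoggiee already has, batry_boy's suggested global (DMZ) 10, and the static from the accepted solution. Interface addresses are the ones in the question; the outside interface address and the longest-match choice among overlapping nat lines are assumptions of the model.

```python
import ipaddress

# Constructed model of PIX 6.3 static / nat / global selection for this thread's topology.
# inside and DMZ addresses are from the question; "outside" is a constructed placeholder.
IF_ADDR = {"inside": "192.168.128.1", "DMZ": "192.168.138.1", "outside": "198.51.100.2"}

def parse(config):
    """Parse static / nat / global lines into one dict of rule lists."""
    rules = {"static": [], "nat": [], "global": []}
    for line in config.strip().splitlines():
        f = line.split()
        if f[0] == "static":    # static (real_if,mapped_if) mapped_ip real_ip netmask mask
            real_if, mapped_if = f[1].strip("()").split(",")
            rules["static"].append((real_if, mapped_if, f[2], f[3], f[5]))
        elif f[0] == "nat":     # nat (real_if) id network mask [max_conns emb_limit]
            net = ipaddress.ip_network(f"{f[3]}/{f[4]}")
            rules["nat"].append((f[1].strip("()"), int(f[2]), net))
        elif f[0] == "global":  # global (mapped_if) id interface|pool
            rules["global"].append((f[1].strip("()"), int(f[2]), f[3]))
    return rules

def translate(rules, src_if, dst_if, src_ip):
    """Return (kind, mapped_ip): a static wins over nat; a nat only works with a same-id global on dst_if."""
    ip = ipaddress.ip_address(src_ip)
    for real_if, mapped_if, mapped, real, mask in rules["static"]:
        if (real_if, mapped_if) == (src_if, dst_if) and ip in ipaddress.ip_network(f"{real}/{mask}"):
            return ("static", mapped)
    # Model assumption: among matching nat lines the most specific network is chosen.
    matches = [(net, nat_id) for rif, nat_id, net in rules["nat"] if rif == src_if and ip in net]
    if not matches:
        return ("none", None)
    nat_id = max(matches, key=lambda m: m[0].prefixlen)[1]
    for mapped_if, gid, pool in rules["global"]:
        if mapped_if == dst_if and gid == nat_id:
            return ("pat", IF_ADDR[dst_if] if pool == "interface" else pool)
    return ("none", None)  # no xlate can be built, so PC1 cannot reach the DMZ server

EXISTING = """
global (outside) 10 interface
nat (inside) 10 192.168.128.0 255.255.255.0 0 0
"""
FIXED = EXISTING + "global (DMZ) 10 interface\n"
STATIC = EXISTING + "static (inside,DMZ) 192.168.128.100 192.168.128.100 netmask 255.255.255.255\n"

if __name__ == "__main__":
    for name, cfg in (("existing", EXISTING), ("with global (DMZ) 10", FIXED), ("with static", STATIC)):
        print(f"{name:22} PC1 -> DMZ: {translate(parse(cfg), 'inside', 'DMZ', '192.168.128.100')}")
```

With only the existing lines the lookup finds nat id 10 but no global for the DMZ interface, so no translation exists; adding global (DMZ) 10 yields PAT to 192.168.138.1 as batry_boy describes, and the static takes precedence and keeps PC1's real address.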
 

Author Comment

by:hoggiee
ID: 18754075
In conclusion, from your experience and knowledge, which of the nat/global and static is better for access from lower to higher security level?
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18754083
It would definitely be the static command since this assumes static IP addressing used in the translation.  This is what you want if you want hosts to access specific services on other hosts located on higher security level interfaces.
0
 

Author Comment

by:hoggiee
ID: 18756399
Oops, sorry! My question was initially, which of the nat/global and static is better for access from higher to lower security level?  Sorry.........
0
 
LVL 28

Assisted Solution

by:batry_boy
batry_boy earned 400 total points
ID: 18756441
If you're not worried about inbound (lower to higher) access to a host, then the nat/global pair using dynamic NAT is more efficient at handling multiple translations for a group of inside hosts.  So, if you don't have a specific need to allow inbound access and you just want to configure outbound (higher to lower) access, then the nat/global pair will work fine.
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 100 total points
ID: 18760039
Agree with batry_boy here.
If transactions/sessions/connections will originate from the lower security interface (i.e. DMZ www server to backend internal DB server, or DMZ email spam filter to internal email server), then use a static.
If no connections will ever be initiated from lower to higher, and all connections originate from the higher security inside interface using basic http://server, then a simple nat/global will provide dynamic xlates that are not permanent and so may be more secure. It is also simpler because you don't need corresponding access-lists to allow the traffic back in.
My $0.02
 
0