Cisco PIX Firewall: NAT / STATIC

Posted on 2007-03-19
Last Modified: 2010-04-09
I have a Cisco PIX Firewall with ver 6.3.  I am always confused with the use of NAT and Static.  I am well aware that NAT is for access from higher security level to lower security level, whereas Static is for access from lower to higher security level.  Consider the following case:

PC1 ---------------------------- PIX Firewall ---------------------------Internet
                                                    |
                                                    |
                                         Web/FTP server

PIX Inside: 192.168.128.1/255.255.255.0
PC1: 192.168.128.100/255.255.255.0
PIX DMZ: 192.168.138.1/255.255.255.0
Web/FTP Server: 192.168.138.100/255.255.255.0

My question is how do I allow access from PC1 to Web/FTP server in the DMZ?
Question by: hoggiee
Accepted Solution by: batry_boy (ID 18747390)
Assuming the security level of the inside interface (where PC1 resides) is higher than the DMZ interface, then here are the commands that would allow access:

You can do either a static command that will translate the PC1 IP address back to itself when communicating with the DMZ interface:

static (inside,DMZ) 192.168.128.100 192.168.128.100 netmask 255.255.255.255

Or you can use a "nat" and "global" pair of commands that will perform PAT for all inside hosts when communicating between the two interfaces:

global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Now, as long as you don't have an ACL applied to the inside interface that will block traffic from the inside PC1 host to the web/ftp server in the DMZ, you're good to go.
Author Comment by: hoggiee (ID 18753412)
I already have the following commands in my PIX, would it affect the nat/global that you mentioned in your comment?

global (outside) 10 interface
nat (inside) 10 192.168.128.0 255.255.255.0 0 0
Expert Comment by: batry_boy (ID 18753431)
Yes, it would to an extent.  Since PC1 would be covered by the nat (inside) 10 statement (since it's in the 192.168.128.0/24 network), what you could do is add the following global to cover the translation from inside to DMZ:

global (DMZ) 10 interface

This would effectively translate any 192.168.128.0 address into 192.168.138.1 when going to a host on the DMZ interface.  This would be using PAT and it should get you the access you need from PC1 to the web/ftp server.
0
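The two approaches from batry_boy's accepted answer and his follow-up, written out as one PIX 6.3 configuration fragment so the interaction with hoggiee's existing `nat (inside) 10` is visible. This is an added example, not configuration posted in the thread: the `nameif`/security-level lines, the `clear xlate` step and the `!---` comment lines (the convention Cisco uses in its own PIX sample configurations) are assumptions for illustration; the addresses and the nat/global/static lines are the ones discussed above.

```cisco
!--- Interfaces as assumed for this example (the security levels are
!--- assumptions; only the addresses come from the question).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
ip address inside 192.168.128.1 255.255.255.0
ip address DMZ 192.168.138.1 255.255.255.0

!--- Existing config from the thread: PAT all inside hosts to the outside
!--- interface address. A nat/global pair is matched by nat ID (10) AND by
!--- the interface the packet leaves on, so this global covers
!--- inside->outside only.
global (outside) 10 interface
nat (inside) 10 192.168.128.0 255.255.255.0 0 0

!--- Option A (batry_boy's second comment): add a global for the same nat ID
!--- on the DMZ interface. Inside hosts reach the DMZ PATed to 192.168.138.1.
!--- Without this line the nat 10 rule matches but has no global on the DMZ
!--- interface, so the PIX has no translation to build and drops inside->DMZ
!--- packets.
global (DMZ) 10 interface

!--- Option B (batry_boy's first answer): an identity static for the inside
!--- network toward the DMZ. Statics are evaluated before nat/global, so with
!--- this in place inside->DMZ traffic keeps its real source address (the
!--- web/FTP server logs 192.168.128.100, not 192.168.138.1). Either option
!--- alone is enough; if both are present the static wins. The original
!--- answer used the single-host form:
!---   static (inside,DMZ) 192.168.128.100 192.168.128.100 netmask 255.255.255.255
static (inside,DMZ) 192.168.128.0 192.168.128.0 netmask 255.255.255.0 0 0

!--- No ACL is needed for this direction: traffic from a higher to a lower
!--- security interface is permitted by default unless an access-group is
!--- applied to the inside interface and denies it.

!--- After changing nat or static entries, drop existing translations so new
!--- connections pick up the new rules. This clears ALL active translations
!--- on the box, so do it in a maintenance window on a busy firewall.
clear xlate
```

Whichever option is chosen, the thing to verify afterwards is `show xlate` from PC1's first connection: with Option A you should see a PAT entry to 192.168.138.1, with Option B a static entry for 192.168.128.100 itself.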
Author Comment by: hoggiee (ID 18754075)
In conclusion, from your experience and knowledge, which of the nat/global and static is better for access from lower to higher security level?
Expert Comment by: batry_boy (ID 18754083)
It would definitely be the static command since this assumes static IP addressing used in the translation.  This is what you want if you want hosts to access specific services on other hosts located on higher security level interfaces.
Author Comment by: hoggiee (ID 18756399)
Oops, sorry! My question was initially: which of the nat/global and static is better for access from higher to lower security level? Sorry.
Assisted Solution by: batry_boy (ID 18756441)
If you're not worried about inbound (lower to higher) access to a host, then the nat/global pair using dynamic NAT is more efficient at handling multiple translations for a group of inside hosts.  So, if you don't have a specific need to allow inbound access and you just want to configure outbound (higher to lower) access, then the nat/global pair will work fine.
Assisted Solution by: lrmoore (ID 18760039)
Agree with batry_boy here.
If transactions/sessions/connections will originate from the lower security interface (i.e. DMZ www server to backend internal DB server, or DMZ email spam filter to internal email server), then use a static.
If no connections will ever be initiated from lower to higher, and all connections originate from the higher security inside interface using basic http://server, then a simple nat/global will provide dynamic xlates that are not permanent and so may be more secure. It is also simpler because you don't need corresponding access-lists to allow the traffic back in.
My $0.02
 
0
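The lower-to-higher case lrmoore describes (a DMZ web server opening connections to an internal database), as an added example that is not part of the thread. The backend host 192.168.128.50 and TCP port 1433 are assumptions for illustration; the web server address 192.168.138.100 and the interface names are from the question. Comment lines use `!---` as in Cisco's own PIX sample configurations.

```cisco
!--- 1. A static so the inside host has a fixed, addressable translation on
!---    the DMZ side. An identity static keeps the same address; mapping to
!---    a different address would hide the inside numbering from the DMZ.
!---    (192.168.128.50 is an assumed backend DB server, not from the thread.)
static (inside,DMZ) 192.168.128.50 192.168.128.50 netmask 255.255.255.255 0 0

!--- 2. An access-list applied inbound on the DMZ interface. Lower->higher
!---    is denied by default, so the static alone opens nothing; the ACL must
!---    permit exactly the flow that needs to originate from the DMZ. The
!---    destination is the mapped (global) address from the static, which for
!---    an identity static is the real address. TCP 1433 is an assumption.
access-list dmz_in permit tcp host 192.168.138.100 host 192.168.128.50 eq 1433
!--- Everything else from the DMZ toward the inside network is denied...
access-list dmz_in deny ip any 192.168.128.0 255.255.255.0
!--- ...but once an access-group is applied, its implicit deny also covers
!--- DMZ->outside, so anything the DMZ hosts legitimately need on the
!--- Internet (here: web and DNS for the server itself) must be listed too.
!--- Order matters: the deny above must precede these broader permits.
access-list dmz_in permit tcp host 192.168.138.100 any eq 80
access-list dmz_in permit udp host 192.168.138.100 any eq 53
access-group dmz_in in interface DMZ

!--- 3. Verify: the static should appear as a fixed entry, and the hit
!---    counters show which ACL line a test connection from the DMZ matched.
show xlate
show access-list dmz_in
```

The part worth checking in review is the middle `deny`: without it, the two `any` permits added for Internet access would also let the DMZ server reach every inside host that has a static, which is exactly the exposure lrmoore's "permanent xlate" caution is about.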