Solved

Cisco PIX Firewall: NAT / STATIC

Posted on 2007-03-19
8
600 Views
Last Modified: 2010-04-09
I have a Cisco PIX Firewall with ver 6.3.  I am always confused with the use of NAT and Static.  I am well aware that NAT is for access from higher security level to lower security level, whereas Static is for access from lower to higher security level.  Consider the following case:

PC1 ---------------------------- PIX Firewall ---------------------------Internet
                                                    |
                                                    |
                                         Web/FTP server

PIX Inside: 192.168.128.1/255.255.255.0
PC1: 192.168.128.100/255.255.255.0
PIX DMZ: 192.168.138.1/255.255.255.0
Web/FTP Server: 192.168.138.100/255.255.255.0

My question is how do I allow access from PC1 to Web/FTP server in the DMZ?
0
Comment
Question by:hoggiee
  • 4
  • 3
8 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 400 total points
ID: 18747390
Assuming the security level of the inside interface (where PC1 resides) is higher than the DMZ interface, then here are the commands that would allow access:

You can do either a static command that will translate the PC1 IP address back to itself when communicating with the DMZ interface:

static (inside,DMZ) 192.168.128.100 192.168.128.100 netmask 255.255.255.255

Or you can use a "nat" and "global" pair of commands that will perform PAT for all inside hosts when communicating between the two interfaces:

global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Now, as long as you don't have an ACL applied to the inside interface that will block traffic from the inside PC1 host to the web/ftp server in the DMZ, you're good to go.
0
 

Author Comment

by:hoggiee
ID: 18753412
I already have the following commands in my PIX, would it affect the nat/global that you mentioned in your comment?

global (outside) 10 interface
nat (inside) 10 192.168.128.0 255.255.255.0 0 0
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18753431
Yes, it would to an extent.  Since PC1 would be covered by the nat (inside) 10 statement (since it's in the 192.168.128.0/24 network), what you could do is add the following global to cover the translation from inside to DMZ:

global (DMZ) 10 interface

This would effectively translate any 192.168.128.0 address into 192.168.138.1 when going to a host on the DMZ interface.  This would be using PAT and it should get you the access you need from PC1 to the web/ftp server.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:hoggiee
ID: 18754075
In conclusion, from your experience and knowledge, which of the nat/global and static is better for access from lower to higher security level?
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18754083
It would definitely be the static command since this assumes static IP addressing used in the translation.  This is what you want if you want hosts to access specific services on other hosts located on higher security level interfaces.
0
 

Author Comment

by:hoggiee
ID: 18756399
Opps sorry! My question was initially, which of the nat/global and static is better for access from higher to lower security level?  Sorry.........
0
 
LVL 28

Assisted Solution

by:batry_boy
batry_boy earned 400 total points
ID: 18756441
If you're not worried about inbound (lower to higher) access to a host, then the nat/global pair using dynamic NAT is more efficient at handling multiple translations for a group of inside hosts.  So, if you don't have a specific need to allow inbound access and you just want to configure outbound (higher to lower) access, then the nat/global pair will work fine.
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 100 total points
ID: 18760039
Agree with batry_boy here.
If transactions/sessions/connections will originate from lower security interface (i.e. DMZ www server to backend internal DB server, or DMZ email spam filter to internal email server), the  use a static.
If no connections will ever be initated from lower to higher, and all connections originate from the higher security inside interface using basic http://server, then a simple nat/global will provide dynamic xlates that are not permanent and so may be more secure. It is also simpler because you don't need corresponding access-lists to allow the traffic back in.
My $0.02
 
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question