Solved

Cisco PIX Firewall: NAT / STATIC

Posted on 2007-03-19
8
595 Views
Last Modified: 2010-04-09
I have a Cisco PIX Firewall with ver 6.3.  I am always confused with the use of NAT and Static.  I am well aware that NAT is for access from higher security level to lower security level, whereas Static is for access from lower to higher security level.  Consider the following case:

PC1 ---------------------------- PIX Firewall ---------------------------Internet
                                                    |
                                                    |
                                         Web/FTP server

PIX Inside: 192.168.128.1/255.255.255.0
PC1: 192.168.128.100/255.255.255.0
PIX DMZ: 192.168.138.1/255.255.255.0
Web/FTP Server: 192.168.138.100/255.255.255.0

My question is how do I allow access from PC1 to Web/FTP server in the DMZ?
0
Comment
Question by:hoggiee
  • 4
  • 3
8 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 400 total points
ID: 18747390
Assuming the security level of the inside interface (where PC1 resides) is higher than the DMZ interface, then here are the commands that would allow access:

You can do either a static command that will translate the PC1 IP address back to itself when communicating with the DMZ interface:

static (inside,DMZ) 192.168.128.100 192.168.128.100 netmask 255.255.255.255

Or you can use a "nat" and "global" pair of commands that will perform PAT for all inside hosts when communicating between the two interfaces:

global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Now, as long as you don't have an ACL applied to the inside interface that will block traffic from the inside PC1 host to the web/ftp server in the DMZ, you're good to go.
0
 

Author Comment

by:hoggiee
ID: 18753412
I already have the following commands in my PIX, would it affect the nat/global that you mentioned in your comment?

global (outside) 10 interface
nat (inside) 10 192.168.128.0 255.255.255.0 0 0
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18753431
Yes, it would to an extent.  Since PC1 would be covered by the nat (inside) 10 statement (since it's in the 192.168.128.0/24 network), what you could do is add the following global to cover the translation from inside to DMZ:

global (DMZ) 10 interface

This would effectively translate any 192.168.128.0 address into 192.168.138.1 when going to a host on the DMZ interface.  This would be using PAT and it should get you the access you need from PC1 to the web/ftp server.
0
 

Author Comment

by:hoggiee
ID: 18754075
In conclusion, from your experience and knowledge, which of the nat/global and static is better for access from lower to higher security level?
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 28

Expert Comment

by:batry_boy
ID: 18754083
It would definitely be the static command since this assumes static IP addressing used in the translation.  This is what you want if you want hosts to access specific services on other hosts located on higher security level interfaces.
0
 

Author Comment

by:hoggiee
ID: 18756399
Opps sorry! My question was initially, which of the nat/global and static is better for access from higher to lower security level?  Sorry.........
0
 
LVL 28

Assisted Solution

by:batry_boy
batry_boy earned 400 total points
ID: 18756441
If you're not worried about inbound (lower to higher) access to a host, then the nat/global pair using dynamic NAT is more efficient at handling multiple translations for a group of inside hosts.  So, if you don't have a specific need to allow inbound access and you just want to configure outbound (higher to lower) access, then the nat/global pair will work fine.
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 100 total points
ID: 18760039
Agree with batry_boy here.
If transactions/sessions/connections will originate from lower security interface (i.e. DMZ www server to backend internal DB server, or DMZ email spam filter to internal email server), the  use a static.
If no connections will ever be initated from lower to higher, and all connections originate from the higher security inside interface using basic http://server, then a simple nat/global will provide dynamic xlates that are not permanent and so may be more secure. It is also simpler because you don't need corresponding access-lists to allow the traffic back in.
My $0.02
 
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Cisco Pix/ASA hairpinning The term, hairpinning, comes from the fact that the traffic comes from one source into a router or similar device, makes a U-turn, and goes back the same way it came. Visualize this and you will see something that looks …
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now