Cisco PIX Firewall: NAT / STATIC

I have a Cisco PIX Firewall with ver 6.3.  I am always confused with the use of NAT and Static.  I am well aware that NAT is for access from higher security level to lower security level, whereas Static is for access from lower to higher security level.  Consider the following case:

PC1 ---------------------------- PIX Firewall ---------------------------Internet
                                                    |
                                                    |
                                         Web/FTP server

PIX Inside: 192.168.128.1/255.255.255.0
PC1: 192.168.128.100/255.255.255.0
PIX DMZ: 192.168.138.1/255.255.255.0
Web/FTP Server: 192.168.138.100/255.255.255.0

My question is how do I allow access from PC1 to Web/FTP server in the DMZ?
hoggiee Asked:
batry_boy Commented:
Assuming the security level of the inside interface (where PC1 resides) is higher than the DMZ interface, then here are the commands that would allow access:

You can do either a static command that will translate the PC1 IP address back to itself when communicating with the DMZ interface:

static (inside,DMZ) 192.168.128.100 192.168.128.100 netmask 255.255.255.255

Or you can use a "nat" and "global" pair of commands that will perform PAT for all inside hosts when communicating between the two interfaces:

global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Now, as long as you don't have an ACL applied to the inside interface that will block traffic from the inside PC1 host to the web/ftp server in the DMZ, you're good to go.
hoggiee (Author) Commented:
I already have the following commands in my PIX, would it affect the nat/global that you mentioned in your comment?

global (outside) 10 interface
nat (inside) 10 192.168.128.0 255.255.255.0 0 0
batry_boy Commented:
Yes, it would to an extent.  Since PC1 would be covered by the nat (inside) 10 statement (since it's in the 192.168.128.0/24 network), what you could do is add the following global to cover the translation from inside to DMZ:

global (DMZ) 10 interface

This would effectively translate any 192.168.128.0 address into 192.168.138.1 when going to a host on the DMZ interface.  This would be using PAT and it should get you the access you need from PC1 to the web/ftp server.
hoggiee (Author) Commented:
In conclusion, from your experience and knowledge, which of the nat/global and static is better for access from lower to higher security level?
batry_boy Commented:
It would definitely be the static command since this assumes static IP addressing used in the translation.  This is what you want if you want hosts to access specific services on other hosts located on higher security level interfaces.
hoggiee (Author) Commented:
Oops, sorry! My question was initially, which of the nat/global and static is better for access from higher to lower security level?  Sorry.........
batry_boy Commented:
If you're not worried about inbound (lower to higher) access to a host, then the nat/global pair using dynamic NAT is more efficient at handling multiple translations for a group of inside hosts.  So, if you don't have a specific need to allow inbound access and you just want to configure outbound (higher to lower) access, then the nat/global pair will work fine.
lrmoore Commented:
Agree with batry_boy here.
If transactions/sessions/connections will originate from the lower security interface (i.e. DMZ www server to backend internal DB server, or DMZ email spam filter to internal email server), then use a static.
If no connections will ever be initiated from lower to higher, and all connections originate from the higher security inside interface using basic http://server, then a simple nat/global will provide dynamic xlates that are not permanent and so may be more secure. It is also simpler because you don't need corresponding access-lists to allow the traffic back in.
My $0.02
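Putting batry_boy's two options and lrmoore's "static plus access-list" point together, here is an added example PIX 6.3 configuration for the asker's topology. It is not from any of the posts above; the interface names and security levels, the internal DB host 192.168.128.50 and TCP port 1433 are assumptions.

```cisco
! Security levels: inside (100) is higher than DMZ (50), DMZ higher than outside (0).
! PIX 6.3 needs a translation for every flow that crosses interfaces, which is
! why inside -> DMZ traffic fails until one of the two choices below exists.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
ip address inside 192.168.128.1 255.255.255.0
ip address DMZ 192.168.138.1 255.255.255.0

! Already on the asker's PIX: PAT for inside hosts going to the Internet
global (outside) 10 interface
nat (inside) 10 192.168.128.0 255.255.255.0 0 0

! Choice 1, outbound only (higher -> lower): reuse NAT id 10 so inside hosts
! are PATed behind the DMZ interface address (192.168.138.1) toward the DMZ.
! No access-list is needed; replies ride the short-lived dynamic xlate.
global (DMZ) 10 interface

! Choice 2, when the DMZ must also open connections inward (lower -> higher):
! an identity static gives the inside host a fixed address on the DMZ side.
! Statics take precedence over the nat/global pair for the hosts they cover,
! so only list the hosts that really must be reachable (assumed: the DB server).
static (inside,DMZ) 192.168.128.50 192.168.128.50 netmask 255.255.255.255

! Lower -> higher is denied until permitted, so allow exactly one source,
! one destination and one port. Binding an access-group to DMZ replaces the
! interface's implicit policy, so DMZ -> outside traffic must be permitted
! here too if the web/FTP server needs Internet access.
access-list dmz_in permit tcp host 192.168.138.100 host 192.168.128.50 eq 1433
access-list dmz_in permit tcp host 192.168.138.100 any eq 80
access-group dmz_in in interface DMZ

! Verify which translations and connections actually exist
show xlate
show conn
```

With only Choice 1 applied, `show xlate` should show a PAT entry for PC1 behind 192.168.138.1 after a browse to the DMZ server; with Choice 2, a static entry for 192.168.128.50 appears regardless of traffic.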