Cisco Pix DMZ without NAT, LAN with NAT
Posted on 2007-11-20
Good evening all.
We have a Cisco Pix 515E with three interfaces, Inside (172.16.1.0), Outside and DMZ (192.168.1.0). We have a public /29 IP range (10.1.1.185/255.255.255.248 for this example). I am not sure if this is even possible, but it's worth a try. The Pix is all set up and working, no problem. Our LAN connects to the internet (shown IP 10.1.1.186) and DMZ without issues; our webmail (10.1.1.188) is published with the DNS extension to allow internal access without requiring an internal DNS entry etc.
We now need to run an application in the DMZ that must bind to the public IP address (10.1.1.189), so we require NAT to be disabled on the DMZ only. I have had a play with the config, but for it all to route correctly the DMZ interface needs the IP address 10.1.1.187; however, this fails because it conflicts with the outside interface.
After thinking about this for a good while, my feeling is that a second Pix will need to come in and be placed in front of our existing Pix, running without NAT but still allowing our machines to be firewalled. Is there a way of running the DMZ purely on our public IP range rather than a private one that is NAT'd? I have googled, gone through Cisco docs etc. and can only find examples for running NAT or no-NAT, but not both. If the only way is with a second Pix then fair enough, but if it can be done without, that would be a bonus.
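For reference, the following is an added illustration (not the poster's configuration) of how PIX 6.x syntax lets PAT on the inside interface and identity NAT (no translation) on the DMZ coexist on one firewall, using the addresses from the post; the DMZ host address 192.168.1.10 and the access-list names are assumptions.

```cisco
! Interface numbering as described in the post (assumed PIX 6.x syntax)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 10.1.1.186 255.255.255.248
ip address inside 172.16.1.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
!
! Inside: hosts are PAT'd behind the outside interface address (10.1.1.186)
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
global (outside) 1 interface
!
! Inside <-> DMZ: keep internal addresses untranslated in both directions
static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
!
! DMZ: identity NAT, i.e. DMZ traffic leaves towards outside untranslated.
! Note: this only stops the PIX rewriting addresses; 192.168.1.0/24 is still
! private, so a DMZ host cannot bind a public address this way. For that the
! DMZ needs its own public subnet, distinct from the outside interface subnet,
! which is the overlap conflict the post describes.
nat (dmz) 0 192.168.1.0 255.255.255.0
!
! Webmail: one-to-one static for 10.1.1.188 with DNS doctoring, as in the post
! (192.168.1.10 is an assumed DMZ host address)
static (dmz,outside) 10.1.1.188 192.168.1.10 dns netmask 255.255.255.255 0 0
!
! Only permit the published service inbound from the internet
access-list outside_in permit tcp any host 10.1.1.188 eq https
access-group outside_in in interface outside
```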