Solved

Cisco Pix DMZ without NAT, LAN with NAT

Posted on 2007-11-20
Last Modified: 2011-04-14
Good evening all.
We have a Cisco PIX 515E with three interfaces: Inside (172.16.1.0), Outside and DMZ (192.168.1.0). We have a public /29 IP range (10.1.1.185/255.255.255.248 for this example). I am not sure if this is even possible, but it's worth a try. The PIX is all set up and working, no problem. Our LAN connects to the internet (shown as IP 10.1.1.186) and to the DMZ without issues; our webmail (10.1.1.188) is published with the DNS extension to allow internal access without requiring an internal DNS entry etc.

We now need to run an application in the DMZ that must bind to the public IP address (10.1.1.189), so we require NAT to be disabled on the DMZ only. I have had a play with the config, but for it all to route correctly the DMZ interface needs the IP address 10.1.1.187; however, this fails because it conflicts with the outside interface.

After thinking about this for a good while, my feeling is that a second PIX will need to come in and be placed in front of our existing PIX, running without NAT but still allowing our machines to be firewalled. Is there a way of running the DMZ purely on our public IP range rather than a private one NAT'd? I have googled, gone through Cisco docs etc. and can only find examples for running NAT or no-NAT, but not both. If the only way is with a second PIX then fair enough, but if it can be done without that would be a bonus.

Thanks

SF
Question by: Sword_Fish

Accepted Solution
by: Sword_Fish
Realised this morning that yes, we will need a second PIX, to run:

Leased Line router ---- transparent PIX --- switch --- routed PIX.

The switch would also have the public-IP'd interfaces of the servers. The Cisco support docs also appear to support this.
Expert Comment
by: Alan Huseyin Kayahan
   Hi Sword_Fish
       "We now need to run an application in the DMZ that must bind to the public IP Address (10.1.1.189) so we require the NAT to be disabled on the DMZ only."
        To achieve this, you don't need a second PIX and you don't need to disable NAT.
        If you want to translate your whole DMZ network to 10.1.1.189 on the outside, you need the following:

        ! Dynamic PAT: outbound DMZ traffic appears on the outside as 10.1.1.189
        nat (DMZ) 2 192.168.1.0 255.255.255.0
        global (outside) 2 10.1.1.189 255.255.255.255
        ! Open only the application's port towards 10.1.1.189, then bind the
        ! list to the outside interface so it actually takes effect
        access-list outside_access_in permit tcp any host 10.1.1.189 eq yourapplicationsport
        access-group outside_access_in in interface outside

        If the application runs on one server/computer in the DMZ (let's say its IP is 192.168.1.9), do the following:

        ! One-to-one static NAT: 10.1.1.189 on the outside maps to 192.168.1.9 in the DMZ
        static (DMZ,outside) 10.1.1.189 192.168.1.9 netmask 255.255.255.255 0 0
        ! Permit only the application's port to the translated address
        access-list outside_access_in permit tcp any host 10.1.1.189 eq yourapplicationsport
        access-group outside_access_in in interface outside

Regards
Author Comment
by: Sword_Fish
Unfortunately the server in the DMZ has to be physically assigned, in Windows, the IP address 10.1.1.189. We have got hold of a second PIX to run purely in transparent mode and will mount a switch between PIX 1 and PIX 2, plugging the server into this switch.

Statics don't work (I tried) because the IP address of the Windows server must be 10.1.1.189.
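Added example for the topology the thread settles on (leased-line router, transparent PIX, switch carrying the public-addressed server and the routed PIX's outside interface, routed PIX behind it). This is editorial config, not something either poster supplied. It assumes the second PIX is a 515E running PIX 7.x software (transparent mode does not exist in 6.x, and in 7.x single mode the bridge has exactly two data interfaces), that the ISP router sits at 10.1.1.185, that 10.1.1.190 is free for the bridge's management address, and that both the DMZ application and the webmail listen on TCP 443. Interface descriptions and ACL names are made up; the IP addresses are the ones used in the question.

```cisco
! Added example, not from the thread: second PIX (515E, PIX 7.x) in
! transparent mode, bridging the leased-line router to the switch that
! holds the 10.1.1.189 server and the routed PIX's outside (10.1.1.186).
! Assumed: router 10.1.1.185, management IP 10.1.1.190, application and
! webmail on TCP 443, interface and ACL names.
firewall transparent
hostname pix-bridge
!
interface Ethernet0
 description towards leased-line router
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet1
 description towards DMZ switch (10.1.1.189 server, routed PIX outside 10.1.1.186)
 nameif inside
 security-level 100
 no shutdown
!
! Transparent mode: a single management address on the bridged /29, used
! only to reach the bridge itself. It is nobody's default gateway and it
! does no NAT, so 10.1.1.189 crosses the box unchanged.
ip address 10.1.1.190 255.255.255.248
route outside 0.0.0.0 0.0.0.0 10.1.1.185
!
! Inbound policy. The Windows host owns 10.1.1.189 directly, so this list
! is the only thing between it and the Internet: permit just the
! application port. The routed PIX's published webmail (static 10.1.1.188)
! must also be allowed through the bridge, or it stops working the moment
! this box goes inline. Outbound LAN sessions from 10.1.1.186 need no
! rule here: they start on the inside and their returns match statefully.
access-list outside_in extended permit tcp any host 10.1.1.189 eq 443
access-list outside_in extended permit tcp any host 10.1.1.188 eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! The server is "inside" only in the bridge's sense. Limit what it may
! start towards the Internet so a compromise of it is not a free outbound
! pivot; widen to what the application genuinely needs. The routed PIX's
! own addresses (PAT 10.1.1.186 and static 10.1.1.188) keep their existing
! policy, which the routed PIX already enforces.
access-list inside_out extended permit tcp host 10.1.1.189 any eq 443
access-list inside_out extended permit udp host 10.1.1.189 any eq 53
access-list inside_out extended permit ip host 10.1.1.186 any
access-list inside_out extended permit ip host 10.1.1.188 any
access-list inside_out extended deny ip any any log
access-group inside_out in interface inside
!
! Manage the bridge only from the LAN side, which arrives via the routed
! PIX's outside address after PAT.
ssh 10.1.1.186 255.255.255.255 inside
```

Two things to check when bringing this up. `firewall transparent` wipes the running configuration, so enter it from the console on a box that has not yet been wired in, then paste the rest. Once inline, `show access-list outside_in` hit counts confirm that the webmail and the application are the only flows reaching the switch from the router side, and `show arp` on the bridge should list 10.1.1.185, 10.1.1.186, 10.1.1.188 and 10.1.1.189 as the bridged hosts. Anything the routed PIX terminates on 10.1.1.186 itself (a VPN, for instance) needs its own permit in `outside_in`; the example above covers only the services the question mentions. The routed PIX keeps its existing configuration unchanged, with 10.1.1.189 simply absent from its NAT and its DMZ.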
