Ciderspine

PIX Nat

Hello,

I'm going to be adding a DMZ to our PIX in which will sit an external DNS and a web server. Currently have int/ext interfaces and am natting all traffic from internal int. My question is this - how should I configure NAT in order for the hosts in the DMZ to access the internet and hosts behind the int interface to access the DMZ? Could I NAT the DNS and WWW in the DMZ to their own current public addresses?
batry_boy

>>Could I NAT the DNS and WWW in the DMZ to their own current public addresses?

Yes, and in fact, you'll have to do it this way if you want external hosts to be able to send traffic to them.   As an example, let's say you have 1.1.1.1 as your public IP address for the WWW server with 10.10.10.1 as its DMZ IP address; and 1.1.1.2 as the public address for the DNS server with 10.10.10.2 as its DMZ IP address; and that you wanted to have the internal network appear as the same network addressing to the DMZ network segment (we'll say the internal network is 192.168.1.0/24).  Here's how to do it:

global (outside) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 1.1.1.1 10.10.10.1 netmask 255.255.255.255
static (dmz,outside) 1.1.1.2 10.10.10.2 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Post back with questions...
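
The five configuration lines above, run through a simplified translation model (an added example, not part of batry_boy's post or any Cisco tool). The helper names `parse` and `translate` are hypothetical; the model assumes static entries are matched before nat/global pairs and ignores access lists and security levels.

```python
import ipaddress

# Config lines copied from the answer above.
CONFIG = """\
global (outside) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 1.1.1.1 10.10.10.1 netmask 255.255.255.255
static (dmz,outside) 1.1.1.2 10.10.10.2 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
"""

def parse(config):
    """Split the config into static rules, nat rules and global pools."""
    statics, nats, globals_ = [], [], {}
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        ifs = tok[1].strip("()").split(",")
        if tok[0] == "static":    # static (real_if,mapped_if) mapped real netmask mask
            mapped = ipaddress.ip_network(f"{tok[2]}/{tok[5]}")
            real = ipaddress.ip_network(f"{tok[3]}/{tok[5]}")
            statics.append((ifs[0], ifs[1], real, mapped))
        elif tok[0] == "nat":     # nat (real_if) id network mask
            nats.append((ifs[0], tok[2], ipaddress.ip_network(f"{tok[3]}/{tok[4]}")))
        elif tok[0] == "global":  # global (mapped_if) id address|interface
            globals_[(ifs[0], tok[2])] = tok[3]
    return statics, nats, globals_

def translate(config, src_if, dst_if, src_ip):
    """Return the source address as seen on dst_if, or None if no rule matches."""
    statics, nats, globals_ = parse(config)
    ip = ipaddress.ip_address(src_ip)
    # Assumption of this model: statics are matched before dynamic nat/global.
    for real_if, mapped_if, real, mapped in statics:
        if (real_if, mapped_if) == (src_if, dst_if) and ip in real:
            offset = int(ip) - int(real.network_address)
            return str(mapped.network_address + offset)
    for real_if, nat_id, net in nats:
        if real_if == src_if and ip in net and (dst_if, nat_id) in globals_:
            pool = globals_[(dst_if, nat_id)]
            return f"PAT to {dst_if} interface" if pool == "interface" else pool
    return None
```

The `None` result for inside-to-outside traffic reflects that the asker's existing `nat (inside)` line is not among the five lines shown.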
Ciderspine

ASKER

Thanks for the response - very clear.

To NAT the dmz hosts, could I use the same global addresses I am using to NAT the internal hosts rather than using the interface address?

So, for the access lists I would need to permit inbound www and dns traffic on the Outside interface. Would I need an access list on the DMZ interface too?

>>static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 - would this result in the internal host addresses staying the same or would they be translated into an address from the range specified?

Thanks.

ASKER CERTIFIED SOLUTION
batry_boy
Thanks.