
DMZ and Internet connection

Hi,
my question is simple!
I have a PIX firewall on which there are some DMZ servers and there is an outside interface of the PIX. The outside interface and all DMZ servers have public IPs. Do I still need a
static (dmz,out) out-IP in-IP command to have communication between the DMZ servers and somebody from the internet, or can I just remove it?
1 Solution
debuggerau commented:
While you may have PNATs or NATs for each DMZ server to allow incoming requests, outgoing requests also require a NAT to map other ports to an outgoing IP.

So, yes...
nabeel92 (Author) commented:
Sorry, I am confused ;) ... So do I need the static command or not?
At the moment, the static command is configured like this:
static (dmz, out) dmzIP dmzIP (previously I mistyped it) .... To me this looks like any outside public IP that wants to talk to the DMZ gets translated into the DMZ's own public IP and then talks to it? Is it so?
debuggerau commented:
If you map a whole IP address externally, it should still be able to surf etc.

But I usually only map whatever service ports into my DMZ, so it remains there to service ports, not utilize them.

By having an outbound NAT for that segment, you're basically allowing them to be clients of the internet.
JFrederick29 commented:
It depends on whether you have "nat-control" enabled or not.

If doing nat-control (verify with a "show run nat-control"), you need a static statement even if the DMZ hosts have public IPs, since NAT is required for connections through the firewall. If "no nat-control", you don't need the static statement.
nabeel92 (Author) commented:
firewall1/failovergroup2# sh running-config nat-control
nat-control

So I'll let the static statement stay there then!
JFrederick29 commented:
Yes, correct. With "nat-control", the static statement is required.
nabeel92 (Author) commented:
But what I also wanted to make sure was whether the statement below is correct for DMZ and internet access.

static (dmz, out) dmzIP dmzIP
JFrederick29 commented:
Yes. That statement is correct if the dmzIP is the real/public IP of the server.

The static provides both inbound and outbound translation.
nabeel92 (Author) commented:
Excellent.
nabeel92 (Author) commented:
Ok, that helps!

If I may ask, why would we need translation since both are public IPs, or is it because we're going from security level 0 (outside) to security level 50 (dmz)??? That's my last remaining confusion in this part!
JFrederick29 commented:
It's simply the architecture of the nat-control version of the PIX/ASA. Every connection from any interface to any other interface needs NAT. It doesn't matter whether the IP is being translated to a different IP or not. With newer versions of code, that requirement has been removed (no nat-control), which is now the default functionality (only NAT when you need to).
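As an added example that is not part of the thread, the following Python audit applies the rule JFrederick29 describes to a saved running-config: under nat-control, every DMZ host needs a static (identity or otherwise) towards the outside interface, while under "no nat-control" the static is optional. The sample config, host list and interface names ("dmz", "outside") are constructed; pass your own nameif values if they differ (the thread uses "out").

```python
import re

# Constructed sample running-config excerpt (not from the original thread);
# addresses are from the RFC 5737 documentation range.
SAMPLE_CONFIG = """\
nat-control
static (dmz,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 203.0.113.11 netmask 255.255.255.255
static (dmz,outside) 203.0.113.80 203.0.113.13 netmask 255.255.255.255
"""

# PIX/ASA syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask ...]
STATIC_RE = re.compile(
    r"^static\s+\(\s*(?P<real_if>[\w-]+)\s*,\s*(?P<mapped_if>[\w-]+)\s*\)\s+"
    r"(?P<mapped>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<real>\d{1,3}(?:\.\d{1,3}){3})"
)

def nat_control_enabled(config):
    """True if nat-control is on; a later 'no nat-control' line turns it off."""
    enabled = False
    for line in config.splitlines():
        line = line.strip()
        if line == "nat-control":
            enabled = True
        elif line == "no nat-control":
            enabled = False
    return enabled

def static_translations(config, real_if, mapped_if):
    """Map real IP -> mapped IP for every static from real_if to mapped_if."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m["real_if"] == real_if and m["mapped_if"] == mapped_if:
            statics[m["real"]] = m["mapped"]
    return statics

def audit_dmz_statics(config, dmz_hosts, real_if="dmz", mapped_if="outside"):
    """Which DMZ hosts have a translation to mapped_if, and which would be
    dropped under nat-control (every connection then needs a static/nat entry,
    even when the host already holds a public IP)."""
    nat_control = nat_control_enabled(config)
    statics = static_translations(config, real_if, mapped_if)
    identity = sorted(h for h in dmz_hosts if statics.get(h) == h)
    translated = {h: statics[h] for h in dmz_hosts if h in statics and statics[h] != h}
    missing = sorted(h for h in dmz_hosts if h not in statics) if nat_control else []
    return {"nat_control": nat_control, "identity": identity,
            "translated": translated, "missing": missing}
```

Entries created with `nat (dmz) 0 access-list ...` (NAT exemption) are not parsed here, so a host covered only by such a rule would show up as missing.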
