Solved

DMZ and Internet connection

Posted on 2009-04-01
237 Views
Last Modified: 2012-05-06
Hi,
my question is simple !
I have a PIX firewall on which there are some DMZ servers and there is an outside interface of the PIX... The outside interface and all DMZ servers have public IPs... Do I still need a
static (dmz,out) out I.P in I.P command to have communication between DMZ servers and somebody from the Internet, or can I just remove it?
0
Question by:nabeel92
11 Comments
 
LVL 23

Expert Comment

by:debuggerau
ID: 24045497
While you may have PNATs or NATs for each DMZ server to allow incoming requests, outgoing requests also require a NAT to map other ports to an outgoing IP.

So, yes...
0
 

Author Comment

by:nabeel92
ID: 24045513
Sorry, I am confused ;) ... So do I need the static command or not?
At the moment, the static command is configured like this:
static (dmz, out) dmzI.P dmzI.P (previously I mistyped it) .... This to me looks like any outside public IP that wants to talk to the DMZ gets translated into the DMZ's own public IP and then talks to it? Is that so?
0
 
LVL 23

Expert Comment

by:debuggerau
ID: 24045599
If you map a whole IP address externally, it should still be able to surf etc.

But I usually only map whatever service ports into my DMZ, so it remains there to service ports, not utilize them.

By having an outbound NAT for that segment, you're basically allowing them to be clients of the Internet.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24045719
It depends on whether you have "nat-control" enabled or not.

If doing nat-control (verify with a "show run nat-control"), you need a static statement even if the DMZ hosts have public IPs, since NAT is required for connections through the firewall. If "no nat-control", you don't need the static statement.
0
 

Author Comment

by:nabeel92
ID: 24045776
firewall1/failovergroup2# sh running-config nat-control
nat-control

So I'll let the static statement stay there then!
0

 
LVL 43

Expert Comment

by:JFrederick29
ID: 24045783
Yes, correct.  With "nat-control", the static statement is required.
0
 

Author Comment

by:nabeel92
ID: 24045785
But what I also wanted to make sure of was whether the statement below is correct for DMZ and Internet access.

static (dmz, out) dmzI.P dmzI.P
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24045814
Yes. That statement is correct if the dmzIP is the real/public IP of the server.

The static provides both inbound and outbound translation.
0
 

Author Closing Comment

by:nabeel92
ID: 31565593
Excellent
0
 

Author Comment

by:nabeel92
ID: 24045822
OK, that helps!

If I may ask, why would we need translation since both are public IPs, or is it because we're going from security level 0 (outside) to security level 50 (dmz)??? That's my last remaining confusion in this part!
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24045860
It's simply the architecture of the nat-control version of the PIX/ASA. Every connection from any interface to any other interface needs NAT. It doesn't matter if the IP is being translated to a different IP or not. With newer versions of code, that requirement has been removed (no nat-control), which is now the default functionality (only NAT when you need to).
0
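Putting the accepted answer into a configuration, as an added example that is not from the thread or from either poster: a PIX/ASA 7.x-style setup with nat-control enabled, the identity static for one DMZ server, and the access-list that the static does not replace. The interface names "outside"/"dmz" and the address 203.0.113.10 (documentation range) are assumed.

```cisco
! Added example (not from the thread). Assumed: interface "outside" at
! security level 0, interface "dmz" at security level 50, and a DMZ web
! server whose real, public address is 203.0.113.10 (constructed value).
nat-control
!
! Identity static: mapped IP and real IP are the same, so nothing is
! rewritten, but with nat-control this is the translation that lets
! connections to and from the host be built at all (both directions).
static (dmz,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255
!
! The static only supplies the translation. Traffic from outside (0) to
! dmz (50) still needs an access-list; permit only the published service.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! Checks: "show running-config nat-control" confirms the mode (as in the
! thread); "show xlate" shows the identity translation once a connection
! exists. With "no nat-control" the static is not required for the host to
! pass traffic, but the access-list above is still required.
```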