Jase_x asked:
Cisco Pix 515E (Ver 6.3) DMZ > Inside (NAT Question)

Hi there,

Hopefully a quick question regarding NAT and a lower security interface.

As I understand it (assuming you have to run NAT, which I do as I am running version 6.3 of the PIX OS) you need a static translation between a lower security interface and a higher one.

What I am trying to do is use dynamic translation (Using the NAT/Global commands) on the lower security interface.  The end result being that I can access all machines on the inside interface from the DMZ interface without having to do static translations.

I am aware of the security implications but this is in a test environment so please humour me if you would.

My interfaces are as follows:

Inside: 192.168.1.0/24
Outside: 192.168.10.0/24
DMZ: 192.168.3.0/24

I have enabled 3 nat statements:

nat (inside) 1 0 0
nat (outside) 1 0 0
nat (dmz) 1 0 0

And the associated global statements

global (inside) 1 192.168.1.10-192.168.1.20
global (outside) 1 192.168.10.10-192.168.10.20
global (dmz) 1 192.168.3.10-192.168.3.20

Also a couple of access lists which allow everything in every direction.

Now the translation works from the high security interface to the lower but not the other way round. Is there any way to make this work without upgrading the OS to version 7.0 to allow me to use the nat-control command?

I have tried nat 0 on the dmz interface (and associated access list rules) but this does not work either.

Many thanks in advance for your time,
Istvan Kalmar

hi

If you use nat 0 on the lower security interface, and enable this traffic on both legs, it is working.
Jase_x (ASKER)

That's the problem, nat 0 is enabled on the lower security interface but it does not work. It is as if the statement is ignored.
Jase_x (ASKER)

And even if it wasn't, the dynamic translation should work in the same way it does for the inside interface, do you agree?

Could you show me the whole config?
Jase_x (ASKER)

Unfortunately I don't have it to upload at the moment. The config is pretty much the base config except with the interfaces configured and enabled (IP'd as stated), the nat/global commands above set up, and an access-list acl_out tcp any any which is bound via an access-group to the dmz interface.

Please show us.
Jase_x (ASKER)

Code as specified:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 dmz security10
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname test-fw
domain-name test.internal
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.3.21 webserver
access-list dmz_access_in remark DMZ > Inside (ALL ALLOWED)
access-list dmz_access_in permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu dmz 1500
ip address outside 192.168.10.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
ip address dmz 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address dmz
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.3.2 255.255.255.255 dmz
pdm location webserver 255.255.255.255 inside
pdm location webserver 255.255.255.255 dmz
pdm location 192.192.3.2 255.255.255.255 dmz
pdm location 192.168.1.21 255.255.255.255 inside
pdm location 192.168.3.0 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 192.168.10.10-192.168.10.20 netmask 255.255.255.0
global (inside) 1 192.168.1.10-192.168.1.20 netmask 255.255.255.0
global (dmz) 1 192.168.3.10-192.168.3.20 netmask 255.255.255.0
nat (outside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:8405d4b1cb5346d770f39d445d6aa380
: end
test-fw#
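Editor's note on the posted config, as an added example that is not part of the thread and not the accepted answer (which is not available on the page). On PIX 6.x a connection from a lower-security interface to a higher one needs a translation that belongs to the higher-security interface; `nat (dmz) 0` and `nat (dmz) 1` paired with `global (inside) 1` only describe dmz hosts heading towards interfaces with a lower security level, which is why the posted config builds xlates for inside-to-dmz but drops dmz-to-inside. The three fragments below are the ways 6.3 covers the dmz-to-inside direction without a per-host static; pick one of them, not all three. Addresses and the `dmz_access_in` ACL are taken from the posted config; the access-list name `nonat` is an assumption.

```cisco
! Added example, not from the original thread. Addresses are those of the
! posted config; the access-list name "nonat" is assumed.

! Option 1: identity static for the whole inside subnet.
! Inside hosts keep their own addresses as seen from the DMZ, so no
! per-host "static" lines are needed.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

! Option 2: NAT exemption, configured on the higher-security (inside) side,
! not on the dmz side as tried in the thread. "nat 0 access-list" exempts
! the matched pairs in both directions, so DMZ hosts may initiate.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat

! Option 3: dynamic NAT from the lower-security interface (what the
! question asks for). The trailing "outside" keyword on the nat command
! (PIX 6.2 and later) makes the statement apply to connections arriving on
! the lower-security interface; the translated source address is taken from
! the global pool on the interface the traffic exits, here "inside".
! The existing "global (inside) 1" pool is reused; the pool addresses must
! not be assigned to real inside hosts, because the PIX answers ARP for them.
nat (dmz) 1 0.0.0.0 0.0.0.0 outside
global (inside) 1 192.168.1.10-192.168.1.20 netmask 255.255.255.0

! Whichever option is used, the ACL bound to the dmz interface still decides
! what is permitted. These two lines are already in the posted config.
access-list dmz_access_in permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group dmz_access_in in interface dmz

! Check: after "clear xlate", start a connection from a DMZ host and look for
! its translation and connection entries.
clear xlate
show xlate
show conn
```

With option 1 or 2 the inside host sees the real 192.168.3.x source address; with option 3 it sees a 192.168.1.10-20 pool address, which matters for any host-based filtering or logging on the inside. All three make the whole inside subnet reachable from the DMZ subject only to `dmz_access_in`, so outside a test environment that ACL should be narrowed to the specific inside hosts and ports the DMZ actually needs.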


ASKER CERTIFIED SOLUTION
Texas_Billy

This solution is only available to members.
Jase_x (ASKER)

Excellent answer, I didn't think of doing it that way! Thanks, you've really filled in a blank there!