Cisco Pix 515E (Ver 6.3) DMZ > Inside (NAT Question)
Posted on 2010-01-10
Hopefully a quick question regarding NAT and a lower security interface.
As I understand it (assuming you have to run NAT, which I do as I am running version 6.3 of the PIX OS) you need a static translation between a lower security interface and a higher one.
What I am trying to do is use dynamic translation (using the nat/global commands) on the lower security interface. The end result being that I can access all machines on the inside interface from the DMZ interface without having to do static translations.
I am aware of the security implications but this is in a test environment so please humour me if you would.
My interfaces are as follows:
I have enabled 3 nat statements:
nat (inside) 1 0 0
nat (outside) 1 0 0
nat (dmz) 1 0 0
And the associated global statements (each pool carries the nat_id 1 to match the nat statements above):
global (inside) 1 192.168.1.10-192.168.1.20
global (outside) 1 192.168.10.10-192.168.10.20
global (dmz) 1 192.168.3.10-192.168.3.20
Also a couple of access lists which allow everything in every direction.
Now the translation works from the high security interface to the lower but not the other way round. Is there any way to make this work without upgrading the OS to version 7.0 to allow me to use the nat-control command?
I have tried nat 0 on the dmz interface (and associated access list rules) but this does not work either.
Many thanks in advance for your time,
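As an added example (not the poster's configuration): on PIX 6.3 the nat/global pair only translates flows from a higher to a lower security interface, so DMZ-to-inside traffic needs a static entry, but a single network-wide identity static covers the whole inside subnet instead of one static per host. It assumes inside is 192.168.1.0/24 at security 100 and the DMZ is 192.168.3.0/24 at security 50 (the interface list is missing from the post), and the access-list name dmz_in is my choice.

```cisco
: Assumed interfaces (not shown in the original post)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.3.1 255.255.255.0

: Higher-to-lower flows: dynamic translation as the poster already has;
: the global pools must carry the same nat_id (1) as the nat statement
nat (inside) 1 0 0
global (dmz) 1 192.168.3.10-192.168.3.20
global (outside) 1 192.168.10.10-192.168.10.20

: Lower-to-higher (dmz -> inside): one identity static for the whole
: inside subnet, so no per-host statics and no address rewriting
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

: The static only creates the translation slot; an ACL bound to the dmz
: interface must still permit the traffic (narrow it to the ports needed
: outside a lab)
access-list dmz_in permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group dmz_in in interface dmz

: Confirm the identity translation is used once a dmz host connects inward
show xlate
```

With the identity static in place, inside hosts also reach the DMZ with their real addresses, because a static takes precedence over the nat/global pool for that pair of interfaces. PIX 6.2 and later also provide "outside NAT" (the outside keyword on the nat command) if a genuinely dynamic pool in the lower-to-higher direction is wanted.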