Cisco Pix 515E (Ver 6.3) DMZ > Inside (NAT Question)

Posted on 2010-01-10
Medium Priority
Last Modified: 2012-05-08
Hi there,

Hopefully a quick question regarding NAT and a lower security interface.

As I understand it (assuming you have to run NAT, which I do as I am running version 6.3 of the PIX OS) you need a static translation between a lower security interface and a higher one.

What I am trying to do is use dynamic translation (using the NAT/Global commands) on the lower security interface.  The end result being that I can access all machines on the inside interface from the DMZ interface without having to do static translations.

I am aware of the security implications but this is in a test environment so please humour me if you would.

My interfaces are as follows:


I have enabled 3 nat statements:

nat (inside) 1 0 0
nat (outside) 1 0 0
nat (dmz) 1 0 0

And the associated global statements

global (inside)
global (outside)
global (dmz)

Also a couple of access lists which allow everything in every direction.

Now the translation works from the high security interface to the lower but not the other way round.  Is there any way to make this work without upgrading the OS to version 7.0 to allow me to use the nat-control command?

I have tried nat 0 on the dmz interface (and associated access list rules) but this does not work either.

Many thanks in advance for your time,
Question by:Jase_x
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26277887

If you use nat 0 on the lower security interface, and enable this traffic on both legs, it is working....

Author Comment

ID: 26277919
That's the problem, nat 0 is enabled on the lower security interface but it does not work.  It is as if the statement is ignored.

Author Comment

ID: 26277924
And even if it wasn't, the dynamic translation should work in the same way it does for the inside interface, do you agree?

LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26277932
could you show me the whole config?

Author Comment

ID: 26278118
Unfortunately I don't have it to upload at the moment. The config is pretty much the base config except with the interfaces configured and enabled (IP'd as stated), the nat/global commands above set up, and an access-list acl_out tcp any any which is bound via an access-group to the dmz interface.

LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26278168
please show us....

Author Comment

ID: 26278304
Code as specified:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 dmz security10
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname test-fw
domain-name test.internal
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
name webserver
access-list dmz_access_in remark DMZ > Inside (ALL ALLOWED)
access-list dmz_access_in permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu dmz 1500
ip address outside
ip address inside
no ip address intf2
no ip address intf3
no ip address intf4
ip address dmz
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address dmz
pdm location inside
pdm location dmz
pdm location webserver inside
pdm location webserver dmz
pdm location dmz
pdm location inside
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 1 netmask
global (inside) 1 netmask
global (dmz) 1 netmask
nat (outside) 1 0 0
nat (inside) 1 0 0
nat (dmz) 1 0 0
access-group dmz_access_in in interface dmz
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end



Accepted Solution

Texas_Billy earned 1000 total points
ID: 26284055
You're going to need NAT 0 for this to work.  The only way you can do what you want is to create a static NAT statement telling the PIX that the DMZ subnet should be allowed to see the inside subnet using its actual address.

static (inside,dmz)
nat (dmz) 0 access-list dmz_access_in

This way, the dmz subnet sees the inside subnet using its real IP address scheme, the PIX will route across those disparate interfaces for you instead of natting across them, and the PIX will know which traffic needs this treatment based on the access-list / nat 0 combination.  --TX
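
To make the accepted answer concrete, here is an added Python model (not from this thread, and not Cisco code) of the PIX 6.3 translation lookup as the thread describes it: nat 0 access-list exemption first, then identity statics, then dynamic nat/global which, matching the asker's observation, is assumed to apply only from the higher-security interface toward the lower one. The subnets, pool addresses and interface names other than those in the posted config are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Security levels as set by the posted nameif lines (outside 0, dmz 10, inside 100).
SECURITY = {"outside": 0, "dmz": 10, "inside": 100}
# Constructed sample addressing; the real subnets were stripped from the page.
INSIDE_NET = ip_network("192.168.1.0/24")

def permit_ip_any_any(src, dst):
    """Stand-in for access-list dmz_access_in permit ip any any."""
    return True

# Asker's original rules: nat (x) 1 0 0 on each interface plus global (x) 1 pools.
DYNAMIC = [
    {"kind": "dynamic", "id": 1, "ifc": "inside", "net": ip_network("0.0.0.0/0")},
    {"kind": "dynamic", "id": 1, "ifc": "dmz",    "net": ip_network("0.0.0.0/0")},
    {"kind": "global",  "id": 1, "ifc": "inside", "pool": ip_address("192.168.1.250")},
    {"kind": "global",  "id": 1, "ifc": "dmz",    "pool": ip_address("192.168.10.250")},
]
# Accepted answer: identity static (inside,dmz) plus nat (dmz) 0 access-list.
ANSWER = [
    {"kind": "static", "real_if": "inside", "mapped_if": "dmz", "net": INSIDE_NET},
    {"kind": "nat0", "ifc": "dmz", "acl": permit_ip_any_any},
]

def lookup_xlate(rules, src_if, dst_if, src, dst):
    """Return (mechanism, source address as seen on dst_if), or None when no
    translation exists, which is the failure the asker hit for dmz -> inside."""
    src, dst = ip_address(src), ip_address(dst)
    # nat 0 access-list: flows matching the ACL are exempt from translation.
    for r in rules:
        if r["kind"] == "nat0" and r["ifc"] == src_if and r["acl"](src, dst):
            return ("nat0-exempt", str(src))
    # Identity static (real_if,mapped_if) works in both directions: it lets
    # mapped_if hosts reach the real network by its real addresses.
    for r in rules:
        if r["kind"] == "static" and {r["real_if"], r["mapped_if"]} == {src_if, dst_if}:
            host = src if src_if == r["real_if"] else dst
            if host in r["net"]:
                return ("static-identity", str(src))
    # Dynamic nat/global (assumption: higher -> lower security only), using the
    # global pool on the destination interface with the matching id.
    if SECURITY[src_if] > SECURITY[dst_if]:
        for n in rules:
            if n["kind"] == "dynamic" and n["ifc"] == src_if and src in n["net"]:
                for g in rules:
                    if g["kind"] == "global" and g["ifc"] == dst_if and g["id"] == n["id"]:
                        return ("dynamic", str(g["pool"]))
    return None
```

Running the asker's rule set alone returns a translation for inside -> dmz but None for dmz -> inside; adding either line of the accepted answer makes the dmz -> inside lookup succeed.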

Author Comment

ID: 26286217
Excellent answer, I didn't think of doing it that way! Thanks, you've really filled in a blank there!
