Cisco Pix 515E (Ver 6.3) DMZ > Inside (NAT Question)

Posted on 2010-01-10
Medium Priority
Last Modified: 2012-05-08
Hi there,

Hopefully a quick question regarding NAT and a lower security interface.

As I understand it (assuming you have to run NAT, which I do as I am running version 6.3 of the PIX OS) you need a static translation between a lower security interface and a higher one.

What I am trying to do is use dynamic translation (Using the NAT/Global commands) on the lower security interface.  The end result being that I can access all machines on the inside interface from the DMZ interface without having to do static translations.

I am aware of the security implications but this is in a test environment so please humour me if you would.

My interfaces are as follows:


I have enabled 3 nat statements:

nat (inside) 1 0 0
nat (outside) 1 0 0
nat (dmz) 1 0 0

And the associated global statements

global (inside)
global (outside)
global (dmz)

Also a couple of access lists which allow everything in every direction.

Now the translation works from the high security interface to the lower but not the other way round.  Is there any way to make this work without upgrading the OS to version 7.0 to allow me to use the nat-control command?

I have tried nat 0 on the dmz interface (and associated access list rules) but this does not work either.

Many thanks in advance for your time,
Question by: Jase_x

Expert Comment

by: Istvan Kalmar
ID: 26277887

If you use nat 0 on the lower security interface, and enable this traffic on both legs, it is working....

Author Comment

ID: 26277919
That's the problem, nat 0 is enabled on the lower security interface but it does not work.  It is as if the statement is ignored.

Author Comment

ID: 26277924
And even if it wasn't, the dynamic translation should work in the same way it does for the inside interface, do you agree?

Expert Comment

by: Istvan Kalmar
ID: 26277932
could you show me the whole config?

Author Comment

ID: 26278118
Unfortunately I don't have it to upload at the moment; the config is pretty much the base config except with the interfaces configured and enabled (IP'd as stated), the nat/global commands above set up, and an access-list acl_out tcp any any which is bound via an access-group to the dmz interface.

Expert Comment

by: Istvan Kalmar
ID: 26278168
please show us....

Author Comment

ID: 26278304
Code as specified:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 dmz security10
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname test-fw
domain-name test.internal
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
name webserver
access-list dmz_access_in remark DMZ > Inside (ALL ALLOWED)
access-list dmz_access_in permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu dmz 1500
ip address outside
ip address inside
no ip address intf2
no ip address intf3
no ip address intf4
ip address dmz
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address dmz
pdm location inside
pdm location dmz
pdm location webserver inside
pdm location webserver dmz
pdm location dmz
pdm location inside
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 1 netmask
global (inside) 1 netmask
global (dmz) 1 netmask
nat (outside) 1 0 0
nat (inside) 1 0 0
nat (dmz) 1 0 0
access-group dmz_access_in in interface dmz
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end

Accepted Solution

Texas_Billy earned 1000 total points
ID: 26284055
You're going to need NAT 0 for this to work.  The only way you can do what you want is to create a static NAT statement telling the PIX that the DMZ subnet should be allowed to see the inside subnet using its actual address.

static (inside,dmz)
nat (dmz) 0 access-list dmz_access_in

This way, the dmz subnet sees the inside subnet using its real IP address scheme, the PIX will route across those disparate interfaces for you instead of natting across them, and the PIX will know which traffic needs this treatment based on the access-list / nat 0 combination.  --TX
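A worked PIX 6.3 configuration of the identity static plus nat 0 exemption described in the accepted answer, added here as an example and not taken from Texas_Billy's post or the poster's config. The inside (192.168.1.0/24) and dmz (192.168.10.0/24) subnets, the two hosts and the port are constructed, since the page's addresses were stripped, and it assumes a dedicated exemption ACL rather than reusing the interface ACL, plus a narrower interface ACL than the "permit ip any any" in the posted config.

```cisco
! Constructed addressing (not the poster's): inside 192.168.1.0/24, dmz 192.168.10.0/24
! 1. Identity static: present the inside subnet to the DMZ under its real addresses
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
! 2. NAT exemption for DMZ-initiated flows toward inside, keyed on its own ACL
!    (kept separate from the interface ACL so tightening one does not silently change the other)
access-list dmz_nonat permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list dmz_nonat
! 3. Lower-to-higher traffic still has to be permitted on the DMZ interface;
!    allow only what the DMZ host needs, everything else hits the implicit deny
access-list dmz_access_in remark DMZ web server (constructed) to inside database only
access-list dmz_access_in permit tcp host 192.168.10.20 host 192.168.1.50 eq 1433
access-group dmz_access_in in interface dmz
! 4. Verify after a test connection from 192.168.10.20: the flow should appear in
!    "show conn" with the inside host's real address, not a global-pool address
show xlate
show conn
```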

Author Comment

ID: 26286217
Excellent answer, I didn't think of doing it that way! Thanks, you've really filled in a blank there!
