Solved

PIX NAT Explanation

Posted on 2011-02-28
Last Modified: 2012-05-11
Static (dmz,inside) 10.10.10.1 172.16.15.1
Correct me if I am wrong.
This translation means that when someone going from inside to DMZ targets 10.10.10.1, that will be translated to 172.16.15.1.
Does that also mean that someone from DMZ with the IP address of 172.16.15.1 will be translated to 10.10.10.1?
Or is it the other way around? Please explain.
Question by:tech2010
4 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 400 total points
ID: 34997815
>>This translation means when someone from inside to DMZ will target 10.10.10.1 that will be translated to 172.16.15.1

Yep, spot on!

>>Does that mean also that when someone from DMZ with the ip address of 172.16.15.1 will be translated to 10.10.10.1.

Yes again

Remember, this just translates the IP; you would still need an access-list to allow traffic. See my website here: http://www.petenetlive.com/KB/Article/0000316.htm


Pete
0
 
LVL 17

Assisted Solution

by:Kvistofta
Kvistofta earned 100 total points
ID: 34997939
Just to clarify:

For traffic from inside to dmz, the DESTINATION ip will be translated, and for traffic from dmz to inside, the SOURCE ip will be translated.

/Kvistofta
0
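
The direction rule described in the answer above, as an added example that is not part of the original thread: a small Python model of how the one `static (dmz,inside)` entry rewrites the destination in one direction and the source in the other. It assumes the PIX argument order `static (real_if,mapped_if) mapped_ip real_ip`; the helper names and the inside host 192.168.1.50 are constructed, and only address rewriting is modelled, not access-lists or security levels.

```python
import re
from typing import NamedTuple


class StaticNat(NamedTuple):
    real_if: str    # interface where the host really lives
    mapped_if: str  # interface where the mapped address is presented
    mapped_ip: str
    real_ip: str


def parse_static(line: str) -> StaticNat:
    """Parse the host form 'static (real_if,mapped_if) mapped_ip real_ip'."""
    m = re.fullmatch(
        r"\s*static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(\S+)\s+(\S+)\s*",
        line, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a host static: {line!r}")
    return StaticNat(*m.groups())


def translate(rule, in_if, out_if, src, dst):
    """Return (src, dst, field_rewritten) for a packet crossing in_if -> out_if."""
    # Mapped side -> real side: the DESTINATION is rewritten to the real IP.
    if (in_if, out_if) == (rule.mapped_if, rule.real_if) and dst == rule.mapped_ip:
        return src, rule.real_ip, "destination"
    # Real side -> mapped side: the SOURCE is rewritten to the mapped IP.
    if (in_if, out_if) == (rule.real_if, rule.mapped_if) and src == rule.real_ip:
        return rule.mapped_ip, dst, "source"
    # Anything else is untouched by this static entry.
    return src, dst, "none"


# The statement from the question.
RULE = parse_static("Static (dmz,inside) 10.10.10.1 172.16.15.1")

if __name__ == "__main__":
    # Constructed sample flows; 192.168.1.50 is a made-up inside host.
    flows = [
        ("inside", "dmz", "192.168.1.50", "10.10.10.1"),
        ("dmz", "inside", "172.16.15.1", "192.168.1.50"),
        ("dmz", "inside", "172.16.15.9", "192.168.1.50"),
    ]
    for in_if, out_if, src, dst in flows:
        result = translate(RULE, in_if, out_if, src, dst)
        print(f"{in_if}->{out_if} {src} > {dst}  =>  {result}")
```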
 

Expert Comment

by:sebatdot
ID: 34998095
Hi,

Obviously, you should write: static (inside,dmz) 10.10.10.1 172.16.15.1
(note the PIX automatically adds a netmask of 255.255.255.255).

This means that coming from inside network with 10.10.10.1 will translate to 172.16.15.1.
That does not mean the reverse (172.16.15.1 => 10.10.10.1).

Access from DMZ to LAN is prevented as far as your interfaces must have different security-level.

Hope this helps.

S.
0
 

Author Closing Comment

by:tech2010
ID: 35070136
Thanks to all who answered.
0
