Multiple NATs PIX 515

In article , Richard Isaac wrote:
:I have a PIX with the following Networks
:Outside Inside DMZ

:1. I currently have a static NAT which allows an outside address direct
:access to the servers in the DMZ.

:2. There is a NAT which allows inside traffic to the dmz - keeping the
:source address.

:I need to add a translation which allows servers in the DMZ access to hosts
:on the inside - keeping their original addresses.

If you want the inside and DMZ hosts to retain their original addresses when talking to each other, then create a new ACL permitting traffic with a source of your inside network and a destination of your dmz network, and then

nat (inside) 0 access-list TheNewACL

(Note: you are only allowed one nat 0 access-list per interface, so if you already have one, merge the new entry into the old acl.)

The above has an important security side effect: it allows the DMZ hosts to initiate connections to inside hosts whenever the access-group applied to the DMZ allows the traffic, even if there is no 'static' statement for that inside host.

Alternately,

static (inside,dmz) INSIDEIP INSIDEMASK INSIDEIP INSIDEMASK

Although this only talks about the inside IPs, your requirement #2, that DMZ to inside retains the DMZ source IPs, happens automatically because unless you configure specifically otherwise, traffic from a lower-security interface to a higher-security interface retains the source IP address.

Walter Roberson

Hi,

I have a PIX with the following Networks

Outside Inside DMZ

  1. I currently have a static NAT which allows an outside address direct access to the servers in the DMZ.

  2. There is a NAT which allows inside traffic to the dmz - keeping the source address.

I need to add a translation which allows servers in the DMZ access to hosts on the inside - keeping their original addresses.

I have created the access rule to allow the relevant ports from the DMZ to the inside. When I try to add a rule to translate DMZ to Inside, Dynamic, same address, it pops up warning me that the security rule that allows (2 - above) will be broken.

I get syslog errors saying "No translation group found for tcp src dmz dst inside...."

Any help anyone could offer would be great - even if it's only to tell me that I'm trying to do something that the pix can't do!

Cheers

Richard

Richard Isaac

Hi Walter,

Thanks for replying.

I tried adding the nat command but it gave me an error about it not being an IP address.

I also had a nat (inside) 0 0.0.0.0 0.0.0.0 00 which I've removed because the inside interface has no need to reach the outside.

The inside subnet is 10.250.2.0. The dmz subnet is 10.25.250.0.

The dmz is trying to reach an address of 10.250.30.30. The pix has a route to this of:

route inside 10.250.30.0 255.255.255.0 10.250.25.1 1

If I do a sh nat, I now get: nat (inside) 0 10.250.30.0 255.255.255.0 0 0, which looks like it's nearly correct, but I'm still getting errors about no xlate.

The access groups are called:

dmz_access_in - allows outgoing dmz requests
acl_out - incoming traffic from the outside
inside_access_in - allows dmz traffic to the inside

Unfortunately most of the config was created via the PDM.

Regards

Richard

Richard Isaac

In article , Richard Isaac wrote:
:The inside subnet is 10.250.2.0
:The dmz subnet is 10.25.250.0

:The dmz is trying to reach an address of 10.250.30.30. The pix has a route
:to this of route inside 10.250.30.0 255.255.255.0 10.250.25.1 1

That implies you have an inside router.

:If I do a sh nat, i now get: nat (inside) 0 10.250.30.0 255.255.255.0 0 0,
:which looks like it's nearly correct, but I'm still getting errors about no
:xlate.

nat 0 *without* an access-list parameter is one-directional: outgoing traffic will have its IP address left alone, but incoming traffic will be blocked unless there is some other nat or static with higher precedence.

Remove that nat and replace it with one of the following two:

static (inside,dmz) 10.250.30.0 10.250.30.0 netmask 255.255.255.0

OR

access-list inside_dmz_nonat permit ip 10.250.30.0 255.255.255.0 10.25.250.0 255.255.255.0
nat (inside) 0 access-list inside_dmz_nonat

The effect is very nearly the same for both choices.

There are cases that require more complexity, if you want port translation to be happening while IP addresses are left alone: that case would use the nat 0 -without- an access-list, combined with some static statements (or else combined with a nat 0 -with- an access-list.) The two choices I gave above are for the case where you want IPs -and- ports to be untouched in going between the two interfaces.

Walter Roberson
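The two fixes from Walter's replies, put together with the dmz access-group that decides what DMZ servers may initiate toward the inside. This is an added configuration example, not config from either poster; the subnets and ACL names come from the thread, while port 443 is an assumed placeholder for the "relevant ports" Richard mentions.

```cisco
! Added example (not from the thread). Subnets from the thread:
! inside network behind the inside router 10.250.30.0/24, dmz 10.25.250.0/24.

! Drop the one-directional form. nat 0 without an access-list leaves
! inside -> dmz addresses alone but builds no xlate for dmz -> inside,
! which is what produces "No translation group found for tcp src dmz dst inside".
no nat (inside) 0 10.250.30.0 255.255.255.0 0 0

! Option 1: identity static. Same address on both sides, so DMZ hosts can
! reach 10.250.30.x and inside hosts keep their address toward the DMZ.
static (inside,dmz) 10.250.30.0 10.250.30.0 netmask 255.255.255.0

! Option 2 (use instead of option 1, not in addition): nat 0 with an
! access-list is bidirectional. Only one nat 0 access-list per interface,
! so merge into an existing one if there already is one.
access-list inside_dmz_nonat permit ip 10.250.30.0 255.255.255.0 10.25.250.0 255.255.255.0
nat (inside) 0 access-list inside_dmz_nonat

! Either option only supplies the translation. Whether a DMZ server may
! open a connection to an inside host is decided by the ACL applied inbound
! on the dmz interface, so keep that ACL to the needed hosts and ports.
! Port 443 is an assumed placeholder; the explicit deny sits ahead of any
! broader outbound permits dmz_access_in may already carry.
access-list dmz_access_in permit tcp 10.25.250.0 255.255.255.0 host 10.250.30.30 eq 443
access-list dmz_access_in deny ip 10.25.250.0 255.255.255.0 10.250.0.0 255.255.0.0
access-group dmz_access_in in interface dmz

! Verify the entry, the ACL hit counts, and (once traffic flows) the xlate.
show nat
show access-list dmz_access_in
show xlate
```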

That fixed it!

I still don't understand the logic of how the nat works, it seems a bit backward. But the customer is now happy so I can worry about that later!

Thanks again for replying.

Regards

Richard

Richard Isaac
