Help with NAT definition

Fidelio pounded out on the keyboard on or about 04-Jan-05 05:14:

Not a PIX expert, but what you are trying to do really defeats the purpose of having a DMZ. If you open up the DMZ servers to allow them inside with unlimited access, you are opening your internal systems to possibly becoming compromised if one of your DMZ systems gets compromised. The idea behind a DMZ is to allow them to be accessed by the public (internet) while maintaining the integrity of your internal network. So you want to limit your DMZ servers' access to the inside (private) network to exactly what they need to talk to on the private side. So you should basically have groups of rules as in the following:

private -> DMZ
private -> internet
DMZ -> private
DMZ -> internet
internet -> DMZ
internet -> internal

With each pair becoming increasingly stringent in what it is allowed to access. I know this doesn't answer your question, as I only have experience with Checkpoint's Firewall-1 product. I just felt that you should reconsider what you are doing. If you do not get the answer you need, let me know and I can certainly see what I can come up with. And I apologize if this is just a ramble for you.

Jeff

Reply to
Jeff Lord

I need help with NAT in a CISCO PIX 515E.

I have a dmz called dmzras with network address 192.168.102.0 and an inside network which belongs to 10.0.0.0 255.0.0.0. I want to give access from any dmzras IP to any inside IP, but with NAT to the CISCO PIX inside address in order to avoid routing the network 192.168.102.0.

So I placed this:

access-list inside_access_in permit ip 192.168.102.0 255.255.255.0 any

But I have no idea how to configure the NAT rule to give all incoming traffic from dmzras to inside the IP address of the firewall at the inside interface.

Thank you in advance. Fidelio

Reply to
Fidelio

If I remember correctly, the following *should* allow any 192.168.102/24 device to access any 10/8 device using one-to-many PAT.

Make sure you have a route enabled from the 192 to the 10 network and vice versa.

access-list 1 permit 192.168.102.0 0.0.0.255
ip nat inside source list 1 interface <outside-interface> overload

Enter interface mode for the inside device (192.168) interface:
 ip nat inside

Enter interface mode for the external (10.0) interface:
 ip nat outside

(<outside-interface> is a placeholder for the name of the 10.0-side interface.)

As to *why* you would want to undo a DMZ in this manner escapes me though. A DMZ is basically a group of hosts on your network which you don't trust enough to put in the main network. I can't think of a reason why you would want to allow a DMZ host to access what should be a protected network. The above will also quite likely break access from 10/8 to the 192 network.

What exactly are you trying to achieve?

E.

Reply to
E.

Thank you but the notation you are using is for CISCO IOS not for PIX.

Anyway thank you for answering.

"E." wrote in message news: snipped-for-privacy@
> > I need help with NAT in a CISCO PIX 515E.

Reply to
Fidelio

I know... you are right.

I didn't tell the whole thing. At the dmzras there is a Microsoft RAS server, which assigns each user an IP address from that network, 192.168.102.0.

Of course, after the testing I will assign firewall rules for each IP address in 192.168.102.0 to the destinations allowed to each user. So... if I have a server at 10.10.10.1 and another at 10.10.10.2, and I have a user at RAS called user001 (with given IP address 192.168.102.5) who must be allowed to reach server 10.10.10.1 only, I will place a rule like:

access-list inside_access_in permit ip 192.168.102.5 255.255.255.255 10.10.10.1 255.255.255.255

And of course I will remove the bigger rule I placed in the sample.

So... you were right AND I'm not insane (I know how dmz goes)... eheheheheh

Thank you anyway.

P.S.: I hate CISCO PIX... it's a mess to configure compared with Firewall-1 or the one I use in other countries, called ASTARO, which provides a CheckPoint-like configuration interface.

"Jeff Lord" wrote in message news:-bGdnUCpl snipped-for-privacy@adelphia.com...

Reply to
Fidelio
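Nobody in the thread gave the PIX-side answer, so here is an added example (editor's, not from any poster) of how Fidelio's request would be expressed in PIX syntax: PAT of the dmzras sources to the inside interface address, plus the per-user rules he describes in his last post. It assumes the 515E runs PIX 6.2 or later (the "outside" keyword on nat, i.e. outside NAT, does not exist before 6.2), interfaces named "inside" and "dmzras" with dmzras at the lower security level, an ACL name dmzras_access_in, and a second user at 192.168.102.6 allowed to 10.10.10.2 as a made-up companion to user001. Lines beginning with "!" are comments for the reader, not commands. Two things the question glosses over: the PIX needs a translation for the destination as well as the source when a connection is initiated from a lower-security interface, so an identity static for 10/8 is included (without it the connection is simply dropped); and the access-list belongs on the interface the traffic enters, dmzras, not inside.

```text
! Added example, not from the thread. Assumes PIX 6.2/6.3, interfaces named
! "inside" and "dmzras", and the addresses given in the thread.

! 1. Outside NAT (PIX 6.2+): sources on the lower-security dmzras interface are
!    PAT'd to the inside interface's own address when they connect inward, so
!    nothing on the 10/8 side needs a route back to 192.168.102.0/24.
nat (dmzras) 1 192.168.102.0 255.255.255.0 outside
global (inside) 1 interface

! 2. The PIX also needs a translation for the destination when a connection is
!    initiated from a lower-security interface. An identity static keeps the
!    inside hosts' real 10/8 addresses as seen from dmzras.
static (inside,dmzras) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

! 3. Per-user rules, bound to the interface the traffic enters (dmzras). They
!    match the real (pre-NAT) RAS-assigned source addresses. The second user
!    (192.168.102.6 -> 10.10.10.2) is an assumed example, not from the thread.
access-list dmzras_access_in permit ip host 192.168.102.5 host 10.10.10.1
access-list dmzras_access_in permit ip host 192.168.102.6 host 10.10.10.2
access-list dmzras_access_in deny ip any any
access-group dmzras_access_in in interface dmzras
```

To check it, open a connection from a RAS client to 10.10.10.1 and run "show xlate": there should be a PAT entry mapping the 192.168.102.x source to the inside interface address. "show access-list dmzras_access_in" shows which entry matched. One consequence worth noting: because every RAS user arrives on the inside network from the PIX's own address, the servers' logs can no longer distinguish user001 from anyone else; the PIX syslog (translation and connection messages) becomes the only record tying an inside connection back to a 192.168.102.x address, so send it somewhere it is kept.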

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.