Re: [fw-wiz] PIX 520 - control traffic between DMZ and inside devices

From: Luca Berra (bluca@comedia.it)
Date: 12/22/02


From: Luca Berra <bluca@comedia.it>
To: Eye Am <eyeam@optonline.net>
Date: Sun Dec 22 07:51:00 2002

Eye Am wrote:
> Thanks Brian!
>
> We did use NAT, static xlate from DMZ to inside, and access-lists to limit
> port/machine access from DMZ to inside. Cisco finally helped me figure out
> why I was confused and why it wasn't working as desired. Interestingly they
> had me create static xlates very different than any of the "rules" state on
> any CCO documents I read.
>
> Normally a static statement xlates two different IP addies but they had me
> NAT the same IP address inside and DMZ. Never saw that done and haven't
> found anything on CCO discussing the practice.

This is correct. PIX is based on having security levels on interfaces;
the idea seems to be based on its use as a device dividing a small LAN
from the internet. The rules it always enforces are:

1) traffic is permitted from more secure to less secure interfaces
unless denied explicitly with outbound/apply commands.
2) traffic is blocked from less secure to more secure interfaces unless
permitted in a conduit or acl.
3) ip addresses residing on a more secure network are not visible from a
less secure network unless manually exposed (via static or dynamic nat).
4) ip addresses on a less secure network are directly visible from a more
secure network.

You use the nat and global commands to configure dynamic nat,
and you use the static command to configure static nat.

To allow a device on a secure network to communicate with another in a
less secure one you must:

DYNAMIC NAT
        a) define with 'global (external_interface) a_number ip_or_range' the
address pool used for external (global) ip address(es)
        b) associate one or more internal ips with a global pool with the 'nat
(internal_interface) a_number ip_address mask' command
        if a_number is 0 for the nat command it disables nat on the interface
(does not nat stuff coming from this interface)
STATIC NAT
        you use the command 'static (internal_if,external_if) nat_address
real_address'
        if nat_address and real_address are the same you are not actually
natting, but you are explicitly exposing the ip address to an outside
interface (thus satisfying point 3).
If you also need to start a communication from the outside you should
add a conduit or acl to satisfy point 2.

hope this clears some confusion on this issue,
regards,
L.

-- 
Luca Berra -- bluca@comedia.it
  /"\
  \ /     ASCII RIBBON CAMPAIGN
   X        AGAINST HTML MAIL
  / \

