
NAT 0 Help 1

Jun 1, 2002
We had a contractor in for a few months to help us out with all our HIPAA work. With 5 more DMZ's and 4 additional 2950's... I'm a bit confused about some things.

My biggest issue is with his NAT 0 statements:

global (outside) 1 x.x.x.x netmask 255.255.255.128
nat (inside) 0 priv.ip.11 255.255.255.255 0 0
nat (inside) 0 priv.ip.12 255.255.255.255 0 0
nat (inside) 0 priv.ip.0.0 255.255.0.0 0 0
nat (inside) 0 priv.ip.0.0 255.255.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 200
nat (RemoteAccessDMZ) 0 0.0.0.0 0.0.0.0 0 0
nat (DoDDMZ) 0 0.0.0.0 0.0.0.0 0 0

As you can see this isn't very good for me. I can no longer PAT it seems unless I am confused as all heck.

This was working for me before. Here were the nat and global statements before our contractor came in. At this time we only had e0, e1 and e2.

global (outside) 1 x.x.x.x netmask 255.255.255.128 (proxy server)
global (outside) 3 x.x.x.x netmask 255.255.255.128 (DNS)
global (outside) 2 x.x.x.x netmask 255.255.255.128 (Misc)
global (dmz) 1 priv.ip.25-priv.ip.175 netmask 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0 150 200
nat (inside) 1 priv.ip.5 255.255.255.255 0 0
nat (inside) 2 priv.ip.14 255.255.255.255 0 0
nat (inside) 3 priv.ip.57 255.255.255.255 0 200

The dmz hosts a web; the statements were to allow access from e1 to the dmz. This was per recommendation, not sure if that was the best way.
There are also statics set up all over the place, such as:
static (inside,doddmz) priv.ip.12 priv.ip.12 255.255.255.255 (Look at the first set of nat 0 statements; to me this seems to be an overlap.)



What I need to be able to do is PAT inside subnets out to the internet without giving everyone and their brother a static and acl. I would love to not set up statics for everyone that needs external access through my pix.

I may be way off base though, maybe there is an easier way, and maybe the current config is workable and right, I don’t know. I’m kind of new to the PIX but have basic understanding and have configured the initial config and maintained it for over a year, but this new 12 page configuration has totally put me back in the newbie chair.

The only interface that needs nat 0 is the doddmz, not all 6 interfaces....

Thanks for the help in advance.
Please tell me if you need more information



 
From what you have typed in, it looks like you should be doing PAT. The statements that tell me this are:
nat (inside) 1 0.0.0.0 0.0.0.0 0 200
global (outside) 1 x.x.x.x netmask 255.255.255.128

Notice that there is a "1" standing by itself in these two statements. This is the process ID. When you create a NAT statement, you "attach" a global command to a particular NAT statement by using the same process ID. In the two statements above, you're saying you want to NAT all addresses on the inside and use one address on the outside.

The NAT 0 statements are typically used if you're doing VPNs. Usually, you don't want to NAT traffic going through VPNs (though it can be done).

There is a better way to disable NAT than this person typed into your PIX. You would use access-lists and then match the access-list to the NAT 0 statement, like this:
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list nonat

The only other thing that looks a little odd is the very low count of connections allowed out (the "200" at the end of your NAT statement). If you do not have many hosts, this is probably OK, but I could see it keeping some of your users from getting out.

At this point, it probably would be best if you posted the entire config so we can see all the globals, etc. to see what the contractor is trying to do.

 
Thank you in advance and for the advice above. I have come to the same conclusion over the past week but really wanted to get advice from others before doing anything.

Below is the configuration for the PIX as it stands, edited for public viewing. It's very long, I included just about everything except "names". It is pretty messy and looks to me like most of the lines are entries not needed and/or used for configuration build reasons or testing reasons... but since the contractor is "done" I now have the pleasure of cleaning house. I think I am going to just have to write a brand new configuration from scratch after eliminating issues.

Prior to the contractor coming in I HAD nat and global statements working just as you suggested with no nat 0 statements at all. However, I only had the InternetDMZ configured at the time, all other interfaces had been disabled and our VPN device was located outside the firewall so there was no need for nat 0.

--

The contractor states that the nat 0 statements are for access to the DoDDMZ which holds a router with specific inbound to their router ACL's controlled by the DOD. I can contact the admin of this router for acl changes.

The RemoteAccessDMZ holds our Cisco VPN concentrator and contains subnet based acls to control access based on VPN groups which are assigned IP's based on access needs.

The InternetDMZ holds our publicly accessed websites.

The BPDMZ holds a couple of routers from biz partners, one is inbound vpn via router with VPN enabled. The other is outbound and is in development.


PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 RemoteAccessDMZ security50
nameif ethernet3 InternetDMZ security15
nameif ethernet4 DoDDMZ security20
nameif ethernet5 BPDMZ security25
clock timezone MST -7
fixup protocol ftp 21
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol skinny 2000
fixup protocol http 80
no fixup protocol h323 h225 1720
no fixup protocol smtp 25
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol rsh 514
fixup protocol sip 5060
no names

object-group network manage
description management group
network-object 10.72.2.230 255.255.255.255
object-group service resume tcp
description ISA Resume server web publishing
port-object eq www
object-group service WebAccess tcp
description Default web access, FTP, HTTP, HTTPS
port-object eq ftp
port-object eq https
port-object eq www
object-group network InternalDNSServers
network-object 192.24.254.14 255.255.255.255
network-object 192.24.254.12 255.255.255.255
object-group network WINSGroup
network-object 192.24.254.11 255.255.255.255
network-object 192.24.254.12 255.255.255.255
object-group network InternalDNSServers_ref
network-object 192.24.254.14 255.255.255.255
network-object 192.24.254.12 255.255.255.255
object-group service MS-Services udp
port-object eq netbios-ns
port-object eq nameserver
port-object eq netbios-dgm
object-group network InternalDNSServers_ref_1
network-object 192.24.254.14 255.255.255.255
network-object 192.24.254.12 255.255.255.255
object-group network ExchangeServers
network-object 192.24.254.42 255.255.255.255
network-object 192.24.254.53 255.255.255.255
object-group service ExchangePorts tcp
port-object eq 6202
port-object eq 6201
port-object eq 135
object-group service HTTPS-HTTP tcp
port-object eq www
port-object eq https
object-group network WPSAccess
network-object 192.24.254.15 255.255.255.255
network-object 192.24.254.54 255.255.255.255
object-group service WPSPorts tcp
port-object eq 137
port-object eq 135
port-object eq https
port-object eq www
port-object eq netbios-ssn
object-group network WPSAccess_ref
network-object 192.24.254.15 255.255.255.255
network-object 192.24.254.54 255.255.255.255
object-group service VoipAccess tcp
port-object eq pop3
port-object eq smtp
port-object eq www
port-object eq 1701
port-object eq 1863
object-group service VoipAccess2 udp
port-object eq domain
port-object eq isakmp
object-group service MicrosoftPorts tcp
port-object eq 135
port-object eq 445
port-object eq netbios-ssn
object-group network Inter-Intranet
network-object 192.24.254.5 255.255.255.255
network-object 192.24.254.52 255.255.255.255
network-object 192.24.254.50 255.255.255.255
object-group network Inter-Intranet_ref
network-object 192.24.254.5 255.255.255.255
network-object 192.24.254.52 255.255.255.255
network-object 192.24.254.50 255.255.255.255
object-group network PrintEmailNAS
network-object 192.24.254.31 255.255.255.255
network-object 192.24.254.53 255.255.255.255
network-object 192.24.254.15 255.255.255.255
object-group network PrintEmailNAS_ref
network-object 192.24.254.31 255.255.255.255
network-object 192.24.254.53 255.255.255.255
network-object 192.24.254.15 255.255.255.255
object-group network WINSGroup_ref
network-object 192.24.254.11 255.255.255.255
network-object 192.24.254.12 255.255.255.255
object-group network SyslogGroup
network-object 192.24.254.46 255.255.255.255
network-object 192.24.254.70 255.255.255.255
object-group network SyslogGroup_ref
network-object 192.24.254.46 255.255.255.255
network-object 192.24.254.70 255.255.255.255
object-group network SyslogGroup_ref_1
network-object 192.24.254.46 255.255.255.255
network-object 192.24.254.70 255.255.255.255
object-group service SNMP-Group udp
port-object eq snmp
port-object eq snmptrap
access-list acl-outside permit tcp any host x.x.x.142 object-group resume
access-list acl-outside permit tcp host x.x.x.x host x.x.x.254 eq www
access-list acl-outside permit tcp any host x.x.x.254 eq https
access-list acl-outside permit tcp any host x.x.x.132 eq smtp
access-list acl-outside permit tcp host 10.128.254.2 host 192.24.254.62 eq tacacs
access-list acl-outside permit tcp any host x.x.x.253 eq www
access-list acl-outside permit tcp any host x.x.x.253 eq https
access-list acl-outside deny ip any any
access-list acl-inside permit tcp host 192.24.254.57 host x.x.x.x eq 3101
access-list acl-inside permit ip host 192.24.254.200 any
access-list acl-inside permit ip host 192.24.254.202 any
access-list acl-inside permit ip any host x.x.x.x
access-list acl-inside permit udp host 192.24.254.14 any eq domain
access-list acl-inside permit udp host 192.24.254.12 any eq domain
access-list acl-inside permit tcp host 192.24.254.113 host x.x.x.x eq 1433
access-list acl-inside permit tcp host 192.24.254.23 host x.x.x.x eq 1433
access-list acl-inside permit tcp host 192.24.254.53 any eq smtp
access-list acl-inside permit tcp host 192.24.254.200 host 10.82.1.10 eq telnet
access-list acl-inside permit icmp any any
access-list acl-inside permit tcp any any eq sqlnet
access-list acl-inside permit tcp any any eq 3002
access-list acl-inside permit tcp any host 10.82.108.10 eq 3389
access-list acl-inside permit tcp any host 10.82.108.11 eq 3389
access-list acl-inside permit udp host 192.24.254.46 host 10.128.254.2 object-group SNMP-Group
access-list acl-inside permit udp host 192.24.254.46 host 10.128.254.1 object-group SNMP-Group
access-list acl-inside permit udp host 192.24.254.46 host 10.128.254.3 object-group SNMP-Group
access-list acl-inside permit udp host 192.24.254.46 host 10.128.254.4 object-group SNMP-Group
access-list acl-inside permit ip 192.24.0.0 255.255.0.0 host 10.82.64.5
access-list acl-inside permit tcp host 192.24.254.5 any eq www
access-list acl-inside permit tcp host 192.24.254.5 any eq ftp
access-list acl-inside permit tcp host 192.24.254.5 any eq https
access-list acl-inside permit tcp host 192.24.254.5 any eq 1433
access-list acl-inside deny ip any any
access-list dmz_access_in permit udp host 10.128.254.1 object-group SyslogGroup eq syslog
access-list dmz_access_in permit tcp host 10.128.254.1 host 192.24.254.62 eq tacacs
access-list dmz_access_in permit udp host 192.168.3.254 host 192.24.254.68 eq ntp
access-list dmz_access_in deny tcp host 10.82.104.10 any object-group WebAccess
access-list dmz_access_in deny ip host 10.82.104.10 host x.x.x.x
access-list dmz_access_in permit tcp host 10.82.108.10 host 192.24.254.23 eq 28495
access-list dmz_access_in permit tcp host 10.82.108.11 host 192.24.254.23 eq 28495
access-list dmz_access_in deny ip any any
access-list VPNDMZ_access_in permit udp host 10.82.64.5 object-group InternalDNSServers_ref eq domain
access-list VPNDMZ_access_in permit udp host 10.82.64.5 host 192.24.254.11 object-group MS-Services
access-list VPNDMZ_access_in permit tcp host 10.82.64.5 host 192.24.254.12 eq netbios-ssn
access-list VPNDMZ_access_in permit ip host 10.82.64.5 any
access-list VPNDMZ_access_in permit icmp any any
access-list VPNDMZ_access_in permit tcp 10.82.64.128 255.255.255.192 object-group WINSGroup_ref eq netbios-ssn
access-list VPNDMZ_access_in permit udp 10.82.64.128 255.255.255.192 object-group WINSGroup_ref eq netbios-dgm
access-list VPNDMZ_access_in permit tcp 10.82.64.128 255.255.255.192 object-group Inter-Intranet_ref object-group HTTPS-HTTP
access-list VPNDMZ_access_in permit tcp 10.82.64.128 255.255.255.192 object-group Inter-Intranet_ref eq 7001
access-list VPNDMZ_access_in permit tcp 10.82.64.128 255.255.255.192 host 192.24.254.53 gt 1024
access-list VPNDMZ_access_in permit tcp 10.82.64.128 255.255.255.192 object-group PrintEmailNAS_ref object-group MicrosoftPorts
access-list VPNDMZ_access_in permit udp 10.82.64.128 255.255.255.192 object-group InternalDNSServers_ref eq domain
access-list VPNDMZ_access_in deny ip 10.82.64.128 255.255.255.192 any
access-list VPNDMZ_access_in permit tcp 10.82.64.32 255.255.255.224 host 192.24.254.22 eq telnet
access-list VPNDMZ_access_in deny ip 10.82.64.32 255.255.255.224 any
access-list VPNDMZ_access_in permit icmp 10.82.64.240 255.255.255.240 any
access-list VPNDMZ_access_in permit tcp 10.82.64.240 255.255.255.240 host 192.24.254.22 eq telnet
access-list VPNDMZ_access_in permit tcp 10.82.64.240 255.255.255.240 host 192.24.254.52 object-group HTTPS-HTTP
access-list VPNDMZ_access_in permit udp 10.82.64.240 255.255.255.240 object-group WINSGroup_ref eq netbios-ns
access-list VPNDMZ_access_in permit udp 10.82.64.240 255.255.255.240 object-group InternalDNSServers_ref eq domain
access-list VPNDMZ_access_in permit tcp 10.82.64.240 255.255.255.240 host 192.24.254.5 object-group HTTPS-HTTP
access-list VPNDMZ_access_in permit ip 10.82.64.240 255.255.255.240 10.72.11.0 255.255.255.0
access-list VPNDMZ_access_in deny ip 10.82.64.240 255.255.255.240 any
access-list VPNDMZ_access_in permit ip 10.82.64.208 255.255.255.240 any
access-list VPNDMZ_access_in deny ip 10.82.64.208 255.255.255.240 any
access-list VPNDMZ_access_in permit ip 10.82.64.16 255.255.255.240 any
access-list VPNDMZ_access_in permit ip host 10.82.64.10 any
access-list VPNDMZ_access_in deny ip any any
access-list BPDMZ_access_in permit udp host 10.82.1.10 any object-group MS-Services
access-list BPDMZ_access_in permit tcp host 10.82.1.10 any eq netbios-ssn
access-list BPDMZ_access_in permit udp host 10.82.1.10 object-group InternalDNSServers_ref_1 eq domain
access-list BPDMZ_access_in permit icmp any any
access-list BPDMZ_access_in permit tcp 192.168.251.0 255.255.255.0 object-group WPSAccess_ref
access-list BPDMZ_access_in permit icmp 192.168.251.0 255.255.255.0 any
access-list BPDMZ_access_in permit udp host 10.82.1.5 any object-group VoipAccess2
access-list BPDMZ_access_in permit tcp host 10.82.1.5 any object-group VoipAccess
access-list BPDMZ_access_in permit udp host 10.82.1.10 object-group SyslogGroup_ref_1 eq syslog
access-list BPDMZ_access_in permit udp host 10.128.254.3 object-group SyslogGroup_ref_1 eq syslog
access-list BPDMZ_access_in permit udp host 10.82.1.3 host 192.24.254.68 eq ntp
access-list BPDMZ_access_in permit tcp host 10.128.254.3 host 192.24.254.62 eq tacacs
access-list BPDMZ_access_in deny ip any any
access-list DoDDMZ_access_in permit udp host 10.82.32.5 host 192.24.254.68 eq ntp
access-list DoDDMZ_access_in permit udp host 10.128.254.4 object-group SyslogGroup_ref eq syslog
access-list DoDDMZ_access_in permit tcp host 10.128.254.4 host 192.24.254.62 eq tacacs
access-list DoDDMZ_access_in permit icmp any any
access-list DoDDMZ_access_in permit ip any any
access-list DoDDMZ_access_in deny ip any any
access-list inside_accounting_RADIUS permit tcp any any
pager lines 24
logging on
logging timestamp
logging standby
logging monitor emergencies
logging buffered critical
logging trap debugging
logging history critical
logging facility 23
logging queue 1024
logging host inside 192.24.254.70
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 100full
icmp deny any echo-reply outside
icmp permit any unreachable outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu RemoteAccessDMZ 1500
mtu InternetDMZ 1500
mtu DoDDMZ 1500
mtu BPDMZ 1500
ip address outside x.x.x.130 255.255.255.128
ip address inside 10.72.1.1 255.255.255.0
ip address RemoteAccessDMZ 10.82.64.1 255.255.255.240
ip address InternetDMZ 10.82.96.1 255.255.255.0
ip address DoDDMZ 10.82.32.1 255.255.255.0
ip address BPDMZ 10.82.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface RemoteAccessDMZ
ip verify reverse-path interface InternetDMZ
ip verify reverse-path interface DoDDMZ
ip verify reverse-path interface BPDMZ
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:01:00
failover poll 15
failover ip address outside x.x.x.140
failover ip address inside 10.72.1.2
failover ip address RemoteAccessDMZ 10.82.64.2
failover ip address InternetDMZ 10.82.96.2
failover ip address DoDDMZ 10.82.32.2
failover ip address BPDMZ 10.82.1.2
pdm location 192.24.254.5 255.255.255.255 inside
pdm location 192.24.254.214 255.255.255.255 inside
pdm location 192.24.254.46 255.255.255.255 inside
pdm location 10.72.2.20 255.255.255.255 inside
pdm location 192.24.254.14 255.255.255.255 inside
pdm location 192.24.254.57 255.255.255.255 inside
pdm location 192.24.254.169 255.255.255.255 inside
pdm location 192.24.254.200 255.255.255.255 inside
pdm location 192.24.254.202 255.255.255.255 inside
pdm location x.x.x.0 255.255.0.0 outside
pdm location 192.24.254.218 255.255.255.255 inside
pdm location x.x.x.x 255.255.255.255 outside
pdm location 192.24.254.21 255.255.255.255 inside
pdm location x.x.x.220 255.255.255.255 outside
pdm location 192.24.253.234 255.255.255.255 inside
pdm location 10.72.2.177 255.255.255.255 inside
pdm location 192.24.254.23 255.255.255.255 inside
pdm location 192.24.254.112 255.255.255.255 inside
pdm location 10.72.2.230 255.255.255.255 inside
pdm location 10.82.64.5 255.255.255.255 RemoteAccessDMZ
pdm location 10.82.64.5 255.255.255.255 inside
pdm location 10.82.64.5 255.255.255.255 BPDMZ
pdm location 10.82.64.5 255.255.255.255 InternetDMZ
pdm location 10.82.64.10 255.255.255.255 RemoteAccessDMZ
pdm location 10.82.1.10 255.255.255.255 BPDMZ
pdm location 192.24.254.11 255.255.255.255 inside
pdm location 192.24.254.12 255.255.255.255 inside
pdm location x.x.x.201 255.255.255.255 outside
pdm location 192.24.254.50 255.255.255.255 inside
pdm location x.x.x.152 255.255.255.255 outside
pdm location 192.24.254.42 255.255.255.255 inside
pdm location 192.24.254.53 255.255.255.255 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 192.24.0.0 255.255.0.0 inside
pdm location 10.82.64.0 255.255.255.0 RemoteAccessDMZ
pdm location 10.82.64.128 255.255.255.128 RemoteAccessDMZ
pdm location 10.72.0.0 255.255.0.0 inside
pdm location 192.24.254.15 255.255.255.255 inside
pdm location 192.24.254.54 255.255.255.255 inside
pdm location x.x.x.36 255.255.255.255 outside
pdm location 192.168.251.0 255.255.255.0 BPDMZ
pdm location x.x.x.254 255.255.255.255 inside
pdm location 10.82.32.20 255.255.255.255 DoDDMZ
pdm location 192.24.254.22 255.255.255.255 inside
pdm location x.x.x.73 255.255.255.255 inside
pdm location 10.82.1.5 255.255.255.255 BPDMZ
pdm location 192.24.254.70 255.255.255.255 inside
pdm location 10.82.64.16 255.255.255.240 RemoteAccessDMZ
pdm location 10.82.64.32 255.255.255.224 RemoteAccessDMZ
pdm location 10.82.64.64 255.255.255.192 RemoteAccessDMZ
pdm location x.x.x.0 255.255.255.0 inside
pdm location x.x.x.0 255.255.255.0 DoDDMZ
pdm location z.z.11.0 255.255.255.0 DoDDMZ
pdm location x.x.193.0 255.255.255.0 DoDDMZ
pdm location x.x.118.0 255.255.255.0 DoDDMZ
pdm location x.x.119.0 255.255.255.0 DoDDMZ
pdm location 10.82.56.0 255.255.255.0 DoDDMZ
pdm location 10.128.254.4 255.255.255.255 DoDDMZ
pdm location 192.24.254.68 255.255.255.255 inside
pdm location 10.82.32.5 255.255.255.255 DoDDMZ
pdm location 10.82.56.10 255.255.255.255 DoDDMZ
pdm location 10.82.56.10 255.255.255.255 inside
pdm location 10.72.0.0 255.255.255.255 inside
pdm location 192.24.0.0 255.255.255.255 inside
pdm location 10.72.11.0 255.255.255.0 inside
pdm location 10.82.64.240 255.255.255.240 RemoteAccessDMZ
pdm location 192.24.254.113 255.255.255.255 inside
pdm location 10.82.64.128 255.255.255.192 RemoteAccessDMZ
pdm location x.x.x.39 255.255.255.255 outside
pdm location 192.24.254.52 255.255.255.255 inside
pdm location 192.24.254.31 255.255.255.255 inside
pdm location 192.24.48.3 255.255.255.255 inside
pdm location 10.82.64.208 255.255.255.240 RemoteAccessDMZ
pdm location 192.24.254.62 255.255.255.255 inside
pdm location x.x.228.0 255.255.255.0 outside
pdm location x.x.228.0 255.255.255.255 outside
pdm location 10.128.254.2 255.255.255.255 outside
pdm location 10.82.1.3 255.255.255.255 BPDMZ
pdm location 10.128.254.3 255.255.255.255 BPDMZ
pdm location 10.128.254.1 255.255.255.255 InternetDMZ
pdm location 192.168.3.254 255.255.255.255 InternetDMZ
pdm location x.x.28.205 255.255.255.255 outside
pdm location x.x.28.0 255.255.255.0 outside
pdm location 10.82.104.10 255.255.255.255 InternetDMZ
pdm location x.x.x.253 255.255.255.255 inside
pdm location 10.82.108.10 255.255.255.255 InternetDMZ
pdm location 10.82.108.0 255.255.255.0 InternetDMZ
pdm location 10.82.104.0 255.255.255.0 InternetDMZ
pdm location 10.82.108.11 255.255.255.255 InternetDMZ
pdm group manage inside
pdm group InternalDNSServers inside
pdm group WINSGroup inside
pdm group InternalDNSServers_ref RemoteAccessDMZ reference InternalDNSServers
pdm group InternalDNSServers_ref_1 BPDMZ reference InternalDNSServers
pdm group ExchangeServers inside
pdm group WPSAccess inside
pdm group WPSAccess_ref BPDMZ reference WPSAccess
pdm group Inter-Intranet inside
pdm group Inter-Intranet_ref RemoteAccessDMZ reference Inter-Intranet
pdm group PrintEmailNAS inside
pdm group PrintEmailNAS_ref RemoteAccessDMZ reference PrintEmailNAS
pdm group WINSGroup_ref RemoteAccessDMZ reference WINSGroup
pdm group SyslogGroup inside
pdm group SyslogGroup_ref DoDDMZ reference SyslogGroup
pdm group SyslogGroup_ref_1 BPDMZ reference SyslogGroup
pdm logging errors 100
pdm history enable
arp timeout 7200
global (outside) 1 x.x.x.131 netmask 255.255.255.128
nat (inside) 1 192.24.254.5 255.255.255.255 0 0
nat (inside) 0 192.24.254.11 255.255.255.255 0 0
nat (inside) 0 192.24.254.12 255.255.255.255 0 0
nat (inside) 0 10.72.0.0 255.255.0.0 0 0
nat (inside) 0 192.24.0.0 255.255.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 200
nat (RemoteAccessDMZ) 0 0.0.0.0 0.0.0.0 0 0
nat (DoDDMZ) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.143 192.24.254.218 netmask 255.255.255.255 300 200
static (inside,outside) x.x.x.144 192.24.254.169 netmask 255.255.255.255 100 200
static (inside,outside) x.x.x.145 192.24.254.23 netmask 255.255.255.255 100 200
static (RemoteAccessDMZ,BPDMZ) 10.82.64.5 10.82.64.5 netmask 255.255.255.255 0 0
static (RemoteAccessDMZ,DoDDMZ) 10.82.64.5 10.82.64.5 netmask 255.255.255.255 0 0
static (RemoteAccessDMZ,InternetDMZ) 10.82.64.5 10.82.64.5 netmask 255.255.255.255 0 0
static (RemoteAccessDMZ,outside) 10.82.64.5 10.82.64.5 netmask 255.255.255.255 0 0
static (RemoteAccessDMZ,inside) 10.82.64.5 10.82.64.5 netmask 255.255.255.255 0 0
static (BPDMZ,inside) 10.82.1.10 10.82.1.10 netmask 255.255.255.255 0 0
static (inside,RemoteAccessDMZ) 192.24.254.14 192.24.254.14 netmask 255.255.255.255 0 0
static (inside,RemoteAccessDMZ) 192.24.254.12 192.24.254.12 netmask 255.255.255.255 0 0
static (inside,RemoteAccessDMZ) 192.24.254.11 192.24.254.11 netmask 255.255.255.255 0 0
static (inside,BPDMZ) 192.24.254.14 192.24.254.14 netmask 255.255.255.255 0 0
static (inside,BPDMZ) 192.24.254.12 192.24.254.12 netmask 255.255.255.255 0 0
static (inside,RemoteAccessDMZ) 192.24.254.42 192.24.254.42 netmask 255.255.255.255 0 0
static (inside,RemoteAccessDMZ) 192.24.254.53 192.24.254.53 netmask 255.255.255.255 0 0
static (inside,outside) 192.24.254.11 192.24.254.11 netmask 255.255.255.255 0 0
static (inside,RemoteAccessDMZ) 192.24.254.200 192.24.254.200 netmask 255.255.255.255 0 0
static (inside,BPDMZ) 192.24.254.200 192.24.254.200 netmask 255.255.255.255 0 0
static (inside,RemoteAccessDMZ) 192.24.0.0 192.24.0.0 netmask 255.255.0.0 0 0
static (inside,BPDMZ) 192.24.0.0 192.24.0.0 netmask 255.255.0.0 0 0
static (inside,RemoteAccessDMZ) 10.72.0.0 10.72.0.0 netmask 255.255.0.0 0 0
static (inside,BPDMZ) 10.72.0.0 10.72.0.0 netmask 255.255.0.0 0 0
static (inside,outside) x.x.x.132 192.24.254.53 netmask 255.255.255.255 0 300
static (DoDDMZ,outside) x.x.x.156 10.82.32.20 netmask 255.255.255.255 0 0
static (BPDMZ,outside) x.x.x.252 10.82.1.5 netmask 255.255.255.255 0 0
static (inside,DoDDMZ) 192.24.254.68 192.24.254.68 netmask 255.255.255.255 0 0
static (inside,DoDDMZ) 192.24.254.70 192.24.254.70 netmask 255.255.255.255 0 0
static (inside,DoDDMZ) 10.82.56.10 10.82.56.10 netmask 255.255.255.255 0 0
static (inside,DoDDMZ) 192.24.0.0 192.24.0.0 netmask 255.255.255.255 0 0
static (inside,DoDDMZ) 10.72.0.0 10.72.0.0 netmask 255.255.255.255 0 0
static (inside,DoDDMZ) 192.24.254.46 192.24.254.46 netmask 255.255.255.255 0 0
static (inside,DoDDMZ) 192.24.254.62 192.24.254.62 netmask 255.255.255.255 0 0
static (inside,InternetDMZ) 192.24.254.68 192.24.254.68 netmask 255.255.255.255 0 0
static (inside,InternetDMZ) 192.24.254.62 192.24.254.62 netmask 255.255.255.255 0 0
static (inside,InternetDMZ) 192.24.254.70 192.24.254.70 netmask 255.255.255.255 0 0
static (inside,InternetDMZ) 192.24.254.46 192.24.254.46 netmask 255.255.255.255 0 0
static (inside,BPDMZ) 192.24.254.68 192.24.254.68 netmask 255.255.255.255 0 0
static (inside,BPDMZ) 192.24.254.62 192.24.254.62 netmask 255.255.255.255 0 0
static (inside,BPDMZ) 192.24.254.70 192.24.254.70 netmask 255.255.255.255 0 0
static (inside,BPDMZ) 192.24.254.46 192.24.254.46 netmask 255.255.255.255 0 0
static (inside,outside) 192.24.254.62 192.24.254.62 netmask 255.255.255.255 0 0
static (inside,outside) 192.24.254.70 192.24.254.70 netmask 255.255.255.255 0 0
static (inside,outside) 192.24.254.46 192.24.254.46 netmask 255.255.255.255 0 0
static (InternetDMZ,outside) x.x.x.142 10.82.104.10 netmask 255.255.255.255 0 0
static (InternetDMZ,outside) x.x.x.254 10.82.108.10 netmask 255.255.255.255 0 0
static (inside,InternetDMZ) 10.82.108.10 x.x.x.254 netmask 255.255.255.255 0 0
static (inside,InternetDMZ) 10.82.108.11 x.x.x.253 netmask 255.255.255.255 0 0
static (InternetDMZ,outside) x.x.x.253 10.82.108.11 netmask 255.255.255.255 0 0
static (inside,InternetDMZ) 192.24.254.23 192.24.254.23 netmask 255.255.255.255 0 0
access-group acl-outside in interface outside
access-group acl-inside in interface inside
access-group VPNDMZ_access_in in interface RemoteAccessDMZ
access-group dmz_access_in in interface InternetDMZ
access-group DoDDMZ_access_in in interface DoDDMZ
access-group BPDMZ_access_in in interface BPDMZ
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1
route inside 10.72.0.0 255.255.0.0 10.72.1.3 1
route DoDDMZ 10.82.56.0 255.255.255.0 10.82.32.5 1
route RemoteAccessDMZ 10.82.64.16 255.255.255.240 10.82.64.5 1
route RemoteAccessDMZ 10.82.64.32 255.255.255.224 10.82.64.5 1
route RemoteAccessDMZ 10.82.64.64 255.255.255.192 10.82.64.5 1
route RemoteAccessDMZ 10.82.64.128 255.255.255.128 10.82.64.5 1
route InternetDMZ 10.82.104.0 255.255.255.0 10.82.96.3 1
route InternetDMZ 10.82.108.0 255.255.255.0 10.82.96.3 1
route InternetDMZ 10.128.254.1 255.255.255.255 10.82.96.3 1
route outside 10.128.254.2 255.255.255.255 x.x.x.129 1
route BPDMZ 10.128.254.3 255.255.255.255 10.82.1.3 1
route DoDDMZ 10.128.254.4 255.255.255.255 10.82.32.5 1
route outside x.x.0.0 255.255.0.0 x.x.197.1 1
route inside 192.24.0.0 255.255.0.0 10.72.1.3 1
route BPDMZ 192.168.251.0 255.255.255.0 10.82.1.10 1
route DoDDMZ z.z.11.0 255.255.255.0 10.82.32.5 1
route DoDDMZ x.x.193.0 255.255.255.0 10.82.32.5 1
route DoDDMZ x.x.117.0 255.255.255.0 10.82.32.5 1
route DoDDMZ x.x.118.0 255.255.255.0 10.82.32.5 1
route DoDDMZ x.x.119.0 255.255.255.0 10.82.32.5 1
timeout xlate 0:30:00
timeout conn 0:15:00 half-closed 0:05:00 udp 0:02:00 rpc 0:05:00 h323 0:05:00 sip 0:05:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute uauth 0:01:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.24.254.62 -- timeout 20
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.24.254.62 -- timeout 5
aaa-server LOCAL protocol local
aaa authentication http console TACACS+
aaa authentication serial console TACACS+
aaa authentication ssh console TACACS+
aaa authentication telnet console TACACS+
aaa accounting match inside_accounting_RADIUS inside RADIUS
ntp server 192.24.254.68 source inside prefer
http server enable
http 192.24.254.214 255.255.255.255 inside
http 10.82.64.10 255.255.255.255 RemoteAccessDMZ
http 10.82.64.208 255.255.255.240 RemoteAccessDMZ
snmp-server host inside 192.24.254.46
no snmp-server location
snmp-server community ---
snmp-server enable traps
floodguard enable
sysopt security fragguard
no sysopt route dnat
telnet 192.24.254.200 255.255.255.255 inside
telnet 192.24.254.214 255.255.255.255 inside
telnet 10.82.64.10 255.255.255.255 RemoteAccessDMZ
telnet 10.82.104.10 255.255.255.255 InternetDMZ
telnet timeout 10
ssh 192.24.254.214 255.255.255.255 inside
ssh timeout 5
terminal width 80
: end
[OK]


As a side note on our internal network:
We are in the process of changing our internal network from static IP addresses to DHCP with department-based VLANs. Using the modified config above, for example: IT is 10.72.2.x, Human Resources is 10.72.3.x, and so on. Access needs to any DMZ can and probably will come from any internal device.
Static devices are on subnet 192.24.x.x. Only internal servers, routers, switches and printers will be on this subnet when our VLAN project is completed.


Thanks again,
A
 
OK, it looks like two different methods of disabling NAT are being used. First, you have the NAT 0 statements:
nat (inside) 0 192.24.254.11 255.255.255.255 0 0
nat (inside) 0 192.24.254.12 255.255.255.255 0 0
nat (inside) 0 10.72.0.0 255.255.0.0 0 0
nat (inside) 0 192.24.0.0 255.255.0.0 0 0

...and then you also have some static statements that do somewhat the same thing:
static (inside,DoDDMZ) 192.24.254.68 192.24.254.68 netmask 255.255.255.255 0 0
static (inside,DoDDMZ) 192.24.254.70 192.24.254.70 netmask 255.255.255.255 0 0
static (inside,DoDDMZ) 10.82.56.10 10.82.56.10 netmask 255.255.255.255 0 0
static (inside,DoDDMZ) 192.24.0.0 192.24.0.0 netmask 255.255.255.255 0 0
static (inside,DoDDMZ) 10.72.0.0 10.72.0.0 netmask 255.255.255.255 0 0
static (inside,DoDDMZ) 192.24.254.46 192.24.254.46 netmask 255.255.255.255 0 0
static (inside,DoDDMZ) 192.24.254.62 192.24.254.62 netmask 255.255.255.255 0 0

Of the above statements, the two most interesting are:
static (inside,DoDDMZ) 192.24.0.0 192.24.0.0 netmask 255.255.255.255 0 0
static (inside,DoDDMZ) 10.72.0.0 10.72.0.0 netmask 255.255.255.255 0 0

Those rules sort of say all hosts on the 192.24 and 10.72 networks should not be translated when they go out the DoDDMZ segment. I say "sort of" because the netmask is a host-only netmask. It should be (according to the Cisco manual) a network subnet mask (255.255.0.0). If that is what you wanted, then those two static statements would take care of all hosts on these networks. You should then be able to eliminate the NAT 0 statements altogether.
 
Two additional notes:

1) Be sure to do a "clear xlate" after changing NAT/Global/Static statements.

2) You could do NAT 0 instead of statics if you wanted. No matter what, I would do them all one way or the other.
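The checks the two replies walk through by eye (a nat id with no global to attach to, identity statics that duplicate a nat 0 range, a host-only netmask on a static for a whole network, and the access-list form of nat 0 suggested in the first reply) can be run mechanically over the nat/global/static lines. This is an added example written for this thread, not Cisco code or the poster's config; the sample lines are constructed from the thread with placeholder public addresses, and the DoDDMZ subnet 10.82.32.0/24 is taken from the posted config.

```python
"""Audit the nat / global / static lines of a PIX 6.x config for the issues
raised in this thread.  Example code written for this page, not Cisco's."""
import re
from ipaddress import ip_network

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_ACL_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)(?: (\d+) (\d+))?")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)(?: (\d+) (\d+))?")

# Constructed sample: public addresses are placeholders, private ones as in the thread.
SAMPLE = """\
global (outside) 1 203.0.113.131 netmask 255.255.255.128
nat (inside) 1 192.24.254.5 255.255.255.255 0 0
nat (inside) 3 192.24.254.57 255.255.255.255 0 200
nat (inside) 0 192.24.254.11 255.255.255.255 0 0
nat (inside) 0 10.72.0.0 255.255.0.0 0 0
nat (inside) 0 192.24.0.0 255.255.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 200
nat (DoDDMZ) 0 0.0.0.0 0.0.0.0 0 0
static (inside,DoDDMZ) 192.24.0.0 192.24.0.0 netmask 255.255.255.255 0 0
static (inside,DoDDMZ) 10.72.0.0 10.72.0.0 netmask 255.255.255.255 0 0
static (inside,DoDDMZ) 192.24.254.68 192.24.254.68 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.143 192.24.254.218 netmask 255.255.255.255 300 200
"""


def parse(text):
    """Collect global, nat and static lines; every other line is ignored."""
    cfg = {"global": [], "nat": [], "nat_acl": [], "static": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAT_ACL_RE.match(line):
            cfg["nat_acl"].append({"iface": m[1], "acl": m[2]})
        elif m := NAT_RE.match(line):
            # trailing counters are max_conns and the embryonic limit (0 = unlimited)
            cfg["nat"].append({"iface": m[1], "id": int(m[2]),
                               "net": ip_network(f"{m[3]}/{m[4]}", strict=False),
                               "max_conns": int(m[5] or 0), "emb_limit": int(m[6] or 0)})
        elif m := GLOBAL_RE.match(line):
            cfg["global"].append({"iface": m[1], "id": int(m[2]), "addr": m[3]})
        elif m := STATIC_RE.match(line):
            # PIX syntax: static (real_ifc,mapped_ifc) mapped_addr real_addr netmask mask
            cfg["static"].append({"real_ifc": m[1], "mapped_ifc": m[2],
                                  "mapped": m[3], "real": m[4], "mask": m[5]})
    return cfg


def unmatched_nat_ids(cfg):
    """A nat id above 0 translates nothing until a global with the same id exists."""
    have = {g["id"] for g in cfg["global"]}
    return sorted({n["id"] for n in cfg["nat"] if n["id"] > 0 and n["id"] not in have})


def nat0_static_overlap(cfg):
    """Identity statics (mapped == real) whose real address a nat 0 range on the
    same real interface already exempts: two mechanisms doing one job."""
    hits = []
    for s in cfg["static"]:
        if s["mapped"] != s["real"]:
            continue
        real = ip_network(f"{s['real']}/{s['mask']}", strict=False)
        for n in cfg["nat"]:
            if n["id"] == 0 and n["iface"] == s["real_ifc"] and real.subnet_of(n["net"]):
                hits.append((s["real"], s["mapped_ifc"], str(n["net"])))
    return hits


def host_mask_on_network(cfg):
    """Statics written with netmask 255.255.255.255 for an address that a nat 0
    line on the same interface treats as a network; returns the mask nat 0 uses."""
    wider = {(n["iface"], str(n["net"].network_address)): str(n["net"].netmask)
             for n in cfg["nat"] if n["id"] == 0 and n["net"].prefixlen < 32}
    return [(s["real"], wider[(s["real_ifc"], s["real"])]) for s in cfg["static"]
            if s["mask"] == "255.255.255.255" and (s["real_ifc"], s["real"]) in wider]


def nat0_as_acl(cfg, iface, dst, name="nonat"):
    """Render the form the first reply recommends: one access-list entry per
    nat 0 range towards dst, then a single 'nat (iface) 0 access-list' line."""
    dst = ip_network(dst)
    lines = [f"access-list {name} permit ip {n['net'].network_address} {n['net'].netmask} "
             f"{dst.network_address} {dst.netmask}"
             for n in cfg["nat"] if n["id"] == 0 and n["iface"] == iface and n["net"].prefixlen > 0]
    lines.append(f"nat ({iface}) 0 access-list {name}")
    return lines


if __name__ == "__main__":
    cfg = parse(SAMPLE)
    print("nat ids without a global:", unmatched_nat_ids(cfg))
    print("identity statics overlapping nat 0:", nat0_static_overlap(cfg))
    print("host mask on a network address:", host_mask_on_network(cfg))
    print("\n".join(nat0_as_acl(cfg, "inside", "10.82.32.0/24")))
```

Run it against the nat/global/static section of a real `write terminal` dump after a `clear xlate`-worthy change; only these four statement types are parsed.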
 
Thank you for your help in this matter. I will be doing major overhaul work on the config. The incorrect masks probably came from using PDM ;)

I will post my results!

-A
 