
Newbie question on NAT


str8flush (MIS, joined Sep 30, 2003, 4 messages, US)

Hi all

We are moving from Checkpoint Firewall-1 to a Cisco PIX 515e and this is my first configuration so any help is appreciated.

We have 3 interfaces.

Network A 222.222.222.0/24 (Outside)
Network B 192.168.0.0/24 (Inside)
Network C 10.0.0.0/8 (Dmz)

I have NAT configured as follows

global (outside) 1 222.222.222.254
global (dmz) 1 222.222.222.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

Questions:

1. Does this seem right if I want all hosts in either the DMZ or the Inside network to be dynamically translated to 222.222.222.254 unless statically assigned? (In checkpoint we have all hosts not explicitly translated using this type of PAT so I wanted to keep it as close to that as possible)

2. Does this mean that the hosts in the Dmz and the Inside are translated to 222.222.222.254 when the communication is just between a host in the dmz and a host in the inside? Or does this only apply when the hosts leave the outside interface?

2. Access-Lists aside, if I want a host on the DMZ subnet to initiate a connection to a host on the Inside subnet, does the host on the Inside subnet need a Static translation (222.222.222.x) or can I use its "real" IP address (10.0.0.x)?

We have tons of configurations that rely on settings based on real-ip to real-ip...

Thanks in advance for any help!

 
Well, one thing that you misunderstood is the global statement: it defines what to translate to for that group ("1" in this case), so any interface that has a nat 1 statement will be translated to 222.222.222.254 when going out the outside interface.

Point: Remove the global from the DMZ, not needed, won't work.

Also, if this is all you have configured, then the Security level on the interfaces will deny any traffic from a lower interface to a higher one, i.e. from outside to inside and to dmz, and from dmz to inside.

Traffic from inside to dmz will be permitted, but you have no translation (either nonat or otherwise) so it will not work. For comm. between these two the easiest thing would be nat (inside) 0 access-list nonat, where nonat defines from the inside to the dmz ips.

Also, any traffic from a lower to a higher intf. must be permitted by an acl, except for return traffic from a lower to a higher.

Hope this helps, and doesn't make you more confused.
Jan


Network Systems Engineer
CCNA/CQS
 
Hi.

> Point: Remove the global from the DMZ, not needed, won't work.
That's correct.
But if you need to allow traffic from inside workstations to DMZ host, then add:

global (dmz) 1 10.0.0.X

Where X = an unused IP address in the DMZ subnet.

"nat (inside) 0 access-list nonat" can also work but I would go with "global (dmz) 1 ..." which is more secure (using hide nat to protect internal network from dmz) and more "straight forward" following the pix "way" of doing things.

> 2. Access-Lists aside, if I want a host on the DMZ subnet
> to initiate a connection to a host on the Inside subnet ...
There are several options.
My suggestion is to use static in either of the following methods:
static (inside,dmz) 10.0.0.X 192.168.0.X
static (inside,dmz) 192.168.0.X 192.168.0.X

More specific info here:
Using nat, global, static, conduit, and access-list Commands and Port Redirection on PIX

Yizhar Hurwitz
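Putting Jan's and Yizhar's answers together as one PIX 6.x configuration, as an added example that is not part of the thread. The interface addresses .1, the dmz hide address 10.0.0.254, an inside server 192.168.0.10 and a dmz web server 10.0.0.20 are assumed for illustration.

```cisco
! Added example (not from the thread). Interface security levels decide the
! default direction: higher -> lower is allowed (if a translation exists),
! lower -> higher is denied until a static plus an ACL permit it.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 222.222.222.1 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip address dmz 10.0.0.1 255.0.0.0
!
! Pool 1 toward the outside (the poster's original lines): inside and dmz
! hosts are PATed to .254 when they leave the outside interface.
global (outside) 1 222.222.222.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
!
! Pool 1 toward the dmz: a global on the dmz interface must be an address
! in the dmz subnet, not the outside address. Inside hosts are hidden behind
! 10.0.0.254 (assumed unused) when they talk to dmz hosts.
global (dmz) 1 10.0.0.254
!
! Alternative to the dmz global (Jan's suggestion): exempt inside -> dmz from
! translation so both sides see real IPs. Leave it commented if using the
! global above; nat 0 with an ACL takes precedence over nat 1 when present.
! access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
! nat (inside) 0 access-list nonat
!
! dmz -> inside: identity static so the inside server keeps its real address
! as seen from the dmz (Yizhar's second static form).
static (inside,dmz) 192.168.0.10 192.168.0.10 netmask 255.255.255.255 0 0
!
! Applying an inbound ACL on the dmz replaces the implicit higher -> lower
! permit with an implicit deny, so allow exactly what is needed: the web
! server to the inside server on TCP/1433, everything else dmz -> inside
! denied, and dmz -> outside restored explicitly.
access-list dmz_in permit tcp host 10.0.0.20 host 192.168.0.10 eq 1433
access-list dmz_in deny ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
access-list dmz_in permit ip 10.0.0.0 255.0.0.0 any
access-group dmz_in in interface dmz
```

With this in place, `show xlate` after an inside host browses a dmz server shows the 192.168.0.x address translated to 10.0.0.254, while the dmz -> inside connection shows the identity static.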
 