
Using Interface IP for incoming traffic


yanks2112 (IS-IT--Management), Jan 5, 2004
We recently moved from a Symantec firewall to a Cisco PIX 515, Version 7.0(4). Symantec translated the incoming IP address with the interface IP that was being used. For example, if someone FTP'd to a server on our DMZ, it would look something like this:

ftp client <public_ip> ----> Symantec Firewall ---> DMZ Interface <Interface_ip> ---> DMZ FTP server.

The FTP server logs would show all traffic incoming from the DMZ interface. This occurred on all interfaces.

What is happening now is that the public IPs are not being translated, which I like because it is better for troubleshooting issues coming in from the inside interface.

The problem is there are a lot of web servers in the DMZ that I do not control, so I would like to be able to go back to the original configuration (Symantec's) where the interface IP is used on incoming traffic from the outside interface. Or, if this cannot be done, I would like to confirm this before I contact the webmasters to make the necessary changes. Is there a way to do this?

These are my static statements for my DMZ, which I think are causing the problem:
static (DMZ,outside) tcp 192.16.0.1 255.255.255.255
static (DMZ,outside) tcp 192.168.0.1 ftp 10.10.10.1 ftp netmask 255.255.255.255
static (DMZ,outside) tcp 192.168.0.2 255.255.255.255
static (DMZ,outside) tcp 192.168.0.2 ftp 10.10.10.2 ftp netmask 255.255.255.255

Thanks for your help
 
Not sure what you're going for exactly. You want external hosts accessing the DMZ to be translated to the DMZ interface? If so, try this.

access-list 150 permit ip any host DMZSERVERIP
nat (outside) 3 access-list 150
global (dmz) 4 interface

If you can explain a little more, I think we can fix it.

Free Firewall/Network/Systems Support-
 
Hi NetworkGhost

Thanks for the reply. Yes, I basically want to translate external hosts to the DMZ interface. The reason is that there is one (out of many) web servers blocking access from all IPs except the DMZ interface. I don't have access to the server. I've notified the person in charge of the web site (non-technical) and explained to him that he needs to make the change on his end. However, if that can't be done I'd like to try to accommodate him if possible.

Stupid (newbie) question: if I add nat (outside) 3, will this disrupt my current internet connection? Also, the nat (outside) 3 and global (dmz) 4 do not match, is that correct? I thought they needed to match up (the 3 and 4, that is) to make a global pair.

Also, this is my current NAT config, if it helps:

global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 10.10.0.0 255.255.0.0

Thanks again for your help.
 
So basically this is what you need to do:

access-list 150 permit ip any host DMZSERVERIP
nat (outside) 3 access-list 150
global (dmz) 3 interface

I had a typo the first time!

Free Firewall/Network/Systems Support-
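The point NetworkGhost's correction turns on is that a nat statement and a global statement only form a translation pair when their pool IDs match, which is why the first reply (nat id 3, global id 4) did nothing and the second (3 and 3) worked. The script below is an added example, not code from this thread or from Cisco: it parses the nat/global lines of a PIX-style config and reports any pool ID that has no partner, so a mismatch like the one above is caught before the config goes live. The sample config text is constructed from the statements posted in the thread; the function and constant names are my own, and nat id 0 is treated as identity NAT (no global needed) on the assumption that the config follows the usual PIX convention.

```python
import re
from collections import defaultdict

# Constructed sample: the NAT/global statements posted in the thread, with the
# mismatched pair from the first reply (nat id 3 paired against global id 4).
SAMPLE_CONFIG = """\
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 10.10.0.0 255.255.0.0
access-list 150 permit ip any host DMZSERVERIP
nat (outside) 3 access-list 150
global (dmz) 4 interface
"""

# Same config with the corrected global line from the second reply.
FIXED_CONFIG = SAMPLE_CONFIG.replace("global (dmz) 4 interface", "global (dmz) 3 interface")

# nat (<iface>) <id> <rest>   and   global (<iface>) <id> <rest>
NAT_RE = re.compile(r"^\s*nat\s+\((\S+)\)\s+(\d+)\s*(.*)$", re.IGNORECASE)
GLOBAL_RE = re.compile(r"^\s*global\s+\((\S+)\)\s+(\d+)\s*(.*)$", re.IGNORECASE)

# Pool id 0 is identity NAT on PIX and needs no global statement (assumption:
# the config follows that convention).
IDENTITY_NAT_ID = 0


def parse_pools(config_text):
    """Return ({nat_id: [(ingress_iface, args), ...]}, {global_id: [(egress_iface, args), ...]}).

    Interface names are lower-cased because PIX treats 'DMZ' and 'dmz' as the same name.
    """
    nats = defaultdict(list)
    globs = defaultdict(list)
    for line in config_text.splitlines():
        m = NAT_RE.match(line)
        if m:
            nats[int(m.group(2))].append((m.group(1).lower(), m.group(3).strip()))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globs[int(m.group(2))].append((m.group(1).lower(), m.group(3).strip()))
    return dict(nats), dict(globs)


def find_unpaired(config_text):
    """Return (nat ids with no matching global, global ids with no matching nat)."""
    nats, globs = parse_pools(config_text)
    nat_only = sorted(i for i in nats if i != IDENTITY_NAT_ID and i not in globs)
    glob_only = sorted(i for i in globs if i not in nats)
    return nat_only, glob_only


def describe_pairs(config_text):
    """Human-readable summary of every working nat/global pair, one string per pairing."""
    nats, globs = parse_pools(config_text)
    lines = []
    for pool_id in sorted(set(nats) & set(globs)):
        for ingress, nat_args in nats[pool_id]:
            for egress, glob_args in globs[pool_id]:
                lines.append(
                    f"pool {pool_id}: traffic entering '{ingress}' ({nat_args}) "
                    f"is translated when leaving '{egress}' ({glob_args})"
                )
    return lines


if __name__ == "__main__":
    for label, cfg in (("first reply", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        nat_only, glob_only = find_unpaired(cfg)
        print(f"[{label}] nat ids without global: {nat_only}; global ids without nat: {glob_only}")
        for summary in describe_pairs(cfg):
            print("   ", summary)
```

Run against the first reply's config it flags nat pool 3 and global pool 4 as unpaired; against the corrected config it reports nothing unpaired and lists pool 3 as "traffic entering 'outside' (access-list 150) is translated when leaving 'dmz' (interface)", which is exactly the behaviour the original poster wanted back.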
 
That did it! Thanks very much NetworkGhost
 