PIX 515 Inside -> Outside

Discussion in 'Cisco' started by Guido Bakker, Oct 30, 2003.

  1. Guido Bakker

    Guido Bakker Guest

    Hello,

    I have the following situation:

    A PIX running with inside, dmz & outside. The dmz has a few servers
    in it which will grow. Now I'm trying to nat a single machine from the
    inside to the outside. Internet works fine, but not when I try to reach
    a server in the dmz via the outside address.

    When I run a tcpdump I see a packet arrive at the dmz server and a return
    packet to the outside interface of the PIX, but it seems to end there.

    Any help would be appreciated.

    Regards,
    Guido Bakker

    p.s.

    : Saved
    : Written by enable_15 at 16:11:54.577 CEST Thu Oct 30 2003
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password ******** encrypted
    passwd ******** encrypted
    hostname netdmfw1
    domain-name sogeti.nl
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 172.17.2.9 frankenstein
    name 10.17.2.3 sales
    name 10.17.2.2 hudson
    name 10.17.2.1 fraser
    name 194.151.67.131 heisenberg2
    name 194.151.67.130 rutherford
    name 172.17.2.21 magelhaen
    name 10.17.0.0 dmz_diemen
    name 172.17.0.0 inside_diemen
    name 194.151.67.0 outside_diemen
    name 10.17.2.4 webmail
    name 172.17.1.137 metropolis
    name 10.17.2.5 testmail
    name 10.17.5.20 mail
    name 172.17.5.20 mstdmxb1
    name 172.17.5.23 mstdmxb2
    name 10.17.5.22 mstdmxf2
    name 10.17.5.21 mstdmxf1
    name 172.17.5.10 mstdmdc2s
    name 172.17.5.9 mstdmdc1s
    name 172.17.1.102 aragorn
    object-group network webservers
    network-object fraser 255.255.255.255
    network-object hudson 255.255.255.255
    network-object sales 255.255.255.255
    network-object webmail 255.255.255.255
    network-object testmail 255.255.255.255
    object-group service webservices tcp
    port-object eq www
    port-object eq https
    object-group network proxyservers
    network-object rutherford 255.255.255.255
    network-object heisenberg2 255.255.255.255
    object-group service mailservices tcp
    port-object eq pop3
    port-object eq imap4
    port-object eq smtp
    object-group network mailfrontends
    network-object mstdmxf1 255.255.255.255
    network-object mstdmxf2 255.255.255.255
    object-group network mailbackends
    network-object mstdmxb1 255.255.255.255
    network-object mstdmxb2 255.255.255.255
    object-group network dcservers
    network-object mstdmdc1s 255.255.255.255
    network-object mstdmdc2s 255.255.255.255
    object-group network webservers_ref_1
    network-object 194.151.67.17 255.255.255.255
    network-object 194.151.67.18 255.255.255.255
    network-object 194.151.67.19 255.255.255.255
    network-object 194.151.67.20 255.255.255.255
    network-object 194.151.67.21 255.255.255.255
    access-list outside_access_in permit tcp any object-group webservers_ref_1 object-group webservices
    access-list outside_access_in permit tcp object-group proxyservers 194.151.0.0 255.255.0.0 eq ssh
    access-list dmz_access_in permit ip dmz_diemen 255.255.0.0 outside_diemen 255.255.255.0
    access-list dmz_access_in permit tcp object-group webservers host magelhaen eq sqlnet
    access-list dmz_access_in permit tcp dmz_diemen 255.255.0.0 host frankenstein eq ftp
    access-list dmz_access_in permit icmp dmz_diemen 255.255.0.0 inside_diemen 255.255.0.0
    access-list inside_access_in permit ip host aragorn any
    access-list inside_access_in permit ip host metropolis dmz_diemen 255.255.0.0
    access-list inside_access_in permit ip host frankenstein dmz_diemen 255.255.0.0
    pager lines 24
    logging on
    logging trap warnings
    logging host inside frankenstein format emblem
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside 194.151.67.11 255.255.255.248
    ip address inside 172.17.0.252 255.255.240.0
    ip address dmz 10.17.0.1 255.255.0.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location frankenstein 255.255.255.255 inside
    pdm location fraser 255.255.255.255 dmz
    pdm location hudson 255.255.255.255 dmz
    pdm location sales 255.255.255.255 dmz
    pdm location rutherford 255.255.255.255 outside
    pdm location heisenberg2 255.255.255.255 outside
    pdm location magelhaen 255.255.255.255 inside
    pdm location outside_diemen 255.255.255.0 outside
    pdm location webmail 255.255.255.255 dmz
    pdm location 172.16.0.0 255.240.0.0 inside
    pdm location inside_diemen 255.255.0.0 inside
    pdm location metropolis 255.255.255.255 inside
    pdm location testmail 255.255.255.255 dmz
    pdm location mail 255.255.255.255 dmz
    pdm location mstdmxb1 255.255.255.255 inside
    pdm location mstdmxb2 255.255.255.255 inside
    pdm location mstdmxf1 255.255.255.255 dmz
    pdm location mstdmxf2 255.255.255.255 dmz
    pdm location mstdmdc1s 255.255.255.255 inside
    pdm location mstdmdc2s 255.255.255.255 inside
    pdm location aragorn 255.255.255.255 inside
    pdm location 194.151.67.16 255.255.255.240 outside
    pdm group webservers dmz
    pdm group proxyservers outside
    pdm group mailfrontends dmz
    pdm group mailbackends inside
    pdm group dcservers inside
    pdm group webservers_ref_1 outside reference webservers
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 aragorn 255.255.255.255 0 0
    static (dmz,outside) 194.151.67.17 fraser netmask 255.255.255.255 0 0
    static (dmz,outside) 194.151.67.18 hudson netmask 255.255.255.255 0 0
    static (dmz,outside) 194.151.67.19 sales netmask 255.255.255.255 0 0
    static (inside,dmz) frankenstein frankenstein netmask 255.255.255.255 0 0
    static (inside,dmz) magelhaen magelhaen netmask 255.255.255.255 0 0
    static (dmz,outside) 194.151.67.20 webmail netmask 255.255.255.255 0 0
    static (inside,dmz) metropolis metropolis netmask 255.255.255.255 0 0
    static (dmz,outside) 194.151.67.21 testmail netmask 255.255.255.255 0 0
    static (dmz,outside) 194.151.67.5 mail netmask 255.255.255.255 0 0
    static (inside,dmz) mstdmxb1 mstdmxb1 netmask 255.255.255.255 0 0
    static (inside,dmz) mstdmxb2 mstdmxb2 netmask 255.255.255.255 0 0
    static (inside,dmz) mstdmdc1s mstdmdc1s netmask 255.255.255.255 0 0
    static (inside,dmz) mstdmdc2s mstdmdc2s netmask 255.255.255.255 0 0
    static (inside,dmz) aragorn aragorn netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 194.151.67.9 1
    route inside 172.16.0.0 255.240.0.0 172.17.0.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp server frankenstein source inside prefer
    http server enable
    http inside_diemen 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection timewait
    service resetinbound
    telnet timeout 5
    ssh inside_diemen 255.255.0.0 inside
    ssh timeout 60
    console timeout 0
    terminal width 80
    Cryptochecksum:********
    : end
    Guido Bakker, Oct 30, 2003
    #1

  2. In article <>,
    Guido Bakker <> wrote:
    :A PIX running with inside, dmz & outside. The dmz has a few servers
    :in it which will grow. Now I'm trying to nat a single machine from the
    :inside to the outside. Internet works fine, but not when I try to reach
    :a server in the dmz via the outside address.


    :PIX Version 6.3(3)
    :ip address outside 194.151.67.11 255.255.255.248
    :ip address inside 172.17.0.252 255.255.240.0
    :ip address dmz 10.17.0.1 255.255.0.0
    :global (outside) 1 interface
    :nat (inside) 1 aragorn 255.255.255.255 0 0
    :static (dmz,outside) 194.151.67.17 fraser netmask 255.255.255.255 0 0
    :static (dmz,outside) 194.151.67.18 hudson netmask 255.255.255.255 0 0
    :static (dmz,outside) 194.151.67.19 sales netmask 255.255.255.255 0 0

    194.151.67.17, 194.151.67.18, 194.151.67.19 are not in the same
    subnet range as the outside address, which has a mask of 255.255.255.248.
    This situation is okay provided that you are *routing* those
    addresses to the PIX outside address.


    Which dmz address are you trying to reach from where?
    What you wrote was ambiguous: are you trying to reach (say) 'sales'
    from the outside using its 194.151.67.19 address, or are you
    trying to reach (say) 'sales' from the inside using its 194.151.67.19
    address?

    If you are trying to reach it from the inside using its
    outside address, then you will have trouble doing so, but the
    'alias' command might help in that case.

    If you are trying to reach it from the outside, then I do not
    immediately see a problem with the configuration, but I will
    go back and re-check a detail that's now off of my screen.
    --
    Rome was built one paycheck at a time. -- Walter Roberson
    Walter Roberson, Oct 30, 2003
    #2

  3. In article <>,
    Guido Bakker <> wrote:
    :PIX Version 6.3(3)

    :name 10.17.0.0 dmz_diemen
    :name 172.17.0.0 inside_diemen
    :name 194.151.67.0 outside_diemen

    :access-list dmz_access_in permit ip dmz_diemen 255.255.0.0 outside_diemen 255.255.255.0
    :access-list dmz_access_in permit tcp object-group webservers host magelhaen eq sqlnet
    :access-list dmz_access_in permit tcp dmz_diemen 255.255.0.0 host frankenstein eq ftp
    :access-list dmz_access_in permit icmp dmz_diemen 255.255.0.0 inside_diemen 255.255.0.0

    :global (outside) 1 interface
    :nat (inside) 1 aragorn 255.255.255.255 0 0
    :static (dmz,outside) 194.151.67.17 fraser netmask 255.255.255.255 0 0
    :static (dmz,outside) 194.151.67.18 hudson netmask 255.255.255.255 0 0
    :static (dmz,outside) 194.151.67.19 sales netmask 255.255.255.255 0 0

    :static (dmz,outside) 194.151.67.20 webmail netmask 255.255.255.255 0 0

    :static (dmz,outside) 194.151.67.21 testmail netmask 255.255.255.255 0 0
    :static (dmz,outside) 194.151.67.5 mail netmask 255.255.255.255 0 0

    :access-group dmz_access_in in interface dmz

    I notice that you have no explicit UDP access for dmz_access_in.
    Are your DNS servers in the outside_diemen?

    I also notice that you permit all of dmz_diemen/16 to go out to
    outside_diemen, but that you have only static'd those 6 hosts.
    If there are any other hosts in dmz_diemen/16 then you need to
    add a 'nat' statement, such as

    nat (dmz) 1 dmz_diemen 255.255.0.0

    If there are no other hosts in the dmz, then I would suggest that
    it would be a little better to code

    access-list dmz_access_in permit ip object-group webservers outside_diemen 255.255.255.0

    instead of the current line permitting all of dmz_diemen to go out.
    [But this won't solve your problem: it is just something I noticed.]
    --
    Everyone has a "Good Cause" for which they are prepared to Spam.
    -- Roberson's Law of the Internet
    Walter Roberson, Oct 30, 2003
    #3
  4. Guido Bakker

    Guido Bakker Guest

    On Thu, 30 Oct 2003 16:26:58 +0000, Walter Roberson wrote:

    > In article <>,
    > Guido Bakker <> wrote:
    > :A PIX running with inside, dmz & outside. The dmz has a few servers
    > :in it which will grow. Now I'm trying to nat a single machine from the
    > :inside to the outside. Internet works fine, but not when I try to reach
    > :a server in the dmz via the outside address.
    >
    >
    > :PIX Version 6.3(3)
    > :ip address outside 194.151.67.11 255.255.255.248
    > :ip address inside 172.17.0.252 255.255.240.0
    > :ip address dmz 10.17.0.1 255.255.0.0
    > :global (outside) 1 interface
    > :nat (inside) 1 aragorn 255.255.255.255 0 0
    > :static (dmz,outside) 194.151.67.17 fraser netmask 255.255.255.255 0 0
    > :static (dmz,outside) 194.151.67.18 hudson netmask 255.255.255.255 0 0
    > :static (dmz,outside) 194.151.67.19 sales netmask 255.255.255.255 0 0
    >
    > 194.151.67.17, 194.151.67.18, 194.151.67.19 are not in the same
    > subnet range as the outside address, which has a mask of 255.255.255.248.
    > This situation is okay provided that you are *routing* those
    > addresses to the PIX outside address.


    I added the following on our atm router:

    ip route 194.151.67.16 255.255.255.240 FastEthernet0/0

    The FastEthernet0/0 is connected to the same switch as the pix.

    > Which dmz address are you trying to reach from where? What you wrote was
    > ambiguous: are you trying to reach (say) 'sales' from the outside using
    > its 194.151.67.19 address, or are you trying to reach (say) 'sales' from
    > the inside using its 194.151.67.19 address?


    I'm trying to reach "sales" from the inside; everything from the internet
    works fine. One exception on that though: there seems to be a slowdown on
    loading of images sometimes.

    So, I'm at aragorn, pointing my default route to 172.17.0.252 and trying
    to reach sales (194.151.67.19).

    > If you are trying to reach it from the inside using its outside address,
    > then you will have trouble doing so, but the 'alias' command might help
    > in that case.


    What's the reason for this? And are there other possibilities than alias?

    > If you are trying to reach it from the outside, then I do not
    > immediately see a problem with the configuration, but I will go back and
    > re-check a detail that's now off of my screen.


    Reaching from the outside works fine except for that slow down sometimes.
    But a double-check on the configuration would be great, I'm only just
    starting to learn the PIX.

    Regards and thanks for your help so far,
    Guido Bakker
    Guido Bakker, Oct 30, 2003
    #4
  5. Guido Bakker

    Guido Bakker Guest

    On Thu, 30 Oct 2003 16:40:01 +0000, Walter Roberson wrote:

    > In article <>,
    > Guido Bakker <> wrote:
    > :PIX Version 6.3(3)
    >
    > :name 10.17.0.0 dmz_diemen
    > :name 172.17.0.0 inside_diemen
    > :name 194.151.67.0 outside_diemen
    >
    > :access-list dmz_access_in permit ip dmz_diemen 255.255.0.0 outside_diemen 255.255.255.0
    > :access-list dmz_access_in permit tcp object-group webservers host magelhaen eq sqlnet
    > :access-list dmz_access_in permit tcp dmz_diemen 255.255.0.0 host frankenstein eq ftp
    > :access-list dmz_access_in permit icmp dmz_diemen 255.255.0.0 inside_diemen 255.255.0.0
    >
    > :global (outside) 1 interface
    > :nat (inside) 1 aragorn 255.255.255.255 0 0
    > :static (dmz,outside) 194.151.67.17 fraser netmask 255.255.255.255 0 0
    > :static (dmz,outside) 194.151.67.18 hudson netmask 255.255.255.255 0 0
    > :static (dmz,outside) 194.151.67.19 sales netmask 255.255.255.255 0 0
    >
    > :static (dmz,outside) 194.151.67.20 webmail netmask 255.255.255.255 0 0
    >
    > :static (dmz,outside) 194.151.67.21 testmail netmask 255.255.255.255 0 0
    > :static (dmz,outside) 194.151.67.5 mail netmask 255.255.255.255 0 0
    >
    > :access-group dmz_access_in in interface dmz
    >
    > I notice that you have no explicit UDP access for dmz_access_in.
    > Are your DNS servers in the outside_diemen?


    Yes, at the moment they are. I'm building a newer dmz and slowly moving
    everything into new subnets.

    > I also notice that you permit all of dmz_diemen/16 to go out to
    > outside_diemen, but that you have only static'd those 6 hosts. If there
    > are any other hosts in dmz_diemen/16 then you need to add a 'nat'
    > statement, such as
    > nat (dmz) 1 dmz_diemen 255.255.0.0


    There will be more in the dmz_diemen, such as frontends for the mail
    cluster, cvs server, smtps, dns and customer projects. All depending on
    the PIX performance. I'm planning to static every host atm.

    > If there are no other hosts in the dmz, then I would suggest that it
    > would be a little better to code
    >
    > access-list dmz_access_in permit ip object-group webservers
    > outside_diemen 255.255.255.0


    > instead of the current line permitting all of dmz_diemen to go out. [But
    > this won't solve your problem: it is just something I noticed.]


    Every pointer is greatly appreciated. :)

    Regards,
    Guido Bakker
    Guido Bakker, Oct 30, 2003
    #5
  6. In article <>,
    Guido Bakker <> wrote:
    :I'm trying to reach "sales" from the inside, everything from the internet
    :works fine. One exception on that though, there seems to be a slowdown on
    :loading of images sometimes.

    :So, I'm at aragorn, pointing my default route to 172.17.0.252 and trying
    :to reach sales (194.151.67.19).

    :> If you are trying to reach it from the inside using its outside address,
    :> then you will have trouble doing so, but the 'alias' command might help
    :> in that case.

    :What's the reason for this? And are there other possibilities than alias?

    You have defined the correspondence between 'sales' (10.17.2.3)
    and 194.151.67.19 by means of a static (dmz,outside) command.
    That correspondence is only in effect when packets arrive at
    the outside interface. By the time the packet gets "inside" the PIX,
    it has been re-written to use the inside IP address 10.17.2.3.

    When you try to send from the inside to 194.151.67.19, the
    packet will reach the inside interface, and then the PIX is going to
    look for a route to the destination. There is no specific route for
    194.151.67.16/28 as you have not created one and none of the
    interfaces is numbered in that range. The route that is going to
    apply is thus the default route, 0.0.0.0 0.0.0.0, which is going
    to send the packet out the outside interface. As it goes out,
    NAT is going to leave the -destination- address the same, but is
    going to re-write the source address according to your nat/global
    pair. The packet is then going to reach your router, which is going
    to send it back to the PIX unchanged (a 'redirect'), but the PIX is
    going to recognize that it sent the packet out itself and is
    going to drop the packet.

    If what you need to do is send from 'aragorn' to 'sales'
    *by IP address*, then you are going to need to use the
    'alias' command or else you are going to need to use horrible hacks
    [such as a loopback interface on the router that nat's the packet
    before sending it back to the PIX.]

    If what you need to do is send from 'aragorn' to 'sales'
    *by hostname*, then there are some DNS manipulations you can use.
    The 'alias' command can be used for some of those DNS manipulations.
    See also the new 'dns' parameter to the 'static' command; it is not
    very well documented in the Command Reference, though.
    --
    Perposterous!! Where would all the calculators go?!
    Walter Roberson, Oct 30, 2003
    #6
  7. In article <>,
    Guido Bakker <> wrote:
    :On Thu, 30 Oct 2003 16:40:01 +0000, Walter Roberson wrote:
    :> If there are no other hosts in the dmz, then I would suggest that it
    :> would be a little better to code

    :Every pointer is greatly appreciated. :)

    As a general principle, it is better to structure your PIX configuration
    to use layers of security. For example, instead of allowing
    everything inside to be nat'd via a nat (inside) 1 0 0 statement,
    only nat the hosts that actually exist and are allowed to go
    out: that way, if someone adds a system on to the network without
    telling you, or if a virus gets in and starts forging IP addresses,
    then those addresses will not get out no matter what the access list
    say.

    The next layer of security would be to set your access-lists to only
    permit traffic from hosts that exist and are allowed out -- or at least
    to specifically deny traffic to hosts that are not known to be
    allowed out. This way, if your 'nat' is accidentally more general
    than is needed, the hosts will be stopped by the access-list.

    These are principles; in practice, if you have a lot of hosts, then
    keeping the configuration up-to-date naming all those hosts is
    going to be error-prone, and the resulting configuration may be
    too big to be easily understood :( object-groups help a lot in
    making the configuration understandable, I find.
    --
    And the wind keeps blowing the angel / Backwards into the future /
    And this wind, this wind / Is called / Progress.
    -- Laurie Anderson
    Walter Roberson, Oct 30, 2003
    #7
  8. Guido Bakker

    Guido Bakker Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<bnrhsc$6ni$>...
    > In article <>,
    > Guido Bakker <> wrote:
    > :I'm trying to reach "sales" from the inside, everything from the internet
    > :works fine. One exception on that though, there seems to be a slowdown on
    > :loading of images sometimes.
    >
    > :So, I'm at aragorn, pointing my default route to 172.17.0.252 and trying
    > :to reach sales (194.151.67.19).
    >
    > :> If you are trying to reach it from the inside using its outside address,
    > :> then you will have trouble doing so, but the 'alias' command might help
    > :> in that case.
    >
    > :What's the reason for this? And are there other possibilities than alias?
    >
    > If what you need to do is send from 'aragorn' to 'sales'
    > *by IP address*, then you are going to need to use the
    > 'alias' command or else you are going to need to use horrible hacks
    > [such as a loopback interface on the router that nat's the packet
    > before sending it back to the PIX.]
    >
    > If what you need to do is send from 'aragorn' to 'sales'
    > *by hostname*, then there are some DNS manipulations you can use.
    > The 'alias' command can be used for some of those DNS manipulations.
    > See also the new 'dns' parameter to the 'static' command; it is not
    > very well documented in the Command Reference, though.


    I was very happy the following worked:

    alias (inside) 194.151.67.19 sales 255.255.255.255

    But when I reloaded PDM it complained alias is deprecated and that I
    need to use bi-directional or outside nat, and that this can replace
    alias. But I have struggled with this and could not convert the above
    alias command. What's the way to do this? Or do I miss something else?

    Regards,
    Guido Bakker
    Guido Bakker, Oct 31, 2003
    #8
  9. In article <>,
    Guido Bakker <> wrote:
    :I was very happy the following worked:

    :alias (inside) 194.151.67.19 sales 255.255.255.255

    :But when I reloaded PDM it complained alias is deprecated and that I
    :need to use bi-directional or outside nat. And that this can replace
    :alias. But I have struggled with this and could not convert the above
    :alias command. What's the way to do this? Or do I miss something else?

    Ah, yes, outside nat should work for that case. I believe
    you would configure that this way:

    global (inside) 2 194.151.67.19
    nat (dmz) 2 sales 255.255.255.255 outside


    However, I think that in the long term you might be happier with

    static (dmz, inside) 194.151.67.19 sales netmask 255.255.255.255

    Notice that I have reversed the order of the interfaces compared
    to a regular 'static' command. Normally, static lists the higher
    security interface and then the lower security one within the (),
    but I have given the lower security interface first here. That
    has been supported since 6.2 [but sometimes the documentation
    of it has gotten broken; I had them fix it a couple of months ago.]
    --
    Cannot open .signature: Permission denied
    Walter Roberson, Oct 31, 2003
    #9
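The hairpin failure Walter describes in #6 and the reversed static he suggests in #9, modelled in a small Python simulation added here by the editor (not code from the thread or from Cisco). It assumes a simplified PIX 6.3: a static is consulted only for packets arriving on its mapped interface, higher-to-lower traffic needs a source xlate, and the route 172.16.0.0/12 via 172.17.0.254 is represented just by its egress interface name.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Static:  # one 'static (real_if,mapped_if) mapped real' line
    real_if: str    # first interface in the parentheses: where the real host lives
    mapped_if: str  # second interface: where the mapped address is visible
    mapped: str
    real: str

class Pix:
    def __init__(self, interfaces, security, routes, statics, nat_hosts):
        # interfaces: name -> (interface address, connected network)
        self.if_addr = {n: addr for n, (addr, _) in interfaces.items()}
        self.if_net = {n: ipaddress.ip_network(net) for n, (_, net) in interfaces.items()}
        self.security = security
        self.routes = [(ipaddress.ip_network(net), via) for net, via in routes]
        self.statics = list(statics)
        self.nat_hosts = set(nat_hosts)  # 'nat (inside) 1 ...' + 'global (outside) 1 interface'

    def route_lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        cands = [(net.prefixlen, name) for name, net in self.if_net.items() if dst in net]
        cands += [(net.prefixlen, via) for net, via in self.routes if dst in net]
        return max(cands)[1]  # longest prefix wins; the /0 default route is the last resort

    def forward(self, ingress, src, dst):
        """Return (egress, src_after_nat, dst_after_nat), or None if the PIX drops the packet."""
        # Step 1: destination translation. 'static (dmz,outside) 194.151.67.19 sales' is only
        # seen by packets arriving on outside; a packet arriving on inside uses the route table.
        egress, new_dst = None, dst
        for s in self.statics:
            if s.mapped_if == ingress and s.mapped == dst:
                egress, new_dst = s.real_if, s.real
                break
        if egress is None:
            egress = self.route_lookup(dst)
        if egress == ingress:
            return None
        if self.security[ingress] < self.security[egress]:
            return egress, src, new_dst  # lower-to-higher: no source xlate in this model
        # Step 2: source translation for the (ingress, egress) pair: identity static first,
        # else PAT to the outside interface address, else no xlate and the packet is dropped.
        for s in self.statics:
            if s.real_if == ingress and s.mapped_if == egress and s.real == src:
                return egress, s.mapped, new_dst
        if egress == "outside" and src in self.nat_hosts:
            return egress, self.if_addr["outside"], new_dst
        return None

# Addresses from the posted config: sales = 10.17.2.3, aragorn = 172.17.1.102.
BASE_STATICS = [
    Static("dmz", "outside", "194.151.67.19", "10.17.2.3"),   # static (dmz,outside) 194.151.67.19 sales
    Static("inside", "dmz", "172.17.1.102", "172.17.1.102"),  # static (inside,dmz) aragorn aragorn
]

def build_pix(extra_statics=()):
    return Pix(
        interfaces={"outside": ("194.151.67.11", "194.151.67.8/29"),
                    "inside": ("172.17.0.252", "172.17.0.0/20"),
                    "dmz": ("10.17.0.1", "10.17.0.0/16")},
        security={"outside": 0, "inside": 100, "dmz": 50},
        routes=[("0.0.0.0/0", "outside"), ("172.16.0.0/12", "inside")],
        statics=list(BASE_STATICS) + list(extra_statics),
        nat_hosts=["172.17.1.102"],
    )

def hairpin_before():
    # aragorn -> 194.151.67.19 with the original config: routed out the outside interface,
    # destination untouched, source PAT'd to 194.151.67.11 (the router then bounces it back).
    return build_pix().forward("inside", "172.17.1.102", "194.151.67.19")

def hairpin_after():
    # With 'static (dmz,inside) 194.151.67.19 sales': un-NATed to 10.17.2.3 and sent to dmz.
    fix = Static("dmz", "inside", "194.151.67.19", "10.17.2.3")
    return build_pix([fix]).forward("inside", "172.17.1.102", "194.151.67.19")
```

Running `hairpin_before()` and `hairpin_after()` side by side shows the egress interface flipping from outside to dmz once the reversed static exists; the inbound path from the internet is unchanged either way.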
  10. Guido Bakker

    Guido Bakker Guest

    On Fri, 31 Oct 2003 11:34:40 +0000, Walter Roberson wrote:

    > In article <>,
    > Guido Bakker <> wrote:
    > :I was very happy the following worked:
    >
    > :alias (inside) 194.151.67.19 sales 255.255.255.255
    >
    > :But when I reloaded PDM it complained alias is deprecated and that I
    > :need to use bi-directional or outside nat. And that this can replace
    > :alias. But I have struggled with this and could not convert the above
    > :alias command. What's the way to do this? Or do I miss something else?
    >
    > Ah, yes, outside nat should work for that case. I believe
    > you would configure that this way:
    >
    > global (inside) 2 194.151.67.19
    > nat (dmz) 2 sales 255.255.255.255 outside
    >
    >
    > However, I think that in the long term you might be happier with
    >
    > static (dmz, inside) 194.151.67.19 sales netmask 255.255.255.255
    >
    > Notice that I have reversed the order of the interfaces compared
    > to a regular 'static' command. Normally, static lists the higher
    > security interface and then the lower security one within the (),
    > but I have given the lower security interface first here. That
    > has been supported since 6.2 [but sometimes the documentation
    > of it has gotten broken; I had them fix it a couple of months ago.]


    Yes, the static works great. I tried the same, but from outside to dmz.
    Thanks for your help again, I'm most grateful. Are there any limitations
    on this implementation?

    Regards,
    Guido Bakker
    Guido Bakker, Oct 31, 2003
    #10
    1. Advertising
