Multiple NATs PIX 515

Discussion in 'Cisco' started by Richard Isaac, Aug 23, 2005.

  1. Hi,

    I have a PIX with the following Networks

    Outside
    Inside
    DMZ

    1. I currently have a static NAT which allows an outside address direct
    access to the servers in the DMZ.

    2. There is a NAT which allows inside traffic to the dmz - keeping the
    source address.

    I need to add a translation which allows servers in the DMZ access to hosts
    on the inside - keeping their original addresses.

    I have created the access rule to allow the relevant ports from the DMZ to
    the inside. When I try to add a rule to translate DMZ to Inside, Dynamic,
    same address, it pops up warning me that the security rule that allows (2 -
    above) will be broken.

    I get syslog errors saying "No translation group found for tcp src dmz dst
    inside...."

    Any help anyone could offer would be great - even if it's only to tell me
    that I'm trying to do something that the pix can't do!

    Cheers

    Richard
     
    Richard Isaac, Aug 23, 2005
    #1

  2. :I have a PIX with the following Networks
    :Outside Inside DMZ

    :1. I currently have a static NAT which allows an outside address direct
    :access to the servers in the DMZ.

    :2. There is a NAT which allows inside traffic to the dmz - keeping the
    :source address.

    :I need to add a translation which allows servers in the DMZ access to hosts
    :on the inside - keeping their original addresses.

    If you want the inside and DMZ hosts to retain their original addresses
    when talking to each other, then create a new ACL permitting traffic
    with a source of your inside network and a destination of your dmz
    network, and then

    nat (inside) 0 access-list TheNewACL

    (Note: you are only allowed one nat 0 access-list per interface,
    so if you already have one, merge the new entry into the old acl.)

    The above has an important security side effect: it allows the DMZ
    hosts to initiate connections to inside hosts whenever the
    access-group applied to the DMZ allows the traffic, even if there
    is no 'static' statement for that inside host.


    Alternately,

    static (inside,dmz) INSIDEIP INSIDEIP netmask INSIDEMASK

    Although this only talks about the inside IPs, your requirement #2
    that DMZ to inside retains the DMZ source IPs, happens automatically
    because unless you configure specifically otherwise, traffic from
    a lower-security interface to a higher-security interface retains
    the source IP address.
     
    Walter Roberson, Aug 23, 2005
    #2

  3. Hi Walter,

    Thanks for replying..

    I tried adding the nat command but it gave me an error about it not being an
    IP address.

    I also had a nat (inside) 0 0.0.0.0 0.0.0.0 0 0 which I've removed because
    the inside interface has no need to reach the outside.

    The inside subnet is 10.250.2.0
    The dmz subnet is 10.25.250.0

    The dmz is trying to reach an address of 10.250.30.30. The pix has a route
    to this of route inside 10.250.30.0 255.255.255.0 10.250.25.1 1

    If I do a sh nat, I now get: nat (inside) 0 10.250.30.0 255.255.255.0 0 0,
    which looks like it's nearly correct, but I'm still getting errors about no
    xlate.

    The access groups are called:

    dmz_access_in - allows outgoing dmz requests
    acl_out - incoming traffic from the outside
    inside_access_in - allows dmz traffic to the inside

    Unfortunately most of the config was created via the PDM.

    Regards

    Richard
     
    Richard Isaac, Aug 23, 2005
    #3
  4. :The inside subnet is 10.250.2.0
    :The dmz subnet is 10.25.250.0

    :The dmz is trying to reach an address of 10.250.30.30. The pix has a route
    :to this of route inside 10.250.30.0 255.255.255.0 10.250.25.1 1

    That implies you have an inside router.

    :If I do a sh nat, i now get: nat (inside) 0 10.250.30.0 255.255.255.0 0 0,
    :which looks like it's nearly correct, but I'm still getting errors about no
    :xlate.

    nat 0 *without* an access-list parameter is one-directional: outgoing
    traffic will have its IP address left alone, but incoming traffic will
    be blocked unless there is some other nat or static with higher precedence.

    Remove that nat and replace it with one of the following two:

    static (inside,dmz) 10.250.30.0 10.250.30.0 netmask 255.255.255.0

    OR

    access-list inside_dmz_nonat permit ip 10.250.30.0 255.255.255.0 10.25.250.0 255.255.255.0
    nat (inside) 0 access-list inside_dmz_nonat

    The effect is very nearly the same for both choices.


    There are cases that require more complexity, if you want port
    translation to be happening while IP addresses are left alone:
    that case would use the nat 0 -without- an access-list, combined with
    some static statements (or else combined with a nat 0 -with- an
    access-list.) The two choices I gave above are for the case where you
    want IPs -and- ports to be untouched in going between the two interfaces.
     
    Walter Roberson, Aug 23, 2005
    #4
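
The two replies above (#2 and #4) give the translation statements piecemeal. The fragment below is an added example, not configuration posted in the thread, that assembles them into one PIX 6.x configuration: the nat 0 statement that produced the "No translation group found" messages, commented out, next to the two working alternatives, plus the access-list that actually permits the DMZ-initiated connection. Interface names, subnets, the 10.250.30.30 host and the inside route are taken from the posts; the security levels, the DMZ server address 10.25.250.10 and the service port tcp/1433 are assumptions for illustration. Lines beginning with "!" are explanatory comments, not PIX commands.

```text
! Added example (not from the original posts). Security levels, the DMZ
! server 10.25.250.10 and port tcp/1433 are assumed for illustration.
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! 10.250.30.0/24 sits behind an inside router (route as given in post #3)
route inside 10.250.30.0 255.255.255.0 10.250.25.1 1

! --- What did not work (post #3): nat 0 WITHOUT an access-list ---
! Exempts only traffic leaving inside toward lower-security interfaces.
! A DMZ host opening a connection to 10.250.30.30 still finds no xlate
! and the PIX logs "No translation group found for tcp src dmz dst inside".
!   nat (inside) 0 10.250.30.0 255.255.255.0 0 0

! --- Fix, option A: identity static (bidirectional) ---
static (inside,dmz) 10.250.30.0 10.250.30.0 netmask 255.255.255.0

! --- Fix, option B: nat 0 WITH an access-list (bidirectional) ---
! The thread presents A and B as alternatives; pick one. Only one
! "nat (inside) 0 access-list" is allowed per interface, so any further
! inside<->dmz no-NAT pairs go into this same ACL.
access-list inside_dmz_nonat permit ip 10.250.30.0 255.255.255.0 10.25.250.0 255.255.255.0
nat (inside) 0 access-list inside_dmz_nonat

! --- The translation only makes the flow possible. Because the DMZ is the
! lower-security side, it keeps its source IP by default, and the
! access-group bound to the DMZ interface decides what it may initiate.
access-list dmz_access_in permit tcp host 10.25.250.10 host 10.250.30.30 eq 1433
access-group dmz_access_in in interface dmz
```

After changing nat or static statements on a PIX, run clear xlate so that stale translation entries are dropped, then retest from the DMZ host; show xlate should then list the identity entry for the inside host, and the "No translation group found" syslog messages should stop. Note that either identity option also lets DMZ hosts reach any other 10.250.30.0/24 host that the DMZ access-list permits, which is the security side effect Walter points out in #2, so keep dmz_access_in as narrow as the application allows.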
  5. That fixed it !

    I still don't understand the logic of how the nat works, it seems a bit
    backward. But the customer is now happy so I can worry about that later!

    Thanks again for replying.

    Regards

    Richard
     
    Richard Isaac, Aug 24, 2005
    #5
