static nat and access-list

Discussion in 'Cisco' started by Edgar® du Midi®, Sep 7, 2005.

  1. Hello,

    I have a PIX 515 for testing purposes.

    The DMZ interface is a private subnet attached to it.

    On this DMZ, servers. Those have private IP addresses attached.

    Using the static command, those servers have an Internet IP.

    pix# sh global
    global (outside) 1 interface
    pix# sh static
    static (dmz-net,outside) 195.238.45.34 192.168.80.34 netmask 255.255.255.255 0 0
    static (dmz-net,outside) 195.238.45.35 192.168.80.35 netmask 255.255.255.255 0 0
    static (dmz-net,outside) 195.238.45.36 192.168.80.36 netmask 255.255.255.255 0 0
    static (dmz-net,outside) 195.238.45.38 192.168.80.38 netmask 255.255.255.255 0 0
    static (dmz-net,outside) 195.238.45.39 192.168.80.39 netmask 255.255.255.255 0 0
    static (im-net,outside) 195.238.45.43 192.168.8.43 netmask 255.255.255.255 0 0
    static (im-net,outside) 195.238.45.44 192.168.8.44 netmask 255.255.255.255 0 0
    static (im-net,outside) 195.238.45.45 192.168.8.45 netmask 255.255.255.255 0 0
    static (dmz-net,outside) 195.238.45.40 192.168.80.46 netmask 255.255.255.255 0 0
    static (inside,dmz-net) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    pix#

    On the access-list which is gonna be applied *IN* on the dmz-net
    interface, do I have to specify the private IP address or the
    Internet IP address of the server?

    thank you very much,

    /Edgar
     
    Edgar® du Midi®, Sep 7, 2005
    #1

  2. :I have a PIX 515 for testing purposes.

    :On the access-list which is gonna be applied *IN* on the dmz-net
    :interface, do I have to specify the private IP address or the
    :Internet IP address of the server?

    For all interface ACLs, the rule is that for normal (non-VPN) traffic,
    you use the IP addresses that would be seen "on the wire" --
    the destination IPs being the ones that the hosts "beyond" the
    interface would be sending to, and the source IPs being the ones
    that the hosts "beyond" the interface will expect to see.

    The rule is nearly the same for VPN traffic, but "on the wire"
    gets modified to "inside the encapsulated packet".
     
    Walter Roberson, Sep 7, 2005
    #2
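
The "on the wire" rule above, applied to the static table from the question, as an added example (not part of either post). It parses a constructed subset of the `show static` lines and resolves which address an ACL bound `in` on a given interface must name for a host living behind another interface; the function names, the ACL name `<interface>_in` and the inside host 192.168.0.10 are assumptions for illustration.

```python
import ipaddress
import re

# Constructed subset of the 'show static' output quoted in the question.
SHOW_STATIC = """
static (dmz-net,outside) 195.238.45.34 192.168.80.34 netmask 255.255.255.255 0 0
static (dmz-net,outside) 195.238.45.40 192.168.80.46 netmask 255.255.255.255 0 0
static (im-net,outside) 195.238.45.43 192.168.8.43 netmask 255.255.255.255 0 0
static (inside,dmz-net) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
"""

STATIC_RE = re.compile(
    r"static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)"
)


def parse_statics(text):
    """Parse 'show static' lines into (real_if, mapped_if, mapped_net, real_net)."""
    out = []
    for m in STATIC_RE.finditer(text):
        mapped = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False)
        real = ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=False)
        out.append((m["real_if"], m["mapped_if"], mapped, real))
    return out


def acl_address(statics, acl_if, host_ip, host_if):
    """Address an ACL applied on acl_if must use for a host that lives on host_if.

    Hosts behind acl_if itself keep their real address. A host behind another
    interface appears as whatever a static (host_if,acl_if) maps it to; with
    no such static the address crosses untranslated (assumed behaviour).
    """
    ip = ipaddress.ip_address(host_ip)
    if host_if != acl_if:
        for real_if, mapped_if, mapped_net, real_net in statics:
            if real_if == host_if and mapped_if == acl_if and ip in real_net:
                # keep the host offset so network statics (e.g. the /24) work too
                return str(mapped_net.network_address + (int(ip) - int(real_net.network_address)))
    return str(ip)


def ace(statics, acl_if, proto, src, src_if, dst, dst_if, port=None):
    """Build one access-list entry for the ACL applied 'in' on acl_if (hypothetical name)."""
    s = acl_address(statics, acl_if, src, src_if)
    d = acl_address(statics, acl_if, dst, dst_if)
    line = f"access-list {acl_if}_in permit {proto} host {s} host {d}"
    return line + (f" eq {port}" if port else "")
```

For the inbound dmz-net ACL the DMZ server is named by its private address, while the same host in an outside-facing ACL is named by its static global address.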