Nat from DMZ to inside on PIX 515

Maximus
Jun 10, 2003
Archived from groups: comp.security.firewalls

Hello,

I have a classical PIX 515 with 3 interfaces.

Outside is, for example, 195.238.10.10/28
Inside is 10.10.10.0/25
DMZ is 192.168.25.0/27

.1 is always the IP address of the ethernet adapter facing those networks.

In the DMZ, I have an FTP server. I know it is bad but that server
needs to send data to a machine located in the inside network.

I should do "static" to achieve so. But, I do not want the ftp server
to know the real IP address of the inside server (NFS)

If that internal server is 10.10.10.10, how do I make sure it is
192.168.30.30 for the ftp server? Do I have to do such a reverse NAT?
What's up with the routing?

Many thanks,

MAXIMUS

Guest

I would try to make sure that the spoofed IP address is on the same subnet as
your dmz. You stated that your DMZ is 192.168.25.0/27, which has a mask of
255.255.255.224, allowing for 8 subnets and 30 hosts per subnet. The first subnet would be
192.168.25.0, with .1 being the first host, .30 being the last, and .31 being your
broadcast. I know you didn't ask for a subnetting response, but I wanted to make sure
that you understand where I'm coming from. If you simply have the ftp server use an
IP assigned to the dmz, all should work well as follows:

static (inside,dmz) 192.168.25.30 10.10.10.10 netmask 255.255.255.255
access-list dmz_out permit tcp 192.168.25.0 255.255.255.224 host 192.168.25.30 range XXX XXX
access-group dmz_out in interface dmz

Also, you may have to tweak the systems' hosts files.



jya-c9@iximail.com (MAXIMUS) wrote in news:8c80ad15.0404270652.4ad43676@posting.google.com:

> Hello,
>
> I have a classical PIX 515 with 3 interfaces.
>
> Outside is, for example, 195.238.10.10/28
> Inside is 10.10.10.0/25
> DMZ is 192.168.25.0/27
>
> .1 is always the ip of the ethernet adapter facing those networks.
>
> In the DMZ, I have an FTP server. I know it is bad but that server
> needs to send data to a machine located in the inside network.
>
> I should do "static" to achieve so. But, I do not want the ftp server
> to know the real IP address of the inside server (NFS)
>
> If that internal server is 10.10.10.10, how do I make sure it is
> 192.168.30.30 for the ftp server? Do I have to do such a reverse NAT?
> What's up with the routing?
>
> Many thanks,
>
> MAXIMUS
>
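An added example, not part of either post, that automates the reply's advice: it checks that the address the FTP server will see is a usable host on the DMZ subnet (flagging the poster's off-subnet 192.168.30.30), and emits the static and access-list lines from the reply narrowed to a single DMZ host. The FTP server address 192.168.25.20 and the NFS port 2049 are assumptions; the reply leaves the port range as XXX XXX.

```python
"""Sanity checks for the PIX static (inside,dmz) mapping discussed above."""
from ipaddress import IPv4Address, IPv4Network

# Addressing from the thread; .1 is the PIX interface on each segment.
DMZ_NET = IPv4Network("192.168.25.0/27")
DMZ_IF = IPv4Address("192.168.25.1")
INSIDE_NET = IPv4Network("10.10.10.0/25")


def dmz_host_range():
    """First usable host, last usable host and broadcast of the DMZ subnet."""
    hosts = list(DMZ_NET.hosts())
    return str(hosts[0]), str(hosts[-1]), str(DMZ_NET.broadcast_address)


def check_mapped_address(mapped):
    """Problems with presenting an inside host to the DMZ as `mapped`; [] means usable."""
    addr = IPv4Address(mapped)
    if addr not in DMZ_NET:
        # Off-subnet global: the DMZ host can only reach it via its default gateway.
        return [f"{addr} is not on the DMZ subnet {DMZ_NET}"]
    problems = []
    if addr == DMZ_NET.network_address:
        problems.append(f"{addr} is the network address")
    if addr == DMZ_NET.broadcast_address:
        problems.append(f"{addr} is the broadcast address")
    if addr == DMZ_IF:
        problems.append(f"{addr} is the PIX DMZ interface address")
    return problems


def pix_static_lines(real, mapped, ftp_host, low, high):
    """Emit the reply's static/access-list lines, narrowed from the whole DMZ
    subnet to the single FTP host and the ports the NFS server actually needs."""
    if IPv4Address(real) not in INSIDE_NET:
        raise ValueError(f"{real} is not an inside address")
    problems = check_mapped_address(mapped)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"static (inside,dmz) {mapped} {real} netmask 255.255.255.255",
        f"access-list dmz_out permit tcp host {ftp_host} host {mapped} range {low} {high}",
        "access-group dmz_out in interface dmz",
    ]


if __name__ == "__main__":
    # 192.168.25.20 (FTP server) and port 2049 (NFS) are assumed; the reply leaves the range as XXX XXX.
    print(check_mapped_address("192.168.30.30"))  # the poster's off-subnet choice
    print("\n".join(pix_static_lines("10.10.10.10", "192.168.25.30", "192.168.25.20", 2049, 2049)))
```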