Nat from DMZ to inside on PIX 515

Archived from groups: comp.security.firewalls

Hello,

I have a classical PIX 515 with 3 interfaces.

Outside is, for example, 195.238.10.10/28
Inside is 10.10.10.0/25
DMZ is 192.168.25.0/27

..1 is always the ip of the ethernet adapter facing those networks.

In the DMZ, I have an FTP server. I know it is bad but that server
needs to send data to a machine located in the inside network.

I should do "static" to achieve so. But, I do not want the ftp server
to know the real IP address of the inside server (NFS)

If that internal server is 10.10.10.10, how do I make sure it is
192.168.30.30 for the ftp server? I have to do such a reverse NAT?
What's up with the routing?

Many thanks,

MAXIMUS

    I would try to make sure that the spoofed IP address is on the same subnet as
    your dmz. You stated that your DMZ is 192.168.25.0/27 which has a mask of
    255.255.255.224 allowing for 8 subnets and 30 hosts per. The first subnet would be
    192.168.25.0 with .1 being the first, 30 being the last, and 31 being your
    broadcast. I know you didn't ask for a subnetting response but I wanted to assure
    that you understand where I'm coming from. If you simply have the ftp server use an
    IP assigned to the dmz all should work well as follows:

    static (inside,dmz) 192.168.25.30 10.10.10.10 netmask 255.255.255.255
    access-list dmz_out permit tcp 192.168.25.0 255.255.255.224 host 192.168.25.30 range XXX XXX
    access-group dmz_out in interface dmz

    Also, you may have to tweak the systems' hosts files.


    jya-c9@iximail.com (MAXIMUS) wrote in news:8c80ad15.0404270652.4ad43676@posting.google.com:

    > Hello,
    >
    > I have a classical PIX 515 with 3 interfaces.
    >
    > Outside is, for example, 195.238.10.10/28
    > Inside is 10.10.10.0/25
    > DMZ is 192.168.25.0/27
    >
    > .1 is always the ip of the ethernet adapter facing those networks.
    >
    > In the DMZ, I have an FTP server. I know it is bad but that server
    > needs to send data to a machine located in the inside network.
    >
    > I should do "static" to achieve so. But, I do not want the ftp server
    > to know the real IP address of the inside server (NFS)
    >
    > If that internal server is 10.10.10.10, how do I make sure it is
    > 192.168.30.30 for the ftp server? I have to do such a reverse NAT?
    > What's up with the routing?
    >
    > Many thanks,
    >
    > MAXIMUS
    >
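As an added check that is not part of the thread: a small Python helper that applies the rule in the answer above (the mapped address must be a real host address inside the DMZ /27, not the network, broadcast or the PIX's own .1) and then emits the static/access-list lines in the form the answer used. The function names and the port range 2049 are my assumptions; the question's 192.168.30.30 is rejected because it lies outside 192.168.25.0/27.

```python
import ipaddress

# Addresses from the question; the .1 of each subnet is the PIX interface.
DMZ = ipaddress.ip_network("192.168.25.0/27")
INSIDE = ipaddress.ip_network("10.10.10.0/25")
FIREWALL_HOST = 1


def check_mapped_ip(mapped, dmz=DMZ, fw_host=FIREWALL_HOST):
    """Return (ok, reason): may an inside host be exposed as `mapped` on the DMZ?"""
    ip = ipaddress.ip_address(mapped)
    if ip not in dmz:
        # DMZ hosts would send this to their default gateway instead of the PIX
        # translation, which is the problem with the 192.168.30.30 in the question.
        return False, f"{ip} is outside the DMZ subnet {dmz}"
    if ip in (dmz.network_address, dmz.broadcast_address):
        return False, f"{ip} is the network or broadcast address of {dmz}"
    if ip == dmz.network_address + fw_host:
        return False, f"{ip} is the PIX's own DMZ interface address"
    # The PIX proxy-ARPs for a static's mapped address, so it must also be an
    # address no real DMZ host uses; that cannot be checked offline here.
    return True, f"{ip} is a usable host address in {dmz}"


def pix_static_lines(mapped, real, low_port, high_port, dmz=DMZ, inside=INSIDE):
    """Build the static + ACL lines in the form the answer used; low_port/high_port
    stand in for the answer's 'range XXX XXX' placeholder (assumed values)."""
    ok, reason = check_mapped_ip(mapped, dmz)
    if not ok:
        raise ValueError(reason)
    if ipaddress.ip_address(real) not in inside:
        raise ValueError(f"{real} is not an inside host in {inside}")
    return [
        # static (real_ifc,mapped_ifc) mapped_ip real_ip: 10.10.10.10 appears
        # to DMZ hosts only as 192.168.25.30
        f"static (inside,dmz) {mapped} {real} netmask 255.255.255.255",
        # ACL on the DMZ interface references the mapped (DMZ-side) address
        f"access-list dmz_out permit tcp {dmz.network_address} {dmz.netmask} "
        f"host {mapped} range {low_port} {high_port}",
        "access-group dmz_out in interface dmz",
    ]


if __name__ == "__main__":
    print(check_mapped_ip("192.168.30.30"))  # the address from the question
    for line in pix_static_lines("192.168.25.30", "10.10.10.10", 2049, 2049):
        print(line)
```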