Book Excerpt: Cisco Secure Internet Security Solutions - part 4 - Page 6
Additional Single-DMZ Configuration Considerations
The remaining changes to this configuration involve commands that were previously examined in this chapter. You added a new nat statement with the interface set as public to allow for translation of the public DMZ to global addresses. This eliminates the chance that anyone from the outside will see any traffic on the inside network. You can use NAT on all of the public hosts and add them to the common global pool. The command used is as follows:
nat (public) 1 192.168.2.1 255.255.255.0 0 0Next, you change the static NAT for the Web, FTP, and e-mail servers from the inside interface to the public interface. The new lines read:
static (public, outside) 192.168.1.30 192.168.2.30 static (public, outside) 192.168.1.35 192.168.2.35 static (public, outside) 192.168.1.49 192.168.2.49If you were using the previous configuration, you would have needed to remove the old static translations using the no form of the static command. You also added a new conduit statement. This statement allows any Oracle database traffic from the Web server on the public interface to enter into your inside LAN. The PIX Firewall uses port 1521 for SQL*Net. This is also the default port used by Oracle for SQL*Net, despite the fact that this value does not agree with Internet Assigned Numbers Authority (IANA) port assignments.
Because the Web server has a database running in the background, you need to allow traffic from this Web server to enter into the LAN and talk to the Oracle database servers. These tasks are accomplished with the following lines:
conduit permit tcp host 192.168.1.30 eq http any conduit permit tcp host 192.168.1.35 eq ftp any conduit permit tcp host 192.168.1.49 eq smtp any conduit permit tcp any eq sqlnet host 192.168.1.30You also added a few new route statements. You added routes for both the Seattle and Manchester networks as well as the public network. Finally, you made sure that the NAT changes would occur by issuing a clear xlate command and then writing the configuration.