PIX 520 DMZ to INSIDE

Unanswered Question
Feb 13th, 2007

Silly question here, but I give up and am cold stuck.

If I have a web app running on port 8080 on a DMZ'd web server and I want to give my users on the inside as well as the public on the outside access to this web app, what would the acl look like?

Would I need a static trans?

For example:

User on inside - 192.168.1.0-192.168.5.0

PIX DMZ int.: 192.168.100.1

Web Srv on DMZ int. IP: 192.168.100.2

Thanks to All whom can solve this mystery!

acomiskey Tue, 02/13/2007 - 08:53

For outside users you need static and acl.

static (DMZ,outside) <public_ip> 192.168.100.2 netmask 255.255.255.255

access-list <acl_name> permit tcp any host <public_ip> eq 8080

access-group <acl_name> in interface outside

For inside users try...

static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

cratejockey Tue, 02/13/2007 - 09:00

Users on the inside should by default be able to access the application as far as ACLs are concerned. Because your INSIDE interface is more trusted, the traffic will flow to a less trusted interface, i.e. your DMZ. Concerning NAT, you may have to do a nat 0 for traffic to flow back to inside correctly, but it really depends on your config.

If you have ACLs written already for your INSIDE interface, you will need to update them with something like this:

access-list INSIDE permit TCP 192.168.1.0 255.255.255.0 host 192.168.100.2 eq 8080

Hope this helps. Good luck.

acomiskey Tue, 02/13/2007 - 09:05

I think you meant

access-list INSIDE permit TCP 192.168.1.0 255.255.255.0 host 192.168.100.2 eq 8080

cratejockey Tue, 02/13/2007 - 09:18

Thanks for the heads up, you're right. I edited my post with the correct ACL. Sorry about that.

milanod Tue, 02/13/2007 - 13:13

I was able to get the outside access working just fine, then I went to set the static for the inside users access to the DMZ. I did this according to acomiskey first post. It worked enough to get access to the DMZ from the inside, but..

I had many people telling me their internet connections and local resource connections were dropping randomly. I checked this to be true, so I removed the static. I assume this is because of an existing NAT statement, and the PIX is just looping?

cratejockey's post about depending on my config might shed some light here. Do you have a recommendation?

Here is some more info to help:

MD-Pix# sho nat

nat (inside) 0 access-list 102 (VPN Clients)

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Thx

acomiskey Tue, 02/13/2007 - 14:09

So local resource connections are through pix?

Anyway, not sure what the issue is, so communication between inside and dmz worked, but it messed everything else up? Try

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

If that works ok, then add one for each 192.168.x network.
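One thing worth checking before retrying the inside-to-DMZ statics is what address range each candidate static actually covers. The first suggestion, static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0, covers all of 192.168.0.0/16, which includes the DMZ's own 192.168.100.0/24 (assuming a /24 on the 192.168.100.1 interface); the per-network /24 statics in the last reply do not. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses PIX 6.x style static lines (static (real_if,mapped_if) mapped_ip real_ip netmask mask), confirms every inside user network from the question is covered by an identity static toward the DMZ, and flags any static whose mapped range overlaps the DMZ subnet. The inside networks (192.168.1.0/24 through 192.168.5.0/24) and DMZ subnet are taken from the question; the three config snippets are constructed from the replies.

```python
"""Sanity-check PIX identity statics for inside-to-DMZ reachability.

Added example, not part of the original thread. Assumptions (constructed
from the question): inside users live in 192.168.1.0/24 .. 192.168.5.0/24
and the DMZ interface 192.168.100.1 sits in 192.168.100.0/24.
"""
import ipaddress
import re
from typing import List, Tuple

# PIX 6.x syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)\s+"
    r"netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s*$"
)

Static = Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def parse_statics(config: str) -> List[Static]:
    """Return (real_if, mapped_if, mapped_net, real_net) for each static line;
    non-static lines (nat, access-list, ...) are ignored."""
    result: List[Static] = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        # ipaddress accepts dotted netmasks; strict=False tolerates host bits.
        mapped = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False)
        real = ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=False)
        result.append((m["real_if"], m["mapped_if"], mapped, real))
    return result


def check_inside_to_dmz(config: str,
                        inside_nets: List[ipaddress.IPv4Network],
                        dmz_net: ipaddress.IPv4Network) -> Tuple[List[str], List[str]]:
    """Return (inside networks not covered by an inside->DMZ static,
    mapped ranges of inside->DMZ statics that overlap the DMZ subnet)."""
    statics = [s for s in parse_statics(config)
               if (s[0].lower(), s[1].lower()) == ("inside", "dmz")]
    uncovered = [str(n) for n in inside_nets
                 if not any(n.subnet_of(s[3]) for s in statics)]
    overlapping = [str(s[2]) for s in statics if s[2].overlaps(dmz_net)]
    return uncovered, overlapping


# Constructed inputs mirroring the thread.
INSIDE_NETS = [ipaddress.ip_network(f"192.168.{i}.0/24") for i in range(1, 6)]
DMZ_NET = ipaddress.ip_network("192.168.100.0/24")

CONFIG_SLASH16 = """\
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
"""

CONFIG_ONE_SLASH24 = """\
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
"""

# "add one for each 192.168.x network", as the last reply suggests
CONFIG_ALL_SLASH24 = "nat (inside) 1 0.0.0.0 0.0.0.0 0 0\n" + "".join(
    f"static (inside,DMZ) 192.168.{i}.0 192.168.{i}.0 netmask 255.255.255.0\n"
    for i in range(1, 6)
)

if __name__ == "__main__":
    for name, cfg in [("/16", CONFIG_SLASH16), ("one /24", CONFIG_ONE_SLASH24),
                      ("all /24", CONFIG_ALL_SLASH24)]:
        uncovered, overlapping = check_inside_to_dmz(cfg, INSIDE_NETS, DMZ_NET)
        print(f"{name:8} uncovered={uncovered} overlaps_dmz={overlapping}")
```

Run as a script it prints one line per candidate: the /16 static covers every inside network but also overlaps the DMZ subnet, a single /24 static leaves 192.168.2.0 through 192.168.5.0 uncovered, and five /24 statics cover everything with no overlap.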
