PIX 520 DMZ to INSIDE

milanod (Level 1)

Silly question here, but I give up and am cold stuck.

If I have a web app running on port 8080 on a DMZ'd web server and I want to give my users on the inside as well as the public on the outside access to this web app, what would the ACL look like?

Would I need a static trans?

For example:

User on inside - 192.168.1.0-192.168.5.0

PIX DMZ int.: 192.168.100.1

Web Srv on DMZ int. IP: 192.168.100.2

Thanks to all who can solve this mystery!

6 Replies

acomiskey (Level 10)

For outside users you need a static and an ACL. (PUBLIC_IP is a placeholder for the public address you give the web server, which the post does not state, and OUTSIDE_IN is a placeholder for the ACL name.)

static (DMZ,outside) PUBLIC_IP 192.168.100.2 netmask 255.255.255.255

access-list OUTSIDE_IN permit tcp any host PUBLIC_IP eq 8080

access-group OUTSIDE_IN in interface outside

For inside users try...

static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

cratejockey (Level 1)

Users on the inside should by default be able to access the application as far as ACLs are concerned. Because your INSIDE interface is more trusted, the traffic will flow to a less trusted interface, i.e. your DMZ. Concerning NAT, you may have to do a nat 0 for traffic to flow back to the inside correctly, but it really depends on your config.

If you have ACLs written already for your INSIDE interface, you will need to update them with something like this:

access-list INSIDE permit tcp 192.168.1.0 255.255.255.0 host 192.168.100.2 eq 8080

Hope this helps. Good luck.

I think you meant

access-list INSIDE permit tcp 192.168.1.0 255.255.255.0 host 192.168.100.2 eq 8080

Thanks for the heads up, you're right. I edited my post with the correct ACL. Sorry about that.

milanod (Level 1)

I was able to get the outside access working just fine, then I went to set the static for the inside users' access to the DMZ. I did this according to acomiskey's first post. It worked enough to get access to the DMZ from the inside, but...

I had many people telling me their internet connections and local resource connections were dropping randomly. I checked this to be true, so I removed the static. I assume this is because of an existing NAT statement, and the PIX is just looping?

cratejockey's post about depending on my config might shed some light here. Do you have a recommendation?

Here is some more info to help:

MD-Pix# sho nat

nat (inside) 0 access-list 102 (VPN Clients)

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Thx

So local resource connections go through the PIX?

Anyway, not sure what the issue is, so communication between inside and DMZ worked, but it messed everything else up? Try

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

If that works ok, then add one for each 192.168.x network.
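An added sanity check, not part of the thread and not a PIX command: before applying an identity static like the /16 one from the first reply, it is worth confirming that its mapped range does not swallow the subnet of the interface it is presented on. 192.168.0.0/16 covers 192.168.100.0/24, so a static (inside,DMZ) for the whole /16 also claims the DMZ's own addresses from the DMZ side; whether that caused the drops reported above the thread does not say, but it is the kind of overlap to rule out. The script parses PIX static lines, reports such overlaps, and generates the per-/24 identity statics the last reply suggests for 192.168.1.0 through 192.168.5.0. The DMZ subnet mask of /24 is an assumption; the post only gives the interface address 192.168.100.1.

```python
import ipaddress
import re

# Constructed from the thread: the five inside user networks and the DMZ subnet.
# The DMZ mask is an assumption; the post only gives the interface address 192.168.100.1.
INSIDE_NETWORKS = [f"192.168.{n}.0/24" for n in range(1, 6)]
INTERFACE_SUBNETS = {"DMZ": "192.168.100.0/24"}

# PIX syntax: static (real_if,mapped_if) mapped_addr real_addr netmask MASK
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?P<mapped>[\d.]+)\s+(?P<real>[\d.]+)\s+netmask\s+(?P<mask>[\d.]+)\s*$"
)


def parse_static(line):
    """Return (real_if, mapped_if, mapped_net, real_net) for a PIX 'static' line."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static statement: {line!r}")
    mask = m["mask"]
    # strict=False tolerates host bits set in the address part of the line.
    mapped = ipaddress.ip_network(f"{m['mapped']}/{mask}", strict=False)
    real = ipaddress.ip_network(f"{m['real']}/{mask}", strict=False)
    return m["real_if"], m["mapped_if"], mapped, real


def overlapping_subnets(line, interface_subnets=INTERFACE_SUBNETS):
    """Names of interfaces (other than the real one) whose subnet the mapped range overlaps.

    A non-empty result means the static would claim addresses that belong to
    another interface's own network, as the /16 identity static does for the DMZ.
    """
    real_if, _mapped_if, mapped, _real = parse_static(line)
    hits = []
    for name, subnet in interface_subnets.items():
        if name != real_if and mapped.overlaps(ipaddress.ip_network(subnet)):
            hits.append(name)
    return hits


def identity_statics(real_if, mapped_if, networks=INSIDE_NETWORKS):
    """One identity static per network: the per-/24 form the last reply recommends."""
    lines = []
    for n in networks:
        net = ipaddress.ip_network(n)
        lines.append(
            f"static ({real_if},{mapped_if}) {net.network_address} "
            f"{net.network_address} netmask {net.netmask}"
        )
    return lines


if __name__ == "__main__":
    broad = "static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0"
    print(broad, "-> overlaps:", overlapping_subnets(broad))
    for stmt in identity_statics("inside", "DMZ"):
        print(stmt, "-> overlaps:", overlapping_subnets(stmt))
```

Run it as-is and the /16 static reports an overlap with DMZ while each /24 static reports none; add your own interface subnets to INTERFACE_SUBNETS to check a real config.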
