Global IP communications problems with outside interface

Unanswered Question
May 11th, 2007
Hi all. I have a small problem I need help figuring out.


I have a Global statement:

global (outside) 2 1.1.1.10 netmask 255.255.255.240

And my nat statement is:

nat (dmz2) 2 0.0.0.0 0.0.0.0 0 0


Now, I have a host inside DMZ2 that wants to talk to my PIX's outside interface which is: 1.1.1.3


So the traffic goes from insidehost -> gets PAT/NAT with 1.1.1.10 (global interface) and then tries to contact the real outside interface 1.1.1.3. But it doesn't work.


In my DMZ2 ACL I have the rule "permit ip any any" just to be on the safe side.

My insidehost can contact other sites outside my PIX. (I have 2 other PIXes with other IP ranges that the inside host can contact without problems.)


So, is it possible for the global interface to contact the outside interface, or is that denied somehow intentionally?


Or do I need to add a rule in the outside ACL that permits the outside interface to communicate with the global interface?

Regards

Anders

vitripat Fri, 05/11/2007 - 02:41

This won't work. But why exactly do you need a DMZ host to communicate with the PIX's outside interface IP address? If you can tell us the requirement, like a webserver on the inside using the PIX's outside interface IP address, we may be able to help.


Regards,

Vibhor.

It is recommended to use static NAT translation for servers within a DMZ, for example.


static (dmz,outside) 66.44.44.33 192.168.1.1 netmask 255.255.255.255


If 192.168.1.1 (real address) is a webserver, then do:


access-l outside_in permit tcp any host 66.44.44.33 eq 80


access-group outside_in in interface OUTSIDE
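
The following is an added example, not code from any poster in this thread: a small Python check that reads PIX-style configuration text, pairs each nat id with its global pool, confirms every static has a host-scoped permit in the ACL bound to its mapped interface, and flags "permit ip any any" entries. The sample uses the commands quoted above; the ACL name dmz2_in is hypothetical, and interface names are compared case-insensitively as an assumption. It inspects configuration text only and does not model how the firewall forwards traffic.

```python
import re

# Constructed sample: commands quoted in the thread, plus a hypothetical
# dmz2_in ACL standing in for the poster's "permit ip any any" rule.
SAMPLE = """\
global (outside) 2 1.1.1.10 netmask 255.255.255.240
nat (dmz2) 2 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 66.44.44.33 192.168.1.1 netmask 255.255.255.255
access-l outside_in permit tcp any host 66.44.44.33 eq 80
access-group outside_in in interface OUTSIDE
access-list dmz2_in permit ip any any
access-group dmz2_in in interface dmz2
"""

def audit(config):
    """Return (pat_pairs, findings) for PIX-style config text."""
    pools, nats, statics, aces, bound = {}, [], [], {}, {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4:
            continue
        if t[0] == "global":            # global (if) id address ...
            pools.setdefault(t[2], []).append((t[1].strip("()").lower(), t[3]))
        elif t[0] == "nat":             # nat (if) id network mask ...
            nats.append((t[1].strip("()").lower(), t[2]))
        elif t[0] == "static":          # static (real_if,mapped_if) mapped_ip real_ip
            statics.append((t[1].strip("()").lower().split(",")[1], t[2]))
        elif t[0] == "access-group":    # access-group acl in interface if
            bound[t[4].lower()] = t[1]
        elif "access-list".startswith(t[0]) and len(t[0]) >= 8:  # accepts "access-l"
            aces.setdefault(t[1], []).append(" ".join(t[2:]))
    pairs, findings = [], []
    for ifname, nat_id in nats:
        # nat id 0 is NAT exemption and needs no global pool
        if nat_id not in pools and nat_id != "0":
            findings.append(f"nat ({ifname}) {nat_id}: no global pool with this id")
        pairs += [(ifname, nat_id, out_if, ip) for out_if, ip in pools.get(nat_id, [])]
    for acl, rules in aces.items():
        findings += [f"{acl}: unrestricted '{r}'" for r in rules if r == "permit ip any any"]
    for mapped_if, mapped_ip in statics:
        rules = aces.get(bound.get(mapped_if), [])
        if not any(re.match(rf"permit .*\bhost {re.escape(mapped_ip)}( |$)", r) for r in rules):
            findings.append(f"static {mapped_ip}: no permit on ({mapped_if}) ACL")
    return pairs, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```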
