05-11-2007 01:39 AM - edited 03-11-2019 03:12 AM
Hi all. I have a small problem I need help to figure out.
I have a Global statement:
global (outside) 2 1.1.1.10 netmask 255.255.255.240
And my nat statement is:
nat (dmz2) 2 0.0.0.0 0.0.0.0 0 0
Now, I have a host inside DMZ2 that wants to talk to my PIX's outside interface which is: 1.1.1.3
So the traffic goes from the inside host -> gets PAT/NAT with 1.1.1.10 (global interface) and then tries to contact the real outside interface 1.1.1.3. But it doesn't work.
In my DMZ2 ACL I have the rule "permit ip any any" just to be on the safe side.
My insidehost can contact other sites outside my PIX. (I Have 2 other pix with other ip-ranges that the inside host can contact without problems.)
So, is it possible for the global interface to contact the outside interface, or is that denied somehow intentionally?
Or do I need to add a rule in the outside ACL that permits the outside interface to communicate with the global interface?
Regards
Anders
05-11-2007 02:41 AM
This won't work. But why exactly do you need a DMZ host to communicate with the PIX's outside interface IP address? If you can tell us the requirement, like a webserver on the inside using the PIX's outside interface IP address, we may be able to help.
Regards,
Vibhor.
05-11-2007 03:03 AM
hi
might have figured something out, gonna test and come back later
brb
05-12-2007 04:04 PM
It is recommended to use static nat translation for servers within a DMZ, for example.
static (dmz,outside) 66.44.44.33 192.168.1.1 netmask 255.255.255.255
If 192.168.1.1 (real address) is a webserver, then do:
access-l outside_in permit tcp any host 66.44.44.33 eq 80
access-group outside_in in interface OUTSIDE
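As an added illustration (not part of any post in this thread, and not Cisco code), here is a small Python model of the translation rules discussed above: it parses the `global`/`nat` pair from the first post and the `static` from the last one, and reports what source address a flow would get, or that the flow is the unsupported case of a PAT'd DMZ host aiming at the PIX's own outside interface address. The DMZ2 host address 10.0.0.5 and the destination 203.0.113.7 are constructed; the interface address 1.1.1.3 and the config lines are the thread's own.

```python
"""Model of the PIX NAT rules quoted in this thread (added example, not from the thread)."""
import ipaddress
import re

# Constructed config: the exact lines quoted in the posts above.
CONFIG = """
global (outside) 2 1.1.1.10 netmask 255.255.255.240
nat (dmz2) 2 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 66.44.44.33 192.168.1.1 netmask 255.255.255.255
"""
# The PIX's own outside interface address, as given in the first post.
INTERFACE_IPS = {"outside": ipaddress.ip_address("1.1.1.3")}

GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"nat \((\w+)\) (\d+) (\S+) (\S+)")
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+)")


def parse(config):
    """Return (globals by (interface, id), nat rules, statics by (interface, real ip))."""
    globals_, nats, statics = {}, [], {}
    for line in config.strip().splitlines():
        if m := GLOBAL_RE.match(line):
            globals_[(m[1], int(m[2]))] = ipaddress.ip_address(m[3])
        elif m := NAT_RE.match(line):
            # "0.0.0.0 0.0.0.0" becomes the catch-all network 0.0.0.0/0.
            nats.append((m[1], int(m[2]), ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)))
        elif m := STATIC_RE.match(line):
            statics[(m[1], ipaddress.ip_address(m[4]))] = (m[2], ipaddress.ip_address(m[3]))
    return globals_, nats, statics


def translate(config, src_if, src_ip, dst_if, dst_ip):
    """Return (translated source address or None, verdict) for a flow src_if -> dst_if."""
    globals_, nats, statics = parse(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if dst == INTERFACE_IPS.get(dst_if):
        # The case from the first post: a DMZ host targeting the PIX's own interface address.
        return None, "unsupported: destination is the PIX's own interface address"
    key = (src_if, src)
    if key in statics and statics[key][0] == dst_if:
        return statics[key][1], "static one-to-one translation"
    for nat_if, nat_id, net in nats:
        if nat_if == src_if and src in net and (dst_if, nat_id) in globals_:
            return globals_[(dst_if, nat_id)], f"dynamic PAT via global id {nat_id}"
    return None, "no nat/global or static rule matches"
```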