Global IP communications problems with outside interface

anders.lindback · ‎05-11-2007

Hi all. I have small problem I need help to figure out

I have a Global statement:

global (outside) 2 1.1.1.10 netmask 255.255.255.240

And my nat statement is:

nat (dmz2) 2 0.0.0.0 0.0.0.0 0 0

Now, I have a host inside DMZ2 that wants to talk to my PIX's outside interface which is: 1.1.1.3

So the traffic goes from insidehost -> gets PAT/NAT with 1.1.1.10 (global interface) and then trying to contact the real outside interface 1.1.1.3. But it dont work

In my DMZ2 ACL i have the rule "permit ip any any" just to be on the safe side.

My insidehost can contact other sites outside my PIX. (I Have 2 other pix with other ip-ranges that the inside host can contact without problems.)

So, is it possible for the global interface to contact the outside interface or is that denied somehow intentionaly`?

Or do i need to add a rule in the outside ACL that permits the outside interface to communicate with the global interface?

Regards

Anders

vitripat · ‎05-11-2007

This wont work. But why exactly do you need a DMZ host to communicate with PIX's outside interface IP address? If you can tell the requirement like a webserver on inside using PIX's outside interface IP address, we may be able to help.

Regards,

Vibhor.

anders.lindback · ‎05-11-2007

hi

might have figured something out, gonna test and come back later

brb

joshua.walton · ‎05-12-2007

It is recommended to use static nat translation for servers within a DMZ, for example.

static (dmz,outside) 66.44.44.33 192.168.1.1 netmask 255.255.255.255

If 192.168.1.1 (real address) is a webserver, then do:

access-l outside_in permit tcp any host 66.44.44.33 eq 80

access-group outside_in in interface OUTSIDE