Configuring DMZ on PIX 515


Hey guys/gals:


I want to put a web server on my DMZ. I set up the IP address on the PIX's DMZ interface. How can I get my web server access to my inside network and vice versa? I don't know what to do next.


I already created a VLAN in my network for this network 172.16.0.0. This network is in the same network as the DMZ's IP.


Muchas Gracias

acomiskey Tue, 11/06/2007 - 10:15

So if you have something like

ip address dmz 172.16.0.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0


To get the inside and dmz to talk, you could add:


static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0


To initiate communication from the dmz to the inside you will also need to create an ACL on the dmz. For instance, to get the dmz network to hit the inside network on ports 80 and 443 it would look like this:


access-list dmz permit tcp 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
access-list dmz permit tcp 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-list dmz deny ip any 192.168.1.0 255.255.255.0
access-list dmz permit ip any any
access-group dmz in interface dmz


Please rate helpful posts.
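As an added illustration (not part of the thread or of any Cisco tool), the following Python script evaluates the dmz ACL above with the PIX's first-match semantics and its implicit deny at the end. It shows why the deny line must sit before "permit ip any any", and what that last line actually opens up: with it, DMZ hosts reach anything that is not the inside network; without it, the implicit deny blocks them from everywhere else. The addresses in the flows are constructed test values.

```python
import ipaddress

# Constructed copy of the dmz ACL from the answer above (PIX 6.x syntax: subnet masks, not wildcards).
ACL_DMZ = [
    "access-list dmz permit tcp 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80",
    "access-list dmz permit tcp 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443",
    "access-list dmz deny ip any 192.168.1.0 255.255.255.0",
    "access-list dmz permit ip any any",
]


def _parse_addr(tokens, i):
    """Return (network, next token index) for 'any', 'host A' or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX ACLs use a normal subnet mask, which ipaddress accepts after the slash.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse one access-list entry: access-list NAME ACTION PROTO SRC DST [eq PORT]."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation: returns (action, matching line number) or ('deny', None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):      # 'ip' entries match every protocol
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n
    return "deny", None  # implicit deny at the end of every PIX ACL


if __name__ == "__main__":
    print(evaluate(ACL_DMZ, "tcp", "172.16.0.10", "192.168.1.20", 443))   # ('permit', 2)
    print(evaluate(ACL_DMZ, "tcp", "172.16.0.10", "192.168.1.20", 22))    # ('deny', 3)
    print(evaluate(ACL_DMZ, "tcp", "172.16.0.10", "203.0.113.5", 80))     # ('permit', 4)
    print(evaluate(ACL_DMZ[:3], "tcp", "172.16.0.10", "203.0.113.5", 80)) # ('deny', None)
```

Running the last two flows side by side answers the question of whether the final "permit ip any any" is needed: drop it and the DMZ web server can no longer reach anything outside the two permitted inside ports, so whether it is "necessary" depends on whether the DMZ hosts need outbound access at all.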

acomiskey Tue, 11/06/2007 - 10:50

It's correct. It is so no nat will take place between inside and dmz.

thebrom Thu, 11/15/2007 - 13:02

You also need to set up the devices on the DMZ with a default gateway matching the FW's DMZ interface address.

gomeso Fri, 11/16/2007 - 19:45

Hello,


I'm just curious about this command, "access-list dmz permit ip any any". Is it really necessary?
