Configuring DMZ on PIX 515

flopez · ‎11-06-2007

Hey guys/gals:

I want to put a web server on my DMZ. I set up the IP address on the PIX's DMZ. How can get my web server access to my inside network and vice versa? I don't know what to do next.

I already created a VLAN in my network for this network 172.16.0.0. This network is in the same network as the DMZ's IP.

Muchas Gracias

acomiskey · ‎11-06-2007

So if you have something like

ip address dmz 172.16.0.1 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

To get the inside and dmz to talk you could add..

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

To initiate communication from the dmz to the inside you will also need to create an acl on the dmz. For instance, to get the dmz network to hit the inside network on port 80 and 443 it would look like this...

access-list dmz permit tcp 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80

access-list dmz permit tcp 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443

access-list dmz deny ip any 192.168.1.0 255.255.255.0

access-list dmz permit ip any any

access-group dmz in interface dmz

Please rate helpful posts.

flopez · ‎11-06-2007

Is this line correct? Or do these two networks need to be different?

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

I don't understand this command. Thanks

acomiskey · ‎11-06-2007

It's correct. It is so no nat will take place between inside and dmz.

thebrom · ‎11-15-2007

you also need to setup the devices on the DMZ with the default gateway to match that of the FW DMZ interface.

gomeso · ‎11-16-2007

Hello,

I'm just curious about this command "access-list dmz permit ip any any"...is it really necessary?