Web Server access from one DMZ to other

Dec 6th, 2007

I have a pair of Cisco PIX 525 with PIX version 6.3(4). I am trying to configure web server access from one DMZ interface to the other. I tried a couple of scenarios but could not work it out.

The configuration I did is as follows:

1. Create the static nat

static (PACS_DATA,EPCT) netmask 0 0

2. Created the access list and nat to exempt from the nat

access-list EPCT_nat permit ip any

nat (EPCT) 0 access-list EPCT_nat

3. Created the access list to permit all the traffic to access web server

access-list EPCT_in permit tcp host eq www

My firewall configurations are as follows:

nameif ethernet2 EPCT security9

nameif vlan486 PACS_DATA security16

global (EPCT) 1 interface

nat (EPCT) 1 outside 0 0

nat (PACS_DATA) 0 access-list PACS_DATA_NAT

Any help will be highly appreciated.

meesaw Thu, 12/06/2007 - 10:31

Sorry, I forgot to tell you that I am getting this error message in the logs:

PIX-3-305006: regular translation creation failed for icmp src xxxx dst xxxx(type 8, code 0)

husycisco Tue, 12/11/2007 - 01:49

Hi Waseem

Please tell me in which DMZ your webserver is located, its IP, and from which interface and from which IP you want to reach the webserver.


meesaw Tue, 12/11/2007 - 10:21

My webserver is in the PACS VLAN DMZ and my clients are in the EPCT DMZ. Webserver IP is and my EPCT subnet is /23. I want to configure access for all of EPCT to this webserver.

acomiskey Tue, 12/11/2007 - 10:35

access-list EPCT_in permit tcp host eq www

access-group EPCT_in in interface EPCT

husycisco Tue, 12/11/2007 - 12:13

Adam, shouldn't it be as follows, since clients have to reach the web server?

static (EPCT,PACS_DATA) 10.150.61 41 netmask

access-list epct_access_in permit tcp host eq www

access-group epct_access_in in interface EPCT

(If you already have an ACL grouped to the interface, add the ACL entry to it; don't use the ACL name above.)


