Web Server access from one DMZ to other

Dec 6th, 2007

I have a pair of Cisco PIX 525 running PIX version 6.3(4). I am trying to configure web server access from one DMZ interface to another. I tried a couple of scenarios but could not work it out.


The configuration I did is as follows

1. Create the static nat

static (PACS_DATA,EPCT) 192.168.217.13 10.150.61.68 netmask 255.255.255.255 0 0


2. Created the access list and nat to exempt from the nat

access-list EPCT_nat permit ip any 10.150.61.0 255.255.255.0

nat (EPCT) 0 access-list EPCT_nat


3. Created the access list to permit all the traffic to access web server

access-list EPCT_in permit tcp 192.168.216.0 255.255.254.0 host 192.168.217.13 eq www


My firewall configurations are as follows


nameif ethernet2 EPCT security9

nameif vlan486 PACS_DATA security16


global (EPCT) 1 interface

nat (EPCT) 1 192.168.216.0 255.255.254.0 outside 0 0


nat (PACS_DATA) 0 access-list PACS_DATA_NAT


Any help will be highly appreciated.

meesaw Thu, 12/06/2007 - 10:31

Sorry, I forgot to tell you that I am getting this error message in the logs:

PIX-3-305006: regular translation creation failed for icmp src xxxx dst xxxx(type 8, code 0)



husycisco Tue, 12/11/2007 - 01:49

Hi Waseem

Please tell me in which DMZ your web server is located, its IP, and from which interface and from which IP you want to reach the web server.


Regards

meesaw Tue, 12/11/2007 - 10:21

My web server is in the PACS VLAN DMZ and my clients are in the EPCT DMZ. The web server IP is 10.150.61.41 and my EPCT subnet is 192.168.216.0/23. I want to configure access for all of EPCT to this web server.

acomiskey Tue, 12/11/2007 - 10:35

static (EPCT,PACS_DATA) 192.168.216.0 192.168.216.0 255.255.254.0


access-list EPCT_in permit tcp 192.168.216.0 255.255.254.0 host 192.168.217.13 eq www

access-group EPCT_in in interface EPCT

husycisco Tue, 12/11/2007 - 12:13

Adam, shouldn't it be as follows, since the clients have to reach the web server?


static (EPCT,PACS_DATA) 10.150.61.41 10.150.61.41 netmask 255.255.255.255

access-list epct_access_in permit tcp 192.168.216.0 255.255.255.0 host 10.150.61.41 eq www

access-group epct_access_in in interface EPCT


(If you already have an ACL applied to the interface, add the entry to that ACL; don't use the ACL name above.)


Regards
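Added example (an editor's model, not a command from this thread or Cisco code): a simplified simulation of how a PIX 6.3 handles a TCP flow from the lower-security EPCT interface (security9) to the higher-security PACS_DATA interface (security16). Such a flow needs a static whose real interface is PACS_DATA and whose mapped interface is EPCT, plus a permit in the ACL applied inbound on EPCT; without a matching static the firewall logs %PIX-3-305006, as in the original post. The "fixed" configuration below is this example's assumption (an identity static for 10.150.61.41 in the (PACS_DATA,EPCT) direction), and the model ignores nat 0 exemptions, dynamic xlates and other PIX features.

```python
import ipaddress
from dataclasses import dataclass

# Interface security levels taken from the original post's nameif lines.
SECURITY = {"EPCT": 9, "PACS_DATA": 16}


@dataclass(frozen=True)
class Static:
    # PIX 6.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str
    mask: str = "255.255.255.255"


@dataclass(frozen=True)
class AclEntry:
    # access-list NAME permit tcp SRC_NET SRC_MASK host DST_HOST eq PORT
    src_net: str
    src_mask: str
    dst_host: str
    port: int


def translate(statics, in_ifc, out_ifc, dst_ip):
    """Real address that dst_ip (seen on in_ifc) maps to on out_ifc, or None."""
    for s in statics:
        if s.real_ifc != out_ifc or s.mapped_ifc != in_ifc:
            continue  # wrong interface pair or wrong direction for this flow
        net = ipaddress.ip_network(f"{s.mapped_ip}/{s.mask}", strict=False)
        if ipaddress.ip_address(dst_ip) in net:
            offset = int(ipaddress.ip_address(dst_ip)) - int(net.network_address)
            return str(ipaddress.ip_address(int(ipaddress.ip_address(s.real_ip)) + offset))
    return None  # no xlate: PIX 6.3 reports %PIX-3-305006 translation creation failed


def permitted(acl, src_ip, dst_ip, port):
    """Inbound ACL on EPCT is matched against the mapped (untranslated) destination."""
    for e in acl:
        net = ipaddress.ip_network(f"{e.src_net}/{e.src_mask}", strict=False)
        if ipaddress.ip_address(src_ip) in net and dst_ip == e.dst_host and port == e.port:
            return True
    return False


def check_flow(statics, acl, src_ip, dst_ip, port=80):
    """Classify a client-to-server attempt from EPCT towards PACS_DATA."""
    real = translate(statics, "EPCT", "PACS_DATA", dst_ip)
    if real is None:
        return "305006 translation failed"
    if not permitted(acl, src_ip, dst_ip, port):
        return "denied by EPCT_in"
    return f"forwarded to {real}"


# Constructed from the thread: the original static points at 10.150.61.68, not the
# real server 10.150.61.41, so clients aiming at the server itself get no xlate.
OP_STATICS = [Static("PACS_DATA", "EPCT", "192.168.217.13", "10.150.61.68")]
OP_ACL = [AclEntry("192.168.216.0", "255.255.254.0", "192.168.217.13", 80)]
# Assumed fix (not from the thread): identity static for the real server address.
FIX_STATICS = [Static("PACS_DATA", "EPCT", "10.150.61.41", "10.150.61.41")]
FIX_ACL = [AclEntry("192.168.216.0", "255.255.254.0", "10.150.61.41", 80)]
```

Running `check_flow(OP_STATICS, OP_ACL, "192.168.216.10", "10.150.61.41")` reproduces the translation failure, while the assumed fix forwards the same client to 10.150.61.41 on port 80 and still rejects other ports and sources outside 192.168.216.0/23.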
