Web Server access from one DMZ to other

Unanswered Question
Dec 6th, 2007

I have a pair of Cisco PIX 525 with PIX version 6.3 (4). I am trying to configure web server access from one DMZ interface to another. I tried a couple of scenarios but could not work it out.

The configuration I did is as follows:

1. Create the static nat

static (PACS_DATA,EPCT) netmask 0 0

2. Created the access list and nat to exempt from the nat

access-list EPCT_nat permit ip any

nat (EPCT) 0 access-list EPCT_nat

3. Created the access list to permit all the traffic to access web server

access-list EPCT_in permit tcp host eq www

My firewall configurations are as follows:

nameif ethernet2 EPCT security9

nameif vlan486 PACS_DATA security16

global (EPCT) 1 interface

nat (EPCT) 1 outside 0 0

nat (PACS_DATA) 0 access-list PACS_DATA_NAT

Any help will be highly appreciated.

meesaw Thu, 12/06/2007 - 10:31

Sorry, I forgot to tell you I am getting this error message in the logs:

PIX-3-305006: regular translation creation failed for icmp src xxxx dst xxxx(type 8, code 0)

husycisco Tue, 12/11/2007 - 01:49

Hi Waseem

Please tell me in which DMZ your webserver is located, its IP and from which interface you want to reach webserver from which IP


meesaw Tue, 12/11/2007 - 10:21

My webserver is in PACS Vlan DMZ and my clients are in EPCT DMZ. Webserver IP is and my EPCT subnet is /23. I want to configure the access of all EPCT to this webserver.

acomiskey Tue, 12/11/2007 - 10:35


access-list EPCT_in permit tcp host eq www

access-group EPCT_in in interface EPCT

husycisco Tue, 12/11/2007 - 12:13

Adam, shouldn't it be as follows, since clients have to reach the web server?

static (EPCT,PACS_DATA) 10.150.61 41 netmask

access-list epct_access_in permit tcp host eq www

access-group epct_access_in in interface EPCT

(If you already have an ACL grouped to the interface, add the entry to it; don't use the ACL name above.)
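
An added example, not part of any poster's reply: on PIX 6.x, a connection initiated from a lower-security interface to a host on a higher-security interface needs a `static (higher,lower)` translation for that host plus an ACL bound inbound on the lower interface. The Python sketch below checks a config for both. The interface names and security levels come from the thread; the IP addresses, `SAMPLE`, `parse` and `check_flow` are constructed for illustration, and `nat 0 access-list` exemptions are not evaluated.

```python
import re

# Constructed sample: interface names/levels are from the thread; every IP
# address is a made-up placeholder (the thread's addresses are elided).
SAMPLE = """\
nameif ethernet2 EPCT security9
nameif vlan486 PACS_DATA security16
static (PACS_DATA,EPCT) 10.0.16.10 10.0.16.10 netmask 255.255.255.255 0 0
access-list EPCT_in permit tcp 10.0.8.0 255.255.254.0 host 10.0.16.10 eq www
access-group EPCT_in in interface EPCT
"""

def parse(config):
    """Collect security levels, static entries and inbound ACL bindings."""
    levels, statics, groups = {}, [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"nameif\s+\S+\s+(\S+)\s+security(\d+)$", line):
            levels[m.group(1)] = int(m.group(2))
        elif m := re.match(r"static\s+\((\S+?),(\S+?)\)\s+(\S+)\s+(\S+)", line):
            # PIX order: static (real_if,mapped_if) mapped_ip real_ip
            statics.append((m.group(1), m.group(2), m.group(3), m.group(4)))
        elif m := re.match(r"access-group\s+(\S+)\s+in\s+interface\s+(\S+)$", line):
            groups[m.group(2)] = m.group(1)
    return levels, statics, groups

def check_flow(config, client_if, server_if, server_ip):
    """Return a list of problems for client_if -> server_ip behind server_if."""
    levels, statics, groups = parse(config)
    for ifc in (client_if, server_if):
        if ifc not in levels:
            return [f"no nameif line for {ifc}"]
    problems = []
    if levels[client_if] < levels[server_if]:
        # Lower -> higher security: the server's interface comes first.
        wanted = (server_if, client_if)
        if not any(s[:2] == wanted and s[3] == server_ip for s in statics):
            problems.append(f"no static ({server_if},{client_if}) for {server_ip}")
            if any(s[:2] == (client_if, server_if) for s in statics):
                problems.append("a static exists with the interface pair reversed")
        if client_if not in groups:
            problems.append(f"no access-group bound inbound on {client_if}")
    # Higher -> lower flows need nat/global instead; not checked here.
    return problems

if __name__ == "__main__":
    print(check_flow(SAMPLE, "EPCT", "PACS_DATA", "10.0.16.10") or "flow looks complete")
```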


