01-02-2008 02:15 AM - edited 03-12-2019 05:56 PM
I have a subnet 172.28.85.x on my PIX DMZ interface.
The subnets mentioned below are on my inside interface.
172.28.64.x
172.28.78.x
172.28.32.x
172.28.92.x
I want my inside to access the DMZ and the DMZ to access the inside at the same time.
High to low and low to high: either side can initiate the connection.
My inside has security level 100.
My DMZ has security level 90.
From low to high, access can be enabled by doing a static and an ACL on the DMZ interface.
access-list edn_acl extended permit ip any any
static (inside,edn) 172.28.64.4 172.28.64.4 netmask 255.255.255.255
static (inside,edn) 172.28.64.6 172.28.64.6 netmask 255.255.255.255
static (inside,edn) 172.28.64.5 172.28.64.5 netmask 255.255.255.255
static (inside,edn) 172.28.64.102 172.28.64.102 netmask 255.255.255.255
static (inside,edn) 172.28.32.23 172.28.32.23 netmask 255.255.255.255
static (inside,edn) 172.28.78.0 172.28.78.0 netmask 255.255.255.255
Inside Interface configuration
nat (inside) 3 172.28.32.0 255.255.255.0
nat (inside) 4 172.28.33.0 255.255.255.0
nat (inside) 5 172.28.80.0 255.255.255.0
nat (inside) 1 172.28.90.0 255.255.255.0
nat (inside) 2 172.28.92.0 255.255.255.0
global (edn) 3 172.28.95.11 netmask 255.255.255.0
global (edn) 4 172.28.95.12 netmask 255.255.255.255
global (edn) 5 172.28.95.13 netmask 255.255.255.0
global (edn) 2 172.28.95.10 netmask 255.255.255.255
But I am not able to communicate either way, unless I allow my inside subnets in the inside ACL that is applied on the inside interface.
access-list inside_acl extended permit ip host 172.28.80.11 any
access-list inside_acl extended permit ip host 172.28.80.10 any
access-list inside_acl extended permit ip 172.28.93.0 255.255.255.0 any
access-list inside_acl extended permit ip host 172.28.32.23 any
access-list inside_acl extended permit ip host 172.28.32.11 any
access-list inside_acl extended permit ip host 172.28.32.25 any
access-list inside_acl extended permit ip host 172.28.32.14 any
access-list inside_acl extended permit ip host 172.28.32.10 any
access-list inside_acl extended permit ip host 172.28.32.24 any
access-list inside_acl extended permit ip host 172.28.64.6 any
access-list inside_acl extended permit ip host 172.28.64.4 any
access-list inside_acl extended permit ip host 172.28.64.5 any
access-list inside_acl extended permit ip host 172.28.64.102 any
access-list inside_acl extended permit ip host 172.28.32.13 any
access-list inside_acl extended permit ip 172.28.78.0 255.255.255.0 172.28.85.0 255.255.255.0
Why is it behaving like this? Why do I have to allow the inside subnet on the inside access list for communication?
Can you please tell me what is wrong with my configuration?
High to low: nat and global.
Low to high: access-list plus static.
This is general practice.
I am totally unable to understand this.
Waiting for a reply.
01-02-2008 02:27 AM
Hi,
When you are using a static, it is bidirectional.
So you can replace the nat and global statements; you would need
a static, and inside and DMZ access lists with access-groups only.
When you add an inside access list there is an implicit deny.
So if you do not explicitly permit, there is no communication.
If you are not using an access list on the inside, then it should work with nat and global only.
Raj
01-02-2008 03:34 AM
Thanks for the immediate reply.
I can't remove anything, because it is a live environment and critical servers are up and running.
So now can I say that high to low nat and global is enough for both-side communication?
From low to high, static will work bidirectionally; only the lower-security interface has a permit ACL entry.
I have put a remark in my access-list, and now I am not able to see the hit count on my ACL.
Can you tell me how I can see the hit count on the ACL, as I could see it before putting the remark in my ACL?
I have NATed my inside subnet 172.28.92.0 to 172.28.95.10 while accessing the DMZ:
nat (inside) 2 172.28.92.0 255.255.255.0
global (edn) 2 172.28.95.10 netmask 255.255.255.255
While I access my DMZ I can't see the translation in SHOW XLATE.
Also the SHOW CONN command is not working.
Can you please tell me how I can see the translation that is occurring while accessing the DMZ from inside,
and the hit count on the ACL after adding a remark to the ACL?
01-02-2008 04:13 AM
Hi,
Please try this:
sh xl | i 172.28.92.x
and sh conn | in 172.28.92.x
If you are going from high to low and you have a static, then that takes preference over nat and global.
Please check for access-list hits; that should give you an idea.
In version 7.0 it may work with and without xlates, but you should see the conn.
Raj
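To make the rules in Raj's two replies concrete (an access-group on an interface replaces the security-level default with explicit-permit-or-implicit-deny; a static is usable in both directions; a static is consulted before nat/global), here is an added toy model in Python of how a PIX of that era decides a new flow. It is illustration code written for this page, not Cisco software, and it ignores nat 0, policy NAT, PAT ports and connection state. The interface names, security levels, statics and nat/global pairs are copied from the posted configuration; the DMZ host 172.28.85.10 and the two-entry inside_acl are constructed for the demonstration.

```python
"""Toy model of PIX 6.x/7.x flow decisions: security levels, an access-group's
implicit deny, and static taking precedence over nat/global.
Added illustration for this thread, not Cisco code. Config values below are
copied from the thread; 172.28.85.10 and the short inside_acl are constructed."""
from ipaddress import ip_address, ip_network


def ace(action, src, dst):
    """One access-list entry: ('permit'|'deny', src network, dst network)."""
    net = lambda s: ip_network("0.0.0.0/0" if s == "any" else s, strict=False)
    return action, net(src), net(dst)


class Pix:
    def __init__(self):
        self.interfaces = {}  # name -> (security level, access-group ACL or None)
        self.statics = []     # (real_if, mapped_if, real_net, mapped_net)
        self.nats = []        # (nat_id, real_if, real_net)
        self.globals = {}     # (mapped_if, nat_id) -> global (PAT) address

    def interface(self, name, security, acl=None):
        self.interfaces[name] = (security, acl)

    def static(self, real_if, mapped_if, mapped, real, mask):
        # mirrors: static (real_if,mapped_if) <mapped> <real> netmask <mask>
        self.statics.append((real_if, mapped_if,
                             ip_network(f"{real}/{mask}", strict=False),
                             ip_network(f"{mapped}/{mask}", strict=False)))

    def nat(self, real_if, nat_id, net, mask):
        self.nats.append((nat_id, real_if, ip_network(f"{net}/{mask}", strict=False)))

    def global_(self, mapped_if, nat_id, addr):
        self.globals[(mapped_if, nat_id)] = ip_address(addr)

    @staticmethod
    def _acl(acl, src, dst):
        if acl is None:
            return True, "no access-group on ingress interface"
        for action, s_net, d_net in acl:
            if src in s_net and dst in d_net:
                return action == "permit", f"matched {action} {s_net} -> {d_net}"
        return False, "implicit deny at end of access-list"

    def _outbound_xlate(self, src_if, dst_if, src):
        # Statics are consulted before the dynamic nat/global pools.
        for real_if, mapped_if, real_net, mapped_net in self.statics:
            if (real_if, mapped_if) == (src_if, dst_if) and src in real_net:
                return "static", mapped_net[int(src) - int(real_net[0])]
        for nat_id, real_if, real_net in self.nats:
            if real_if == src_if and src in real_net and (dst_if, nat_id) in self.globals:
                return "nat/global", self.globals[(dst_if, nat_id)]
        return None, None

    def _inbound_static(self, src_if, dst_if, dst):
        # Low-to-high needs a static for the destination: nat/global pools only
        # create translations for connections started from the higher side.
        for real_if, mapped_if, real_net, mapped_net in self.statics:
            if (real_if, mapped_if) == (dst_if, src_if) and dst in mapped_net:
                return real_net[int(dst) - int(mapped_net[0])]
        return None

    def flow(self, src_if, src, dst_if, dst):
        """Return (allowed, reason, translation) for a new connection."""
        src, dst = ip_address(src), ip_address(dst)
        src_sec, acl = self.interfaces[src_if]
        dst_sec, _ = self.interfaces[dst_if]
        ok, why = self._acl(acl, src, dst)
        if not ok:
            return False, why, None
        if src_sec > dst_sec:  # high to low: the source must have a translation
            kind, mapped = self._outbound_xlate(src_if, dst_if, src)
            if kind is None:
                return False, "no translation group found", None
            return True, f"{why}; source translated by {kind}", f"{src} -> {mapped}"
        if acl is None:        # low to high with no access-group: denied by security level
            return False, "lower-security interface needs an access-list permit", None
        real = self._inbound_static(src_if, dst_if, dst)
        if real is None:
            return False, "no static for destination", None
        return True, f"{why}; destination reached via static", f"{dst} -> {real}"


def thread_config(inside_access_group=True):
    """The poster's setup trimmed to a few entries (inside_acl is constructed)."""
    fw = Pix()
    inside_acl = [ace("permit", "172.28.64.4/32", "any"),
                  ace("permit", "172.28.32.23/32", "any")]
    fw.interface("inside", 100, inside_acl if inside_access_group else None)
    fw.interface("edn", 90, [ace("permit", "any", "any")])
    fw.static("inside", "edn", "172.28.64.4", "172.28.64.4", "255.255.255.255")
    fw.static("inside", "edn", "172.28.32.23", "172.28.32.23", "255.255.255.255")
    fw.nat("inside", 3, "172.28.32.0", "255.255.255.0")
    fw.nat("inside", 2, "172.28.92.0", "255.255.255.0")
    fw.global_("edn", 3, "172.28.95.11")
    fw.global_("edn", 2, "172.28.95.10")
    return fw


if __name__ == "__main__":
    for with_group in (True, False):
        fw = thread_config(with_group)
        print("inside access-group applied:", with_group)
        print(" ", fw.flow("inside", "172.28.92.5", "edn", "172.28.85.10"))
        print(" ", fw.flow("inside", "172.28.32.23", "edn", "172.28.85.10"))
        print(" ", fw.flow("edn", "172.28.85.10", "inside", "172.28.64.4"))
```

Running it shows the three behaviours at once: with inside_acl applied, 172.28.92.5 hits the implicit deny even though a nat/global pair exists for it; with no access-group on inside, the same host goes out translated to 172.28.95.10, while 172.28.32.23 keeps its own address because its static is matched before nat (inside) 3; and the DMZ host reaches 172.28.64.4 through the static with the permit ip any any on edn.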
01-02-2008 05:58 AM
Hi,
From inside to DMZ, am I going via the static
static (inside,edn) 172.28.92.0 172.28.92.0 netmask 255.255.255.0
and not with the nat?
nat (inside) 2 172.28.92.0 255.255.255.0
global (edn) 2 172.28.95.10 netmask 255.255.255.255
Interestingly, I have another firewall in the DMZ which only permits 172.28.95.x as source.
If I am going there via the static, how come the 2nd firewall is letting me in, even though I am not translating myself into 172.28.95.x?
Please tell me how to see the hit count in the access-list after adding a remark statement.
Normally I can see the hit count in the access-list, but now I have modified my ACL by adding some notes (remarks) to it, and now it is not showing me the hit count.
01-04-2008 07:08 AM
I have made an access-list:
access-list edn_acl line 20 remark RA_ACL extended permit ip 172.28.37.0 255.255.255.0 172.28.64.0 255.255.255.0
Now I can't see the hit count on this ACL, though this ACL is working fine.
Can you tell me how to see the hit count on an access-list that has a remark statement?
access-list edn_acl line 1 extended permit ip host 192.168.249.133 any (hitcnt=6)
This type of ACL is showing the hitcnt, but not the above-mentioned ACL.
Please tell me how to check the hitcnt.
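Since the thread ends on how hit counts appear, here is an added Python example, written for this page and not taken from the thread or from Cisco, that parses show access-list output of the form shown above. It separates remark lines, which are comments and never carry a (hitcnt=N) counter, from real ACEs, which do, and it flags remark lines whose text itself reads like an ACE (everything after the word remark is comment text, so such a line never matches traffic). The sample output is constructed: line 1 and the line-20 remark are the lines quoted in the thread; the other lines and their counters are made up for the demonstration.

```python
"""Parse PIX/ASA 'show access-list' output and separate remark lines (comments,
no hit counter) from real access-list entries (ACEs, which carry hitcnt=N).
Added example for this page, not Cisco code. SAMPLE is constructed: line 1 and
the line-20 remark are quoted from the thread, the rest is made up."""
import re

SAMPLE = """\
access-list edn_acl line 1 extended permit ip host 192.168.249.133 any (hitcnt=6)
access-list edn_acl line 2 extended permit ip any any (hitcnt=1342)
access-list edn_acl line 20 remark RA_ACL extended permit ip 172.28.37.0 255.255.255.0 172.28.64.0 255.255.255.0
access-list edn_acl line 21 remark RA_ACL
access-list edn_acl line 22 extended permit ip 172.28.37.0 255.255.255.0 172.28.64.0 255.255.255.0 (hitcnt=0)
"""

# ACL name, line number, the entry text, and an optional trailing (hitcnt=N)
ACL_LINE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) (?P<body>.*?)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))?$"
)
ACE_LIKE = re.compile(r"\b(?:extended )?(?:permit|deny)\b")


def parse_show_access_list(text):
    """Return one dict per access-list line: acl, line, kind, text, hitcnt."""
    entries = []
    for raw in text.splitlines():
        m = ACL_LINE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        is_remark = body.startswith("remark ")
        hits = m.group("hits")
        entries.append({
            "acl": m.group("name"),
            "line": int(m.group("line")),
            "kind": "remark" if is_remark else "ace",
            "text": body[len("remark "):] if is_remark else body,
            # remarks are never evaluated, so the box prints no counter for them
            "hitcnt": int(hits) if hits is not None else None,
        })
    return entries


def hit_report(entries):
    """(acl, line) -> hitcnt for real ACEs only."""
    return {(e["acl"], e["line"]): e["hitcnt"] for e in entries if e["kind"] == "ace"}


def remarks_with_ace_syntax(entries):
    """Remark lines whose text reads like an ACE: everything after 'remark' is
    comment text, so such a line never matches traffic or counts hits."""
    return [e for e in entries if e["kind"] == "remark" and ACE_LIKE.search(e["text"])]


if __name__ == "__main__":
    parsed = parse_show_access_list(SAMPLE)
    for e in parsed:
        print(f"{e['acl']} line {e['line']:>3} {e['kind']:<6} hitcnt={e['hitcnt']}  {e['text']}")
    print("hit counters:", hit_report(parsed))
    print("remarks that look like ACEs:", [e["line"] for e in remarks_with_ace_syntax(parsed)])
```

On the constructed sample, hit_report returns counters for lines 1, 2 and 22 only, and remarks_with_ace_syntax returns line 20, the remark whose text contains "extended permit ip ...".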