03-06-2008 10:36 AM
I have two servers one located in pix inside and one in dmz. I wanted to configure them so that they can communicate with routers and switches
located outside of pix firewall.
My inside server is working fine, able to go Internet and able to comminicate with all devices located on outside of Pix firewall. below mention is configuration
of insideserver.
access-list outside_acl extended permit ip x.223.188.0 255.255.255.0 host 172.28.32.50
access-list outside_acl extended permit ip host x.219.212.217 host 172.28.32.50
access-list nonat extended permit ip host 172.28.32.50 host x.219.212.217
access-list nonat extended permit ip host 172.28.32.50 x.223.188.0 255.255.255.0
access-list inside_acl extended permit ip host 172.28.32.50 any
But my DMZ server is not working. Though I did the same configuration as for Inside server. DMZ server not able to communicate with outside
network.
access-list outside_acl extended permit ip x.223.188.0 255.255.255.0 host 172.28.92.72
access-list outside_acl extended permit ip host x.219.212.217 host 172.28.92.72
access-list nonat extended permit ip host 172.28.92.72 host x.219.212.217
access-list nonat extended permit ip host 172.28.92.72 x.223.188.0 255.255.255.0
access-list dmz_acl extended permit ip host 172.28.92.72 any
If i creat a static entry for DMZ SNMP server,
static (edn,outside) 172.28.92.72 172.28.92.72 netmask 255.255.255.255
it starts communicating with outside devices but Internet stop working on that server. same configuration
works with INside server but not with dmz server.
nat (inside) 0 access-list nonat
nat (inside) 3 172.28.32.0 255.255.255.0
nat (dmz) 3 172.28.92.0 255.255.255.0
global (outside) 3 interface
Solved! Go to Solution.
03-06-2008 12:53 PM
Your static entry is by-passing your nat (dmz) 3 entry . You can do NAT exemption instead, like you do on your inside
1-Remove the static entry (followed by clear xlate)
Add - nat (dmz) 0 access-list nonat
I suggest using two different nonat acl , one for each interface.
Ex: nonat_inside
nonat_dmz
03-06-2008 12:53 PM
Your static entry is by-passing your nat (dmz) 3 entry . You can do NAT exemption instead, like you do on your inside
1-Remove the static entry (followed by clear xlate)
Add - nat (dmz) 0 access-list nonat
I suggest using two different nonat acl , one for each interface.
Ex: nonat_inside
nonat_dmz
03-06-2008 01:38 PM
It is rocking. It is working. Thanks for the help, u r excellent. now please help me out in concentrator configuration. I will be very helpful to you.
I have 3020 VPN Concentrator. Everything is running fine. Now management wanted to add second VPN 3020 Concentrator. Of course i will configure the VRRP and three global Ip addresses is required for it. Two for Concentrators and one for VRRP IP. Now I wanted to know, How the configuration will replicate. After configuring VRRP, My currently concentrator will become master. If I will Configure New VPN Conncection. Will i configure on Master concentrator or I suppose to configure Both master and Slave. Kindly guide me and help me out.
Will slave also connect to Internet Router or its Public Interface will connect with Master Concentrator only. How Private interface will configure how routing will be occur. Right now concentrator public is connected with Internet Router and Private Interface is connected with Lan Switch. How I will plug the Second Slave Conncentrator in network.
How the network topology will be. Please help me out as you did with firewall problem
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide