09-25-2008 02:22 PM - edited 03-11-2019 06:49 AM
I am trying to get my DMZ functioning properly and need some assistance. I have the outside to the DMZ functioning as it should, but can't seem to get access working between the inside and the DMZ. I've tried using suggestions from previous posts to no avail. I'm thinking it has something to do with exemptions overlapping with my NAT, etc., because with a clean config (no site-to-site VPN) it works fine... HELP! I've attached my config for reference.
Solved! Go to Solution.
09-26-2008 12:17 PM
You will have to explain what you are trying to do.
Are you accessing hosts in the DMZ zone from the inside zone, right? Is this ICMP ping, or FTP, or what traffic? Tell me the source and destination IPs.
Also, can you paste the access list that you are binding to the DMZ interface? Remember this access list will need to permit traffic from DMZ to outside also.
09-26-2008 12:08 AM
Try adding:
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.100.1.0 255.255.255.0
HTH
09-26-2008 08:53 AM
I tried your recommendation and it appears I may have to button-hook the traffic back in now. My log doesn't show any traffic from my host to the DMZ host, and I no longer get the port map error I used to get.
09-26-2008 10:56 AM
For traffic from inside to DMZ, you need just a NAT translation, i.e.
nat (inside) 10 0.0.0.0 0.0.0.0
global (DMZ) 10 interface
For traffic from DMZ to inside, you would need to open ports using an access list.
access-list DMZ_access_in extended permit ip 10.100.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-group DMZ_access_in in interface DMZ
HTH
Saju
09-26-2008 11:20 AM
I tried to add
nat (inside) 10 0.0.0.0 0.0.0.0
and it came back with "Duplicate NAT entry", since I have
nat (inside) 1 0.0.0.0 0.0.0.0
Should I drop the following?
nat (DMZ) 10 10.100.1.0 255.255.255.0
And add the ACL?
My logs show that the traffic hits the outside at 1.1.1.241; should that happen?
I greatly appreciate your help!
09-26-2008 11:38 AM
Yes, you do not need "nat (DMZ) 10 10.100.1.0 255.255.255.0":
no nat (DMZ) 10 10.100.1.0 255.255.255.0
Yes, add the access list including the networks you need. I just included directly connected networks to give you an example.
Also, along with the access-list you will need static statements if you want to access hosts in the inside zone:
static (inside,DMZ)
HTH
Saju
Please rate helpful posts.
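To make the two replies above concrete (inside to DMZ needs a nat/global pair or an exemption; DMZ to inside needs a permit on the DMZ ACL plus a static for the inside hosts), here is an added Python model of the pre-8.3 ASA/PIX NAT lookup order. It is not code from the thread or from Cisco. It assumes the addresses quoted in the thread (192.168.0.0/16 inside with 192.168.200.0/24 directly connected, 10.100.1.0/24 on the DMZ), an assumed VPN peer network 172.16.50.0/24 for the nat 0 exemption, assumed security levels 100/50/0, nat-control disabled (the default since 7.0), the netmask form of static only, and first-match in config order within regular NAT; the real ASA's fine-grained ordering within a category is not modelled. Note that the "Duplicate NAT entry" error in the thread is resolved by reusing the existing NAT ID 1 on the DMZ (global (DMZ) 1 interface) rather than adding a second nat (inside) statement, and that an identity static (DMZ,inside) is shown as an alternative to removing nat (DMZ) 10 so DMZ-to-outside PAT keeps working.

```python
"""Which pre-8.3 ASA/PIX NAT rule applies to a flow? Added example; not code from the thread."""
import ipaddress
from collections import defaultdict

# Constructed baseline modelled on the thread: 192.168.0.0/16 inside (192.168.200.0/24 directly
# connected), 10.100.1.0/24 DMZ, a VPN exemption (172.16.50.0/24 is an assumed peer network).
BASELINE = """
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 10 10.100.1.0 255.255.255.0
global (outside) 1 interface
global (outside) 10 interface
"""
# Lines that make inside <-> DMZ work: reuse NAT ID 1 on the DMZ (a second "nat (inside) 10 0 0" is a
# duplicate), a static for the inside hosts the DMZ may reach, an identity static so DMZ sources are
# not left matching nat (DMZ) 10 with no global (inside) 10, and the ACL the DMZ needs to initiate.
FIX = """
global (DMZ) 1 interface
static (inside,DMZ) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
static (DMZ,inside) 10.100.1.0 10.100.1.0 netmask 255.255.255.0
access-list DMZ_access_in extended permit ip 10.100.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-group DMZ_access_in in interface DMZ
"""
LEVELS = {"inside": 100, "DMZ": 50, "outside": 0}   # assumed security levels


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Pick out the access-list, nat, global, static (netmask form) and access-group lines."""
    cfg = {"acl": defaultdict(list), "nat": [], "global": {}, "static": [], "group": {}}
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            cfg["acl"][t[1]].append((_net(t[5], t[6]), _net(t[7], t[8])))
        elif t[:1] == ["nat"]:
            rule = {"if": t[1].strip("()"), "id": int(t[2])}
            if t[3] == "access-list":
                rule["acl"] = t[4]                      # nat 0 access-list = NAT exemption
            else:
                rule["net"] = _net(t[3], t[4])          # regular dynamic NAT/PAT
            cfg["nat"].append(rule)
        elif t[:1] == ["global"]:
            cfg["global"][(t[1].strip("()"), int(t[2]))] = t[3]
        elif t[:1] == ["static"]:
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["static"].append({"real_if": real_if, "mapped_if": mapped_if,
                                  "mapped": _net(t[2], t[5]), "real": _net(t[3], t[5])})
        elif t[:1] == ["access-group"]:
            cfg["group"][t[4]] = t[1]                   # interface -> bound ACL name
    return cfg


def acl_permits(cfg, name, src, dst):
    return any(src in s and dst in d for s, d in cfg["acl"][name])


def source_xlate(cfg, src, ingress, dst, egress):
    """Translation of the source, in pre-8.3 order: exemption, static, then nat/global by ID."""
    for r in cfg["nat"]:                                             # 1. nat 0 access-list
        if r["if"] == ingress and r["id"] == 0 and "acl" in r and acl_permits(cfg, r["acl"], src, dst):
            return "exempt", str(src)
    for s in cfg["static"]:                                          # 2. static (ingress,egress)
        if (s["real_if"], s["mapped_if"]) == (ingress, egress) and src in s["real"]:
            return "static", str(s["mapped"][int(src) - int(s["real"].network_address)])
    for r in cfg["nat"]:                                             # 3. nat ID needs a global ID on egress
        if r["if"] == ingress and "net" in r and src in r["net"]:
            if r["id"] == 0:
                return "identity", str(src)
            pool = cfg["global"].get((egress, r["id"]))
            return ("dynamic", pool) if pool else ("no-translation-group", None)   # dropped, logged
    return "untranslated", str(src)          # nothing matched: allowed with nat-control off (assumed)


def dest_reachable(cfg, dst, dst_if, src, src_if):
    """Can a host behind the higher-security dst_if accept a connection initiated from src_if?"""
    for s in cfg["static"]:
        if (s["real_if"], s["mapped_if"]) == (dst_if, src_if) and dst in s["mapped"]:
            return True                                  # static gives it a fixed address on src_if
    for r in cfg["nat"]:
        if r["if"] == dst_if and r["id"] == 0 and "acl" in r and acl_permits(cfg, r["acl"], dst, src):
            return True                                  # exempted in the reverse direction
    # a host covered only by dynamic NAT has no address the lower-security side can initiate to
    return not any(r["if"] == dst_if and r["id"] != 0 and "net" in r and dst in r["net"] for r in cfg["nat"])


def check_flow(cfg, src, ingress, dst, egress, levels=LEVELS):
    """Report ACL, source NAT and destination reachability; 'ok' is True only if all three pass."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = cfg["group"].get(ingress)
    acl_ok = acl_permits(cfg, acl, src, dst) if acl else levels[ingress] > levels[egress]
    kind, mapped = source_xlate(cfg, src, ingress, dst, egress)
    reach = True if levels[ingress] >= levels[egress] else dest_reachable(cfg, dst, egress, src, ingress)
    return {"ok": acl_ok and kind != "no-translation-group" and reach,
            "acl": acl_ok, "src_nat": kind, "mapped_src": mapped, "dst_reachable": reach}


if __name__ == "__main__":
    for name, text in (("baseline", BASELINE), ("fixed", BASELINE + FIX)):
        cfg = parse_config(text)
        print(name, "inside->DMZ", check_flow(cfg, "192.168.200.10", "inside", "10.100.1.5", "DMZ"))
        print(name, "DMZ->inside", check_flow(cfg, "10.100.1.5", "DMZ", "192.168.200.10", "inside"))
```

Run against the baseline, inside to DMZ fails with no translation group (nat (inside) 1 matches but there is no global (DMZ) 1), which is the class of drop behind the port map error mentioned earlier in the thread; DMZ to inside fails on all three counts. With the fix applied, 192.168.200.x reaches the DMZ through the static, other inside subnets are PATed to the DMZ interface address, and the DMZ can initiate to 192.168.200.0/24. Note the model also reproduces the warning in the accepted answer: once DMZ_access_in is bound, a DMZ host going to the outside is denied unless that ACL permits it too.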
09-26-2008 12:25 PM
I've been doing some trace routes and it appears to be a routing issue on the inside. Thanks for the help! If I run into something else I'll post again.
09-26-2008 01:33 PM
It ended up being an ACL on an inside router blocking the traffic, which explains the absence of dropped packets in the logs.
Thanks again!