It seems I should know this, but I seem to be defeated.
I have a box with a DMZ address. It is attached to a switchport that is in the DMZ vlan.
I have another box with an inside address, attached to a switchport that is in the correct inside vlan.
(Functionally, they are Exchange servers: the DMZ one is an "edge transport" server, the inside one is a "hub transport" server.
The DMZ server had an inside address, the Windows guy configured it, then I moved it to the DMZ.)
I'm doing this on a PIX 525, v 8.0(4). I'm comfortable in both CLI and ASDM.
I have the following static command for the DMZ server:
static (dmz1,outside) 184.108.40.206 220.127.116.11 netmask 255.255.255.255
With just that command, the firewall log shows this: (This is from the ASDM log viewer; column 5 (18.104.22.168) is the Source IP.)
|4||Jan 28 2010||19:27:15||106023||22.214.171.124||58346||10.10.17.27||53||Deny udp src dmz1:126.96.36.199/58346 dst inside:10.10.17.27/53 by access-group "acl_dmz1" [0x0, 0x0]|
So I add this:
access-list acl_dmz1 line 1 extended permit udp host 188.8.131.52 10.10.17.0 255.255.255.0 eq domain (hitcnt=5)
Then I get these in the firewall log: (Again from the ASDM log viewer; now the Source IP is 10.10.17.27.)
|3||Jan 28 2010||19:30:40||305005||10.10.17.27||53||No translation group found for udp src dmz1:184.108.40.206/58515 dst inside:10.10.17.27/53|
I could NAT the 10.10.17.27 address into the DMZ, but the Windows guy says he talked to a Windows tech guy who says "put the Edge server in the DMZ, put the Hub server on the inside, then configure the firewall to allow them to talk", and in his mind that means DON'T NAT, and my boss thinks he knows more about everything than I do...
So, is there any way to get these 2 boxes to talk to each other that doesn't involve NAT'ing?
Found another thread that said do this:
static (inside,dmz1) 10.10.17.27 10.10.17.27 netmask 255.255.255.255
I did it, and that stopped the NAT errors. But, is it an OK thing to do? I'm not at all sure that it's correct to associate an actual inside address directly with the DMZ, instead of (as I'm accustomed to doing) associating it to a dmz address, like this:
static (inside,dmz1) 10.10.17.27 220.127.116.11 netmask 255.255.255.255
(Not to mention, I'm still being directed to find a way to make it happen without NAT'ing...)
TIA for any and all assistance.
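As an added example (not from the original post or its author), here are the two PIX 8.0 ways to let a dmz1 host reach an inside host without changing the inside address: the identity static quoted above, and NAT exemption with "nat 0 access-list", which is the closest a pre-8.3 PIX gets to "don't NAT" once it demands a translation for that interface pair. Interface names inside/dmz1, acl_dmz1 and 10.10.17.27 come from the post; the ACL name NO_NAT_DMZ1 is mine, EDGE_DMZ_IP is a placeholder for the Edge server's dmz1 address, and it is assumed that the 305005 message comes from nat-control or from an existing dynamic nat for the inside network.

```cisco
! The inbound ACL on dmz1 must still permit the flow; a translation by
! itself does not. The 106023 deny in the post was this ACL.
access-list acl_dmz1 extended permit udp host EDGE_DMZ_IP 10.10.17.0 255.255.255.0 eq domain
access-group acl_dmz1 in interface dmz1
!
! Option A: identity static (the command from the other thread).
! The Hub server is presented to dmz1 under its own address, which
! satisfies the translation requirement in both directions.
static (inside,dmz1) 10.10.17.27 10.10.17.27 netmask 255.255.255.255
!
! Option B: NAT exemption. Flows matching the ACL are excluded from
! translation entirely, and connections may start from either side.
! Use A or B, not both. NO_NAT_DMZ1 is a made-up ACL name.
access-list NO_NAT_DMZ1 extended permit ip host 10.10.17.27 host EDGE_DMZ_IP
nat (inside) 0 access-list NO_NAT_DMZ1
!
! Checks: with A you should see an identity xlate for the host; with B
! no xlate is built, so confirm the exemption rule is present instead,
! and re-read the log for 305005 / 106023 after the change.
show xlate | include 10.10.17.27
show nat
```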