Outside host needs to use dmz gateway for internet - pix 6.3

Feb 18th, 2010

Hello Experts,


How would I configure a host outside of my firewall to use a DMZ server as a gateway to the internet?

Example:

10.10.4.5 --- 10.10.4.1 (outside)pix--(dmz)192.168.1.1 ------192.168.1.10(gateway) ---- Internet


How would the host 10.10.4.5 use 192.168.1.10 to reach the internet?

What ACLs are needed?

What NAT is needed?

Please let me know if someone has been able to do this gateway config from low security to high security to the net.


Thank you,

Randall

Correct Answer by Kureli Sankar about 7 years 3 months ago

You have the internet on the DMZ (higher security level than the outside)? That is strange and not common.


You have to provide translation for all the internet hosts like Google and Yahoo when they respond to this host on the outside.


1. The outside ACL should allow necessary access for this host to go out to the internet (port 80 and 443 and others).

access-list outside permit tcp host 10.10.4.5 any eq 80

access-list outside permit tcp host 10.10.4.5 any eq 443


2. Now the translation:

nat (DMZ) 0 access-list nat_0

access-list nat_0 permit ip any host 10.10.4.5


-KS

Kureli Sankar (Cisco Employee), Fri, 02/19/2010 - 17:16
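The two steps from the answer, placed in a fuller PIX 6.3 sketch with the interface binding, routing and verification around them (an added example, not part of the original thread). Assumptions not stated in the thread: the ACL named outside is not yet bound to the interface, no default route exists yet, no ACL is bound to the DMZ interface, and the ACL name dmz_in is hypothetical. Lines starting with a colon are annotations.

```text
: --- Step 1 from the answer: permit only web traffic from the outside host ---
access-list outside permit tcp host 10.10.4.5 any eq 80
access-list outside permit tcp host 10.10.4.5 any eq 443
: Assumption: bind the ACL inbound on the outside interface
access-group outside in interface outside

: --- Step 2 from the answer: NAT exemption so internet addresses reach
: --- 10.10.4.5 untranslated ---
access-list nat_0 permit ip any host 10.10.4.5
nat (DMZ) 0 access-list nat_0

: Assumption: send internet-bound traffic to the DMZ gateway from the diagram
route DMZ 0.0.0.0 0.0.0.0 192.168.1.10 1

: Assumption (hypothetical ACL dmz_in): the exemption above matches any source,
: and DMZ-to-outside traffic is allowed by default (higher to lower security),
: so block new connections from the DMZ side toward the outside host.
: Replies to sessions opened by 10.10.4.5 are matched statefully and still pass.
access-list dmz_in deny ip any host 10.10.4.5
access-list dmz_in permit ip any any
access-group dmz_in in interface DMZ

: --- Verification ---
: hit counters should increase only on the port 80/443 entries
show access-list outside
: any hits here are DMZ-side attempts to open a session to 10.10.4.5
show access-list dmz_in
: active sessions for 10.10.4.5 should show foreign ports 80 or 443 only
show conn
```

The gateway 192.168.1.10 also needs a route back to 10.10.4.5 via 192.168.1.1 and must handle any address translation toward the internet itself, since the PIX passes 10.10.4.5 through untranslated.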
