Same interface issue on PIX

Muhammad Khan
Level 1

Hi,

I have the following scenario; I wonder if someone could guide me. I have two servers in the DMZ (on the same subnet); both servers have static NAT entries defined on the firewall. I want to access one server from the other using its public IP, but it doesn't seem to work. Could someone please look at my lab config and give me some hints?

PIX version 7.0

hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.0.0.1 255.0.0.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.0.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
access-list OUTSIDE_IN extended permit ip any host 10.0.0.12
access-list OUTSIDE_IN extended permit ip any host 10.0.0.13
access-list OUTSIDE_IN extended permit icmp any host 10.0.0.12
access-list OUTSIDE_IN extended permit icmp any host 10.0.0.13
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
static (inside,outside) 10.0.0.12 172.16.0.2 netmask 255.255.255.255
static (inside,outside) 10.0.0.13 172.16.0.3 netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0

2 Replies

Hi,

static (dmz,dmz) public_IP real_IP

So, when accessing the server from the DMZ, it will get to the ASA which will redirect it to the same DMZ interface.

You also need:

same-security-traffic permit intra-interface

Federico.

Please make sure you are on min. version 7.2.1 to support clear text u-turning

http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn72.html#wp186199
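The fix from the replies applied to the lab config in the question, where the servers sit on the "inside" interface rather than a separate DMZ. This is an added example, not text from Federico or from Cisco documentation; it assumes PIX software 7.2(1) or later, that both servers use 172.16.0.1 as their default gateway, and that no access-group is applied to the inside interface.

```cisco
! Added example (not part of the original thread): the reply's fix applied
! to the lab config above. Assumptions: PIX software 7.2(1) or later, both
! servers use 172.16.0.1 (the PIX inside interface) as their default
! gateway, and no access-group is applied to the inside interface.
!
! 1. Allow a packet to leave through the interface it arrived on. The
!    question's config only has the inter-interface variant, which does
!    not cover traffic hairpinned back out the same interface.
same-security-traffic permit intra-interface
!
! 2. Keep the existing inside->outside statics for clients on the outside.
static (inside,outside) 10.0.0.12 172.16.0.2 netmask 255.255.255.255
static (inside,outside) 10.0.0.13 172.16.0.3 netmask 255.255.255.255
!
! 3. Add inside->inside statics for the hairpin. The poster's servers are
!    on "inside", so (dmz,dmz) from the reply becomes (inside,inside).
!    Each static is bidirectional: when 172.16.0.2 connects to 10.0.0.13,
!    the destination is untranslated to 172.16.0.3 AND the source is
!    translated to 10.0.0.12, so 172.16.0.3 replies to 10.0.0.12, which
!    routes back through the PIX instead of directly across the subnet.
!    Without the source translation the reply bypasses the firewall and
!    the TCP handshake fails.
static (inside,inside) 10.0.0.12 172.16.0.2 netmask 255.255.255.255
static (inside,inside) 10.0.0.13 172.16.0.3 netmask 255.255.255.255
!
! Verification from the PIX CLI after a test connection from 172.16.0.2:
! show xlate   - expect translations for both 10.0.0.12 and 10.0.0.13
! show conn    - the connection should list "inside" for both endpoints
```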
