DMZ Configuration in Active-Active Mode

haithamnofal
Level 3

Hi,

I'm trying to configure DMZ on my Active-Active PIX units; when publishing my web server on the first context things work fine and the web becomes accessible using the published IP. But when I try to apply the same static command on the second context (using the same IP I used on the other context) the PIX refuses to publish the web and a static overlap error message appears. If I publish the web server on this context using a different public IP, the web becomes totally inaccessible, using either the old IP or the second one.

Can somebody advise how I should deal with this problem? I need to be able to configure the same command on both contexts using one public IP.

Thanks,

Haitham

1 Reply

wong34539
Level 6

Command statements for the static command cannot contain overlapping IP addresses. When IP addresses are overlapped, PIX Firewall experiences service denials without sending denial statements to syslog. [CSCdp22217] In this caveat report, an FTP session was attempted but was denied without a denial message sent to syslog.

For example, the following command statements do not work:

nat (inside) 0 10.0.0.0 255.0.0.0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,perim1) 10.64.0.0 10.64.0.0 netmask 255.255.0.0

In this example, the nat 0 command statement enables the identity feature so that any host on the 10.0.0.0 network can start connections to a lower security level interface. The first static command statement lets all hosts on the inside 10.0.0.0 network be visible on the outside network. The second static statement attempts to use a subset of the 10.0.0.0 address range on another interface. Because 10.64.0.0 is a part of the 10.0.0.0 range of addresses, the addresses overlap.
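The overlap test described in the reply, as an added example that is not part of the thread or of Cisco's code: a small Python checker that parses PIX `static` lines and reports any pair whose global (mapped) address ranges overlap, using the constructed sample configuration from the reply above.

```python
"""Added example (not from the thread): detect overlapping global ranges
among PIX 'static' command statements, reproducing the reply's test where
10.64.0.0/16 lies inside 10.0.0.0/8."""
import ipaddress
import re

# Matches e.g.: static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real>[\w-]+),(?P<mapped>[\w-]+)\)\s+"
    r"(?P<global>\d+\.\d+\.\d+\.\d+)\s+(?P<local>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?"
)


def parse_static(line):
    """Return (real_if, mapped_if, global_net, local_net) or None for non-static lines."""
    m = STATIC_RE.match(line)
    if not m:
        return None
    # A static without 'netmask' is a single host mapping.
    mask = m.group("mask") or "255.255.255.255"
    global_net = ipaddress.ip_network(f"{m.group('global')}/{mask}", strict=False)
    local_net = ipaddress.ip_network(f"{m.group('local')}/{mask}", strict=False)
    return m.group("real"), m.group("mapped"), global_net, local_net


def find_overlaps(config_lines):
    """Return (line_a, line_b) pairs whose global address ranges overlap.

    Interfaces are deliberately ignored: the reply's example overlaps across
    'outside' and 'perim1', so the comparison is on address ranges only."""
    entries = [(ln.strip(), parse_static(ln)) for ln in config_lines]
    entries = [(ln, e) for ln, e in entries if e]
    overlaps = []
    for i, (line_a, (_, _, global_a, _)) in enumerate(entries):
        for line_b, (_, _, global_b, _) in entries[i + 1:]:
            if global_a.overlaps(global_b):
                overlaps.append((line_a, line_b))
    return overlaps


# Constructed sample: the three statements quoted in the reply above.
SAMPLE = [
    "nat (inside) 0 10.0.0.0 255.0.0.0",
    "static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0",
    "static (inside,perim1) 10.64.0.0 10.64.0.0 netmask 255.255.0.0",
]

if __name__ == "__main__":
    for a, b in find_overlaps(SAMPLE):
        print(f"overlap: {a!r} <-> {b!r}")
```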