Cisco Support Community
New Member

Attempt at easy DMZ

Hello - I am trying to set up (for the first time) a simple DMZ on my PIX 515. Here is the DMZ layout. I have a PIX 515 connected to a 2950 switch that has one server (for now) that I need to have the world access a webpage on. I thought I had it set up right, but I can't see it from the outside world, or from my private network behind the PIX. I can see the server from within the PIX. I am attaching my config, and any help would be great. I know I am probably missing a few things. Thanks!

1 ACCEPTED SOLUTION

4 REPLIES
Cisco Employee

Re: Attempt at easy DMZ

Andy,

I am assuming that the web server you are talking about has the IP address 172.16.99.10. If so, the static looks good.

static (DMZ,outside) 72.93.X.6 172.16.99.10 netmask 255.255.255.255

But I don't see any access-list applied on the outside interface. You need to define an access-list to permit web traffic to this server.

Example:

access-list 100 permit tcp any host 72.93.X.6 eq 80

access-group 100 in interface outside

Regards,

Arul

*Pls rate all helpful posts*

New Member

Re: Attempt at easy DMZ

OK, great!! It's working perfectly from outside now. Thank you.

Next - I need to have one server on my production network (192.168.2.8) talk to the server on the DMZ (172.16.99.10). How can I do that?

Cisco Employee

Re: Attempt at easy DMZ

Hi,

Glad to be of help. Could you update the forum that the solution resolved the issue, so others who run into a similar issue can benefit from the post. Thanks!

If the prod network is on the inside interface:

static (inside,dmz) 192.168.2.8 192.168.2.8

By default, there are no ACLs applied on the inside interface. If you have configured one, make sure that you permit the necessary ports/protocols for this server.

Regards,

Arul

*Pls rate all helpful posts*
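The two gaps Arul's replies fix (a static to outside with no outside ACL permitting the mapped address, and an inside host with no inside-to-dmz translation, or an inside ACL that blocks it) can be checked mechanically against a saved config. The script below is an added example for this page, not Cisco code and not the poster's config. It assumes the PIX 6.x syntax shown in the thread, a constructed sample config in which the documentation address 203.0.113.6 stands in for the poster's 72.93.X.6, and 198.51.100.7 as an arbitrary Internet source used for the ACL evaluation. It also flags an outside ACL that permits more than the published port, a caveat the replies do not spell out.

```python
"""Lint a PIX 6.x-style config for the two reachability gaps from the thread.

Added example, not Cisco code and not the poster's config. The sample configs are
constructed; 203.0.113.6 replaces the poster's 72.93.X.6 so it parses as IPv4."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

ANY = ipaddress.IPv4Network("0.0.0.0/0")
PROBE_SRC = "198.51.100.7"   # arbitrary Internet source used to evaluate the outside ACL


@dataclass
class Static:
    real_ifc: str     # interface the real host sits on, e.g. "dmz"
    mapped_ifc: str   # interface on which the mapped address is seen, e.g. "outside"
    mapped_ip: str
    real_ip: str


@dataclass
class Ace:
    acl: str
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[str]        # "80", or None when the entry has no port restriction


@dataclass
class Config:
    statics: list = field(default_factory=list)
    aces: list = field(default_factory=list)
    groups: dict = field(default_factory=dict)   # interface -> ACL name bound "in"


def _addr_spec(tokens, i):
    """Consume one PIX address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text: str) -> Config:
    """Extract static translations, ACL entries and access-group bindings; ignore the rest."""
    cfg = Config()
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static":                      # static (real_ifc,mapped_ifc) MAPPED REAL ...
            m = re.match(r"\((\w+),(\w+)\)", t[1])
            cfg.statics.append(Static(m[1].lower(), m[2].lower(), t[2], t[3]))
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = _addr_spec(t, 4)
            dst, i = _addr_spec(t, i)
            dport = t[i + 1] if i + 1 < len(t) and t[i] == "eq" else None
            cfg.aces.append(Ace(t[1], t[2], t[3], src, dst, dport))
        elif t[0] == "access-group" and t[2] == "in":   # access-group NAME in interface IFC
            cfg.groups[t[4].lower()] = t[1]
    return cfg


def permits(cfg: Config, acl: str, src_ip: str, dst_ip: str, port: str = "80") -> bool:
    """First-match evaluation of a TCP flow against an ACL, with the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for a in cfg.aces:
        if a.acl != acl or s not in a.src or d not in a.dst:
            continue
        if a.proto not in ("ip", "tcp") or a.dport not in (None, port):
            continue
        return a.action == "permit"
    return False


def check_outside_exposure(cfg: Config, service_port: str = "80") -> list:
    """Reply 1: a static to outside publishes nothing until the outside ACL permits the MAPPED
    address (PIX 6.x evaluates the outside ACL against the global address, not the real one).
    Also flags permit entries that expose more than the published service."""
    findings = []
    acl = cfg.groups.get("outside")
    for st in (s for s in cfg.statics if s.mapped_ifc == "outside"):
        if acl is None:
            findings.append(f"{st.mapped_ip}: no access-group on outside, inbound traffic is dropped by default")
        elif not permits(cfg, acl, PROBE_SRC, st.mapped_ip, service_port):
            findings.append(f"{st.mapped_ip}: ACL {acl} never permits tcp/{service_port} to the mapped address")
    for a in cfg.aces:
        if a.acl == acl and a.action == "permit" and (a.dst == ANY or a.proto == "ip" or a.dport is None):
            findings.append(f"ACL {acl}: '{a.action} {a.proto}' entry is broader than the published service")
    return findings


def check_inside_to_dmz(cfg: Config, inside_host: str, dmz_server: str, port: str = "80") -> list:
    """Reply 2: an inside host reaching a DMZ server needs the static (inside,dmz) from the thread
    (nat/global pairs are not considered here) and, only if an ACL is bound on inside, a permit."""
    findings = []
    if not any(s.real_ifc == "inside" and s.mapped_ifc == "dmz" and s.real_ip == inside_host
               for s in cfg.statics):
        findings.append(f"{inside_host}: no static (inside,dmz) translation, the PIX drops the flow to {dmz_server}")
    acl = cfg.groups.get("inside")   # no inside ACL: higher-to-lower security traffic is allowed
    if acl is not None and not permits(cfg, acl, inside_host, dmz_server, port):
        findings.append(f"{inside_host}: ACL {acl} on inside blocks tcp/{port} to {dmz_server}")
    return findings


# Constructed to mirror the poster's starting point: the static exists, the outside ACL does not.
BROKEN_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
static (DMZ,outside) 203.0.113.6 172.16.99.10 netmask 255.255.255.255
"""

# The same config with the two additions from the replies applied.
FIXED_CONFIG = BROKEN_CONFIG + """
access-list 100 permit tcp any host 203.0.113.6 eq 80
access-group 100 in interface outside
static (inside,dmz) 192.168.2.8 192.168.2.8
"""

if __name__ == "__main__":
    for name, text in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        cfg = parse_config(text)
        problems = check_outside_exposure(cfg) + check_inside_to_dmz(cfg, "192.168.2.8", "172.16.99.10")
        print(name, "->", problems or "no findings")
```

Run it against a `show run` dump to see both findings for the "before" config and none for the "after" one; the broad-permit check is what catches a later `permit ip any any` that someone adds to the outside ACL "to make it work".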

New Member

Re: Attempt at easy DMZ

Thanks for your help!
