Dmz to inside

dhengste7
Level 1

Added 4 port ethernet on a Pix 515e, ver: 6.3

So I have the following:

ip address outside 63.209.xxx.xx 255.255.255.192

ip address inside 172.16.x.x 255.255.255.0

ip address dmz 192.168.121.4 255.255.255.0

From a web server on the dmz interface I'm unable to ping inside hosts. Although from inside I can ping the dmz web server. Show icmp:

icmp permit any outside

icmp permit any inside

icmp permit any echo dmz

What am I missing? Thanks.

Collin Clark
VIP Alumni

To go from a lower security interface to a higher one, you need NAT translations. For example

static (inside,dmz) 172.16.x.x 172.16.x.x netmask 255.255.255.0

You will also need an ACL.

access-list dmz_access permit icmp any any

access-group dmz_access in interface dmz

This example is NOT secure-- only allow access to what is needed.

HTH and please rate.

Here's what I have in place:

static (inside,dmz) 172.0.0.0 172.0.0.0 netmask 255.255.255.0 0 0

access-group dmz_access_in in interface dmz

access-list dmz_access_in line 1 permit icmp any any (hitcnt=845)

access-list dmz_access_in line 2 permit tcp host 192.168.121.34 host 172.16.x.x eq 1433 (hitcnt=0)

Goal is to be able to communicate with a sql server on the inside.

Did you want to put 172.0.0.0/24 in your static (inside,dmz)?

Do you have a 172.0.0.0/24 network inside?

If not, it should be

static (inside,dmz) 172.0.0.0 172.0.0.0 netmask 255.0.0.0

or

static (inside,dmz) 172.16.x.0 172.16.x.0 netmask 255.255.255.0

Yes, I have a 172.0.0.0/24 on the inside interface.

My issue is being unable to communicate with the inside from the dmz web server. With what I posted above, how would I proceed? Thanks.

But the host on the inside you want to hit on 1433 is not part of 172.0.0.0/24.

You need to add another static (inside,dmz) for the 172.16.x.0 network.

I have:

static (inside,dmz) tcp interface 1433 172.16.3.3 1433 netmask 255.255.255.255 0 0

Still having a problem connecting to a sql server on the inside.

Have you tried the suggested above? I don't think you want what you just posted.

If you can watch the logs you are probably getting "No translation group found". If 172.16.3.3 is your sql server, then add

static (inside,dmz) 172.16.3.3 172.16.3.3 netmask 255.255.255.255

Post a sanitized config if you can.

Watching the log, but not getting the "no translation error". Attached is the config.

Try this.

http://www.cisco.com/warp/public/110/mailserver.html

Pay close attention to the following line

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0

You will need one except yours would be

static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0 0 0

This will allow anything on 172.16.3.0/24 network to communicate with dmz server and vice versa.

I also don't know what this line is supposed to do: static (inside,dmz) tcp interface 1433 172.16.3.3 1433 netmask 255.255.255.255 0 0.

You may have to "clear xlate" after the command is added. Just be aware of that. Also make sure your sql is running on 1433.

Someone correct me if I'm wrong here.

I removed:

static (inside,dmz) 172.16.3.3 172.16.3.3 netmask 255.255.255.0 0 0

Added:

static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0 0 0

Right now I would be happy just to ping from inside to dmz. I have the acl:

access-list dmz_access permit icmp any any

As long as you are coming from inside 172.16.3.x you should be fine. Did you apply that acl with access-group dmz_access in interface dmz?

Yes, coming from 172.16.3.x and have the acl:

access-group dmz_access in interface dmz

Did you get rid of this line

static (inside,dmz) tcp interface 1433 172.16.3.3 1433 netmask 255.255.255.255

Might as well post current config and start logging.
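The pieces the thread converges on, pulled together as one PIX 6.3 fragment (an added example, not a poster's config): the identity static that makes 172.16.3.0/24 reachable from the dmz, with the wide-open "permit icmp any any" ACL from the thread replaced by one that allows only what the stated goal needs. It assumes 192.168.121.34 is the dmz web server and 172.16.3.3 the inside SQL server, as posted above.

```cisco
access-list dmz_access_in remark --- ADDED EXAMPLE, not from the thread ---
access-list dmz_access_in remark Only the dmz web server may open SQL (1433) to the inside SQL host
access-list dmz_access_in permit tcp host 192.168.121.34 host 172.16.3.3 eq 1433
access-list dmz_access_in remark Echo only, and only toward the inside /24, for troubleshooting
access-list dmz_access_in permit icmp host 192.168.121.34 172.16.3.0 255.255.255.0 echo
access-list dmz_access_in remark Everything else dmz -> inside is dropped and logged
access-list dmz_access_in deny ip any any log
access-group dmz_access_in in interface dmz
static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0 0 0
```

The static covers the whole inside /24 rather than the single SQL host, so a hit on the ACL can be matched to an xlate for any inside address; as noted in the thread, run "clear xlate" after changing the static so stale translations are not reused.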