
New Member

Dmz to inside

Added a 4-port Ethernet card on a PIX 515E, ver: 6.3

So I have the following:

ip address outside 63.209.xxx.xx 255.255.255.192

ip address inside 172.16.x.x 255.255.255.0

ip address dmz 192.168.121.4 255.255.255.0

From a web server on the dmz interface I'm unable to ping inside hosts, although from inside I can ping the dmz web server. show icmp:

icmp permit any outside

icmp permit any inside

icmp permit any echo dmz

What am I missing? Thanks.

13 REPLIES

Re: Dmz to inside

To go from a lower security interface to a higher one, you need NAT translations. For example

static (inside,dmz) 172.16.x.x 172.16.x.x netmask 255.255.255.0

You will also need an ACL.

access-list dmz_access permit icmp any any

access-group dmz_access in interface dmz

This example is NOT secure; only allow access to what is needed.

HTH and please rate.

New Member

Re: Dmz to inside

Here's what I have in place:

static (inside,dmz) 172.0.0.0 172.0.0.0 netmask 255.255.255.0 0 0

access-group dmz_access_in in interface dmz

access-list dmz_access_in line 1 permit icmp any any (hitcnt=845)

access-list dmz_access_in line 2 permit tcp host 192.168.121.34 host 172.16.x.x eq 1433 (hitcnt=0)

The goal is to be able to communicate with a SQL server on the inside.

Green

Re: Dmz to inside

Did you want to put 172.0.0.0/24 in your static (inside,dmz)?

Do you have a 172.0.0.0/24 network inside?

If not, it should be

static (inside,dmz) 172.0.0.0 172.0.0.0 netmask 255.0.0.0

or

static (inside,dmz) 172.16.x.0 172.16.x.0 netmask 255.255.255.0

New Member

Re: Dmz to inside

Yes, I have a 172.0.0.0/24 on the inside interface.

My issue is being unable to communicate with the inside from the dmz web server. With what I posted above, how would I proceed? Thanks.

Green

Re: Dmz to inside

But the host on the inside you want to hit on 1433 is not part of 172.0.0.0/24.

You need to add another static (inside,dmz) for the 172.16.x.0 network.

New Member

Re: Dmz to inside

I have:

static (inside,dmz) tcp interface 1433 172.16.3.3 1433 netmask 255.255.255.255 0 0

Still having a problem connecting to a SQL server on the inside.

Green

Re: Dmz to inside

Have you tried what was suggested above? I don't think you want what you just posted.

If you can watch the logs you are probably getting "No translation group found". If 172.16.3.3 is your SQL server, then add

static (inside,dmz) 172.16.3.3 172.16.3.3 netmask 255.255.255.255

Post a sanitized config if you can.

New Member

Re: Dmz to inside

Watching the log, but not getting the "no translation" error. Attached is the config.

Green

Re: Dmz to inside

Try this.

http://www.cisco.com/warp/public/110/mailserver.html

Pay close attention to the following line

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0

You will need one except yours would be

static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0 0 0

This will allow anything on 172.16.3.0/24 network to communicate with dmz server and vice versa.

I also don't know what this line is supposed to do: static (inside,dmz) tcp interface 1433 172.16.3.3 1433 netmask 255.255.255.255 0 0

You may have to "clear xlate" after the command is added. Just be aware of that. Also make sure your SQL server is running on 1433.

Someone correct me if I'm wrong here.
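The two conditions the replies above keep returning to (a static (inside,dmz) whose netmask actually covers the inside host, plus an ACL applied on the dmz interface that permits the flow) can be checked mechanically. The following is an added example, not code from the thread or from Cisco; it parses only the identity-static and simple ACL line shapes that appear in this thread, and the config lines it contains are constructed from the thread's own values to show why the 172.0.0.0/24 static never matched 172.16.3.3.

```python
import ipaddress
import re

# Understands "static (high,low) <global> <local> netmask <mask> ..." and
# "access-list NAME permit PROTO any|host A.B.C.D any|host A.B.C.D [eq PORT]".
STATIC_RE = re.compile(
    r"static \((?P<high>\w+),(?P<low>\w+)\) (?P<glob>[\d.]+) (?P<local>[\d.]+) netmask (?P<mask>[\d.]+)"
)
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) permit (?P<proto>\w+) (?P<src>any|host [\d.]+) "
    r"(?P<dst>any|host [\d.]+)(?: eq (?P<port>\d+))?"
)

def static_covers(line, high, low, host):
    """True if this static (high,low) creates a translation that includes host."""
    m = STATIC_RE.match(line.strip())
    if not m or m["high"] != high or m["low"] != low:
        return False  # not an identity static between these interfaces (e.g. the "tcp interface" form)
    net = ipaddress.ip_network(f"{m['local']}/{m['mask']}", strict=False)
    return ipaddress.ip_address(host) in net

def acl_permits(line, name, proto, src, dst, port=None):
    """True if this access-list line permits proto from src to dst (and port, when the line names one)."""
    m = ACL_RE.match(line.strip())
    if not m or m["name"] != name or m["proto"] != proto:
        return False
    def hit(field, addr):
        return field == "any" or field == f"host {addr}"
    port_ok = m["port"] is None or (port is not None and int(m["port"]) == port)
    return hit(m["src"], src) and hit(m["dst"], dst) and port_ok

def dmz_to_inside_ok(config, acl_name, src, dst, proto, port=None):
    """Both requirements from the thread must hold: a covering static and a permitting ACL line."""
    has_xlate = any(static_covers(l, "inside", "dmz", dst) for l in config)
    has_acl = any(acl_permits(l, acl_name, proto, src, dst, port) for l in config)
    return has_xlate and has_acl

# Constructed from the poster's config: the static only covers 172.0.0.0/24.
ORIGINAL = [
    "static (inside,dmz) 172.0.0.0 172.0.0.0 netmask 255.255.255.0 0 0",
    "access-list dmz_access_in permit icmp any any",
    "access-list dmz_access_in permit tcp host 192.168.121.34 host 172.16.3.3 eq 1433",
]
# Same config plus the static the replies converge on.
FIXED = ORIGINAL + ["static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0 0 0"]
```

The "tcp interface 1433" port-forwarding static from the thread is deliberately not treated as a covering translation, which matches the replies' point that it does not help here.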

New Member

Re: Dmz to inside

I removed:

static (inside,dmz) 172.16.3.3 172.16.3.3 netmask 255.255.255.0 0 0

Added:

static (inside,dmz) 172.16.3.0 172.16.3.0 netmask 255.255.255.0 0 0

Right now I would be happy just to ping from inside to dmz. I have the ACL:

access-list dmz_access permit icmp any any

Green

Re: Dmz to inside

As long as you are coming from inside 172.16.3.x you should be fine. Did you apply that ACL with access-group dmz_access in interface dmz?

New Member

Re: Dmz to inside

Yes, coming from 172.16.3.x, and I have the ACL:

access-group dmz_access in interface dmz

Green

Re: Dmz to inside

Did you get rid of this line?

static (inside,dmz) tcp interface 1433 172.16.3.3 1433 netmask 255.255.255.255

Might as well post current config and start logging.
