Global IP communications problems with outside interface

Hi all. I have a small problem I need help figuring out.

I have a Global statement:

global (outside) 2 1.1.1.10 netmask 255.255.255.240

And my nat statement is:

nat (dmz2) 2 0.0.0.0 0.0.0.0 0 0

Now, I have a host inside DMZ2 that wants to talk to my PIX's outside interface, which is 1.1.1.3.

So the traffic goes from insidehost -> gets PAT/NAT with 1.1.1.10 (global interface) and then tries to contact the real outside interface 1.1.1.3. But it doesn't work.

In my DMZ2 ACL I have the rule "permit ip any any" just to be on the safe side.

My insidehost can contact other sites outside my PIX. (I have 2 other PIXes with other IP ranges that the inside host can contact without problems.)

So, is it possible for the global interface to contact the outside interface, or is that denied somehow intentionally?

Or do I need to add a rule in the outside ACL that permits the outside interface to communicate with the global interface?

Regards

Anders

3 REPLIES

Re: Global IP communications problems with outside interface

This won't work. But why exactly do you need a DMZ host to communicate with the PIX's outside interface IP address? If you can tell us the requirement, like a webserver on the inside using the PIX's outside interface IP address, we may be able to help.

Regards,

Vibhor.

Re: Global IP communications problems with outside interface

hi

might have figured something out, gonna test and come back later

brb

Re: Global IP communications problems with outside interface

It is recommended to use static NAT translation for servers within a DMZ, for example:

static (dmz,outside) 66.44.44.33 192.168.1.1 netmask 255.255.255.255

If 192.168.1.1 (real address) is a webserver, then do:

access-list outside_in permit tcp any host 66.44.44.33 eq 80

access-group outside_in in interface OUTSIDE
