03-22-2010 04:26 PM - edited 03-11-2019 10:24 AM
Hi Guys,
03-22-2010 04:38 PM
This static route 172.19.10.0 255.255.255.0 [1/0] via 172.19.1.1, inside seems incorrect.
You said this network 172.19.10.0/24 lives behind the DMZ-A. Pls. remove that static route.
What is the security level for DMZ-A and DMZ-B?
Depending on that you need the static below. Let us say DMZ-A has a higher level security than DMZ-B then you need the following:
static (DMZ-A,DMZ-B) 172.19.10.0 172.19.10.0 netmask 255.255.255.0
You can remove the captures configured
no capture IN
no capture OUT
Follow this link to collect fresh set of captures if needed:
https://supportforums.cisco.com/docs/DOC-1222;jsessionid=A11197443F5D79D04565C4331EFA5806.node0
-KS
03-22-2010 04:46 PM
Hi KS,
Sorry about the bum steer with the routes, I should have edited that out before I posted (it's correct for our environment, but not for the hypothetical I was posting to this discussion).
Thanks for your help. The static NAT rule did the job.
I am curious as to why it worked though.... both DMZs are configured to route traffic to each other, so why do I even need NAT at all? If it's unconfigured, it's not applied, right?
Rgds
Scott
03-22-2010 06:09 PM
Maybe next time you can edit it really well. We focus on all the lines that would pertain to the networks that you listed.
Anyway, the static rule worked because you probably had nat-control enabled.
You need
1. route
2. translation
3. permission
all three for any traffic to traverse the firewall. If you want to disable nat then you have to issue "no nat-control".
Static 1-1 NAT is bidirectional. You need this going high to low, and automatically low to high (meaning traffic initiated from the lower security interface) will be allowed due to its bidirectional nature, provided the ACL allows it.
-KS
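The three checks KS lists (route, translation under nat-control, permission) and the bidirectional nature of a `static` are easy to see in a small model. The Python below is an added illustration written for this thread, not Cisco code and not a faithful emulation of the ASA; it assumes DMZ-A at security level 50, DMZ-B at 40, and a constructed 172.19.20.0/24 network behind DMZ-B, and it models only pre-8.3 style `static` NAT, interface ACLs with implicit deny, and the default "higher to lower only" rule.

```python
"""Toy model of the checks a classic (pre-8.3) ASA/PIX applies to a new flow:
1. route (which interface is the egress), 2. translation (mandatory when
nat-control is on), 3. permission (ACL, or security level if no ACL).
Added illustration for the thread above; security levels and the
172.19.20.0/24 network behind DMZ-B are constructed, not from the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass
class StaticNat:
    """static (real_ifc,mapped_ifc) mapped real netmask mask -- bidirectional."""
    high_if: str            # real_ifc (the higher-security side)
    low_if: str             # mapped_ifc (the lower-security side)
    mapped: IPv4Network     # address as seen from low_if
    real: IPv4Network       # address as seen from high_if


@dataclass
class Ace:
    action: str             # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


class Firewall:
    def __init__(self, nat_control=True):
        self.nat_control = nat_control
        self.levels = {}    # interface -> security level
        self.routes = []    # (prefix, egress interface)
        self.statics = []   # list of StaticNat
        self.acls = {}      # interface -> inbound ACL (list of Ace)

    def interface(self, name, level):
        self.levels[name] = level

    def route(self, prefix, iface):
        self.routes.append((ip_network(prefix), iface))

    def static(self, high_if, low_if, mapped, real, netmask):
        self.statics.append(StaticNat(high_if, low_if,
                                      ip_network(f"{mapped}/{netmask}"),
                                      ip_network(f"{real}/{netmask}")))

    def access_list(self, iface, action, src, dst):
        self.acls.setdefault(iface, []).append(
            Ace(action, ip_network(src), ip_network(dst)))

    def _egress(self, dst):
        # longest-prefix match over the routing table
        hits = [(p, i) for p, i in self.routes if dst in p]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def _translation(self, ingress, egress, src, dst):
        for s in self.statics:
            # high -> low: the static matches on the real source address
            if (ingress, egress) == (s.high_if, s.low_if) and src in s.real:
                return True
            # low -> high: the SAME static matches on the mapped destination,
            # which is why one static serves both directions
            if (ingress, egress) == (s.low_if, s.high_if) and dst in s.mapped:
                return True
        return False

    def _permitted(self, ingress, egress, src, dst):
        if ingress in self.acls:
            for ace in self.acls[ingress]:
                if src in ace.src and dst in ace.dst:
                    return ace.action == "permit"
            return False  # implicit deny at the end of every ACL
        # no ACL on the ingress interface: only higher -> lower is allowed
        return self.levels[ingress] > self.levels[egress]

    def check(self, ingress, src, dst):
        """Return (allowed, reason) for a new flow arriving on `ingress`."""
        src, dst = ip_address(src), ip_address(dst)
        egress = self._egress(dst)
        if egress is None:
            return False, "no route"
        if self.nat_control and not self._translation(ingress, egress, src, dst):
            return False, "no translation group found"
        if not self._permitted(ingress, egress, src, dst):
            return False, "denied by security level / acl"
        return True, f"{ingress} -> {egress}"


def build_firewall(nat_control=True, with_static=False, with_acl=False):
    """Scenario from the thread: 172.19.10.0/24 lives behind DMZ-A."""
    fw = Firewall(nat_control)
    fw.interface("inside", 100)
    fw.interface("DMZ-A", 50)     # constructed level: higher than DMZ-B
    fw.interface("DMZ-B", 40)
    fw.interface("outside", 0)
    fw.route("172.19.10.0/24", "DMZ-A")
    fw.route("172.19.20.0/24", "DMZ-B")  # constructed network behind DMZ-B
    if with_static:  # static (DMZ-A,DMZ-B) 172.19.10.0 172.19.10.0 netmask 255.255.255.0
        fw.static("DMZ-A", "DMZ-B", "172.19.10.0", "172.19.10.0", "255.255.255.0")
    if with_acl:     # permit DMZ-B hosts to reach DMZ-A (low -> high needs an ACL)
        fw.access_list("DMZ-B", "permit", "172.19.20.0/24", "172.19.10.0/24")
    return fw


if __name__ == "__main__":
    for label, fw in [("nat-control, no static", build_firewall()),
                      ("nat-control + static", build_firewall(with_static=True)),
                      ("static + acl on DMZ-B", build_firewall(with_static=True, with_acl=True)),
                      ("no nat-control", build_firewall(nat_control=False))]:
        print(label, "A->B", fw.check("DMZ-A", "172.19.10.5", "172.19.20.5"),
              "B->A", fw.check("DMZ-B", "172.19.20.5", "172.19.10.5"))
```

Running it shows the sequence Scott saw: with nat-control and no static, DMZ-A to DMZ-B fails at the translation step even though the route exists; the single static fixes that direction and also supplies the translation for DMZ-B to DMZ-A, which then only needs an ACL on DMZ-B to pass the permission check; with `no nat-control` the translation step is skipped and security levels alone decide.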
03-22-2010 08:12 PM
Thanks for the heads-up, I had no idea.
Cheers
Scott