Cisco Support Community

New Member

PIX 520 DMZ to INSIDE

Silly question here, but I give up and am cold stuck.

If I have a web app running on port 8080 on a DMZ'd web server and I want to give my users on the inside as well as the public on the outside access to this web app, what would the ACL look like?

Would I need a static trans?

For example:

User on inside - 192.168.1.0-192.168.5.0

PIX DMZ int.: 192.168.100.1

Web Srv on DMZ int. IP: 192.168.100.2

Thanks to all who can solve this mystery!

6 REPLIES
Green

Re: PIX 520 DMZ to INSIDE

For outside users you need a static and an ACL (the public address and ACL name below are placeholders, since the thread does not give them):

static (DMZ,outside) <outside-ip> 192.168.100.2 netmask 255.255.255.255

access-list <acl-name> permit tcp any host <outside-ip> eq 8080

access-group <acl-name> in interface outside

For inside users try...

static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

New Member

Re: PIX 520 DMZ to INSIDE

Users on the inside should by default be able to access the application as far as ACLs are concerned. Because your INSIDE interface is more trusted, the traffic will flow to a less trusted interface, i.e. your DMZ. Concerning NAT, you may have to do a nat 0 for traffic to flow back to inside correctly, but it really depends on your config.

If you have ACLs written already for your INSIDE interface you will need to update them with something like this:

access-list INSIDE permit TCP 192.168.1.0 255.255.255.0 host 192.168.100.2 eq 8080

Hope this helps. Good luck.

Green

Re: PIX 520 DMZ to INSIDE

I think you meant

access-list INSIDE permit TCP 192.168.1.0 255.255.255.0 host 192.168.100.2 eq 8080

New Member

Re: PIX 520 DMZ to INSIDE

Thanks for the heads up, you're right. I edited my post with the correct ACL. Sorry about that.

New Member

Re: PIX 520 DMZ to INSIDE

I was able to get the outside access working just fine, then I went to set the static for the inside users' access to the DMZ. I did this according to acomiskey's first post. It worked enough to get access to the DMZ from the inside, but..

I had many people telling me their internet connections and local resource connections were dropping randomly. I checked this to be true, so I removed the static. I assume this is because of an existing NAT statement, and the PIX is just looping??

cratejockey's post about depending on my config might shed some light here. Do you have a recommendation?

Here is some more info to help:

MD-Pix# sho nat

nat (inside) 0 access-list 102 (VPN Clients)

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Thx

Green

Re: PIX 520 DMZ to INSIDE

So local resource connections are through pix?

Anyway, not sure what the issue is, so communication between inside and dmz worked, but it messed everything else up? Try

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

If that works ok, then add one for each 192.168.x network.
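The 192.168.0.0/16 identity static suggested earlier in the thread also contains 192.168.100.0/24, the subnet the DMZ interface and web server sit on, while the per-/24 statics in the last reply do not. As an added example (not from any poster in this thread), a small Python check that flags such an overlap, carves a candidate inside range around the DMZ subnet to produce non-overlapping static (inside,DMZ) lines, and builds the matching inside ACL entry; the /24 mask on the DMZ is an assumption, since the thread only gives the interface address 192.168.100.1.

```python
import ipaddress
from typing import Iterable, List

# Addresses from the thread. The DMZ mask is an assumption: the thread gives only
# the interface (192.168.100.1) and the web server (192.168.100.2).
DMZ_NET = ipaddress.ip_network("192.168.100.0/24")
WEB_SERVER = ipaddress.ip_address("192.168.100.2")
WEB_PORT = 8080


def static_overlaps_dmz(candidate: str, dmz: ipaddress.IPv4Network = DMZ_NET) -> bool:
    """True when an identity 'static (inside,DMZ)' for `candidate` would also
    claim addresses that really live on the DMZ interface (the thread's
    192.168.0.0/16 static contains 192.168.100.0/24, for instance)."""
    return ipaddress.ip_network(candidate, strict=False).overlaps(dmz)


def identity_statics(inside_nets: Iterable[str],
                     dmz: ipaddress.IPv4Network = DMZ_NET) -> List[str]:
    """Return 'static (inside,DMZ) <net> <net> netmask <mask>' lines that cover
    every inside network but never the DMZ subnet. A candidate that contains
    the DMZ subnet is carved around it with address_exclude; one that lies
    entirely inside the DMZ subnet is dropped."""
    lines: List[str] = []
    for cidr in inside_nets:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.subnet_of(dmz):
            continue
        pieces = sorted(net.address_exclude(dmz)) if net.supernet_of(dmz) else [net]
        for piece in pieces:
            lines.append(f"static (inside,DMZ) {piece.network_address} "
                         f"{piece.network_address} netmask {piece.netmask}")
    return lines


def inside_acl_line(src_cidr: str, acl_name: str = "INSIDE") -> str:
    """The inside-interface ACL entry from the thread, for one source network."""
    net = ipaddress.ip_network(src_cidr, strict=False)
    return (f"access-list {acl_name} permit tcp {net.network_address} {net.netmask} "
            f"host {WEB_SERVER} eq {WEB_PORT}")


if __name__ == "__main__":
    print("/16 static overlaps DMZ:", static_overlaps_dmz("192.168.0.0/16"))  # True
    # One static per /24 for the 192.168.1.0 .. 192.168.5.0 user ranges, as in the last reply
    for line in identity_statics(f"192.168.{n}.0/24" for n in range(1, 6)):
        print(line)
    print(inside_acl_line("192.168.1.0/24"))
```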
