
PIX - Access DMZ server using an inside IP

soilemezis
Level 1

Hi there,

How would I go about setting up access to a server on the DMZ from the inside, not by using "nonat" (i.e. nat 0 or a static with the same IP), but by accessing the server with an IP from the inside LAN?

Thanks in advance.

10 Replies

Jon Marshall
Hall of Fame

Sorry, not sure I entirely understand. What is the inside IP, what is the DMZ IP and what do you want the inside IP address to be when it gets to the DMZ server?

Jon

mcvhintex
Level 1

If there is not an ACL already on the inside interface and if the inside interface has a higher security level than the DMZ interface, then all you will need is an address translation. Either a static or a nat statement.

Thanks guys for your interest.

The answer may be simple, maybe it's a bit too late for me.

I'll make it an example.

Inside is of higher security.

IP addresses

inside 192.168.1.0/24 pix: 192.168.1.1

dmz 192.168.2.0/24 pix: 192.168.2.1

dmz server 192.168.2.2

need inside users to connect to this server (Web!) by using a local IP, e.g. 192.168.1.2, not the 192.168.2.2 IP.

Thanks again.

static (outside,inside) 192.168.1.2 192.168.2.2 netmask 255.255.255.255

You need to make sure that 192.168.1.2 is not allocated to any device on the internal LAN.

Jon

Thanks Jon,

in other words you do

static (outside,inside)etc

just as if you were allowing access to an internal server from the outside where you would have done

static (inside,outside) etc

Is that so ?

Thanks

Correct me if I'm wrong Jon, but I think you meant...

static (dmz,inside) 192.168.1.2 192.168.2.2 netmask 255.255.255.255

You have it correct. You need to have the DMZ and Inside interfaces.

Thanks,

I realise Jon meant to use dmz instead of outside.

So we agree that no matter whether the security level is from higher to lower, or lower to higher we use the same syntax for the static.

Any objections, pls advise.

Well, yes and no, as you'll notice that the interfaces in the static statement are reversed, i.e. the most common syntax for a static would be

static (inside,dmz) or

static (inside,outside)

whereas what you are doing here is reversing the interface order, i.e.

static (dmz,inside) or

static (inside,dmz)

Jon

Adam

Nice to know someone was paying attention :)

Yes, I meant dmz, thanks for clarifying.

Jon
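The interface mix-up corrected in this thread, and the caveat that the mapped address must be unused on the inside LAN, can be caught by a small check of the `static` line before it is applied. This is an added example, not part of the original thread; the `check_static` helper, the outside subnet and the list of in-use hosts are constructed, and it assumes the mapped address is taken from the mapped interface's connected subnet, as in the scenario above.

```python
import ipaddress
import re

# Interface subnets from the thread; the outside subnet is a constructed value.
INTERFACES = {
    "inside": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
    "outside": ipaddress.ip_network("203.0.113.0/24"),  # constructed
}

# static (real_if,mapped_if) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)(?:\s+netmask\s+\S+)?\s*$"
)


def check_static(line, in_use=()):
    """Return a list of problems found in one PIX static statement."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return ["not a host static statement"]
    real_if, mapped_if, mapped_ip, real_ip = m.groups()
    unknown = [n for n in (real_if, mapped_if) if n not in INTERFACES]
    if unknown:
        return [f"unknown interface {n}" for n in unknown]
    try:
        mapped = ipaddress.ip_address(mapped_ip)
        real = ipaddress.ip_address(real_ip)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if real not in INTERFACES[real_if]:
        problems.append(f"real address {real} is not on {real_if}")
    if mapped not in INTERFACES[mapped_if]:
        problems.append(f"mapped address {mapped} is not on {mapped_if}")
    if mapped in {ipaddress.ip_address(a) for a in in_use}:
        problems.append(f"mapped address {mapped} is already allocated")
    return problems


if __name__ == "__main__":
    hosts = ["192.168.1.1", "192.168.1.10"]  # constructed inside inventory
    for stmt in (
        "static (outside,inside) 192.168.1.2 192.168.2.2 netmask 255.255.255.255",
        "static (dmz,inside) 192.168.1.2 192.168.2.2 netmask 255.255.255.255",
    ):
        print(stmt, "->", check_static(stmt, hosts) or "ok")
```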
