Pix communicate DMZ to inside

I'm trying to communicate on port 53 (domain/DNS) from my DMZ to the inside interface. It's just not working. I've even been on the phone with Cisco and he can't get it to work.

Right now I'm trying to verify two things.

1. When I do a packet trace, it stops on NAT

Type - NAT
Subtype - rpf-check
Action - DROP
Show rule in NAT Rules table.

Config:
nat (inside) 1 192.168.199.0 255.255.255.0
nat-control
  match ip inside 192.168.199.0 255.255.255.0 DMZ any
    dynamic translation to pool 1 (192.168.200.100 - 192.168.200.200)
    translate_hits = 0, untranslate_hits = 0

Then, when I click on Show rule in NAT Rules table, it goes to

    Type      Source             (Translated) Interface   Address
6   Dynamic   192.168.199.0/24   DMZ                      192.168.200.100-192.168.200.200

[attachment: rule.jpg]

Which leads me to problem #2

2. Cisco has documentation on their web site for configuring Inside/DMZ to Internet and it isn't configured this way.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

There's a picture of the map and commands, but the way they implement it is

ASA-AIP-CLI(config)# nat (inside) 1 172.20.1.0 255.255.255.0 (LAN)

ASA-AIP-CLI(config)# nat (inside) 1 192.168.1.0 255.255.255.0 (DMZ)

ASA-AIP-CLI(config)# global (Outside) 1 interface

I spoke with a Cisco tech about the difference and he says the document is wrong and mapping the nat DMZ to the inside won't work.

Would Cisco publish a document that is completely wrong? Is he right or is the document right?

Thanks


Pix communicate DMZ to inside

Hi,

So you have a DNS server in the DMZ and you want to communicate from inside to this server?

Just simply do this (I suppose that the DMZ security level is lower than the inside):

nat (inside) 2 192.168.199.0 255.255.255.0

global (dmz) 2 interface

Regards.

Alain

Don't forget to rate helpful posts.
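Both directions of the flow discussed in this thread, as an added example (not configuration from the question or the reply): pre-8.3 ASA/PIX nat/global syntax is assumed, the interface is named DMZ as in the packet-tracer output above, and 192.168.199.53 is a placeholder for the inside DNS server.

```text
! Added example, not from the thread. Pre-8.3 ASA/PIX NAT syntax assumed.
! 192.168.199.53 is a PLACEHOLDER for the inside DNS server.

nat-control

! inside -> DMZ (high to low): the reply's dynamic PAT onto the DMZ interface.
nat (inside) 2 192.168.199.0 255.255.255.0
global (DMZ) 2 interface

! DMZ -> inside (low to high): with nat-control the inside host needs a
! translation that DMZ hosts can initiate to, and the DMZ interface ACL must
! permit DNS to it. An identity static keeps the real and mapped address equal,
! so the ACL uses the same address and the NAT rpf-check no longer drops.
static (inside,DMZ) 192.168.199.53 192.168.199.53 netmask 255.255.255.255
access-list DMZ_IN extended permit udp 192.168.200.0 255.255.255.0 host 192.168.199.53 eq domain
access-list DMZ_IN extended permit tcp 192.168.200.0 255.255.255.0 host 192.168.199.53 eq domain
access-group DMZ_IN in interface DMZ

! Verify from the DMZ side; the NAT phase should now show ALLOW instead of
! the rpf-check DROP seen in the question (192.168.200.10 is a constructed host).
packet-tracer input DMZ udp 192.168.200.10 1025 192.168.199.53 53
```

The DMZ_IN ACL is deliberately limited to udp/tcp 53 toward the single inside host, so the DMZ gains no broader reach into the inside network.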