Cisco Support Community
PIX Configuration problem

I have two servers, one located on the PIX inside and one in the DMZ. I wanted to configure them so that they can communicate with routers and switches located outside of the PIX firewall.

My inside server is working fine: it is able to go to the Internet and able to communicate with all devices located on the outside of the PIX firewall. Below is the configuration for the inside server.

access-list outside_acl extended permit ip x.223.188.0 255.255.255.0 host 172.28.32.50

access-list outside_acl extended permit ip host x.219.212.217 host 172.28.32.50

access-list nonat extended permit ip host 172.28.32.50 host x.219.212.217

access-list nonat extended permit ip host 172.28.32.50 x.223.188.0 255.255.255.0

access-list inside_acl extended permit ip host 172.28.32.50 any

But my DMZ server is not working, though I did the same configuration as for the inside server. The DMZ server is not able to communicate with the outside network.

access-list outside_acl extended permit ip x.223.188.0 255.255.255.0 host 172.28.92.72

access-list outside_acl extended permit ip host x.219.212.217 host 172.28.92.72

access-list nonat extended permit ip host 172.28.92.72 host x.219.212.217

access-list nonat extended permit ip host 172.28.92.72 x.223.188.0 255.255.255.0

access-list dmz_acl extended permit ip host 172.28.92.72 any

If I create a static entry for the DMZ SNMP server,

static (edn,outside) 172.28.92.72 172.28.92.72 netmask 255.255.255.255

it starts communicating with outside devices, but Internet access stops working on that server. The same configuration works with the inside server but not with the DMZ server.

nat (inside) 0 access-list nonat

nat (inside) 3 172.28.32.0 255.255.255.0

nat (dmz) 3 172.28.92.0 255.255.255.0

global (outside) 3 interface

1 REPLY

Re: PIX Configuration problem

Statics override nats, except if it is a nat 0, so:

1) Your inside server will be translated to the firewall interface address when it talks outside (nat (inside) 3)

2) Your dmz server will be translated to 172.28.92.72 (because of the nat (inside) 0 nonat) and this address (172.28.92.72) is private address space and is not routed on the internet.

For this to work you need to try this:

REMOVE NONAT CONFIG FOR DMZ SERVER:

no access-list nonat extended permit ip host 172.28.92.72 host x.219.212.217

no access-list nonat extended permit ip host 172.28.92.72 x.223.188.0 255.255.255.0

REMOVE STATIC ENTRY FOR DMZ SERVER:

no static (edn,outside) 172.28.92.72 172.28.92.72 netmask 255.255.255.255

CLEAR CURRENT TRANSLATION TABLE

clear xlate local 172.28.92.72

Attempt to connect again. This should be translated to the interface address now because of the "nat (dmz) 3" statement.

Good luck!

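To make the precedence the reply relies on concrete, here is a small Python model of PIX NAT rule ordering (nat 0 exemption on its interface first, then static, then dynamic nat/global by id) fed with the poster's rules. It is an added illustration, not Cisco code or anything from the thread: the outside interface address, the stand-ins for the anonymised x.219.212.217 and x.223.188.0/24 peers, and the assumption that the static's "edn" interface is the DMZ are all placeholders.

```python
# Constructed model of PIX NAT precedence (not Cisco code); addresses are placeholders.
import ipaddress

OUTSIDE_IF_IP = "203.0.113.1"     # placeholder for the PIX outside interface address
PEER_ROUTER = "198.51.100.217"    # stand-in for the anonymised x.219.212.217
PEER_NET = "192.0.2.0/24"         # stand-in for x.223.188.0/24
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def translate(cfg, ifc, src, dst):
    """Mapped source and matching rule for a packet entering ifc, bound for outside."""
    for n_ifc, s_net, d_net in cfg["nat0"]:            # 1. nat 0 access-list: exempt
        if n_ifc == ifc and in_net(src, s_net) and in_net(dst, d_net):
            return src, "nat 0"
    for s_ifc, real, mapped in cfg["static"]:          # 2. static overrides dynamic nat
        if s_ifc == ifc and src == real:
            return mapped, "static"
    for (n_ifc, nat_id), s_net in cfg["nat"].items():  # 3. nat/global matched by id
        if n_ifc == ifc and in_net(src, s_net):
            g = cfg["global"][nat_id]
            return (OUTSIDE_IF_IP if g == "interface" else g), f"nat {nat_id}"
    return None, "no match"

def internet_routable(mapped):
    """The reply's point: a private mapped address is not routed on the Internet."""
    return mapped is not None and not any(in_net(mapped, n) for n in RFC1918)

def poster_config(with_dmz_static):
    # The nonat ACL is bound with 'nat (inside) 0', so its entries key on inside;
    # the static's 'edn' interface is assumed to be the DMZ ('dmz' in nat (dmz) 3).
    return {
        "nat0": [("inside", "172.28.32.50", PEER_ROUTER), ("inside", "172.28.32.50", PEER_NET),
                 ("inside", "172.28.92.72", PEER_ROUTER), ("inside", "172.28.92.72", PEER_NET)],
        "static": [("dmz", "172.28.92.72", "172.28.92.72")] if with_dmz_static else [],
        "nat": {("inside", 3): "172.28.32.0/24", ("dmz", 3): "172.28.92.0/24"},
        "global": {3: "interface"},
    }

def dmz_server_outcome(with_dmz_static):
    """Translation of the DMZ server toward a peer router and toward the Internet."""
    cfg = poster_config(with_dmz_static)
    peer = translate(cfg, "dmz", "172.28.92.72", PEER_ROUTER)
    inet = translate(cfg, "dmz", "172.28.92.72", "8.8.8.8")  # any public destination
    return {"to_peer": peer, "to_internet": inet, "internet_ok": internet_routable(inet[0])}

if __name__ == "__main__":
    print("with identity static:", dmz_server_outcome(True))
    print("static removed (reply's fix):", dmz_server_outcome(False))
```

With the identity static in place the DMZ server leaves as 172.28.92.72 toward every destination, so Internet traffic carries a private source; once the static is gone, nat (dmz) 3 maps it to the interface address.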