access dmz from inside

acristofari (Level 1)

Hello,

Sorry, but I have a problem.

I have a PIX 515 firewall with 3 interfaces: inside, dmz and outside.

inside 10.34.10.0

dmz 192.168.1.0

outside 151.x.x.x

I need to reach the DMZ clients from inside and the opposite, without NAT, and the DMZ needs to get to the Internet with NAT.

I configured:

nat (dmz) 2 192.168.1.0 255.255.255.0 0 0

global (outside) 2 151.x.x.1

access-list dmz_inside_in line 1 permit ip 192.168.1.0 255.255.255.0 any

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

I can't reach the hosts from inside to DMZ or the opposite.

5 Replies

Terry Pattinson (Level 1)

If you don't want NAT, use the special 0 NAT group:

nat (inside) 0 192.168.1.0 255.255.255.0

This disables the NAT process.

When going from a higher (inside) to lower (dmz) interface, you don't - by default - need to specify an ACL. Of course, your acl doesn't actually do anything unless you apply it.

HTH,

Terry

Thanks,

but I need to use NAT for Internet access from the DMZ,

and not use NAT from DMZ to inside.

Hi,

Do the following:

static 10.34.10.0 10.34.10.0 netmask 255.255.255.0

Static REAL-IP-Address 192.168.1.5 netmask 255.255.255.255

I hope this is helpful!

I think this document will help you.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

Please rate if it does!

Thanks

Abd Alqader

grant.maynard (Level 4)

The old rule used to be "high security -> low = nat+global, low -> high = static+ACL", although it gets more confusing when you have more interfaces and don't always want to NAT.

A traffic flow is always source->destination and therefore only involves two interfaces. So think of your traffic as being flows between two interfaces. Here we have two flows: when dmz accesses internet dmz=high, internet=low; when dmz accesses inside, inside=high, dmz=low. Therefore you're needing nat+global for the dmz->internet, and static for dmz->inside.

You have the correct lines to NAT your internet access:

nat (dmz) 2 192.168.1.0 255.255.255.0 0 100

global (outside) 2 151.x.x.1

The next line allows inside IPs to be visible to dmz (you still need ACL to permit traffic):

static (inside,dmz) 10.34.10.0 10.34.10.0 netmask 255.255.255.0
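To tie grant.maynard's pieces together, here is a complete PIX 6.x style config for this thread's three networks, including the access-group that actually binds the ACL (an added example, not posted by anyone in the thread; the security levels, the ACL name dmz_in and the 0 0 connection limits are assumptions):

```cisco
! Added example, not from the thread. PIX 6.x syntax assumed.
! Security levels assumed: inside 100, dmz 50, outside 0.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
!
! DMZ -> Internet (high -> low): nat + global, DMZ subnet PATed behind 151.x.x.1
nat (dmz) 2 192.168.1.0 255.255.255.0 0 0
global (outside) 2 151.x.x.1
!
! Inside <-> DMZ without NAT: identity static on the INSIDE network
! (not the DMZ network as in the original post). One static serves both
! directions, so inside -> dmz needs nothing else: high -> low is allowed
! by default and the static supplies the translation PIX requires.
static (inside,dmz) 10.34.10.0 10.34.10.0 netmask 255.255.255.0
!
! DMZ -> inside is low -> high, so it needs an explicit permit. DMZ hosts are
! the exposed ones, so narrow "permit ip" to the ports the DMZ really needs.
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 10.34.10.0 255.255.255.0
! The ACL ends in an implicit deny: once it is applied, Internet access
! from the DMZ must be permitted here too or the nat/global flow breaks.
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 any
! Nothing takes effect until the ACL is bound to the interface.
access-group dmz_in in interface dmz
```

Verify with `show xlate` (the identity translations for 10.34.10.x should appear once traffic flows) and `show access-list dmz_in` (hit counts on the DMZ-to-inside line).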

Gurus, what if, in this exact situation, I want to NAT the source addresses of traffic coming from DMZ to inside? Is that possible?

And what actually happens when you reverse the interfaces in the static line?

Like: static (DMZ,inside) x.x.x.x x.x.x.x netmask x.x.x.x
