Cisco Support Community

Access from DMZ to WAN

Hi,

We have the interfaces called DMZ (low security interface) and WAN (high security interface) in our firewall. When I configured the following lines to enable access from DMZ to WAN, it's not working. Can somebody help me?

access-list dmz permit ip host 10.10.10.1 host 10.20.10.1

static (wan,dmz) 20.20.20.1 10.10.10.1 netmask 255.255.255.255

The DMZ source should get NATed to gain access to the WAN network. The IP addresses are changed, as I don't want to give the original IPs.

1 REPLY

Re: Access from DMZ to WAN

I believe that your security settings are inverted; the dmz should have a higher weight than the wan. The higher weight means more trusted. Also, is there a router between the PIX and the wan cloud, or does the PIX connect directly to your wan provider?

Look at the static statement as (higher wt, lower wt) lower-ip higher-ip (where wt means weight). Try reworking the static to:

static (dmz,wan) 20.20.20.1 10.10.10.1 netmask 255.255.255.255

Make sure you do a clear xlate after the change. With the change, your traffic from the dmz host 10.10.10.1 should cross the wan link using the IP address 20.20.20.1.

If, for some reason, you want to trust the wan link more than the dmz link, you may be able to accomplish what you want, but I would need to know what version of the PIX, and what model, to help determine that.

Regards, Ed Hirsel
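
An added example, not part of the thread and not Cisco code: a small Python check that applies the reply's (higher wt, lower wt) reading of the static statement to a config. It assumes PIX 6.x-style `nameif <hardware> <name> security<level>` lines; the security levels, hardware ids and the name `check_statics` are constructed for illustration.

```python
import re

# PIX 6.x-style interface naming: nameif <hardware_id> <if_name> security<level>
NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)\s*$")
# static (first_if,second_if) <mapped_ip> <real_ip> ...
STATIC = re.compile(r"^static\s+\((\w+)\s*,\s*(\w+)\)\s+(\S+)\s+(\S+)")

def check_statics(config):
    """Check every static against the reply's (higher wt, lower wt) reading.

    Returns a list of (first_if, second_if, verdict) tuples.
    """
    lines = [ln.strip() for ln in config.splitlines()]
    # First pass: collect security levels, wherever the nameif lines appear.
    levels = {m.group(1): int(m.group(2))
              for m in map(NAMEIF.match, lines) if m}
    results = []
    for m in filter(None, map(STATIC.match, lines)):
        first, second = m.group(1), m.group(2)
        if first not in levels or second not in levels:
            verdict = "unknown interface"
        elif levels[first] > levels[second]:
            verdict = "ok"
        else:
            verdict = "first interface is not the more trusted one"
        results.append((first, second, verdict))
    return results

# Constructed sample configs (security levels and hardware ids are assumed values).
# AS_POSTED: dmz is the low security interface, as in the question.
AS_POSTED = """
nameif ethernet1 wan security80
nameif ethernet2 dmz security20
static (dmz,wan) 20.20.20.1 10.10.10.1 netmask 255.255.255.255
"""
# LEVELS_SWAPPED: dmz is weighted higher than wan, as the reply recommends.
LEVELS_SWAPPED = """
nameif ethernet1 wan security20
nameif ethernet2 dmz security80
static (dmz,wan) 20.20.20.1 10.10.10.1 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("levels swapped", LEVELS_SWAPPED)):
        for first, second, verdict in check_statics(cfg):
            print(f"{name}: static ({first},{second}) -> {verdict}")
```

With the interface levels as described in the question, the reworked static is flagged; it only fits once dmz carries the higher weight.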
