Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Access from "inside" interface to "dmz"

We are using a PIX515E (IOS 6.1(3)) with a "dmz". The DMZ has a single web server which is hosting multiple web sites. The web server uses a single private IP address, and each web site has a different public IP address. We have configured the PIX with the following for each web site :-

static (dmz, outside) tcp website_public_IP www webserver_private_IP 808x

Therefore each website "public" IP maps to the corresponding web server "private" IP / port combination (eg, 192.168.1.1 port 8082) on the DMZ. An access list has been configured to allow access from the "outside". ALL web sites are accessable from the Internet.

However, when we try to access the websites (on the DMZ) from "inside" hosts, DNS resolves to the correct "public" IP for each website, but the website cannot be opened. All other Internet sites can be accessed.

It seems like the packet entering the "inside" interface is NAT'd to the correct "public" IP address, but then the source & destination address are on the same "public" network. Because the packet does not enter the "outside" interface, then the static mappings to the DMZ based webserver do not occur.

We cannot use the "alias" command, as this does not work at the port level - only at the IP address level.

Does anyone know how to allow access to these multiple web sites on the DMZ from "inside" hosts ??

1 REPLY
New Member

Re: Access from "inside" interface to "dmz"

firewall will not allow the same packet to get out and get in to the same interface. So, you need to browse the webserver by the private IP

what i will do is, supose this.

you could add a traslation and a static route to reach the servers without leave the pix.

with a new nat on the inside, a global on the dmz and a static route

suppose this

nat (inside) 1 0 0

global (outside) 1 pool1

route outside 0 0 next_hop_ip

(until here, the nat that will allow the inside network reach internet)

then , the statics that you have declared for the dmz->outside

Now, the ones ill add to reach the webserver with the IP that DNS gave me for the Website (suppose the websites public IP as 200.0.0/24)

and make the static pairs to put the 192.168's on the inside interface with the public ip

static (dmz,inside) tcp 200.0.0.2 www 192.168.1.2 808x netmask 255.255.255.255

and so on.

now you have the same traslation in both interfaces (outside and outside) from the dmz interface.

i think that the default route is

route outside 0 0 next_hop

so , you can reach internet from the inside

now, the dns gave me for www.server1.com the ip 200.1.1.2 , i must avoid this packet leave the pix.

a static route could avoid it

route dmz 200.1.1.0 255.255.255.0 ip_dmz_interface

the traslation will set up by the static, all the other IP will leave the pix and go to internet, only the packets for the webserver will hop from inside to dmz.

Dont forget to add the acl statements for the inside access-group to permit this traffic.

This is an idea, i think it may work, but im with exams now , and i cant test it.

I hope it helps.

Alexis

251
Views
0
Helpful
1
Replies
CreatePlease to create content