Access to DMZ on PIX-515

kbozung
Level 1

Let me try to explain my problem in a logical manner. I have a PIX-515R, I added a single 10/100 interface as my 'DMZ1' port. My 'inside' interface is running on 192.168.0.0/24, my 'DMZ1' interface is running on 192.168.1.0/24. I have configured my active directory DNS servers to also be real DNS servers; they are running on the 'inside' network. I wanted my users to be able to access the web server by its outside name, so I moved it to the DMZ interface. This works by using the alias command along with the 'sysopt nodnsalias outbound' command. However, from 'Inside' I am unable to directly access anything on the 'DMZ1' network. For example, I am unable to access my web server by its 192.168.1.X address from 'inside.' I can't even ping it. I do get full access by using its public IP address.

Additionally, my web server on 'DMZ1' can't access anything statically mapped to 'Inside' by public addresses or 'Inside' addresses, even though they are allowed by the access list. So DNS resolution from my web server fails because it can't access my DNS servers.

Can anybody help?

2 Replies

jerryd
Level 1

Your problem sounds like a NAT problem. Because you are using private addresses you have nat (inside) 1 192.168.0.0 255.255.255.0 and you would map to a global public IP. What you should do when talking from private to private addresses is to use the

"nat (inside) 0 access-list NONAT"

The access-list will be as follows

"access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0"

Thanks. I spent a couple of hours with it last night and figured it all out. It was NAT, plus you need static mappings for everything you want to access in a higher security level.

Thank you for your help.
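Putting the two replies together, here is an added PIX 6.x configuration fragment (not posted by anyone in this thread) that keeps inside-to-DMZ1 traffic untranslated, publishes the inside subnet to DMZ1 with an identity static, and opens only DNS from the web server to the AD/DNS server. The interface names, security level, slot number, and the host addresses 192.168.1.10 (web server) and 192.168.0.5 (DNS server) are assumptions; only the two subnets come from the original post.

```cisco
: Added example, not from the thread. Slot, interface names, security level
: and host addresses are assumed; only the two /24 subnets come from the post.
nameif ethernet2 DMZ1 security50
ip address inside 192.168.0.1 255.255.255.0
ip address DMZ1 192.168.1.1 255.255.255.0
:
: NAT exemption from the first reply: inside<->DMZ1 traffic stays untranslated,
: so inside hosts reach the web server by its real 192.168.1.x address.
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
:
: Identity static for the higher-security side: this is the "static mapping"
: the poster found necessary so hosts on DMZ1 can initiate connections inward.
static (inside,DMZ1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
:
: Lower-to-higher traffic also needs an explicit ACL on the DMZ1 interface.
: Permit only DNS from the web server to the DNS server; everything else
: from DMZ1 toward inside falls to the implicit deny.
access-list DMZ1_IN permit udp host 192.168.1.10 host 192.168.0.5 eq domain
access-list DMZ1_IN permit tcp host 192.168.1.10 host 192.168.0.5 eq domain
:
: PIX 6.x does not track ICMP state, so echo replies from the web server
: back to inside pingers must be allowed explicitly (fixes "can't even ping").
access-list DMZ1_IN permit icmp host 192.168.1.10 192.168.0.0 255.255.255.0 echo-reply
access-group DMZ1_IN in interface DMZ1
```

Verify with `show xlate` (no translation should appear for inside-to-DMZ1 flows) and `show access-list DMZ1_IN` (hit counts on the DNS lines while the web server resolves names).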