Cisco PIX configuration Question - very limited info. Sorry!!

davidchances
Level 1

People,

I have been asked a question about a Cisco PIX (I do not know what model it is) of which I have very very limited knowledge. The person asking me the question is helping someone else!! I apologise in advance for the lack of information here, but I'm hoping someone that has expert PIX skills will be able to diagnose the potential problem, or ask me the question to ask down the chain to get this fixed. The question they asked me was:

"cannot get NAT to work properly between the DMZ and other ports"

I know this is very sketchy, but because I am not a firewall or security guy I'm not sure what I am looking for or what other questions I need to ask. I do however have a copy of the config; if anyone can help, one would really appreciate it.

Attached is config.

1 Accepted Solution

I think the above is not an issue.

However, the below is an issue;

static (dmz1,outside) 20.20.20.252 switch1 netmask 255.255.255.255 0 0

static (dmz1,outside) 20.20.20.22 switch1 netmask 255.255.255.255 0 0

I believe it should be;

static (dmz1,outside) 20.20.20.252 switch1 netmask 255.255.255.255 0 0

static (dmz1,outside) 20.20.20.22 nlbweb1 netmask 255.255.255.255 0 0

Let us know if it helps,

Paul

2 Replies

m.sir
Level 7

I don't know what "DMZ and other ports" means

but there is some strange DMZ NAT configuration

global (dmz1) 1 10.30.30.100

nat (dmz1) 1 10.30.30.0 255.255.255.0 0 0

It means that hosts on DMZ1 are NATed to an IP from the same range

e.g. host 10.30.30.10 is NATed to 10.30.30.100; even further, host 10.30.30.100 is "NATed" to 10.30.30.100... It could be a problem... Why is it configured like this? What is the role of the DMZ hosts, where should they access, and from where should those hosts be accessible?

M.

Hope that helps, rate if it does
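
The two patterns raised in the replies (one real host behind two static mappings, and a global address inside the nat source range on the same interface) can be checked mechanically when reviewing a PIX config. This is an added example, not part of any post in the thread; the sample input is constructed from the lines quoted here, and the helper name `audit` is hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: only the lines quoted in the thread (the attached config is not shown).
SAMPLE_CONFIG = """\
global (dmz1) 1 10.30.30.100
nat (dmz1) 1 10.30.30.0 255.255.255.0 0 0
static (dmz1,outside) 20.20.20.252 switch1 netmask 255.255.255.255 0 0
static (dmz1,outside) 20.20.20.22 switch1 netmask 255.255.255.255 0 0
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Host statics only; port redirection (static ... tcp|udp ...) is skipped.
STATIC_RE = re.compile(r"^static \((\S+?),(\S+?)\) (?!tcp |udp )(\S+) (\S+)")
GLOBAL_RE = re.compile(rf"^global \((\S+?)\) (\d+) {IP}")
NAT_RE = re.compile(rf"^nat \((\S+?)\) (\d+) {IP} {IP}")


def audit(config):
    """Hypothetical helper: return review findings for PIX static/global/nat lines."""
    statics = defaultdict(list)  # (real_if, mapped_if, real_host) -> mapped IPs
    pools, sources, findings = [], [], []
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped_ip, real_host = m.groups()
            statics[(real_if, mapped_if, real_host)].append(mapped_ip)
        elif m := GLOBAL_RE.match(line):
            pools.append((m[1], m[2], ipaddress.ip_address(m[3])))
        elif m := NAT_RE.match(line):
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
            sources.append((m[1], m[2], net))
    # One real host (name or IP) behind several mapped addresses on one interface pair.
    for (real_if, mapped_if, host), mapped in statics.items():
        if len(mapped) > 1:
            findings.append(f"static ({real_if},{mapped_if}): {host} is the real "
                            f"host for {', '.join(mapped)}")
    # A global address inside the nat source network with the same interface and NAT ID.
    for g_if, g_id, addr in pools:
        for n_if, n_id, net in sources:
            if (g_if, g_id) == (n_if, n_id) and addr in net:
                findings.append(f"global ({g_if}) {g_id} {addr} is inside "
                                f"nat ({n_if}) {n_id} {net}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

With the second static pointed at nlbweb1, as the accepted solution proposes, the static finding no longer appears.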
