configuring 2 subnets to access the DMZ and Outside interface

anilkumar.k
Level 1

We have 2 subnets, 10.241.34.0/24 and 10.241.71.0/24, in the LAN which form a part of the offshore dev center, which need to have access to the internet as well as to our local LAN 172.19.0.0. How do I configure it?

5 Replies

jackko
Level 7

Assuming 10.241.34.0/24 and 10.241.71.0/24 are connected to the PIX DMZ interface, then

for DMZ accessing the internet:

global (outside) 1 interface
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0

for DMZ accessing the inside:

static (dmz,inside) 10.241.34.0 10.241.34.0 netmask 255.255.255.0
access-list dmz_access_inside permit ip 10.241.34.0 255.255.255.0 172.19.0.0 255.255.255.0
access-group dmz_access_inside in interface dmz

You may restrict the DMZ accessing the inside by playing with the ACL dmz_access_inside, e.g.:

access-list dmz_access_inside permit tcp 10.241.34.0 255.255.255.0 host 172.19.0.100 eq 3389

Hi Jackko,

Thanks for the info. I am attaching the config of the FW. 10.249.34.0 is on the inside and 10.249.71.0 is on the DMZ, and the 172.19.0.0 is on the outside, which I would now be moving to the DMZ; on the outside I will have an internet connection terminating.

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 Outside security0
nameif ethernet1 dbinside security99
nameif ethernet2 dbinside1 security50
hostname DB-FW
clock timezone IST 5 30
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 102 permit tcp any host ipms.ultimatix.net eq www
access-list 102 permit tcp any host ipms2.ultimatix.net eq www
access-list 102 permit tcp any host ipmsambattur eq www
access-list 102 permit tcp any host ipmskol eq www
access-list 102 permit tcp any host ipmsseepz eq www
access-list 102 permit tcp any host ipmsshol eq www
access-list 102 permit tcp any host ipmsuat eq www
access-list 102 permit tcp any host pulse eq https
access-list 102 permit tcp any host pulse eq www
access-list 102 permit tcp any host inblrm01 eq https
access-list 102 permit tcp any host inblrm01 eq ldap
access-list 102 permit tcp any host inblrm01 eq netbios-ssn
ip address outside 172.19.X.X 255.255.255.192
ip address dbinside 10.249.34.X 255.255.255.0
ip address dbinside1 10.249.71.X 255.255.255.0
global (outside) 1 172.19.X.X
nat (dbinside) 1 0.0.0.0 0.0.0.0 0 0
access-group 102 in interface dbinside
route tcs 172.17.0.0 255.255.0.0 172.19.x.x 1
route tcs 172.19.0.0 255.255.0.0 172.19.x.x 1
route tcs 172.20.0.0 255.255.0.0 172.19.x.x 1
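Added example, not part of the thread: a small consistency check over a PIX 6.3 config of the kind pasted above. It flags commands that reference an interface no nameif defines, an access-group that names an undefined ACL, and any non-zero-security interface with no nat/static (its hosts have no translation and so cannot initiate connections toward lower-security interfaces). The function name lint_pix_config and the constructed SAMPLE_CONFIG (a subset of the posted lines, addresses still masked) are my own.

```python
import re

# Constructed sample: a subset of the config posted above, addresses left masked.
SAMPLE_CONFIG = """
nameif ethernet0 Outside security0
nameif ethernet1 dbinside security99
nameif ethernet2 dbinside1 security50
access-list 102 permit tcp any host pulse eq https
ip address outside 172.19.X.X 255.255.255.192
ip address dbinside 10.249.34.X 255.255.255.0
ip address dbinside1 10.249.71.X 255.255.255.0
global (outside) 1 172.19.X.X
nat (dbinside) 1 0.0.0.0 0.0.0.0 0 0
access-group 102 in interface dbinside
route tcs 172.17.0.0 255.255.0.0 172.19.x.x 1
route tcs 172.19.0.0 255.255.0.0 172.19.x.x 1
route tcs 172.20.0.0 255.255.0.0 172.19.x.x 1
"""

def lint_pix_config(text):
    """Return a list of findings for references that do not line up in a PIX 6.x config."""
    ifaces = {}         # interface name (lowercased) -> security level
    acls = set()        # ACL names seen in access-list lines
    nat_ifaces = set()  # interfaces that own a nat or static translation
    refs = []           # (line, interface name) pairs to validate
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"nameif \S+ (\S+) security(\d+)", line):
            ifaces[m.group(1).lower()] = int(m.group(2))
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"(?:global|nat) \((\S+)\) ", line):
            refs.append((line, m.group(1)))
            if line.startswith("nat"):
                nat_ifaces.add(m.group(1).lower())
        elif m := re.match(r"static \((\S+),(\S+)\)", line):
            refs += [(line, m.group(1)), (line, m.group(2))]
            nat_ifaces.add(m.group(1).lower())
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            refs.append((line, m.group(2)))
            if m.group(1) not in acls:
                findings.append(f"access-group references undefined ACL {m.group(1)}")
        elif m := re.match(r"(?:ip address|route) (\S+) ", line):
            refs.append((line, m.group(1)))
    for line, name in refs:
        if name.lower() not in ifaces:
            findings.append(f"unknown interface '{name}' in: {line}")
    # Without a nat/static, PIX 6.x builds no xlate for the interface's hosts,
    # so they cannot initiate connections toward lower-security interfaces.
    for name, level in ifaces.items():
        if level > 0 and name not in nat_ifaces:
            findings.append(f"interface {name} (security{level}) has no nat/static; "
                            "hosts behind it cannot reach lower-security interfaces")
    return findings
```

On the sample it reports the three route lines pointing at the undefined interface tcs and that dbinside1 has no translation, which is why the DMZ hosts cannot reach the outside in the posted config.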

You mentioned, "172.19.0.0 is on the outside which i would now be moving to the DMZ". Just wondering if 172.19.0.0 is replacing the existing 10.249.71.0 or there is another router that in turn connects to other subnets.

Jackko, 172.19.0.0 is being moved to the DMZ and the internet will be on the outside. Also, the 10.249.71.0 range is configured on another DMZ interface.

Please excuse me for misunderstanding.

Would you please specify what sort of assistance you are looking for?