Cisco Support Community
New Member

Connect to DMZ server from inside host using the DMZ outside IP

The setup is as in the attached picture.

Pix config is as follows:

access-list DMZ extended permit icmp host Pubsrv any
access-list ACLIN extended permit tcp any host 172.31.0.5 eq www
access-list ACLIN extended permit tcp any host 172.31.0.5 eq ftp
access-list ACLIN extended permit tcp any host 172.31.0.9 eq ftp <<< Allow ftp to Public Server
access-list ACLIN extended permit icmp host Inetsrv host 172.31.0.11
access-group ACLIN in interface outside
access-group DMZ in interface dmz
nat-control
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 172.31.0.10-172.31.0.254
global (dmz) 1 192.168.1.10-192.168.1.254
static (dmz,outside) 172.31.0.9 Pubsrv netmask 255.255.255.255 <<< Public Server static NAT
static (inside,outside) 172.31.0.5 Insrv netmask 255.255.255.255 <<< Internal Server static NAT
static (inside,outside) 172.31.0.11 Wstation netmask 255.255.255.255
static (inside,dmz) 192.168.1.11 Wstation netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 172.31.0.2 1

=====================

PIX interfaces are configured with the IPs shown in the figure, and the security levels are in:100 - dmz:50 - out:0.

I go to the "Internal Server" and do: ftp 172.31.0.9, which is the outside IP of the "Public Server", instead of doing: ftp 192.168.1.2 and connecting to it directly, but it does not work and I cannot understand why.

As far as I understand the following steps should happen:

1) Internal Server (IP 10.0.0.11) sends the first ftp packet to Public Server (IP 172.31.0.9).

2) The PIX receives the packet on the inside interface, performs static NAT for the src IP from 10.0.0.11 to 172.31.0.5 and sends the packet to the outside interface (based on the routing table).

3) The PIX sees dest IP address 172.31.0.9, so it takes the packet in again from the outside interface, performs static NAT for the dst IP from 172.31.0.9 to 192.168.1.2 and sends the packet out to the Public Server in the DMZ.

4) The Public Server responds, and there should be no problem for the response to go back as the session is stored in the session table.

However this does not happen and I am very confused....

3 REPLIES
New Member

Re: Connect to DMZ server from inside host using the DMZ outside

If I understand your situation correctly, try adding the following command in your PIX (not sure what version you are running):

alias(inside) 172.31.0.9 192.168.1.2 255.255.255.255

Hope this helps.

Re: Connect to DMZ server from inside host using the DMZ outside

Hi, your description of the issue is a bit confusing. Can you just post your config and explain in a few words what you are trying to achieve?

New Member

Re: Connect to DMZ server from inside host using the DMZ outside

The config I put above is the full config minus the interface configs (which are correct). Look at the attached picture to see the topology.

My question is this: when I am on an inside host (Internal Server or Workstation) and I do ftp 192.168.1.2 (DMZ real IP) it works. When I do ftp 172.31.0.9 (DMZ static translated IP) it does not.

In other words, I try to ftp from inside to the DMZ server via the DMZ server's outside IP. Is it clear now?
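To make the gap in steps 2 and 3 of the original post concrete, here is a small added model (not code from the thread or from Cisco) of how PIX 6.x consults static translations: a static is only looked at for the interface pair the packet crosses, so a mapped address that exists only on the outside interface is never untranslated for a packet arriving on inside; the packet is just routed. The interface /24s, the host IPs substituted for Pubsrv and Insrv, and the extra `static (dmz,inside)` line are assumptions used to show the difference.

```python
import ipaddress
import re

# Interface subnets are only in the attached figure; these /24s are assumed from
# the global pools and static addresses in the posted config.
CONNECTED = {
    "inside": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.168.1.0/24"),
    "outside": ipaddress.ip_network("172.31.0.0/24"),
}
DEFAULT_ROUTE_IF = "outside"  # route outside 0.0.0.0 0.0.0.0 172.31.0.2 1

# Static lines from the post, with names replaced by the IPs the post gives
# (Pubsrv = 192.168.1.2, Insrv = 10.0.0.11). Wstation is omitted: its address
# appears only in the figure.
POSTED_CONFIG = """
static (dmz,outside) 172.31.0.9 192.168.1.2 netmask 255.255.255.255
static (inside,outside) 172.31.0.5 10.0.0.11 netmask 255.255.255.255
"""
# Assumed extra line (not from the post): make the same mapped address
# visible on the inside interface.
EXTRA_STATIC = "static (dmz,inside) 172.31.0.9 192.168.1.2 netmask 255.255.255.255"

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask")


def parse_statics(config):
    """Return (real_if, mapped_if, mapped_ip, real_ip) for each 'static' line."""
    return [m.groups() for m in map(STATIC_RE.match, config.strip().splitlines()) if m]


def egress_for(ingress_if, dst_ip, statics):
    """Simplified PIX 6.x lookup for a packet arriving on ingress_if.

    Destination untranslation happens only if some static exposes dst_ip as its
    mapped address on the ingress interface; otherwise the packet is routed by
    the connected subnets and the default route, destination unchanged.
    Returns (egress interface, destination address after the lookup)."""
    for real_if, mapped_if, mapped_ip, real_ip in statics:
        if mapped_if == ingress_if and mapped_ip == dst_ip:
            return real_if, real_ip  # untranslated and delivered to the real host
    addr = ipaddress.ip_address(dst_ip)
    for name, net in CONNECTED.items():
        if addr in net and name != ingress_if:
            return name, dst_ip  # routed unchanged toward a connected subnet
    return DEFAULT_ROUTE_IF, dst_ip
```

With the posted config alone, `egress_for("inside", "172.31.0.9", ...)` ends on the outside interface with the destination still 172.31.0.9, while the same call with the assumed `static (dmz,inside)` line ends on dmz with destination 192.168.1.2.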
