Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

DMZ access from inside

I have a client who we just put a new DMZ card in for on a 515. Moved a machine out to the DMZ and that server can be accessed from the outside no problem (web server). The problem is, that there is no access from the LAN to the DMZ. I have compared the config to other working configs and everything looks like it should be fine. I am thinking that I am missing something simple. Below is most of the config and everything related to the DMZ. Any ideas on why we can't access the DMZ from the Inside inderface? No ping, no nothing at this point. We just want to allow all traffic from the LAN (inside) to the DMZ. Thanks!

:

PIX Version 6.3(1)

interface ethernet0 10baset

interface ethernet1 10baset

interface ethernet2 10baset

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security10

hostname PIX

domain-name mydomain.com

access-list acl_out permit icmp any any

access-list acl_out permit tcp any host 64.xx.xx.xx eq www

pager lines 24

logging on

logging trap warnings

logging host inside 192.168.200.x

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 64.xx.xx.xx 255.255.255.224

ip address inside 192.168.200.1 255.255.255.0

ip address dmz 192.168.201.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list vpn

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (dmz,outside) 64.xx.xx.xx 192.168.201.25 netmask 255.255.255.255 0 0

static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.255.0 0 0

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 64.xx.xx.xx 1

[OK]

2 REPLIES
Gold

Re: DMZ access from inside

Hello Chad,

Here’s a configuration example of 3 interface PIX, running PIX IOS 6.2 – Sorry no time for a full explanation but if you require one then you can e-mail me direct on the above e-mail address.

Pix(config)# global (outside) 1 200.200.200.10-200.200.200.253 netmask 255.255.255.0

Pix(config)# nat (inside) 1 0 0

Pix(config)# nat (dmz) 1 0 0

Pix(config)# static (dmz,outside) 200.200.200.1 192.168.5.5

Pix(config)# static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

Pix(config)# access-list no_nat permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0

Pix(config)# access-list no_nat permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0

Pix(config)# nat (inside) 0 access-list no_nat

Pls. Remember the rule: From Interface Inside to Interface DMZ requires nat/global command.And DMZ to Inside requires static/conduit. Pls. issue cmd: 'clear xlate' after configuration has been saved with cmd: 'wr m' (write memory)

Hope this helps out for your problem. Let me know how you get on.

New Member

Re: DMZ access from inside

Here's the command you must add:

global (dmz) 1 interface

This way, inside hosts will be Natted, based on nat (inside) 1 0.0.0.0 0.0.0.0, to the DMZ interface's IP address as specified with the global command.

Regards,

Ben

99
Views
0
Helpful
2
Replies
CreatePlease login to create content