Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
197
Views
0
Helpful
2
Replies

DMZ access from inside

9clord
Level 1
Level 1

‎07-19-2003 07:18 PM - edited ‎03-09-2019 04:06 AM

I have a client who we just put a new DMZ card in for on a 515. Moved a machine out to the DMZ and that server can be accessed from the outside no problem (web server). The problem is, that there is no access from the LAN to the DMZ. I have compared the config to other working configs and everything looks like it should be fine. I am thinking that I am missing something simple. Below is most of the config and everything related to the DMZ. Any ideas on why we can't access the DMZ from the Inside inderface? No ping, no nothing at this point. We just want to allow all traffic from the LAN (inside) to the DMZ. Thanks!

:

PIX Version 6.3(1)

interface ethernet0 10baset

interface ethernet1 10baset

interface ethernet2 10baset

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security10

hostname PIX

domain-name mydomain.com

access-list acl_out permit icmp any any

access-list acl_out permit tcp any host 64.xx.xx.xx eq www

pager lines 24

logging on

logging trap warnings

logging host inside 192.168.200.x

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 64.xx.xx.xx 255.255.255.224

ip address inside 192.168.200.1 255.255.255.0

ip address dmz 192.168.201.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list vpn

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (dmz,outside) 64.xx.xx.xx 192.168.201.25 netmask 255.255.255.255 0 0

static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.255.0 0 0

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 64.xx.xx.xx 1

[OK]

Labels:
0 Helpful
2 Replies 2

jmia
Level 7
Level 7

‎07-20-2003 03:46 AM

Hello Chad,

Here’s a configuration example of 3 interface PIX, running PIX IOS 6.2 – Sorry no time for a full explanation but if you require one then you can e-mail me direct on the above e-mail address.

Pix(config)# global (outside) 1 200.200.200.10-200.200.200.253 netmask 255.255.255.0

Pix(config)# nat (inside) 1 0 0

Pix(config)# nat (dmz) 1 0 0

Pix(config)# static (dmz,outside) 200.200.200.1 192.168.5.5

Pix(config)# static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

Pix(config)# access-list no_nat permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0

Pix(config)# access-list no_nat permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0

Pix(config)# nat (inside) 0 access-list no_nat

Pls. Remember the rule: From Interface Inside to Interface DMZ requires nat/global command.And DMZ to Inside requires static/conduit. Pls. issue cmd: 'clear xlate' after configuration has been saved with cmd: 'wr m' (write memory)

Hope this helps out for your problem. Let me know how you get on.

0 Helpful

bdube
Level 2
Level 2

‎07-20-2003 05:55 AM

Here's the command you must add:

global (dmz) 1 interface

This way, inside hosts will be Natted, based on nat (inside) 1 0.0.0.0 0.0.0.0, to the DMZ interface's IP address as specified with the global command.

Regards,

Ben

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents