Cisco Support Community
DMZ outside OK; inside problems

I have a webserver on a DMZ from which I wish to access the inside network.

I can currently access the Internet from the DMZ'd webserver, the webserver from the Internet, and the webserver from the inside.

What I cannot do is access another inside machine while ssh'd into the webserver.

This webserver will be pulling an FTP mirror on this inside so I need this access.

I have searched the forums and found several relevant examples, but the solutions have not worked for me.

The example I found was:

+++

"For the mail server (or any host on the DMZ) to access the inside do the following:

static (inside,dmz) 128.100.0.0 128.100.0.0 netmask 255.255.0.0

access-list fromDMZ permit ip host 192.168.0.2 128.100.0.0 255.255.0.0

access-group fromDMZ in interface dmz

and for the dmz to access the outside do:

nat (dmz) 1 192.168.0.0 255.255.255.0"

+++

If I enable the access-group on the DMZ interface, I lose outside connectivity...?

I currently have no group binding on this IF.

Here are my relevant config lines:

access-list 100 permit tcp any host 206.xxx.xxx.xxx eq www

access-list 100 permit tcp any host 206.xxx.xxx.xxx eq ssh

access-list 100 permit tcp any host 206.xxx.xxx.xxx eq ftp

When I try to access an inside machine from the DMZ I get the following error on the log server:

Inbound TCP connection denied from 10.xxx.xxx.xxx/1152 to 192.168.xxx.xxx/22 flags SYN on interface DMZ.

static (DMZ,outside) 206.xxx.xxx.xxx piggy netmask 255.255.255.255 0 0

static (inside,DMZ) piggy Notes netmask 255.255.255.255 0 0

static (inside,DMZ) FDPNATICK-2 FDPNATICK-2 netmask 255.255.0.0 0 0

206~ is the outside range.

192.168~ inside

10~ is DMZ

"piggy" is the DMZ server.

"Notes" is the FTP server I want to connect to.

TIA

ACCEPTED SOLUTION

New Member

Re: DMZ outside OK; inside problems

I think the solution you found on the net was the right one. You lost connectivity to the outside because the access-group you applied has a specific invisible deny ip any any at the bottom of it. As soon as you applied it, it allowed your dmz to get inside because you put that in the acl, but you did not make reference for your dmz to be allowed outside, which is needed now that you have an access-list applied to your dmz interface. Your statics and NAT look good; just make the changes to your dmz acl to allow the inbound connection as well as the outside connection. Take note that the source for your acl on dmz will be your dmz hosts and the destination will be the outside.
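
The first-match evaluation with the implicit deny that the reply describes, as an added example that is not from the thread or from Cisco: a small Python model of a PIX access-list applied to the DMZ interface, using constructed addresses (piggy at 10.0.0.2, Notes at 192.168.0.10, an outside web host at 198.51.100.7) and constructed security levels. It compares no access-group (security-level behaviour only), the poster's first list (inside only), and a list that also allows the outside while still blocking everything but FTP toward the inside.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed security levels for a three-interface PIX.
LEVELS = {"inside": 100, "DMZ": 50, "outside": 0}


@dataclass
class Ace:
    """One access-list entry; None for a network or port means 'any'."""
    action: str
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int] = None

    def matches(self, src, dst, dport):
        return ((self.src is None or src in self.src)
                and (self.dst is None or dst in self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(acl, src_if, dst_if, src, dst, dport):
    """Decision for a new connection arriving on src_if.
    acl=None models an interface with no access-group bound: the PIX then
    only permits traffic from a higher to a lower security level."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl is None:
        return "permit" if LEVELS[src_if] > LEVELS[dst_if] else "deny"
    for ace in acl:                 # first matching entry wins
        if ace.matches(src, dst, dport):
            return ace.action
    return "deny"                   # the invisible 'deny ip any any'


net = ipaddress.ip_network
PIGGY, NOTES, WEB = "10.0.0.2", "192.168.0.10", "198.51.100.7"  # constructed

# The poster's first attempt: only the DMZ -> inside entry from the forum example.
ACL_V1 = [Ace("permit", net("10.0.0.2/32"), net("192.168.0.0/24"))]
# Tightened list: FTP to Notes, block the rest of the inside, then allow the outside.
ACL_V2 = [Ace("permit", net("10.0.0.2/32"), net("192.168.0.10/32"), 21),
          Ace("deny", net("10.0.0.0/24"), net("192.168.0.0/24")),
          Ace("permit", net("10.0.0.0/24"), None)]


def demo(acl):
    return {"ftp_to_inside": evaluate(acl, "DMZ", "inside", PIGGY, NOTES, 21),
            "ssh_to_inside": evaluate(acl, "DMZ", "inside", PIGGY, NOTES, 22),
            "http_to_outside": evaluate(acl, "DMZ", "outside", PIGGY, WEB, 80)}
```

Running demo() on None, ACL_V1 and ACL_V2 reproduces the thread: no list gives outside-only, the first list gives inside-only, and the third gives FTP inside plus the outside.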

2 REPLIES
New Member

Re: DMZ outside OK; inside problems

Thanks, that worked.

I think I was looking at the problem the wrong way.

After I added the fromDMZ access-group I then added an implicit DMZ-source -> any network IP rule (access-list fromDMZ permit ip DMZNET 255.255.255.0 any).

Now I just have to fine-tune my access from the DMZ to the Inside.
