03-26-2006 07:12 AM - edited 03-09-2019 02:24 PM
Hi all
I have the following configuration: PIX firewall 7.0, 4 interfaces (Inside, Outside, DMZ1, DMZ2)
Inside private addresses 10.0.0.0/24 (security 100)
Outside public addresses 101.1.1.0/24 (security 0)
Remote branch 10.10.10.0/24
DMZ1 private addresses 10.1.0.0/24 (security 50)
DMZ2 private addresses 10.2.0.0/24 (security 90)
What I need is this:
inside to outside PAT on the external IP
DMZ1 to outside PAT and some static (need to publish, let's say, SVR1 and SVR2 to the outside world)
DMZ1 to DMZ2 nonat at all, bidirectional traffic
DMZ1 and DMZ2 to Remote LAN (branch) encrypted.
Here is what I implemented:
nat-control
global (outside) 1 interface
! access to the Internet
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz1) 1 0.0.0.0 0.0.0.0
nat (dmz2) 1 0.0.0.0 0.0.0.0
! nonat for VPN
nat (inside) 0 access-list nonat
! nonat for DMZ1 to DMZ2 and VPN DMZ1 to Remote LAN)
nat (dmz1) 0 access-list nonat
! nonat for VPN DMZ2 to Remote LAN)
nat (dmz2) 0 access-list nonat
! servers published on the OUTSIDE interface - corresponding access list not included
static (dmz1,outside) PublicIP1 SVR1 netmask 255.255.255.255
static (dmz1,outside) PublicIP2 SVR2 netmask 255.255.255.255
access-list nonat remark =====Encrypts traffic L2L VPN to an external branch=====
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat remark =====Encrypts traffic DMZ(1) to RemoteLAN VPN to an external branch=====
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat remark =====Encrypts traffic DMZ(2) to RemoteLAN VPN to an external branch=====
access-list nonat permit ip 10.2.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat remark =====NAT Exemption DMZ1 to DMZ2 =====
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
My problem is that the configuration is not working when it comes to DMZ1 to DMZ2 access.
Everything else is working.
When I try to ping something in DMZ1 from DMZ2 I get a connection denied.
What am I doing wrong?
Thank you
Cristian
03-26-2006 08:57 PM
Hi Cristian,
I think you need to focus on these lines:
nat (dmz1) 0 access-list nonat
access-list no-nat
From where and to where are you trying to ping? Your no-nat access-list will define what kind of traffic will be allowed to traverse dmz1-dmz2 without NAT.
Also, the traffic across the DMZs is on different subnets, right? So I hope you have some routing enabled, since they are now not being NATted.
With that in mind, the hosts on either side of the DMZs should have their respective gateways set to the PIX interfaces.
That being said, the best ways to troubleshoot are traceroute and watching the logs when you ping. Post the output of the log if you wish, and the traceroute info.
Vic
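The check Vic describes (which nonat entry, on which interface, covers a given flow) can be done on paper, but it is easy to get wrong when the same access-list is reused on three interfaces under nat-control. The script below is an added example, not from the original thread or from Cisco; it parses the NAT-related lines posted above (the static entries are left out because PublicIP1/SVR1 are placeholders) and walks a flow through a simplified model of PIX 7.0 NAT selection: NAT exemption (nat 0 access-list) on the ingress interface is tried first, then a dynamic nat id that has a matching global on the egress interface; policy NAT and statics are omitted. Under nat-control, a flow with no match is reported as denied. The model, the evaluation order, and the 203.0.113.10 Internet address are assumptions made for illustration, not a description of the PIX's internal code.

```python
import ipaddress
import re

# Constructed sample: the NAT-related lines from the post above, statics omitted
# because their PublicIP/SVR names are placeholders rather than addresses.
SAMPLE_CONFIG = """
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz1) 1 0.0.0.0 0.0.0.0
nat (dmz2) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nonat
nat (dmz1) 0 access-list nonat
nat (dmz2) 0 access-list nonat
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 10.2.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) ")
ACE_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def net(addr, mask):
    """Build a network from PIX 'address mask' notation (0.0.0.0 0.0.0.0 = any)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect nat-control, global pools, nat rules and extended ACL entries."""
    cfg = {"nat_control": False, "globals": set(), "nat": [], "acls": {}}
    for line in text.strip().splitlines():
        line = line.strip()
        if line == "nat-control":
            cfg["nat_control"] = True
        elif m := GLOBAL_RE.match(line):
            cfg["globals"].add((m.group(1), int(m.group(2))))
        elif m := NAT_RE.match(line):
            iface, nat_id, rest = m.group(1), int(m.group(2)), m.group(3)
            if rest.startswith("access-list "):
                cfg["nat"].append({"iface": iface, "id": nat_id, "acl": rest.split()[1]})
            else:
                addr, mask = rest.split()[:2]
                cfg["nat"].append({"iface": iface, "id": nat_id, "net": net(addr, mask)})
        elif m := ACE_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            cfg["acls"].setdefault(name, []).append((net(sa, sm), net(da, dm)))
    return cfg


def translation(cfg, ingress, egress, src, dst):
    """Describe the NAT rule covering a flow, or return None.

    Assumed simplified order: NAT exemption on the ingress interface first
    (ACE source must match the real host on that interface), then a dynamic
    nat id paired with a global on the egress interface. Statics/policy NAT
    are not modelled.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in cfg["nat"]:
        if rule["iface"] != ingress or rule["id"] != 0 or "acl" not in rule:
            continue
        for s, d in cfg["acls"].get(rule["acl"], []):
            if src in s and dst in d:
                return f"exempt: nat ({ingress}) 0 access-list {rule['acl']} ({s} -> {d})"
    for rule in cfg["nat"]:
        if rule["iface"] == ingress and rule["id"] != 0 and "net" in rule and src in rule["net"]:
            if (egress, rule["id"]) in cfg["globals"]:
                return f"dynamic: nat ({ingress}) {rule['id']} with global ({egress}) {rule['id']}"
    return None


def check_flow(cfg, ingress, egress, src, dst):
    """Return (allowed, reason) for a connection initiated from ingress toward egress."""
    rule = translation(cfg, ingress, egress, src, dst)
    if rule:
        return True, rule
    if not cfg["nat_control"]:
        return True, "no translation needed (nat-control is off)"
    return False, f"no translation group found for {src} from {ingress} to {egress}"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for flow in [("inside", "outside", "10.0.0.5", "203.0.113.10"),
                 ("dmz1", "dmz2", "10.1.0.5", "10.2.0.5"),
                 ("dmz2", "dmz1", "10.2.0.5", "10.1.0.5"),
                 ("dmz2", "outside", "10.2.0.5", "10.10.10.5")]:
        print(flow, check_flow(cfg, *flow))
```

Run it as-is and compare the dmz1-to-dmz2 and dmz2-to-dmz1 rows: the same access-list is consulted on both interfaces, but only the ingress interface's own hosts are compared against the ACE source field, so a flow that matches in one direction need not match in the other. The same script can be rerun after editing SAMPLE_CONFIG to see how a changed nonat list or a disabled nat-control changes the result before touching the firewall.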