
New Member

dmz to inside

Part of my config is shown below. What I'm trying to do is establish a connection from my DMZ to the inside network. The plan is to put a DNS server on the DMZ so the internal one will use that for outside DNS.

Currently I have an FTP server in the DMZ zone; clients are able to access it from outside, and access is also OK from the inside.

However, I was trying to open a telnet session in order to test and make sure that the machine the DNS will be installed on can talk to the internal server.

192.168.200.6 ---> server on the dmz zone

192.168.100.50 ----> dns server on the inside

The command I used was similar to the FTP server one, but it didn't work. Can you help? Thanks.

E.g.:

access-list 101 permit tcp host 192.168.200.6 eq telnet any
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp host 200.47.66.6 eq ftp any
access-list 101 permit tcp host 200.47.66.6 eq ftp-data any
access-list 101 permit tcp host 192.168.200.6 eq domain any
pager lines 24
global (outside) 1 200.47.66.150-200.47.66.200 netmask 255.255.255.0
global (dmz) 1 192.168.200.10-192.168.200.100 netmask 255.255.255.0
nat (inside) 0 access-list 100
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
nat (dmz) 1 192.168.200.0 255.255.255.0 0 0
static (inside,outside) 200.47.66.5 192.168.100.50 netmask 255.255.255.255 0 0 (dns server inside)
static (dmz,outside) 200.47.66.6 192.168.200.6 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.200.6 192.168.100.50 netmask 255.255.255.255 0 0
access-group 101 in interface outside

2 REPLIES
Gold

Re: dmz to inside

Hi Oliver -

Here are documents that will help you with your problem. The first document is from Cisco and the other two are from my mentor and an expert that even Cisco looks up to; I've used his papers on many problems.

>http://www.cisco.com/warp/public/707/28.html

>http://www.netcraftsmen.net/welcher/papers/pix01.html

Hope this helps --

New Member

Re: dmz to inside

Hi,

About your connection from DMZ to inside, i.e. from a low-security to a high-security interface: you need the triple of commands static/access-list/access-group.

In your case, you already have the static part:

static (inside,dmz) 192.168.200.6 192.168.100.50 netmask 255.255.255.255 0 0, but it's not OK. The low-security (DMZ) IP address represents the address as seen by the DMZ's DNS server; it's not its own address. So you should replace 192.168.200.6 with 192.168.200.7 or any other IP address within the same subnet as the DMZ's DNS server. Then your static becomes:

-static (inside,dmz) 192.168.200.7 192.168.100.50 netmask 255.255.255.255 0 0

Then you must add the access-list/access-group, for example:

access-list 102 permit udp host 192.168.200.6 host 192.168.200.7 eq domain

access-group 102 in interface DMZ

Regards

Ben
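As an added example (not from either poster and not Cisco documentation), here is the complete low-to-high set that the reply above describes, written in PIX 6.x syntax with the addresses from the question. The interface name `dmz` is taken from the `global (dmz)` / `nat (dmz)` lines in the posted config, the choice of 192.168.200.7 as the translated address follows Ben's suggestion, the TCP/53 line is my addition (DNS uses TCP for large responses and zone transfers), and lines beginning with `:` are comments. Note two things the original post does not spell out: access-list 101 is bound to the outside interface, so it never evaluates traffic entering on dmz, and `host 192.168.200.6 eq telnet any` places the port on the source side, so it matches packets sent from port 23 rather than to it. The rule below is deliberately narrower than the `any` entries in list 101: one DMZ host, one translated inside address, one service.

```cisco
: Translation: the inside DNS server 192.168.100.50 is presented to the DMZ
: as 192.168.200.7. That address must be unused on the DMZ subnet, and the
: DMZ host must be configured to talk to 192.168.200.7, never to 192.168.100.50.
static (inside,dmz) 192.168.200.7 192.168.100.50 netmask 255.255.255.255 0 0

: Access list: only the DMZ DNS host, only to the translated inside address,
: only DNS. Everything else entering on dmz toward inside stays denied.
access-list 102 permit udp host 192.168.200.6 host 192.168.200.7 eq domain
access-list 102 permit tcp host 192.168.200.6 host 192.168.200.7 eq domain

: Bind the list inbound on the dmz interface; an access-group on outside
: (as list 101 is) does not apply to traffic arriving on dmz.
access-group 102 in interface dmz
```

To check the result, `show xlate` should list the 192.168.100.50 to 192.168.200.7 translation once the first query has crossed, and the hit counters in `show access-list 102` should increment as queries arrive. A telnet test from 192.168.200.6 to 192.168.200.7 is expected to fail with only these lines in place, because nothing in list 102 permits TCP port 23; that is the intended least-privilege behaviour, and any additional service would need its own explicit line with the port on the destination side.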
