07-08-2003 09:47 AM - edited 03-09-2019 03:57 AM
Part of my config is as shown below: What I'm trying to do is establish connection from my dmz to the inside network. The plan is to put a dns server on the dmz so the internal one will use that for the outside dns.
Currently I have a ftp server on the dmz zone, clients are able to access it from outside and access is also ok from the inside as well.
However, I was trying to open a telnet session in order to test and make sure that the machine the dns will be installed on can talk to the internal server.
192.168.200.6 ---> server on the dmz zone
192.168.100.50 ----> dns server on the inside
The command I used was similar to the one for the ftp server, but it didn't work. Can you help? Thanks
E.g. access-list 101 permit tcp host 192.168.200.6 eq telnet any
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp host 200.47.66.6 eq ftp any
access-list 101 permit tcp host 200.47.66.6 eq ftp-data any
access-list 101 permit tcp host 192.168.200.6 eq domain any
pager lines 24
global (outside) 1 200.47.66.150-200.47.66.200 netmask 255.255.255.0
global (dmz) 1 192.168.200.10-192.168.200.100 netmask 255.255.255.0
nat (inside) 0 access-list 100
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
nat (dmz) 1 192.168.200.0 255.255.255.0 0 0
static (inside,outside) 200.47.66.5 192.168.100.50 netmask 255.255.255.255 0 0 (dns server inside)
static (dmz,outside) 200.47.66.6 192.168.200.6 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.200.6 192.168.100.50 netmask 255.255.255.255 0 0
access-group 101 in interface outside
07-08-2003 10:21 AM
Hi Oliver -
Here are documents that will help you with your problem. The first document is from Cisco and the other two are from my mentor and an expert that even Cisco looks up to; I've used his papers on many problems -
http://www.cisco.com/warp/public/707/28.html
http://www.netcraftsmen.net/welcher/papers/pix01.html
Hope this helps --
07-08-2003 05:55 PM
Hi,
About your connection from DMZ to Inside, then from low security to high security interface, you need the triple commands: static/access-list/access-group.
In your case, you already have the static part:
static (inside,dmz) 192.168.200.6 192.168.100.50 netmask 255.255.255.255 0 0, but it's not OK. The low security (DMZ) IP address represents the address of the inside server as seen by the DMZ's DNS server; it is not the DNS server's own address. So you should replace 192.168.200.6 with 192.168.200.7 or any other IP address within the same subnet as the DMZ's DNS server. Then your static becomes:
-static (inside,dmz) 192.168.200.7 192.168.100.50 netmask 255.255.255.255 0 0
Then you must add the access-list/access-group, as example:
access-list 102 permit udp host 192.168.200.6 host 192.168.200.7 eq domain
access-group 102 in interface DMZ
Regards
Ben
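To make Ben's three-part rule concrete, here is an added example (not from the thread or from Cisco) that models, in simplified form, how the PIX decides whether a DMZ-originated packet reaches an inside host: a static must map the destination on the low-security interface, that mapped address must not be a real DMZ host, an access-group must bind an ACL inbound on dmz, and an ACE in that ACL must permit the flow to the mapped address. The two configurations, the poster's original and Ben's corrected one, are constructed from the thread; the `dmz_hosts` set is an assumption used to catch the address collision.

```python
from collections import namedtuple

# static (high_if,low_if) <mapped> <real>  /  access-list <name> permit <proto> <src> <dst> eq <dport>
Static = namedtuple("Static", "high_if low_if mapped real")
Ace = namedtuple("Ace", "name proto src dst dport")  # src/dst: "any" or one host address

def _match(spec, ip):
    return spec == "any" or spec == ip

def check_flow(statics, aces, access_groups, dmz_hosts, proto, src, dst, dport, in_if="dmz"):
    """Simplified model of the PIX decision for a packet entering low-security
    interface `in_if`. Returns (allowed, real_destination, reason)."""
    # 1. static: the destination must be an address the PIX maps on in_if ...
    st = next((s for s in statics if s.low_if == in_if and s.mapped == dst), None)
    if st is None:
        return False, None, "no static maps %s on %s" % (dst, in_if)
    # ... and that address must not already belong to a real DMZ host (Ben's point)
    if st.mapped in dmz_hosts:
        return False, None, "mapped address %s is a real DMZ host; use a free one" % st.mapped
    # 2. access-group: an ACL must be bound inbound on the low-security interface
    acl = access_groups.get(in_if)
    if acl is None:
        return False, None, "no access-group bound in interface %s" % in_if
    # 3. access-list: the ACE is written against the mapped (DMZ-side) address
    for a in aces:
        if (a.name == acl and a.proto == proto and a.dport == dport
                and _match(a.src, src) and _match(a.dst, dst)):
            return True, st.real, "permitted by acl %s, translated to %s" % (acl, st.real)
    return False, None, "no ACE in acl %s permits %s %s -> %s/%d" % (acl, proto, src, dst, dport)

# Constructed from the thread: the poster's static maps the DMZ host's own address,
# and the only ACL (101) is bound on outside, not dmz
ORIGINAL = dict(statics=[Static("inside", "dmz", "192.168.200.6", "192.168.100.50")],
                aces=[], access_groups={"outside": "101"}, dmz_hosts={"192.168.200.6"})
# Ben's corrected triple: a free mapped address, an ACE on that address, bound on dmz
FIXED = dict(statics=[Static("inside", "dmz", "192.168.200.7", "192.168.100.50")],
             aces=[Ace("102", "udp", "192.168.200.6", "192.168.200.7", 53)],
             access_groups={"dmz": "102"}, dmz_hosts={"192.168.200.6"})

def dns_query(cfg, dst):
    """DNS (udp/53) from the DMZ DNS server 192.168.200.6 to mapped address `dst`."""
    return check_flow(cfg["statics"], cfg["aces"], cfg["access_groups"],
                      cfg["dmz_hosts"], "udp", "192.168.200.6", dst, 53)

if __name__ == "__main__":
    for label, cfg, dst in (("original", ORIGINAL, "192.168.200.6"), ("fixed", FIXED, "192.168.200.7")):
        print(label, dns_query(cfg, dst))
```

The reason string tells you which of the three pieces is missing, which is the order in which a real PIX would have dropped the packet.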