dmz to inside

oevans
Level 1

Part of my config is as shown below. What I'm trying to do is establish a connection from my DMZ to the inside network. The plan is to put a DNS server on the DMZ so the internal one will use that for the outside DNS.

Currently I have an FTP server on the DMZ zone; clients are able to access it from outside, and access is also OK from the inside as well.

However, I was trying to open a telnet session in order to test to make sure that the machine that the DNS will be installed on can talk to the internal server.

192.168.200.6 ---> server on the dmz zone

192.168.100.50 ----> dns server on the inside

The command I used was similar to the FTP server one, but it didn't work. Can you help? Thanks.

E.g. access-list 101 permit tcp host 192.168.200.6 eq telnet any

access-list 101 permit tcp any any eq domain

access-list 101 permit tcp host 200.47.66.6 eq ftp any

access-list 101 permit tcp host 200.47.66.6 eq ftp-data any

access-list 101 permit tcp host 192.168.200.6 eq domain any

pager lines 24

global (outside) 1 200.47.66.150-200.47.66.200 netmask 255.255.255.0

global (dmz) 1 192.168.200.10-192.168.200.100 netmask 255.255.255.0

nat (inside) 0 access-list 100

nat (inside) 1 192.168.100.0 255.255.255.0 0 0

nat (dmz) 1 192.168.200.0 255.255.255.0 0 0

static (inside,outside) 200.47.66.5 192.168.100.50 netmask 255.255.255.255 0 0 (dns server inside)

static (dmz,outside) 200.47.66.6 192.168.200.6 netmask 255.255.255.255 0 0

static (inside,dmz) 192.168.200.6 192.168.100.50 netmask 255.255.255.255 0 0

access-group 101 in interface outside

2 Replies

jmia
Level 7

Hi Oliver -

Here are documents that will help you with your problem. The first document is from Cisco and the other two are from my mentor and an expert that even Cisco looks up to; I've used his papers on many problems.

http://www.cisco.com/warp/public/707/28.html

http://www.netcraftsmen.net/welcher/papers/pix01.html

Hope this helps --

bdube
Level 2

Hi,

About your connection from DMZ to Inside, that is, from a low-security to a high-security interface, you need the three commands: static/access-list/access-group.

In your case, you already have the static part:

static (inside,dmz) 192.168.200.6 192.168.100.50 netmask 255.255.255.255 0 0

but it's not OK. The low-security (DMZ) IP address represents an address as seen by the DMZ's DNS server; it's not its own address. So you should replace 192.168.200.6 with 192.168.200.7 or any other IP address within the same subnet as the DMZ's DNS server. Then your static becomes:

static (inside,dmz) 192.168.200.7 192.168.100.50 netmask 255.255.255.255 0 0

Then you must add the access-list/access-group, for example:

access-list 102 permit udp host 192.168.200.6 host 192.168.200.7 eq domain

access-group 102 in interface DMZ

Regards

Ben
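As an added illustration of the static/access-list/access-group triple described in the answer above (this is example code, not from the thread or from Cisco), the script below parses a few PIX 6.x-style lines and decides whether a given flow arriving on the DMZ interface would reach the inside host. The two sample configs are constructed from the thread's addresses: the asker's original static with only the outside access-group, and the corrected triple from the reply. The address, port and ACL matching is a deliberately simplified model of PIX behaviour (first match wins, implicit deny, an `eq` directly after the source address is a source-port operator), not the firewall's real evaluation engine.

```python
"""Toy checker for the PIX 'static / access-list / access-group' triple.
Added example, not part of the thread; configs below are constructed."""
import ipaddress
import re

# Constructed: the asker's static plus the outside access-group only.
CONFIG_BEFORE = """
static (inside,dmz) 192.168.200.6 192.168.100.50 netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""

# Constructed: the corrected triple from the reply.
CONFIG_AFTER = """
static (inside,dmz) 192.168.200.7 192.168.100.50 netmask 255.255.255.255 0 0
access-list 102 permit udp host 192.168.200.6 host 192.168.200.7 eq domain
access-group 102 in interface dmz
"""

# Port keywords used in the thread; PIX accepts numbers as well.
PORT_NAMES = {"domain": 53, "telnet": 23, "ftp": 21, "ftp-data": 20}


def _take_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D', or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq <port>' that directly follows an address spec."""
    if tokens[:1] == ["eq"]:
        name = tokens[1]
        port = PORT_NAMES.get(name, int(name) if name.isdigit() else None)
        return port, tokens[2:]
    return None, tokens


def parse_config(text):
    """Return (statics, acls, access_groups) from PIX-style config lines."""
    statics, acls, groups = [], {}, {}
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "static":
            # static (high,low) <mapped-on-low> <real-on-high> netmask ...
            m = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+)", line)
            high, low, mapped, real = m.groups()
            statics.append({"high": high, "low": low, "mapped": mapped, "real": real})
        elif parts[0] == "access-list":
            # access-list <name> permit|deny <proto> <src> [eq p] <dst> [eq p]
            name, action, proto, rest = parts[1], parts[2], parts[3], parts[4:]
            src, rest = _take_addr(rest)
            sport, rest = _take_port(rest)   # 'eq' after the source = source port
            dst, rest = _take_addr(rest)
            dport, rest = _take_port(rest)   # 'eq' after the destination = dest port
            acls.setdefault(name, []).append(
                {"action": action, "proto": proto, "src": src, "sport": sport,
                 "dst": dst, "dport": dport})
        elif parts[0] == "access-group":
            # access-group <name> in interface <iface>
            groups[parts[4]] = parts[1]
    return statics, acls, groups


def flow_permitted(config_text, iface, proto, src, dst, dport):
    """Decide whether a flow entering `iface` toward mapped address `dst`
    passes both the static and the inbound ACL; returns (allowed, reason)."""
    statics, acls, groups = parse_config(config_text)
    stat = next((s for s in statics if s["low"] == iface and s["mapped"] == dst), None)
    if stat is None:
        return False, f"no static publishes {dst} on {iface}"
    if stat["mapped"] == src:
        # The mapped address must be a free address on the low side, not the
        # client's own; this is the mistake the reply points out.
        return False, "static reuses the client's own address as the mapped address"
    acl_name = groups.get(iface)
    if acl_name is None:
        return False, f"no access-group applied inbound on {iface}"
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acls.get(acl_name, []):
        # Clients use ephemeral source ports, so an entry with a fixed
        # source port (eq after the source) never matches in this model.
        if (ace["proto"] in (proto, "ip") and src_ip in ace["src"]
                and dst_ip in ace["dst"] and ace["sport"] is None
                and ace["dport"] in (None, dport)):
            return ace["action"] == "permit", f"matched access-list {acl_name} {ace['action']}"
    return False, f"implicit deny at end of access-list {acl_name}"


if __name__ == "__main__":
    # The thread's flow: DMZ host -> mapped address of the inside DNS, UDP/53.
    print(flow_permitted(CONFIG_BEFORE, "dmz", "udp", "192.168.200.6", "192.168.200.6", 53))
    print(flow_permitted(CONFIG_AFTER, "dmz", "udp", "192.168.200.6", "192.168.200.7", 53))
```

Run as-is it reports the "before" config as blocked because the static maps the inside host onto the DMZ client's own address, and the "after" config as permitted by access-list 102. Changing the flow to TCP/23 against the "after" config falls through to the implicit deny, which is the behaviour a tightly scoped DMZ-to-inside entry should have: only the one protocol and port that the inside host actually needs to serve.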
