Inside to DMZ Windows browsing issue

glenthms (Level 1)

I just need someone to review my config and make sure I'm not crazy here.

access-list nonat permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 10.3.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 10.2.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 10.4.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 10.5.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 10.6.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 10.7.0.0 255.255.0.0 192.168.0.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (dmz,outside) 1.1.1.1 192.168.0.2 netmask 255.255.255.255 0 0
static (dmz,outside) 1.1.1.2 192.168.0.4 netmask 255.255.255.255 0 0

ip address outside 1.1.1.3 255.255.255.192
ip address inside 10.1.0.2 255.255.0.0
ip address dmz 192.168.0.1 255.255.255.0

This should allow all ports and all traffic from inside users to connect to DMZ devices without restriction right??

6 Replies

Hi,

For traffic from inside to dmz I have used static translations and it has worked fine. Can you remove the 'nat (inside) 0 access-list nonat' and the access-list nonat. Instead, use a static translation for the inside hosts like the one below.

static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.248.0

Hope that helps!

Regards,

Sundar

Oops, a typo error in the previous posting.

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.248.0.0

HTH,

Sundar

Sundar,

Can you explain what this does?

Glen,

What Sundar recommended is good for a pinned up static configuration from inside to DMZ and DMZ to inside. Essentially he is recommending on your DMZ interface to allow anything to access the inside with an address in the range of 10.0.0.0 255.248.0.0. Statics work both directions so the inside hosts would then be allowed to access the DMZ without a NAT/Global statement.

The NoNat configuration is actually what I prefer as this doesn't add a consistent NAT from the DMZ to the inside addresses. If you require outside to inside then just repeat your ACL with Source and Destination flopped. This in my mind is more secure. Talking to Sundar we both feel either one will work. Basically we aren't sure if your existing configuration was working and are giving alternate suggestions.

Sundar, kick in if I misrepresented anything.

Please rate any helpful posts

Thanks

Fred
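The two approaches Fred compares, NAT exemption via the nonat ACL versus an identity static, differ in exactly which inside sources they cover, and the typo in Sundar's first static (netmask 255.255.248.0 instead of 255.248.0.0) is a good illustration of how a mask slip silently shrinks that coverage. The following script is an added example, not code from the thread or from Cisco; it models both rules with Python's ipaddress module, using the addresses posted above, so that a reviewer can check which inside hosts each configuration would actually translate (or exempt) toward the DMZ before touching the firewall. The function names and the host list are constructed for this example.

```python
import ipaddress

# Constructed from the thread: each nonat ACE is (source network, destination network).
NONAT_ACL = [
    ("10.1.0.0/255.255.0.0", "192.168.0.0/255.255.255.0"),
    ("10.3.0.0/255.255.0.0", "192.168.0.0/255.255.255.0"),
    ("10.2.0.0/255.255.0.0", "192.168.0.0/255.255.255.0"),
    ("10.4.0.0/255.255.0.0", "192.168.0.0/255.255.255.0"),
    ("10.5.0.0/255.255.0.0", "192.168.0.0/255.255.255.0"),
    ("10.6.0.0/255.255.0.0", "192.168.0.0/255.255.255.0"),
    ("10.7.0.0/255.255.0.0", "192.168.0.0/255.255.255.0"),
]

# Sundar's first identity static (typo) and the corrected one, as "network/netmask".
STATIC_TYPO = "10.1.0.0/255.255.248.0"
STATIC_FIXED = "10.0.0.0/255.248.0.0"


def _net(text):
    # strict=False lets a host-style address with a mask parse as its network.
    return ipaddress.ip_network(text, strict=False)


def nonat_exempts(src, dst):
    """True if the nonat ACL exempts this source/destination pair from NAT (first match wins)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in _net(ace_src) and d in _net(ace_dst) for ace_src, ace_dst in NONAT_ACL)


def static_covers(static_net, src):
    """True if an identity static for static_net would translate this inside source."""
    return ipaddress.ip_address(src) in _net(static_net)


def compare_coverage(hosts, dst="192.168.0.2"):
    """Return {host: (nonat, typo_static, fixed_static)} so the three rules can be compared."""
    return {
        h: (nonat_exempts(h, dst), static_covers(STATIC_TYPO, h), static_covers(STATIC_FIXED, h))
        for h in hosts
    }


def hosts_lost_by_typo(hosts, dst="192.168.0.2"):
    """Inside hosts the nonat ACL exempts but the typo'd static would not translate."""
    return [h for h in hosts if nonat_exempts(h, dst) and not static_covers(STATIC_TYPO, h)]


if __name__ == "__main__":
    # Constructed sample of inside hosts, one per user subnet plus two edge cases.
    sample = ["10.1.7.9", "10.1.8.1", "10.2.0.10", "10.3.4.5", "10.7.255.254", "10.8.0.1"]
    for host, (nonat, typo, fixed) in compare_coverage(sample).items():
        print(f"{host:14} nonat={nonat!s:5} static(typo)={typo!s:5} static(fixed)={fixed}")
    print("lost by typo:", hosts_lost_by_typo(sample))
```

Run as-is it shows that the typo'd static only reaches 10.1.0.0 through 10.1.7.255, so every host in 10.2.x through 10.7.x (and most of 10.1.x) would have fallen back to the dynamic `nat (inside) 1` rule, while the corrected 255.248.0.0 mask covers 10.0.0.0 through 10.7.255.255, slightly more than the ACL, which starts at 10.1.0.0. The same check is worth repeating whenever a NAT exemption and a static overlap, since the PIX applies the first matching translation and the mismatch only surfaces as one-sided connection failures.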

Glen,

I agree with Fred that either one of these configurations should work.

Can you make sure the device(s) on the DMZ is using 192.168.0.1 as their gateway to access anything on 10.0.0.0 255.248.0.0 network and the inside hosts are using the 10.1.0.2 as the gateway to get to host(s) on the DMZ.

Plus, can you check whether you have a route on the PIX for the 10.2.0.0 - 10.7.0.0 network that should be pointing to the inside network.

HTH,

Sundar

The reason I brought it up was that for some reason we can browse to shared files on one server on the DMZ but not the other. Both are Windows based servers. We confirmed that we can browse (network shares) on one server but not the other. It's odd. I jumped on one of the servers on the DMZ and can browse to the other server on the same DMZ lan fine, but for some reason inside users can only browse to one of the 2 servers. When I debugged today I see SYN packets being sent from the inside source but nothing ever comes back so either it's the firewall or the server. Can't tell. Will have further access to that server today or tomorrow. The nonat was working before and I tried what Sundar recommended but results were the same. I'll let you know what comes about. Thank you for all your help and I will definitely rate your posts. Thank you.
