
New Member

Opening PIX Inside to Outside

I am trying to find a way to have multiple hosts inside a DMZ be able to access my entire internal network. Does anyone know of a way to do this without creating individual statics for every device that may be accessed?

8 REPLIES
New Member

Re: Opening PIX Inside to Outside

If you have only one DMZ it is very easy with an access list; you just have to do the following, assuming you want to permit all the DMZ and inside hosts to go anywhere (including the internet) freely:

------------------------------------------------------------
access-list acl_inside permit ip any any
access-list acl_dmz permit ip any any
access-group acl_inside in interface inside
access-group acl_dmz in interface dmz
------------------------------------------------------------

But if you have multiple DMZs (say 4) and you want only specific hosts on the inside/DMZ to access specific hosts/services, then you have to be a little more specific. In the config below we assume that you have 4 DMZs:

------------------------------------------------------------
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security90
nameif ethernet3 dmz2 security80
nameif ethernet4 dmz3 security70
nameif ethernet5 dmz4 security60
ip address outside xx.xx.xx.xx1 255.255.255.224
ip address inside 172.16.0.1 255.255.255.0
ip address dmz1 172.16.1.1 255.255.255.0
ip address dmz2 172.16.2.1 255.255.255.0
ip address dmz3 172.16.3.1 255.255.255.0
ip address dmz4 172.16.4.1 255.255.255.0
access-list acl_outside permit
access-list acl_inside deny tcp any any eq 6667
access-list acl_inside deny udp any any eq 6667
access-list acl_inside permit ip any any
access-list acl_dmz1 deny tcp any any eq 6667
access-list acl_dmz1 deny udp any any eq 6667
access-list acl_dmz1 permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list acl_dmz1 permit ip 172.16.1.0 255.255.255.0 172.16.3.0 255.255.255.0
access-list acl_dmz1 deny ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list acl_dmz1 deny ip 172.16.1.0 255.255.255.0 172.16.4.0 255.255.255.0
access-list acl_dmz1 permit ip any any
access-list acl_dmz2 deny tcp any any eq 6667
access-list acl_dmz2 deny udp any any eq 6667
access-list acl_dmz2 deny ip 172.16.2.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list acl_dmz2 deny ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list acl_dmz2 deny ip 172.16.2.0 255.255.255.0 172.16.3.0 255.255.255.0
access-list acl_dmz2 deny ip 172.16.2.0 255.255.255.0 172.16.4.0 255.255.255.0
access-list acl_dmz2 permit ip any any
access-list acl_dmz3 deny tcp any any eq 6667
access-list acl_dmz3 deny udp any any eq 6667
access-list acl_dmz3 deny ip 172.16.3.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list acl_dmz3 deny ip 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list acl_dmz3 deny ip 172.16.3.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list acl_dmz3 deny ip 172.16.3.0 255.255.255.0 172.16.4.0 255.255.255.0
access-list acl_dmz3 permit ip any any
access-list acl_dmz4 deny tcp any any eq 6667
access-list acl_dmz4 deny udp any any eq 6667
access-list acl_dmz4 deny ip 172.16.4.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list acl_dmz4 deny ip 172.16.4.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list acl_dmz4 deny ip 172.16.4.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list acl_dmz4 deny ip 172.16.4.0 255.255.255.0 172.16.3.0 255.255.255.0
access-list acl_dmz4 permit ip any any
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz2) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz3) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz4) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
access-group acl_dmz1 in interface dmz1
access-group acl_dmz2 in interface dmz2
access-group acl_dmz3 in interface dmz3
access-group acl_dmz4 in interface dmz4
static (inside,outside) xx.xx.xx.xx2 172.16.0.100 netmask 255.255.255.255 0 0
-----------------------------------------------------------------

In the above example:

1. We have restricted all the hosts on all the interfaces from accessing IRC on the internet but have allowed all other internet services to be accessed.

2. All the hosts on the inside are free to access any host on any interface.

3. All dmz1 hosts are allowed to access all inside, dmz3 and internet hosts (except IRC:6667) but they can't access hosts on dmz2 and dmz4.

4. Hosts on dmz2, dmz3 and dmz4 can access only the internet (except IRC:6667).

Hope this will help you.

New Member

Re: Opening PIX Inside to Outside

So if you are using an access-list you can connect directly to hosts on your internal network by their real (not NATed) IP address? I thought you had to do statics to go from a less trusted (dmz) to a more trusted (inside) network.

New Member

Re: Opening PIX Inside to Outside

I am sorry, I forgot to include two very important config entries. After adding these, DMZ hosts can access inside hosts with their real IP address and you don't have to put any "static (inside,dmz1)" statement:

-------------------------------------------
access-list acl_no_nat permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.255.0
nat (dmz1) 0 access-list acl_no_nat
-------------------------------------------
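As an added illustration (not code from the thread), here is a small Python model of the PIX first-match ACL evaluation, with the acl_dmz1 rules from the first answer and the acl_no_nat rule from the follow-up transcribed as data, so the four claims above (inside and dmz3 reachable from dmz1, dmz2 and dmz4 blocked, IRC denied, internet otherwise permitted) can be checked for sample flows. The sample flows and the internet address 198.51.100.7 are constructed.

```python
import ipaddress

# Constructed model of the acl_dmz1 rules posted above (added example, not thread code).
# Each rule: (action, protocol, source, destination, destination_port or None).
ACL_DMZ1 = [
    ("deny",   "tcp", "any", "any", 6667),
    ("deny",   "udp", "any", "any", 6667),
    ("permit", "ip",  "172.16.1.0/24", "172.16.0.0/24", None),
    ("permit", "ip",  "172.16.1.0/24", "172.16.3.0/24", None),
    ("deny",   "ip",  "172.16.1.0/24", "172.16.2.0/24", None),
    ("deny",   "ip",  "172.16.1.0/24", "172.16.4.0/24", None),
    ("permit", "ip",  "any", "any", None),
]

# acl_no_nat from the follow-up: flows it permits bypass translation (nat (dmz1) 0).
ACL_NO_NAT = [("permit", "ip", "172.16.1.0/24", "172.16.0.0/24", None)]

def _in_net(addr, net):
    # "any" matches every address; otherwise a plain subnet containment test.
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def _matches(rule, proto, src, dst, dport):
    _action, r_proto, r_src, r_dst, r_port = rule
    if r_proto != "ip" and r_proto != proto:   # "ip" covers tcp, udp, icmp, ...
        return False
    if r_port is not None and r_port != dport: # "eq <port>" rules need a port match
        return False
    return _in_net(src, r_src) and _in_net(dst, r_dst)

def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation, as the PIX does; an implicit deny ends every ACL."""
    for rule in acl:
        if _matches(rule, proto, src, dst, dport):
            return rule[0]
    return "deny"

def nat_exempt(acl_no_nat, src, dst):
    """True when the flow is matched by the nat 0 ACL and so keeps its real addresses."""
    return evaluate(acl_no_nat, "ip", src, dst) == "permit"

if __name__ == "__main__":
    # Constructed sample flows from a dmz1 host; 198.51.100.7 stands in for an internet host.
    for proto, dst, port in [("tcp", "172.16.0.100", 80), ("tcp", "172.16.2.5", 80),
                             ("tcp", "198.51.100.7", 6667), ("tcp", "198.51.100.7", 443)]:
        print(proto, "172.16.1.10 ->", dst, port, evaluate(ACL_DMZ1, proto, "172.16.1.10", dst, port),
              "nat-exempt" if nat_exempt(ACL_NO_NAT, "172.16.1.10", dst) else "translated")
```

Swapping the IRC deny lines below the final "permit ip any any" in ACL_DMZ1 makes the model permit port 6667, which is the ordering mistake the first-match rule makes easy to introduce on a real PIX.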

New Member

Re: Opening PIX Inside to Outside

Great...thanks for the help.

New Member

Re: Opening PIX Inside to Outside

Hi,

Really, to permit traffic from a less secure area to a more secure area you must use a static command; if you don't want to NAT the address you can use a static of this type (the nat 0 version for the static):

static (inside,dmz1) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0

With the nat 0 command you cannot initiate connections from the dmz1 zone.

bye,

Graz.

New Member

Re: Opening PIX Inside to Outside

Hi,

With "nat 0" you don't need any static to access from dmz1 to inside, and by tying it to an access-list there is no problem initiating a session from dmz1. I have this configuration working.

bye

mk

New Member

Re: Opening PIX Inside to Outside

Hi,

I agree...

with the access-list, the nat 0 command is right!

bye

Graz.

New Member

Re: Opening PIX Inside to Outside

When you create your static, reference the entire inside network address.

My inside network is 172.16.20.0 and my dmz is using public addresses.

I am using the following:

static (inside,dmz1) 172.16.20.0 172.16.20.0 netmask 255.255.255.0 0 0
