PIX 515E, multiple DMZ's, and videotape

I looked through the various topics for something similar and didn't find anything. If this is already posted, please accept my apologies.

Anyway, I have a PIX 515E running version 6.1(2). It has 6 interfaces: internal, external, and 4 DMZs (intf1, intf2, intf3, and intf4). My question is this:

Say I have a webserver on dmz1. This DMZ lives in a local subnet and is assigned the address 1.1.1.1. Currently, the PIX routes packets appropriately both to the outside and the inside as necessary. It needs to be accessible from both the outside as well as the inside. I have a PAT address assigned on the DMZ with:

global (intf1) 1 1.1.1.2

nat (inside) 1 0.0.0.0 0.0.0.0

That allows any user on the 'inside' interface to be dynamically assigned an address of 1.1.1.2 on the DMZ to access the webserver.

I have also set up a static mapping to the outside with the commands:

static (intf1,outside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255

conduit permit tcp host 2.2.2.2 eq www any

That allows any user on the 'outside' interface to access the machine on port 80.

I later find that I need to map a NetBIOS share from a specific machine on the 'inside' interface to update webserver data. I create a new entry:

static (inside,intf1) 3.3.3.3 3.3.3.3 netmask 255.255.255.255

I find that if I remove the nat/global statements, this works, but that's not an option. As it is, I get a 'The network path was not found' error.

I'm stuck. What am I doing wrong?

Any help would be greatly appreciated.


Re: PIX 515E, multiple DMZ's, and videotape

Windows networking hates NAT.

You will want to have no NATting between the two hosts at all. This will most likely require you having a nat 0 access-list command for the higher-security interface in question (inside). The access lists should classify traffic between the subnets, or just these two hosts.

Allowing NetBIOS sharing between these segments is pretty risky. I would try to find another file transfer method.

Matt
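The NAT exemption Matt describes, written out as an added PIX 6.x configuration fragment (this is not from the original post or from Cisco; the access-list name `nonat` and the use of the poster's addresses 3.3.3.3 and 1.1.1.1 are assumptions). It keeps the existing PAT for the rest of the inside users and exempts only the one inside host that needs the share:

```text
! Existing PAT for general inside -> dmz1 access stays in place
global (intf1) 1 1.1.1.2
nat (inside) 1 0.0.0.0 0.0.0.0

! Assumed access-list name. Matches only the pair of hosts that must
! talk without translation: the inside update host and the DMZ webserver.
access-list nonat permit ip host 3.3.3.3 host 1.1.1.1

! nat 0 with an access-list exempts matching traffic from NAT entirely,
! so 3.3.3.3 reaches 1.1.1.1 with its real source address and the
! webserver replies to 3.3.3.3 directly. The identity static
! "static (inside,intf1) 3.3.3.3 3.3.3.3" is then not needed.
nat (inside) 0 access-list nonat
```

After applying it, `clear xlate` drops any translation already built for 3.3.3.3 under the PAT rule, and `show xlate` should no longer show an entry for that host when it connects to the webserver. Matching only the two hosts rather than whole subnets keeps the exemption as narrow as the file-transfer need; the rest of the inside network still reaches dmz1 through 1.1.1.2 only.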
