Cisco Support Community
Community Member

PIX: Allowing DMZ servers to access Inside servers

Hi,

I am building a PIX 520 from scratch using 6.2(2) and PDM 2.1(1). I have 3 interfaces:

outside (sec0) - xx.xx.xx.xx

inside (sec100) - 10.100.1.0/24

dmz (sec10) - 172.16.254.0/24

All was going well with the rulebase until I started on the task of allowing dmz hosts to access inside hosts. I'm having problems as soon as I create an access rule, e.g.:

access-list dmz_access_in permit tcp host 172.16.254.20 host 10.100.1.35 eq ldap

Problem 1:

pdm alerts to say that a static translation is needed for 10.100.1.35 between the inside network and the dmz. I would like the 172.16.254.20 server to access the 10.100.1.35 server using its actual address of 10.100.1.35. Can I simply assign these commands:

static (inside,dmz) 10.100.1.0 10.100.1.0 netmask 255.255.255.0 0 0

access-list dmz_inbound_nat0_acl permit ip any 10.100.1.0 255.255.255.0

nat (dmz) 0 access-list dmz_inbound_nat0_acl outside

and then:

access-list dmz_access_in permit tcp host 172.16.254.20 host 10.100.1.35 eq ldap

access-group dmz_access_in in interface dmz

...will this work without problems?

Problem 2:

The implicit outbound rule for the DMZ is broken - why? I need the DMZ servers to be able to access the internet without hindrance.

When I try to insert another rule to allow this, the following command is inserted into the PIX config:

access-list dmz_access_in permit ip 172.16.254.0 255.255.255.0 any

This command now allows any DMZ server to access all devices on my internal network! How can I solve this?

Hope someone can help... Thanks in advance,

Tariq.

Accepted Solution
Community Member

Re: PIX: Allowing DMZ servers to access Inside servers

On Problem 1, you don't need the nat 0 statement and corresponding access-list. The static is sufficient.

Problem 2: Since you applied an access-list to the DMZ interface, you must expand it to include Internet access as well. If this is what you need, I would try something like this:

access-list dmz_access_in permit tcp host 172.16.254.20 host 10.100.1.35 eq ldap

access-list dmz_access_in permit tcp host 172.16.254.30 host 10.100.1.35 eq ldap

...

...

etc. to allow all required access inside.

access-list dmz_access_in deny ip any 10.0.0.0 255.0.0.0

access-list dmz_access_in permit ip any any

Of course, you will want to tweak this as required.
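The point of the accepted answer is ACL ordering: a PIX access-list is evaluated top-down, first match wins, and anything not matched is dropped by the implicit deny at the end, so the "deny ip any 10.0.0.0 255.0.0.0" line has to sit below the specific LDAP permits and above the "permit ip any any" that gives the DMZ its Internet access. The script below is an added example, not part of this thread and not Cisco code: a small first-match evaluator for the PIX-style access-list syntax used above (PIX takes real netmasks, not IOS wildcard masks; "host", "any" and "eq" are handled, object-groups and established-connection state are not), run against constructed sample flows for the ACL PDM produced in Problem 2 and for the ordering in the accepted answer. The port-name table and the sample flow addresses are assumptions made for the example; the static identity translation that makes 10.100.1.35 reachable by its real address is outside what an ACL evaluator models.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# PIX-style ACE: "access-list NAME permit|deny PROTO SRC DST [eq PORT]"
# SRC/DST forms: "any", "host A.B.C.D", or "A.B.C.D NETMASK".

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str

# Assumed subset of PIX service-name keywords, enough for this example.
PORT_NAMES = {"ldap": 389, "www": 80, "http": 80, "https": 443, "domain": 53, "smtp": 25}

def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # PIX writes a real netmask (255.0.0.0), which ipaddress accepts directly.
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_ace(line):
    tokens = line.split()
    assert tokens[0] == "access-list", line
    name, action, proto = tokens[1], tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return name, Ace(action, proto, src, dst, dport, line)

def parse_acl(config_lines):
    """Group ACEs by access-list name, preserving configuration order."""
    acls = {}
    for line in config_lines:
        line = line.strip()
        if line.startswith("access-list"):
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
    return acls

def evaluate(aces, proto, src_ip, dst_ip, dport=None):
    """First match wins; no match means the implicit deny at the end of the list."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "<implicit deny>"

# Constructed: the list the original poster ended up with after PDM added the broad permit.
PDM_ACL = [
    "access-list dmz_access_in permit tcp host 172.16.254.20 host 10.100.1.35 eq ldap",
    "access-list dmz_access_in permit ip 172.16.254.0 255.255.255.0 any",
]

# Constructed: the ordering from the accepted answer.
ANSWER_ACL = [
    "access-list dmz_access_in permit tcp host 172.16.254.20 host 10.100.1.35 eq ldap",
    "access-list dmz_access_in permit tcp host 172.16.254.30 host 10.100.1.35 eq ldap",
    "access-list dmz_access_in deny ip any 10.0.0.0 255.0.0.0",
    "access-list dmz_access_in permit ip any any",
]

# Constructed sample flows from the DMZ (198.51.100.10 stands in for an Internet host).
FLOWS = {
    "ldap_to_inside": ("tcp", "172.16.254.20", "10.100.1.35", 389),
    "ssh_to_inside": ("tcp", "172.16.254.20", "10.100.1.35", 22),
    "other_dmz_host_to_inside": ("tcp", "172.16.254.99", "10.100.1.50", 445),
    "web_to_internet": ("tcp", "172.16.254.20", "198.51.100.10", 80),
}

def check(acl_lines):
    """Return {flow name: permit|deny} for the dmz_access_in list in acl_lines."""
    aces = parse_acl(acl_lines)["dmz_access_in"]
    return {name: evaluate(aces, *flow)[0] for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("PDM-inserted ACL", PDM_ACL), ("accepted-answer ACL", ANSWER_ACL)):
        print(label, check(acl))
```

With the PDM list every sample flow is permitted, including SSH and SMB from the DMZ into the inside network, which is exactly the exposure the poster noticed. With the accepted-answer ordering only the named LDAP flow and the Internet-bound flow pass; the deny on 10.0.0.0/8 covers the whole inside range, so adding inside hosts later does not silently open them up. Swapping the deny and the permit-any lines would reproduce the original problem, which is the check to run whenever PDM or a later edit reorders the list.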

3 REPLIES

Community Member

Re: PIX: Allowing DMZ servers to access Inside servers

Guys - thank you for your help - my firewall is now up and running!

Community Member

Re: PIX: Allowing DMZ servers to access Inside servers

Problem 1)

Using the PDM is harder because you tend to forget a lot of other options to configure.

What does your global syntax configuration (PAT) look like? You should have a global (inside) 1 10.0.100.1.x and a corresponding nat statement NAT (dmz) 1 172.16.254.0 255.255.255.0. This says that the hosts on the DMZ network will be NATed to the PAT address specified in the global statement.

Also, I agree you don't need the NAT 0 and corresponding ACL either.

97 Views, 0 Helpful, 3 Replies