
rai
New Member

PIX DMZ Config request

I have a PIX515 with three interfaces: outside, DMZ, and inside. There is a current configuration in place with the exception of the DMZ, which will be installed shortly. A new web server will sit on the DMZ with NAT to the server. Do I set up the DMZ interface to accept traffic from ports 80 and 443? Do I need to set up some kind of access-list as well? Also, LAN clients will need access to this web server (which also hosts the intranet). Two types of LAN clients: 1. Ordinary users that will access the intranet, and 2. Admin users, who will need to hard map to HDDs for system and web maintenance (developers). Obviously, I would need to set up some kind of access-list for LAN clients. Could anyone shed some light on this issue? Input would be appreciated.

2 REPLIES
New Member

Re: PIX DMZ Config request

Here are some snippets from a similar config:

This config is NOT doing NAT from DMZ to outside or from inside to DMZ. The outside and DMZ are on /26 subnets of the /25 subnet they own, i.e., both outside and DMZ are public space.

(Public ip changed to 9.9.9.x for security reasons)

global (outside) 1

#sets outside nat address(es)

nat (inside) 1 192.168.0.0 255.255.0.0 0 0

#this nats inside to outside, won't nat to dmz because no global (dmz) command exists.

static (DMZ,outside) 9.9.9.9 9.9.9.9 netmask 255.255.255.255 0 0

#this line makes the web server visible to outside

static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0

#this line makes the inside subnet visible to the DMZ

Access lists will be needed for all traffic permitted from outside to DMZ and from DMZ to inside.
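As an added example (not from either post above), here is how those pieces fit together on a PIX 6.x when the DMZ web server is NATed, which is the layout the original question describes rather than the no-NAT design in the snippets. Assumed values: the server's real DMZ address 172.16.1.10, its published address 9.9.9.9 (as in the snippets), inside 192.168.0.0/16, an admin subnet 192.168.10.0/24, PAT to the outside interface address, and the access-list names; lines beginning with "!" are annotations, not PIX commands.

```cisco
! Security levels: inside (100) > DMZ (50) > outside (0). Higher-to-lower
! flows pass by default; lower-to-higher needs a static plus an access-list.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50

! Inside hosts leave PAT'd to the outside interface address (assumed);
! no global (DMZ) exists, so inside is never translated toward the DMZ.
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.0.0 0 0

! Web server: real DMZ address 172.16.1.10 (assumed), published as 9.9.9.9.
static (DMZ,outside) 9.9.9.9 172.16.1.10 netmask 255.255.255.255 0 0
! Identity static so inside addresses exist on the DMZ side (still subject
! to the DMZ access-list below) and inside clients can reach the DMZ at all.
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0

! Outside -> DMZ: only HTTP/HTTPS, and only to the published address
! (on PIX 6.x the outside access-list matches the translated address).
access-list outside_in permit tcp any host 9.9.9.9 eq 80
access-list outside_in permit tcp any host 9.9.9.9 eq 443
access-group outside_in in interface outside

! DMZ -> inside: the web server must not open connections into the LAN.
! Binding an access-list to DMZ replaces the default behaviour, so the
! last line keeps the server's own outbound access (updates, DNS) working.
access-list dmz_in deny ip any 192.168.0.0 255.255.0.0
access-list dmz_in permit ip host 172.16.1.10 any
access-group dmz_in in interface DMZ

! Inside -> DMZ: intranet users get 80/443 only; the admin subnet (assumed
! 192.168.10.0/24) may also map drives over SMB/NetBIOS. Anything else
! aimed at the server is dropped; general Internet access from inside stays.
access-list inside_out permit tcp 192.168.10.0 255.255.255.0 host 172.16.1.10 eq 445
access-list inside_out permit tcp 192.168.10.0 255.255.255.0 host 172.16.1.10 eq 139
access-list inside_out permit tcp 192.168.0.0 255.255.0.0 host 172.16.1.10 eq 80
access-list inside_out permit tcp 192.168.0.0 255.255.0.0 host 172.16.1.10 eq 443
access-list inside_out deny ip any host 172.16.1.10
access-list inside_out permit ip 192.168.0.0 255.255.0.0 any
access-group inside_out in interface inside
```

Check the result with show xlate and show access-list, whose hit counts show which line a given flow matched.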

rai
New Member

Re: PIX DMZ Config request

Thank you very much for your quick response. Let's assume the following:

Outside: 215.202.205.250 255.255.255.248

DMZ: 215.202.205.253 255.255.255.248

inside: 129.1.1.10 255.255.255.0

global (outside) 1 215.202.205.250

nat (inside) 1 129.1.1.10 255.255.255.0 0 0

static (DMZ,outside) 215.202.205.250 215.202.205.253 netmask 255.255.255.255 0 0

static (inside,DMZ) 215.202.205.253 129.1.1.10 netmask 255.255.255.0

Is this correct? Your input would be appreciated. Thanks.
