Cisco Support Community
New Member

PIX Firewall - Access to DMZ interface from remote locations

I currently have a PIX 520 running ver 4.4. I am not using access lists. The problem I have is that all workstations at my remote branches (frame relay connection) cannot access my Home Banking page which is on the DMZ interface. Everyone at the main branch can get to it just fine.

The remote branches all come back through the main router to access the internet.

Can anyone explain why this is happening?

thanks for any assistance

5 REPLIES
New Member

Re: PIX Firewall - Access to DMZ interface from remote locations

What interface does the frame relay connection use to get to the pix?

1. If it's the "outside" interface you will need to come up with a conduit statement to permit the remotes to access the specific host/port(s) on the home banking server(s).

Don't try access lists on 4.4... start thinking upgrade though.

2. If the frame attached hosts come in via a higher security level interface (inside), then you will need to NAT them across to the lower security level interface.

New Member

Re: PIX Firewall - Access to DMZ interface from remote locations

The remote machines access the dmz interface via the inside interface, just as all of the local machines do. The local machines have no issues with seeing the home banking server, just the remotes. Could it be related to RIP not being enabled on the DMZ? I don't want to enable it for that interface for obvious reasons.

I have helper addresses entered for all of the remote locations and everything else, including internet access, works just fine.

New Member

Re: PIX Firewall - Access to DMZ interface from remote locations

How are you advertising a route to the DMZ on the local machines? Is it different than the remotes?

A helper won't do you much good unless you're using a UDP broadcast.

Can you ping the DMZ from a remote host?

Are you running Symitar as your app? As I recall, that has some issues with IP addressing.

New Member

Re: PIX Firewall - Access to DMZ interface from remote locations

This is the statement I have in my local host router regarding the home banking server:

ip route 10.55.0.0 255.255.0.0 10.54.1.7 permanent

Where 10.55.0.0 is the network where the homebanking server is located and 10.54.1.7 is the inside interface of the firewall. I think that is what you mean by 'how is it advertised'.

When I attempt to ping the dmz from a remote host I get a reply from the local router that says the destination host is unreachable.

We are using Symitar as our app, but as some background: the problem began occurring when we removed thin clients from the remote environment and went to PCs. It was not an issue with the thin clients because they were all routed to the internet through a machine that resided on the local network.

Symitar does not seem to be an issue.

New Member

Re: PIX Firewall - Access to DMZ interface from remote locations

I know I shouldn't pick on symitar, but it does add some addressing issues in a C.U. Net.

What happens when you ping (from the PIX) to the remote network(s)?

What routing protocol are you running on the inside network?

Do you have a default route built anywhere?
