pix inside+dmz problem

ramesh.krishnan
Level 1

Hi,

I have a Cisco PIX 520 firewall and have the inside, outside and dmz working well. The INSIDE was added recently and now I want the inside and dmz zones to communicate with each other. Is this possible? If so, how?

can anyone help me out with some links or their own solutions?

thanks in advance.

Ramesh

4 Replies

mhoda
Level 5

Ramesh,

Yes, this will definitely work. For simplicity's sake, let's take an example:

Inside: 10.1.1.0/24 network, inside interface of PIX: 10.1.1.1

DMZ: 172.16.171.0/24 network, dmz interface of PIX: 172.16.171.1

For connection from inside to dmz:

nat (inside) 1 10.1.1.0 255.255.255.0

global (dmz) 1 interface

If you have an ACL applied on the inside interface, please make sure to allow the traffic from inside to dmz. Also, if you have an existing nat for the outside, then you may apply the same nat to the dmz interface.

For connection from dmz to inside:

static (inside,dmz) 10.1.1.50 10.1.1.50 netmask 255.255.255.255 (let's say the web server has IP 10.1.1.50)

access-list 102 permit tcp any host 10.1.1.50 eq 80

access-group 102 in interface dmz

Note: if you want to allow communication from dmz to the whole inside network, then you can define "static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0"; in that case, you will not need the nat/global for the inside to outside communication.

I hope this helps! Thanks,

Mynul

Hi Mynul,

I have a problem configuring access from the whole dmz to (a subnet in) the inside and vice versa.

For the dmz to inside connection, I understand from your reply that I need:

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 + access-list 102.

But what about inside to dmz connections? Do you mean that I need a simple

nat (inside) 0 access-list in-to-dmz

or that I need nothing else at all?

Thank you very much!

Michele

Hi Michele,

Once you define the static, you will not need anything else. If you define nat (inside) 0 with an ACL, this will supersede the static and will perform the same job. So, either of these two options will work for you: define either the static or nat 0 with an ACL.

I hope it's clear! Thanks,

Mynul
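Putting Mynul's two replies together, here is a complete inside/dmz fragment in PIX 6.x syntax. This is an added example and not configuration posted by anyone in this thread; it uses the addresses from Mynul's example, and the interface names, security levels and the interface-ACL line are assumptions. Both translation options are shown, but only one should be active at a time; note that the dmz ACL permits only one port to one inside host, so anything else from the dmz stays implicitly denied.

```text
! Assumed interface layout: inside is the most trusted, dmz in between
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.171.1 255.255.255.0

! inside -> dmz (higher -> lower security) only needs a translation
nat (inside) 1 10.1.1.0 255.255.255.0
global (dmz) 1 interface

! Option A: identity static so inside hosts keep their real addresses on the dmz
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! Option B (use INSTEAD of option A): NAT exemption for the same flows;
! nat 0 with an access-list takes precedence over statics
! access-list in-to-dmz permit ip 10.1.1.0 255.255.255.0 172.16.171.0 255.255.255.0
! nat (inside) 0 access-list in-to-dmz

! dmz -> inside (lower -> higher security) is denied until an ACL permits it.
! Permit only what the dmz needs: here, HTTP to the one web server at 10.1.1.50.
access-list 102 permit tcp 172.16.171.0 255.255.255.0 host 10.1.1.50 eq 80
access-group 102 in interface dmz
```

After applying it, `show xlate` should list the identity translations once an inside host talks to the dmz, and `show access-list 102` shows the hit counts on the permit line, which is a quick way to confirm that dmz-initiated traffic is matching the intended entry rather than something broader.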

hi Mynul,

The same worked. thanks a lot...thanks a 100 times..... :)

cheers,

Ramesh
