Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2057
Views
0
Helpful
5
Replies

PIX Routing With 3rd Interface

k.townsend
Level 1
Level 1

‎05-17-2001 09:45 AM - edited ‎02-20-2020 09:47 PM

Example Topology

Inside - 10.0.0.1

DMZ - 192.168.0.1

Outside - 216.x.x.x

I have a web server sitting on the dmz. I added a global statement which I understand allows all inside clients start connections to the dmz and outside interfaces. I can access outside resouces but I am unable to access the web server on the dmz. What I'm I missing.

Thanks,

Keith Townsend

0 Helpful
5 Replies 5

millerv
Level 1
Level 1

‎05-17-2001 09:56 AM

may need to NAT from inside to dmz

the rule being high to low security use nat

low to high use global and access lists

0 Helpful

bdube
Level 2
Level 2

‎05-17-2001 10:27 AM

You have to statically assign a public IP address corresponding with the private IP address used by your Web server with the command "static".

You have to create an access-list to open a port to your Web server and finally assigned the access list created before to an access-group assign to the outside port. You can see an example at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/config.htm#xtocid2987342

0 Helpful

johncharris
Level 1
Level 1

‎05-21-2001 04:29 AM

In a additona to static command, you must include a conduit or acces list that allows inbound traffic to the web server.

-John

0 Helpful

gsatchivi
Level 1
Level 1

‎05-21-2001 10:59 AM

Hello Keith.

Since you are trying to access a web sever from the inside, which is the highest security interface, all you need is to crate a global (perimeter) entry. But youhave to make sure that there is a nat entry for the inside network. The nat id for the nat (inside) entry should match the id for the global (perimeter) entry. For example if you have nat (inside)1 10.0.0.0 255.255.255.0, then you should have global (perimeter) 1 172.16.10.0 255.255.255.0. Users on the inside network would use 172.16.10.0 net to connect to your web server. You don't need any conduit statement since by default the pix allows all connections from the higher security interface to any lower security intf. If you want your web server to initiate a connection to the inside network you will need the static command. I think you've been doing the right thing all along. You need to make sure that the nat id matches the global id.

Cheers and good luck

Gilles

0 Helpful

wraights
Level 1
Level 1

‎06-04-2001 08:17 AM

you must add a static and conduit command.

ex:

static (inside,dmza) 10.x.x.x 10.x.x.x netmask 255.255.0.0 0 0

conduit permit udp 10.x.x.x 255.255.0.0 host 20.x.x.x

conduit permit tcp 10.x.x.x 255.255.0.0 host 20.x.x.x

the static command here shown allows the inside (10.x.x.x) see that dmz. on that command the inside address has to be typed twice and it needs to be the same.

the conduit command allows the different protocols (tcp and udp) to go back to that inside address scheme from the web server (20.x.x.x)

this should work for you.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card