Cisco Support Community

New Member

Setting up DMZ "interoperability"

Dear ALL,

I'm setting up a PIX 515E 6.3 with one or more DMZ interfaces.

From external, everything seems to run properly; the problem starts when I try to establish connectivity like ICMP between two or more DMZs.

Please, could anyone of you give me an example or tell me where I can find literature about this?

Regards and Happy New Year

Alberto Brivio

  • Other Security Subjects
3 REPLIES
Gold

Re: Setting up DMZ "interoperability"

With v6.x, nat/global or static is a must before the PIX will start forwarding any packet, plus an ACL is required.

I suggest not configuring NAT between the DMZs since they are all private.

e.g.

nameif ethernet2 dmz1 security80
nameif ethernet3 dmz2 security50
static (dmz1,dmz2) <dmz1_subnet> <dmz1_subnet> netmask <dmz1_mask>
static (dmz2,dmz1) <dmz2_subnet> <dmz2_subnet> netmask <dmz2_mask>
access-list dmz2_in permit icmp any any

(The addresses in the two static lines were lost when the post was extracted; the angle-bracketed names are placeholders for the DMZ subnet and its mask, each given twice because these are identity statics that map a subnet to itself.)

New Member

Re: Setting up DMZ "interoperability"

Thanks for your prompt reply.

Just a question:

When you say "access-list dmz2_in permit icmp any any", do you mean "INBOUND" (from less secure to more secure) or "OUTBOUND" (from more secure to less secure)?

Regards

Alberto Brivio

Gold (Accepted Solution)

Re: Setting up DMZ "interoperability"

Please excuse me for misleading.

e.g.

access-list dmz2_in permit icmp any any
access-group dmz2_in in interface dmz2
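As an added worked example (not code from any reply in this thread), here is the complete two-DMZ configuration that the first reply sketches and the accepted solution completes, written out for PIX 6.3. The subnets 10.1.1.0/24 (dmz1) and 10.1.2.0/24 (dmz2) and the interface addresses are constructed; lines beginning with ":" are comments. It goes beyond the thread in two ways a practitioner would want: the ACLs are narrowed from "icmp any any" to echo and echo-reply between the two DMZ subnets only, and both interfaces get an access-group, since applying one on dmz1 removes the implicit high-to-low permit for dmz1-sourced traffic.

```cisco
: Added example, not from the thread. Addresses are constructed.
: Two DMZs at different security levels (required on 6.x; same-level
: interfaces cannot exchange traffic in this release).
interface ethernet2 auto
interface ethernet3 auto
nameif ethernet2 dmz1 security80
nameif ethernet3 dmz2 security50
ip address dmz1 10.1.1.1 255.255.255.0
ip address dmz2 10.1.2.1 255.255.255.0
:
: Identity statics: no address rewriting, but they satisfy the 6.x rule
: that a translation must exist before the PIX forwards between interfaces.
static (dmz1,dmz2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (dmz2,dmz1) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
:
: "in interface dmz2" filters packets arriving at the PIX on dmz2, so the
: sources in dmz2_in are dmz2 hosts. Echo requests let dmz2 ping dmz1;
: echo-reply is needed because 6.3 has no stateful ICMP inspection, so
: replies to dmz1-initiated pings must be permitted explicitly here.
access-list dmz2_in permit icmp 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0 echo
access-list dmz2_in permit icmp 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0 echo-reply
access-group dmz2_in in interface dmz2
:
: Once an access-group is bound to dmz1, everything entering on dmz1 is
: subject to it (implicit deny at the end), so list the dmz1 side too.
access-list dmz1_in permit icmp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 echo
access-list dmz1_in permit icmp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 echo-reply
access-group dmz1_in in interface dmz1
```

This also answers the direction question in the thread: on the PIX, "in" on an access-group always means packets entering the firewall on that interface, regardless of whether the destination interface is more or less secure. A quick way to check the result is "show xlate" (the identity statics should appear) and "show access-list", whose hit counts increment on the echo and echo-reply entries while a ping runs between the two DMZs.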
