Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
970
Views
0
Helpful
0
Comments

Hosts are unable to pass traffic from one DMZ to another DMZ

TCC_2
Level 10
Level 10

‎06-22-2009 03:33 PM - edited ‎03-08-2019 06:08 PM

Resolution

Hosts on the Demilitarized Zone (DMZ) network need to pass traffic through the PIX Firewall to connect to devices on another DMZ network. For the purposes of this example, all devices on both of the DMZ interfaces need to use their native addresses.

Configure a static translation and access for the workstations on the DMZ to reach the other DMZ network.

Note: The static Network Address Translation (NAT) that is required is for the entire DMZ network with the highest security. The Access Control List (ACL) will not defer from the standard, but will be applied to the DMZ interface with the lowest security.

In this example, the DMZ with the higher security is called DMZ1 and its network will be 10.10.1.0. The DMZ with the lower security will be called DMZ2 and its network will be 10.10.2.0. All the traffic will pass between the two DMZ networks.

Issue the following commands to configure static NAT:

pixfirewall> enable
pixfirewall# configure terminal
pixfirewall (config t)# static (DMZ1, DMZ2) 10.10.1.0 10.10.1.0

What the above statement is saying is that when traffic hits the PIX from DMZ2 and is destined for DMZ1's network (10.10.1.0), to translate that address to itself. Any traffic that passes through a PIX must be translated. To satisfy this requirement, configure the PIX to translate any address in this range to itself. This is a one-to-one translation. Because this example uses the same range twice, if traffic destined for 10.10.1.19 hits the PIX, when it is sent out of the DZ1 interface it will remain destined for 10.10.1.19. It does not reassign it a random IP address in the range.

The ACL to permit traffic from the DMZ2 network to the DMZ1 network must be configured. For the example,  you will permit all traffic to pass between the two interfaces. However, this may not always be the best choice depending on the security policy you must follow. If you are in doubt on what to allow, it is best to allow only necessary traffic.

Issue the following commands to configure the ACL:

pixfirewall (config t)# access-list dmz2dmz permit ip any any
pixfirewall (config t)# access-group dmz2dmz in interface DMZ2

After these commands have been issued, you should be able to pass the specified traffic. If there is any problem with passing traffic at that point, issue the clear xlate command.

Note: Issuing this command will temporarily drop active connections. It should re-establish within 10 seconds.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents