PIX Firewall Config

fmatrine
Level 1

Hi,

We have a PIX 515E firewall set up in active/failover mode.

Please refer to the attached diagram.

We have to use the proxy server placed in the DMZ as the gateway for inside users' browsing.

In other words, all the internal users will be pointing to the DMZ proxy server to get to the Internet.

As shown in the diagram, we also have two 3750 switches configured in HSRP mode.

Our Internet is ADSL.

We have a single public IP; we want to PAT the entire LAN traffic to that single public IP on the Internet router, as shown in the attached diagram.

Please assist with the PIX config along with the routes required for achieving the task.

Regards

Deepak

6 Replies

lv.brahmam
Level 1

Hi Deepak,

You can create a PAT on the PIX using a single public IP:

global (outside) 2

nat (inside) 2 0.0.0.0 0.0.0.0 0 0

Let me know if you need any clarification.

Thanks

Brahmam.

Hi Brahmam,

Please refer to the attached PIX config and Internet router config.

The Internet router's internal network is private.

The proxy server placed in the DMZ is statically NATted to the PIX firewall's outside interface network.

I don't want the inside network to go directly to the outside world.

Instead, I want the internal network to go to the proxy server in the DMZ and through the DMZ to the outside world.

NATting of private to public IPs is happening on the Internet router and not on the PIX firewall.

Please suggest.

The PIX by default will permit traffic from a higher security level to a lower security level, e.g. from inside to DMZ. However, nat/global or static is required with v6.x.

Add the command below:

static (inside,dmz) 172.17.37.5 172.17.37.5 netmask 255.255.255.224

I guess all three ACLs are applied for testing purposes only, as permitting ip any any is not a very good security practice.

Assuming all you need is to permit the inside to the DMZ proxy server, from the proxy server to the Internet, and no inbound traffic, then no ACL is required at all.

The reason being that all this traffic flows from a higher security level to a lower security level, i.e. from inside to DMZ, then from DMZ to outside.

Hi Brahmam,

Thanks,

Also:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (dmz,outside) 192.168.22.11 172.17.37.181 netmask 255.255.255.255 0 0

static (inside,dmz) 172.17.37.5 172.17.37.5 netmask 255.255.255.224

route outside 0.0.0.0 internet router internal IP

route inside ...... appropriate routes

Routes in the Internet router for the DMZ network.

Please suggest if I am OK with the config.

Internal users will hit the DMZ proxy server en route to the Internet.

NATting will happen on the Internet router.

Regards

Deepak

Deepak

As per your PIX config, you used the same class of IP address for both inside and DMZ. Try to change the DMZ IP, since the nature of the PIX is to translate the IPs on interfaces. This should solve your problem.

Cheers

Brahmam
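As an added example, not posted by anyone in this thread, here is a small Python checker for the three points raised above: overlapping inside/DMZ subnets, `permit ip any any` ACLs, and the PIX 6.x rule that higher-to-lower security traffic needs a nat/global or static. The PIX fragment it scans is constructed from the addresses quoted in the thread and is not the poster's attached configuration.

```python
import ipaddress
import re

# Constructed PIX 6.x fragment modelled on the addresses in this thread;
# it is NOT the poster's attached configuration.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.168.22.2 255.255.255.0
ip address inside 172.17.37.1 255.255.255.0
ip address dmz 172.17.37.161 255.255.255.224
access-list inside_in permit ip any any
access-list dmz_in permit tcp 172.17.37.160 255.255.255.224 any eq www
static (inside,dmz) 172.17.37.5 172.17.37.5 netmask 255.255.255.224
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$", re.M)
SEC_RE = re.compile(r"^nameif \S+ (\S+) security(\d+)$", re.M)
ANY_RE = re.compile(r"^access-list (\S+) permit ip any any\b", re.M)
NAT_RE = re.compile(r"^nat \((\S+)\) ", re.M)
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) ", re.M)


def interfaces(cfg):
    """Map interface name -> IPv4Interface built from 'ip address' lines."""
    return {n: ipaddress.ip_interface(f"{a}/{m}") for n, a, m in IP_RE.findall(cfg)}


def overlapping_interfaces(cfg):
    """Pairs of interfaces whose subnets overlap; each PIX leg needs its own net."""
    ifs = sorted(interfaces(cfg).items())
    return [(a, b) for i, (a, na) in enumerate(ifs) for b, nb in ifs[i + 1:]
            if na.network.overlaps(nb.network)]


def permissive_acls(cfg):
    """ACL names that contain an unrestricted 'permit ip any any' entry."""
    return sorted(set(ANY_RE.findall(cfg)))


def untranslated_paths(cfg):
    """(higher, lower) interface pairs with neither a nat on the higher side nor
    a static between them; PIX 6.x will not forward that traffic without one.
    Simplification: a 'nat (if)' is treated as covering every lower interface."""
    levels = {n: int(s) for n, s in SEC_RE.findall(cfg)}
    has_nat = set(NAT_RE.findall(cfg))
    statics = set(STATIC_RE.findall(cfg))
    return sorted((hi, lo) for hi in levels for lo in levels
                  if levels[hi] > levels[lo]
                  and hi not in has_nat and (hi, lo) not in statics)
```

On the constructed fragment the inside /24 swallows the DMZ /27, the inside ACL is wide open, and both inside and DMZ still lack a translation toward outside.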

Hi

I don't find access-list commands in your PIX...