https://community.cisco.com/t5/network-security/pix-dmz-config-request/m-p/46276#M628884 <P>I have a PIX515, with three interfaces: outside, DMZ, and inside. Their is a current configuration in place with the exception of the DMZ, will install shortly. A new webserver will sit on the DMZ with nat to the server. Do I setup the DMZ interface to accept traffic from ports 80 and 443? Do I need to setup some kind of access-list as well? Also, LAN clients will need access to this webserver, (also hosts the intranet). Two types of LAN clients: 1. Ordinary users that will access the intranet, and 2. Admin users, who will need to hard map to HDDs for system and web maintenance (developers). Obviously, I would need to setup some kind of access-list for LAN clients. Could anyone shed some light on this issue? Input would be appreciated.</P> Fri, 21 Feb 2020 06:02:27 GMT rai 2020-02-21T06:02:27Z https://community.cisco.com/t5/network-security/pix-dmz-config-request/m-p/46276#M628884 <P>I have a PIX515, with three interfaces: outside, DMZ, and inside. Their is a current configuration in place with the exception of the DMZ, will install shortly. A new webserver will sit on the DMZ with nat to the server. Do I setup the DMZ interface to accept traffic from ports 80 and 443? Do I need to setup some kind of access-list as well? Also, LAN clients will need access to this webserver, (also hosts the intranet). Two types of LAN clients: 1. Ordinary users that will access the intranet, and 2. Admin users, who will need to hard map to HDDs for system and web maintenance (developers). Obviously, I would need to setup some kind of access-list for LAN clients. Could anyone shed some light on this issue? Input would be appreciated.</P> Fri, 21 Feb 2020 06:02:27 GMT https://community.cisco.com/t5/network-security/pix-dmz-config-request/m-p/46276#M628884 rai 2020-02-21T06:02:27Z https://community.cisco.com/t5/network-security/pix-dmz-config-request/m-p/46277#M628887 <HTML><HEAD></HEAD><BODY><P>Here are some snipits from a similar config:</P><P>This config is NOT doing NAT from DMZ to outside or from inside to DMZ. The Outside and DMZ are on /26 subnets of the /25 subnet they own. IE: both outside and DMZ are public space.</P><P>(Public ip changed to 9.9.9.x for security reasons)</P><P></P><P>global (outside) 1 <OUTSIDE address=""></OUTSIDE></P><P> #sets outside nat address(es)</P><P></P><P>nat (inside) 1 192.168.0.0 255.255.0.0 0 0</P><P> #this nats inside to outside, wont nat to dmz because no global (dmz</P><P>) command exists.</P><P></P><P>static (DMZ,outside) 9.9.9.9 9.9.9.9 netmask 255.255.255.255 0 0</P><P> #this line makes the web server visible to outside</P><P></P><P>static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0</P><P> #this line makes the inside subnet visible to the DMZ</P><P></P><P>Access lists will be needed for all traffic permitted from outside to DMZ and from DMZ to inside. </P><P></P></BODY></HTML> Fri, 26 Apr 2002 14:23:47 GMT https://community.cisco.com/t5/network-security/pix-dmz-config-request/m-p/46277#M628887 jboyer 2002-04-26T14:23:47Z https://community.cisco.com/t5/network-security/pix-dmz-config-request/m-p/46278#M628892 <HTML><HEAD></HEAD><BODY><P>Thank you very much for your quick response. Let's assume the following:</P><P>Outside: 215.202.205.250 255.255.255.248</P><P>DMZ: 215.202.205.253 255.255.255.248</P><P>inside: 129.1.1.10 255.255.255.0</P><P>global (outside) 1 215.202.205.250</P><P>nat (inside) 1 129.1.1.10 255.255.255.0 0 0</P><P>static (DMZ,outside) 215.202.205.250 215.202.205.253 netmask 255.255.255.255.248 0 0</P><P>static (inside,DMZ) 215.202.205.253 129.1.1.10 netmask 255.255.255.0</P><P></P><P>Is this correct? Your input would be appreciated. Thanks.</P></BODY></HTML> Mon, 29 Apr 2002 20:00:49 GMT https://community.cisco.com/t5/network-security/pix-dmz-config-request/m-p/46278#M628892 rai 2002-04-29T20:00:49Z