https://community.cisco.com/t5/network-security/pix-routing-with-3rd-interface/m-p/6684#M681681 <HTML><HEAD></HEAD><BODY><P>You have to statically assign a public IP address corresponding with the private IP address used by your Web server with the command "static".</P><P></P><P>You have to create an access-list to open a port to your Web server and finally assigned the access list created before to an access-group assign to the outside port. You can see an example at the following URL: </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/config.htm#xtocid2987342" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/config.htm#xtocid2987342</A></P><P></P><P></P></BODY></HTML> Thu, 17 May 2001 17:27:01 GMT bdube 2001-05-17T17:27:01Z https://community.cisco.com/t5/network-security/pix-routing-with-3rd-interface/m-p/6682#M681661 <P>Example Topology</P><P>Inside - 10.0.0.1</P><P>DMZ - 192.168.0.1</P><P>Outside - 216.x.x.x</P><P></P><P>I have a web server sitting on the dmz. I added a global statement which I understand allows all inside clients start connections to the dmz and outside interfaces. I can access outside resouces but I am unable to access the web server on the dmz. What I'm I missing. </P><P></P><P>Thanks, </P><P></P><P>Keith Townsend</P><P></P> Fri, 21 Feb 2020 05:47:44 GMT https://community.cisco.com/t5/network-security/pix-routing-with-3rd-interface/m-p/6682#M681661 k.townsend 2020-02-21T05:47:44Z https://community.cisco.com/t5/network-security/pix-routing-with-3rd-interface/m-p/6683#M681667 <HTML><HEAD></HEAD><BODY><P>may need to NAT from inside to dmz</P><P>the rule being high to low security use nat</P><P>low to high use global and access lists</P></BODY></HTML> Thu, 17 May 2001 16:56:20 GMT https://community.cisco.com/t5/network-security/pix-routing-with-3rd-interface/m-p/6683#M681667 millerv 2001-05-17T16:56:20Z https://community.cisco.com/t5/network-security/pix-routing-with-3rd-interface/m-p/6684#M681681 <HTML><HEAD></HEAD><BODY><P>You have to statically assign a public IP address corresponding with the private IP address used by your Web server with the command "static".</P><P></P><P>You have to create an access-list to open a port to your Web server and finally assigned the access list created before to an access-group assign to the outside port. You can see an example at the following URL: </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/config.htm#xtocid2987342" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/config.htm#xtocid2987342</A></P><P></P><P></P></BODY></HTML> Thu, 17 May 2001 17:27:01 GMT https://community.cisco.com/t5/network-security/pix-routing-with-3rd-interface/m-p/6684#M681681 bdube 2001-05-17T17:27:01Z https://community.cisco.com/t5/network-security/pix-routing-with-3rd-interface/m-p/6685#M681696 <HTML><HEAD></HEAD><BODY><P>In a additona to static command, you must include a conduit or acces list that allows inbound traffic to the web server.</P><P></P><P>-John</P></BODY></HTML> Mon, 21 May 2001 11:29:57 GMT https://community.cisco.com/t5/network-security/pix-routing-with-3rd-interface/m-p/6685#M681696 johncharris 2001-05-21T11:29:57Z https://community.cisco.com/t5/network-security/pix-routing-with-3rd-interface/m-p/6686#M681707 <HTML><HEAD></HEAD><BODY><P>Hello Keith.</P><P>Since you are trying to access a web sever from the inside, which is the highest security interface, all you need is to crate a global (perimeter) entry. But youhave to make sure that there is a nat entry for the inside network. The nat id for the nat (inside) entry should match the id for the global (perimeter) entry. For example if you have nat (inside)1 10.0.0.0 255.255.255.0, then you should have global (perimeter) 1 172.16.10.0 255.255.255.0. Users on the inside network would use 172.16.10.0 net to connect to your web server. You don't need any conduit statement since by default the pix allows all connections from the higher security interface to any lower security intf. If you want your web server to initiate a connection to the inside network you will need the static command. I think you've been doing the right thing all along. You need to make sure that the nat id matches the global id.</P><P>Cheers and good luck</P><P></P><P>Gilles</P><P> </P></BODY></HTML> Mon, 21 May 2001 17:59:50 GMT https://community.cisco.com/t5/network-security/pix-routing-with-3rd-interface/m-p/6686#M681707 gsatchivi 2001-05-21T17:59:50Z https://community.cisco.com/t5/network-security/pix-routing-with-3rd-interface/m-p/6687#M681712 <HTML><HEAD></HEAD><BODY><P>you must add a static and conduit command. </P><P>ex:</P><P>static (inside,dmza) 10.x.x.x 10.x.x.x netmask 255.255.0.0 0 0</P><P>conduit permit udp 10.x.x.x 255.255.0.0 host 20.x.x.x</P><P>conduit permit tcp 10.x.x.x 255.255.0.0 host 20.x.x.x</P><P>the static command here shown allows the inside (10.x.x.x) see that dmz. on that command the inside address has to be typed twice and it needs to be the same.</P><P>the conduit command allows the different protocols (tcp and udp) to go back to that inside address scheme from the web server (20.x.x.x)</P><P>this should work for you.</P><P> </P><P></P></BODY></HTML> Mon, 04 Jun 2001 15:17:24 GMT https://community.cisco.com/t5/network-security/pix-routing-with-3rd-interface/m-p/6687#M681712 wraights 2001-06-04T15:17:24Z