topic Access DMZ ffom Inside in Network Security

Access DMZ ffom Inside

mahirv8680 — Mon, 11 Mar 2019 14:24:16 GMT

Hi,

I've got a web server in the DMZ (single IP address). I somehow managed to get the users from the inside interface to access the web server in the DMZ but sometimes its takes about 20 to 30 seconds to show up which is way too long. Is this to do with my DNS settings or with the PIX settings? Which of the two settings below should I use for the pix?

DMZ Subnet: 10.3.30.0 / 255.255.255.0

DMZ web server: 10.3.30.100

Inside Subnet: 172.16.0.0 / 255.255.0.0

static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

acl dmz permit tcp 10.3.30.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 80

access-group dmz in interface dmz

or no nat?

access-list nonat extended permit ip 172.16.0.0 255.255.0.0 10.3.30.0 255.255.255.0

nat (inside) 0 access-list nonat

Or should I create and ip pool?

If it's none of the above, could you please give me a suggestion of what to do (what config I should enter)?

Thanks. Appreciate it.

Re: Access DMZ ffom Inside

Jon Marshall — Wed, 10 Dec 2008 18:39:22 GMT

Mahir

You do not need the access-list

acl dmz permit tcp 10.3.30.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 80

access-group dmz in interface dmz

because the firewall is stateful so if the connection is initiated from the inside to the DMZ the return traffic will be allowed. So remove the access-list.

Static or nonat shouldn't make much differenc.

Are youi accessing the web server on the URL or by IP address. If URL how is that being resolved ?

Jon

Re: Access DMZ ffom Inside

mahirv8680 — Thu, 11 Dec 2008 12:26:47 GMT

I'm accessing the web server in DMZ through URL. I've got DNS server on the inside and on the webserver in DMZ I also installed own DNS. I've entered records for web server on inside DNS to resolve name. Something else I should do?