topic Re: PIX - Access DMZ server using an inside IP in Network Security

PIX - Access DMZ server using an inside IP

Tony_S — Mon, 11 Mar 2019 13:40:16 GMT

Hi there,

how would go about setting up access to a server on the dmz from the inside, not by using "nonat" (ie nat 0 or a static with same IP), but by accessing the server with an IP from the inside LAN ?

Thanks in advance.

Re: PIX - Access DMZ server using an inside IP

Jon Marshall — Thu, 04 Sep 2008 20:18:45 GMT

Sorry, not sure i entirely understand. What is the inside IP, what is the DMZ IP and what do you want the inside IP address to be when it gets to the DMZ server ?

Jon

Re: PIX - Access DMZ server using an inside IP

mcvhintex — Thu, 04 Sep 2008 20:28:49 GMT

If there is not an ACL already on the inside interface and if the inside interface has a higher security level than the DMZ interface, then all you will need is an address translation. Either a static or a nat statement.

Re: PIX - Access DMZ server using an inside IP

Tony_S — Thu, 04 Sep 2008 20:41:35 GMT

Thanks guys for your interest.

The answer may be simple, maybe its a bit too late for me.

I'll make it an example.

Inside is of higher security.

IP addresses

inside 192.168.1.0/24 pix: 192.168.1.1

dmz 192.168.2.0/24 pix: 192.168.2.1

dmz server 192.168.2.2

need inside users to connect to this server (Web!) by using a local IP, e.g. 192.168.1.2, not the 192.168.2.2 IP.

Thanks again.

Re: PIX - Access DMZ server using an inside IP

Jon Marshall — Thu, 04 Sep 2008 20:44:40 GMT

static (outside,inside) 192.168.1.2 192.168.2.2 netmask 255.255.255.255

You need to make sure that 192.168.1.2 is not allocated to any device on the internal LAN.

Jon

Re: PIX - Access DMZ server using an inside IP

Tony_S — Thu, 04 Sep 2008 20:52:46 GMT

Thanks Jon,

in other words you do

static (outside,inside)etc

just as if you allowing access to an internal server from the outside where you would have done

static (inside,outside) etc

Is that so ?

Thanks

Re: PIX - Access DMZ server using an inside IP

acomiskey — Thu, 04 Sep 2008 20:55:26 GMT

Correct me if I'm wrong Jon, but I think you meant...

static (dmz,inside) 192.168.1.2 192.168.2.2 netmask 255.255.255.255

Re: PIX - Access DMZ server using an inside IP

mcvhintex — Thu, 04 Sep 2008 20:58:24 GMT

You have it correct. You need to have the DMZ and Inside interfaces.

Re: PIX - Access DMZ server using an inside IP

Tony_S — Thu, 04 Sep 2008 21:05:12 GMT

Thanks,

I realise Jon meant to use dmz instead of outside.

So we agree that no matter whether the security level is from higher to lower, or lower to higher we use the same syntax for the static.

Any objections, pls advise.

Re: PIX - Access DMZ server using an inside IP

Jon Marshall — Thu, 04 Sep 2008 22:10:11 GMT

Adam

Nice to know someone was paying attention 🙂

Yes i mean't dmz, thanks for clarifying.

Jon

Re: PIX - Access DMZ server using an inside IP

Jon Marshall — Thu, 04 Sep 2008 22:15:44 GMT

Well yes and no as you'll notice that the interfaces in the static statement are reversed ie. the most common syntax for a static would be

static (inside,dmz) or

static (inside,outside)

whereas what you are doing here is reversing the interface order ie.

static (dmz,inside) or

static (inside,dmz)

Jon