Beginner

Accessing a node on the DMZ from an inside interface on the same PIX

I have a PIX 515e running version 7.2(4).

I have 2 interfaces - DMZ3 (sec lvl 50) and LAB (sec lvl 100) behind the pix. There is also the OUTSIDE interface (sec lvl 0) which connects to the internet.

In DMZ3 I have a webserver - x.x.124.217/24 (host is NATed via static command to public IP)

In LAB I have a server - x.x.1.203/24 (entire range is NATed via NAT/Global statements to public IP)

The server in LAB needs to access a webserver in DMZ3. From the internet both of these hosts have public addresses that are NATed into the inside addresses. I can reach the webserver from the internet, but not from the LAB interface.

I think I have to add a static command so that the LAB host can access the DMZ3 host without accessing the internet.

Any assistance would be appreciated.

3 REPLIES
Enthusiast


Do you want to access the DMZ3 server by using its public or private IP?

In case it's the first one, try to add the "dns" keyword at the end of the static translation for that server to the outside; it'll enable the DNS doctoring feature.

In case you want to access the server using its private IP from the internal clients, you can configure a self-translation rule.

Something like this:

static (LAB,DMZ3) x.x.1.203 x.x.1.203 netmask 255.255.255.255
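The two options in the reply above, written out as complete PIX 7.2 NAT statements. This is an added example, not configuration posted by either participant. Interface names and security levels are the ones given in the question; every address is a constructed RFC 5737/RFC 1918 placeholder standing in for the x.x.* values in the thread (LAB 192.168.1.0/24 with the server at .203, DMZ3 10.0.124.0/24 with the web server at .217, public 203.0.113.217 for the web server and 203.0.113.222 as the PAT address for LAB). A third approach, destination NAT towards the LAB interface, is a common alternative that the thread does not raise; it is labelled as such.

```cisco
! Added example; addresses are placeholders, not the poster's.
!
! Translations the question describes as already present:
static (DMZ3,outside) 203.0.113.217 10.0.124.217 netmask 255.255.255.255
global (outside) 1 203.0.113.222
nat (LAB) 1 192.168.1.0 255.255.255.0

! Option A (public IP from LAB): DNS doctoring. Re-enter the DMZ3
! static with the "dns" keyword (it replaces the line above). A records
! for 203.0.113.217 in DNS replies that cross the PIX are rewritten to
! 10.0.124.217, so LAB clients connect to the real address and the
! flow is built LAB -> DMZ3 rather than LAB -> outside.
static (DMZ3,outside) 203.0.113.217 10.0.124.217 netmask 255.255.255.255 dns

! Option B (private IP from LAB): identity ("self") translation so LAB
! hosts keep their own addresses when they reach into DMZ3. LAB is the
! higher-security interface, so no inbound ACL is needed on LAB for this.
static (LAB,DMZ3) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Option C (not raised in the thread): destination NAT on the LAB side.
! LAB hosts connect to the public address; the PIX translates
! 203.0.113.217 -> 10.0.124.217 and forwards the flow to DMZ3 without
! relying on DNS. Only use one of A or C for the same server.
static (DMZ3,LAB) 203.0.113.217 10.0.124.217 netmask 255.255.255.255

! Checks: the xlate should show LAB-side hosts mapped as intended, and
! the conn entry must list DMZ3 (not outside) as the far-side interface.
show xlate
show conn
```

The distinguishing symptom between a working and a broken setup is the interface named in the %PIX-6-302013 "Built ... connection" message: a connection to the web server's public address that is logged as outside:203.0.113.217 has been routed out to the Internet and will not hairpin back into DMZ3, whereas DMZ3:10.0.124.217 shows the PIX forwarding it to the right segment.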

Beginner


I tried this and so far no luck:

static (LAB,DMZ3) x.x.1.203 x.x.1.203 netmask 255.255.255.255 dns

I can see in the PIX log:

Apr 01 2013 14:10:07: %PIX-6-302013: Built outbound TCP connection 96258 for outside:x.x.196.217/443 (x.x.196.217/443) to LAB:x.x.1.203/49314 (x.x.196.222/1032)

Where x.x.196.217 = the static NATed address of the web server and x.x.196.222 = the global NATed address of x.x.1.203

IP addresses appear to get translated correctly and I can see the ACLs are incrementing when I attempt to connect but I don't think it is getting through the PIX.

Enthusiast


Apologies for the late reply.

Can you please be very specific on how you want to access the server and from where.

Once that is clarified, the answer will be easy to get.