NAT problem of DMZ side

Anand Solgama
Level 1

Hi,

I created a simple PIX with inside, outside and dmz interfaces. My inside-to-outside connection is working just fine, and outside to inside also works fine, but outside to dmz is not working.

global (outside) 1 110.110.110.200-110.110.110.253

global (outside) 2 110.110.110.254

nat (inside) 0 access-list NONAT

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

nat (DMZ) 2 172.16.0.0 255.255.0.0 0 0

access-group OUT_IN_DMZ in interface outside

access-group DMZ_IN in interface DMZ

access-list OUT_IN_DMZ permit tcp host 110.110.110.2 110.0.0.0 255.0.0.0 eq telnet

access-list DMZ_IN permit tcp any any eq telnet

access-list DMZ_IN permit ip any any

access-list NONAT permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0

I did the above config on the PIX to only allow telnet traffic into my inside network and DMZ from outside. Now outside-to-inside telnet is possible with the first host, suppose 110.110.110.200. Unfortunately DMZ to outside works, but outside to DMZ 110.110.110.254 is not telnetting!

Please help me understand why outside to DMZ cannot telnet, even though DMZ to outside can telnet and the outside also sees the global address 110.110.110.254.

So, in short:

inside --->outside 10.1.1.2 --- 110.110.110.200 (after NAT) telnet-------> 110.110.110.2 good

dmz----->outside 172.16.1.2 ---- 110.110.110.254(after NAT) telnet ------>110.110.110.2 good again

but

outside ---->dmz 110.110.110.2----110.110.110.254 telnet bad

Thanks in advance. I attached my lab and config with this mail.

Bye,

Accepted Solution

Tariq Bader
Cisco Employee

When you access from a lower security zone (outside) to a higher security zone (dmz) you need two things:
1. Static NAT translation (bidirectional)
2. Permit on the access list

What you have configured is dynamic PAT translation from the dmz to the outside, and this is only unidirectional, from the higher to the lower zone.

You need to publish the dmz hosts to the outside using other public IPs in a one-to-one static mapping, and permit the traffic to these public IPs in the outside access list.


Sent from Cisco Technical Support Android App
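As an added example (not from the original thread or any poster), this is what the accepted answer describes in the PIX 6.x/7.x syntax of the posted config: a one-to-one static for the DMZ host 172.16.1.2, published on an assumed spare public IP 110.110.110.199 (chosen outside the dynamic pool .200-.253 and the PAT address .254), plus a matching permit in OUT_IN_DMZ that references the public address.

```text
! Added example, not the poster's config. Assumed spare public IP: 110.110.110.199
! 1. Bidirectional one-to-one mapping: DMZ host 172.16.1.2 <-> public 110.110.110.199.
!    The public IP must not overlap the dynamic pool (.200-.253) or the PAT address (.254),
!    otherwise the static and the dynamic translations collide.
static (DMZ,outside) 110.110.110.199 172.16.1.2 netmask 255.255.255.255

! 2. Permit only telnet from the outside host to the TRANSLATED (public) address.
!    On PIX before 8.3 the outside ACL matches the global IP, not 172.16.1.2.
!    The existing "access-group OUT_IN_DMZ in interface outside" already applies this list.
access-list OUT_IN_DMZ permit tcp host 110.110.110.2 host 110.110.110.199 eq telnet

! 3. Flush existing translations so the new static takes effect, then verify the
!    static xlate exists and the ACL hit counter increments on a telnet attempt.
clear xlate
show xlate
show access-list OUT_IN_DMZ
```

Note that the posted DMZ_IN list permits ip any any, so DMZ hosts can also initiate connections to inside through the NONAT exemption; tighten that list if the DMZ is meant to be isolated from inside.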


4 Replies


Hi,

Thanks, but INSIDE to OUTSIDE is also higher to lower, and in that case NAT is working fine. Sometimes I also use the "GLOBAL (OUTSIDE) 1 interface" command, and that also worked, so why is it not working for DMZ? I guess I used 2 NATs, that is why,

like

nat (inside) 1 0 0

nat (inside) 2 0.0

?????

But I removed nat (inside) 1 0 0, and after that also it was not working; only after the static is it working. Confusion.

Bye,

pankaj29in
Level 1

Hi Anand,

Telnet on the Outside interface is not possible. You will have to configure VPN to do the same.

Although you can configure SSH on outside interface.

Cheers!!

Pankaj

Mark if this resolves your issue.

Hi,

Telnet is working just fine from DMZ to OUTSIDE (110.110.110.2) and is translating also, but my question is why outside cannot telnet to my DMZ? And one more thing: outside can telnet to inside, so that is working!

Bye,
