access from lan to dmz not working

jmdakecisco · ‎01-08-2007

wan--->1720---->pix---->dmz=10.200.0.0/16

pix inside(10.50.0.0/16) to 3600

3600

vlan 101 10.101.0.0/16

vlan 120 10.120.0.0/16

access to dmz from wan working.

not able to access the dmz from any inside network, do i need a no nat ? once i have a no nat if needed do i need a acl to get traffic back into inside from dmz?

network.king · ‎01-08-2007

Hi

Have you added a route for your inside network ( 10.101.0.0/16 and 10.120.0.0/16 )in the pix .

regards

vanesh k

Fernando_Meza · ‎01-08-2007

HI .. you need to check that routing is working first .. in other words make sure that the VLANs know how to get to the DMZ segment and make sure the DMZ segment knows how to get to the inside VLANs. Then the only thing you need is to allow access from inside to DMZ ( Allowed by default is not using access list). You also need to bypass NAT inside to DMZ as below

access-list nonat extended permit ip 10.101.0.0 255.255.0.0 10.200.0.0 255.255.0.0

access-list nonat extended permit ip 10.120.0.0 255.255.0.0 10.200.0.0 255.255.0.0

nat (inside) 0 access-list nonat

You might also need to bypas NAT from DMZ to inside as below

access-list nonatDMZ extended permit ip any 10.101.0.0 255.255.0.0

access-list nonatDMZ extended permit ip any 10.120.0.0 255.255.0.0

nat (dmz) 0 access-list nonatDMZ outside

If you need traffic to be initiated from the DMZ to the inside vlans then you also need to specifically allow that access on an access-list applied to the dmz interface.

I hope it helps .. please rate it if it does !!!