01-17-2007 09:06 PM - edited 03-11-2019 02:21 AM
Hi, I have forwarded port 82 to my internal machine, however I cannot access this when on the DMZ, any ideas? If I type 10.0.0.1 it doesn't work, the packet is denied. Is there any way to allow some packets from my DMZ onto the internal subnet?
Is the problem that I have NAT for the DMZ enabled when the packets will go back in through the PIX?
Part of the config is below:
PIX Version 7.2(2)
!
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.0.0
!
ftp mode passive
access-list 1 extended permit tcp any any eq www
access-list 1 extended permit tcp any any eq pop3
access-list 1 extended permit tcp any any eq smtp
access-list 1 extended permit tcp any any eq https
access-list 1 extended permit tcp any any eq domain
access-list 1 extended permit tcp any any eq 8081
access-list 1 extended permit tcp any any eq 8082
access-list outside_access_in extended permit tcp any interface outside eq 46750
access-list outside_access_in extended permit tcp any interface outside eq 5444
access-list outside_access_in extended permit udp any interface outside eq 8044
access-list outside_access_in extended permit tcp any interface outside eq pptp
access-list outside_access_in extended permit tcp any interface outside eq 82
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) udp interface tftp 192.168.2.171 tftp netmask 255.255.255.255
static (inside,outside) tcp interface 5444 192.168.2.200 5444 netmask 255.255.255.255
static (inside,outside) udp interface 8044 192.168.2.200 8044 netmask 255.255.255.255
static (inside,outside) tcp interface 46750 192.168.2.200 46750 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.0.25 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 82 192.168.2.200 82 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
route inside 192.168.0.0 255.255.0.0 192.168.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no sysopt connection permit-vpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
!
service-policy global_policy global
Thanks in advance,
Chris
01-17-2007 09:16 PM
Hello Chris,
I can see statics only from inside to outside. If you are accessing from the DMZ, you need to have a translation table entry from inside to DMZ. You also need an access-list to allow the port from DMZ to inside, since inside is a higher security zone. Your sample config will look like this:
Inside PC - 192.168.0.10
DMZ PC - 172.16.1.10
Port needed - TCP 82
static (inside,dmz) 192.168.0.10 192.168.0.10 netmask 255.255.255.255
access-list dmz extended permit tcp host 172.16.1.10 host 192.168.0.10 eq 82
access-group dmz in interface dmz
You can also do it through NAT 0, but I would prefer static, since you will really have control of what traffic you want to allow. You can change the netmask or the ACL in accordance with your network.
Hope this helps. Let us know if this works for you.
Raj
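The fragment below is an added example, not part of either post, that puts Raj's answer together with the two things a practitioner would want to check before applying it. First, a `static (inside,outside)` only applies to traffic arriving on the outside interface, so a DMZ host connecting to the outside address 10.0.0.1 never matches the port 82 static; the DMZ needs its own `static (inside,dmz)` (or a `nat 0` exemption) because `nat-control` is on. Second, once an `access-group` is bound to the dmz interface, the security-level rule no longer applies and the ACL's implicit deny blocks everything else from the DMZ, including its outbound Internet traffic, unless permitted explicitly. Addresses are Raj's sample values (inside PC 192.168.0.10, DMZ PC 172.16.1.10, TCP 82) and the ACL name `dmz_access_in` is an assumption; adjust to the real hosts.

```text
! Added example, not from the original thread. Uses the sample addresses
! from the reply above (inside 192.168.0.10, dmz 172.16.1.10, TCP 82).
!
! 1. Identity translation so nat-control permits dmz -> inside.
!    Covering the whole inside subnet avoids one static per host.
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
!
!    Alternative (the "NAT 0" option mentioned in the reply): exempt
!    inside -> dmz traffic from translation. Use one or the other.
! access-list nonat extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
! nat (inside) 0 access-list nonat
!
! 2. Inbound ACL on dmz. Allow only the one service into inside,
!    refuse the rest of inside explicitly, then let the DMZ keep
!    its outbound (lower security) traffic, which the implicit deny
!    would otherwise break once the access-group is applied.
access-list dmz_access_in extended permit tcp host 172.16.1.10 host 192.168.0.10 eq 82
access-list dmz_access_in extended deny ip any 192.168.0.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz
!
! 3. Verify: the xlate table should show the identity entry, and
!    packet-tracer reports the xlate and ACL line the flow hits, or
!    the phase that drops it (e.g. no translation group found).
show xlate
packet-tracer input dmz tcp 172.16.1.10 1025 192.168.0.10 82
```

Note that the inside hosts referenced by the existing statics (192.168.2.x) are reached via the `route inside 192.168.0.0 255.255.0.0` entry, so if the port 82 server is one of those rather than 192.168.0.10, the static and ACL must name that host and the identity static's netmask must cover its subnet.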