Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
859
Views
10
Helpful
1
Replies

Access internal LAN from DMZ for some ports

cmorley
Level 1
Level 1

‎01-17-2007 09:06 PM - edited ‎03-11-2019 02:21 AM

Hi, i have forwaded port 82 to my internal machine, however i cannot access this when on the dmz, any ideas? If i type 10.0.0.1 it doesnt work, the packet is denied. Is there anyway to allow some packets from my dmz onto the internal subnet?

Is the problem that i have NAT for the dmz enabled when the packets will go back in through the pix?

Part config is below:

PIX Version 7.2(2)

!

names

dns-guard

!

interface Ethernet0

nameif outside

security-level 0

ip address 10.0.0.1 255.255.255.0

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Ethernet2

nameif dmz

security-level 50

ip address 172.16.1.1 255.255.0.0

!

ftp mode passive

access-list 1 extended permit tcp any any eq www

access-list 1 extended permit tcp any any eq pop3

access-list 1 extended permit tcp any any eq smtp

access-list 1 extended permit tcp any any eq https

access-list 1 extended permit tcp any any eq domain

access-list 1 extended permit tcp any any eq 8081

access-list 1 extended permit tcp any any eq 8082

access-list outside_access_in extended permit tcp any interface outside eq 46750

access-list outside_access_in extended permit tcp any interface outside eq 5444

access-list outside_access_in extended permit udp any interface outside eq 8044

access-list outside_access_in extended permit tcp any interface outside eq pptp

access-list outside_access_in extended permit tcp any interface outside eq 82

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0

static (inside,outside) udp interface tftp 192.168.2.171 tftp netmask 255.255.255.255

static (inside,outside) tcp interface 5444 192.168.2.200 5444 netmask 255.255.255.255

static (inside,outside) udp interface 8044 192.168.2.200 8044 netmask 255.255.255.255

static (inside,outside) tcp interface 46750 192.168.2.200 46750 netmask 255.255.255.255

static (inside,outside) tcp interface pptp 192.168.0.25 pptp netmask 255.255.255.255

static (inside,outside) tcp interface 82 192.168.2.200 82 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 10.0.0.2 1

route inside 192.168.0.0 255.255.0.0 192.168.0.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

no sysopt connection permit-vpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect http

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect pptp

!

service-policy global_policy global

Thanks in advance,

Chris

Labels:
0 Helpful
1 Reply 1

sachinraja
Level 9
Level 9

‎01-17-2007 09:16 PM

Hello chris,

I can see statics only from inside to outside.. If you are accessing from DMZ, u need to have a translation table entry from inside to DMZ... u also need an access-list to allow port from DMZ to inside, since inside is a high security zone... your sample config will look like this:

Inside PC - 192.168.0.10

DMZ PC - 172.16.1.10

Port needed - TCP 82

static (inside, DMZ) 192.168.0.10 192.168.0.10 netmask 255.255.255.255

access-list dmz permit tcp host 172.16.1.10 host 192.168.0.10 eq 82

access-group dmz in interface dmz

you can also do it through NAT 0, but i would prefer static, since you will really have control of what traffic you want to allow.... you can change the netmask or the acl in accordance with your network ....

Hope this helps. let us know if this works for you...

Raj

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card