11-27-2009 03:58 AM - edited 03-11-2019 09:43 AM
I do not have a PIX to test, but can someone confirm that these two configurations below are equivalent? Thanks in advance.
PIX 6.3(5):
outside: 1.1.1.1
inside: 10.0.0.254/24
dmz: 192.168.1.254/23
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
static (inside,dmz) 192.168.0.0 10.0.0.0 netmask 255.255.255.0
access-list outside_acl permit tcp any any log
access-group outside_acl in interface outside
conduit permit tcp host 192.168.0.1 eq 389 host 192.168.1.1
conduit permit tcp host 192.168.0.1 eq 25 host 192.168.1.1
conduit permit tcp host 192.168.0.1 eq 21 host 192.168.1.1
conduit permit tcp host 192.168.0.1 eq 135 host 192.168.1.1
ASA 8.2(1):
outside: 1.1.1.1
inside: 10.0.0.254/24
dmz: 192.168.1.254/23
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
static (inside,dmz) 192.168.0.0 10.0.0.0 netmask 255.255.255.0
access-list outside_acl permit tcp any any log
access-group outside_acl in interface outside
access-list dmz_acl permit tcp host 192.168.1.1 host 192.168.0.1 eq 389 log
access-list dmz_acl permit tcp host 192.168.1.1 host 192.168.0.1 eq 25 log
access-list dmz_acl permit tcp host 192.168.1.1 host 192.168.0.1 eq 21 log
access-list dmz_acl permit tcp host 192.168.1.1 host 192.168.0.1 eq 135 log
access-list dmz_acl deny ip any 192.168.0.0 255.255.255.0 log
access-list dmz_acl permit ip any any log
access-group dmz_acl in interface dmz
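As an added example (not from the thread or from Cisco), the following Python script applies the conduit-to-ACE rewrite the question turns on: a conduit names the mapped destination first (`host <mapped> eq <port>`) and the foreign source second, whereas an access-list names source first, destination second. It also resolves a real inside host through the posted static to the mapped address the DMZ sees, and reports any conduit the posted dmz_acl fails to cover. The regex, function names and sample data are this example's own; only the `host ... eq <port> host ...` conduit form used in the post is handled.

```python
import ipaddress
import re

# Constructed from the configurations posted in this thread.
STATIC = "static (inside,dmz) 192.168.0.0 10.0.0.0 netmask 255.255.255.0"
CONDUITS = [
    "conduit permit tcp host 192.168.0.1 eq 389 host 192.168.1.1",
    "conduit permit tcp host 192.168.0.1 eq 25 host 192.168.1.1",
    "conduit permit tcp host 192.168.0.1 eq 21 host 192.168.1.1",
    "conduit permit tcp host 192.168.0.1 eq 135 host 192.168.1.1",
]
DMZ_ACL = [
    "access-list dmz_acl permit tcp host 192.168.1.1 host 192.168.0.1 eq 389 log",
    "access-list dmz_acl permit tcp host 192.168.1.1 host 192.168.0.1 eq 25 log",
    "access-list dmz_acl permit tcp host 192.168.1.1 host 192.168.0.1 eq 21 log",
    "access-list dmz_acl permit tcp host 192.168.1.1 host 192.168.0.1 eq 135 log",
    "access-list dmz_acl deny ip any 192.168.0.0 255.255.255.0 log",
    "access-list dmz_acl permit ip any any log",
]

# conduit permit <proto> host <mapped destination> eq <port> host <source>
CONDUIT_RE = re.compile(r"conduit permit (\S+) host (\S+) eq (\d+) host (\S+)$")


def conduit_to_ace(conduit: str, acl_name: str) -> str:
    """Rewrite one conduit as the equivalent ACE: the conduit's destination
    (the mapped address) becomes the ACE destination, its source the ACE source."""
    m = CONDUIT_RE.match(conduit.strip())
    if not m:
        raise ValueError(f"unsupported conduit form: {conduit!r}")
    proto, dst, port, src = m.groups()
    return f"access-list {acl_name} permit {proto} host {src} host {dst} eq {port} log"


def mapped_address(real_ip: str, static: str) -> str:
    """Apply 'static (a,b) <mapped_net> <real_net> netmask <mask>' to one real
    host and return the address the lower-security (dmz) side sees."""
    parts = static.split()
    mapped_net, real_net, mask = parts[2], parts[3], parts[5]
    real = ipaddress.ip_network(f"{real_net}/{mask}")
    ip = ipaddress.ip_address(real_ip)
    if ip not in real:
        raise ValueError(f"{real_ip} is not covered by {static!r}")
    return str(ipaddress.ip_address(mapped_net) + (int(ip) - int(real.network_address)))


def missing_aces(conduits, acl_lines, acl_name):
    """ACEs the conduits require that are absent from the ACL (empty list = covered)."""
    wanted = {conduit_to_ace(c, acl_name) for c in conduits}
    return sorted(wanted - {line.strip() for line in acl_lines})
```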
11-29-2009 07:10 AM
inside: 10.0.0.254/24
static (inside,dmz) 192.168.0.0 10.0.0.0 netmask 255.255.255.0
The above doesn't make sense. The inside n/w is 10.0.0.0/24, but then this static says to make the inside n/w 192.168.0.0/24 look like 10.0.0.0/24 in the dmz. Maybe 192.168.0.0/24 lives on the inside as well.
Now, if the above is true, then the acls are incorrect. The acls are talking about 192.168.0.1 as the destination from the dmz, which has to be 10.0.0.1, as the dmz will see 192.168.0.0/24 as 10.0.0.0/24, so the destination should be 10.0.0.1 instead.
Maybe the static should be like this:
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
Then the acl is correct as it stands.
-KS
11-29-2009 11:24 AM
inside: 10.0.0.254/24
static (inside,dmz) 192.168.0.0 10.0.0.0 netmask 255.255.255.0
The above doesn't make sense.
Not sure what you meant by it?
There is NO network of 192.168.0.0/24 on the inside network. Everything is directly connected.
I want the DMZ to see the inside network of 10.0.0.0/24 as 192.168.0.0/24.
Given this is what I want, is the configuration correct, especially the ACL?
11-29-2009 11:29 AM
cisco24x7 wrote:
inside: 10.0.0.254/24
static (inside,dmz) 192.168.0.0 10.0.0.0 netmask 255.255.255.0
The above doesn't make sense.
Not sure what you meant by it?
There is NO network of 192.168.0.0/24 on the inside network. Everything is directly connected.
I want the DMZ to see the inside network of 10.0.0.0/24 as 192.168.0.0/24.
Given this is what I want, is the configuration correct, especially the ACL?
David
Looks okay to me. Presumably the permit ip any any on the DMZ acl is simply to allow DMZ servers to initiate connections outbound to outside?
Jon
11-29-2009 11:45 AM
I have no idea what I was thinking.
That static looks correct. Thought the global was local.
ACL looks good too.