11-06-2007 08:59 AM - edited 02-21-2020 01:46 AM
Hey guys/gals:
I want to put a web server on my DMZ. I set up the IP address on the PIX's DMZ. How can I get my web server access to my inside network and vice versa? I don't know what to do next.
I already created a VLAN in my network for this network 172.16.0.0. This network is in the same network as the DMZ's IP.
Thank you very much
11-06-2007 10:15 AM
So if you have something like
ip address dmz 172.16.0.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
To get the inside and dmz to talk you could add..
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
To initiate communication from the dmz to the inside you will also need to create an acl on the dmz. For instance, to get the dmz network to hit the inside network on port 80 and 443 it would look like this...
access-list dmz permit tcp 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
access-list dmz permit tcp 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-list dmz deny ip any 192.168.1.0 255.255.255.0
access-list dmz permit ip any any
access-group dmz in interface dmz
Please rate helpful posts.
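Added example (not part of the original posts, and not Cisco code): a small Python evaluator for the ACL posted above, showing how a PIX access list is matched top-down with an implicit deny at the end. The parser handles only the syntax used in that post, and the host addresses 172.16.0.10, 192.168.1.20 and 198.51.100.7 are constructed sample values.

```python
import ipaddress

# The ACL from the post above, in order. PIX ACLs are evaluated first-match,
# with an implicit "deny ip any any" after the last configured line.
ACL_DMZ = """\
access-list dmz permit tcp 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
access-list dmz permit tcp 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-list dmz deny ip any 192.168.1.0 255.255.255.0
access-list dmz permit ip any any
"""

def _take_net(tokens):
    """Consume 'any' or 'addr mask' from the front of the token list."""
    if tokens[0] == "any":
        tokens.pop(0)
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = tokens.pop(0), tokens.pop(0)
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse_acl(text):
    """Parse the subset of PIX ACL syntax used in the post."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()[2:]          # drop 'access-list <name>'
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _take_net(tokens), _take_net(tokens)
        port = int(tokens[1]) if tokens[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, port=None):
    """Return (action, matching line number); the first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, r_proto, r_src, r_dst, r_port) in enumerate(rules, 1):
        if r_proto not in ("ip", proto):
            continue
        if s in r_src and d in r_dst and r_port in (None, port):
            return action, n
    return "deny", None                    # implicit deny at end of ACL

if __name__ == "__main__":
    rules = parse_acl(ACL_DMZ)
    web = "172.16.0.10"                    # constructed DMZ host address
    for flow in [("tcp", web, "192.168.1.20", 443),
                 ("tcp", web, "192.168.1.20", 3389),
                 ("tcp", web, "198.51.100.7", 25)]:
        print(flow, "->", evaluate(rules, *flow))
    print("last line removed:", evaluate(rules[:3], "tcp", web, "198.51.100.7", 25))
```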
11-06-2007 10:48 AM
Is this line correct? Or do these two networks need to be different?
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
I don't understand this command. Thanks
11-06-2007 10:50 AM
It's correct. It is so no nat will take place between inside and dmz.
11-15-2007 01:02 PM
You also need to set up the devices on the DMZ with the default gateway to match that of the FW DMZ interface.
11-16-2007 07:45 PM
Hello,
I'm just curious about this command "access-list dmz permit ip any any"...is it really necessary?