09-20-2013 09:13 PM - edited 03-11-2019 07:41 PM
Hi,
I created a simple PIX with inside, outside and dmz interfaces. My inside to outside connection works just fine, outside to inside also works fine, but outside to dmz is not working.
global (outside) 1 110.110.110.200-110.110.110.253
global (outside) 2 110.110.110.254
nat (inside) 0 access-list NONAT
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (DMZ) 2 172.16.0.0 255.255.0.0 0 0
access-group OUT_IN_DMZ in interface outside
access-group DMZ_IN in interface DMZ
access-list OUT_IN_DMZ permit tcp host 110.110.110.2 110.0.0.0 255.0.0.0 eq telnet
access-list DMZ_IN permit tcp any any eq telnet
access-list DMZ_IN permit ip any any
access-list NONAT permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0
I did the above config in the PIX to only allow telnet traffic into my inside network and DMZ from outside. Now outside to inside telnet is possible with the first host, suppose 110.110.110.200 .... unfortunately DMZ to outside works but outside to DMZ 110.110.110.254 is not telnetting ???!!!
Please help me: why can outside not telnet to DMZ even though DMZ to outside telnets and the DMZ also gets the global address 110.110.110.254 !!!!
so in short
inside --->outside 10.1.1.2 --- 110.110.110.200 (after NAT) telnet-------> 110.110.110.2 good
dmz----->outside 172.16.1.2 ---- 110.110.110.254(after NAT) telnet ------>110.110.110.2 good again
but
outside ---->dmz 110.110.110.2----110.110.110.254 telnet bad
Thanks in advance I attached my lab and config with this mail.
Bye,
09-21-2013 12:07 AM
When you access from a lower security zone (outside) to a higher security zone (dmz) you need two things:
1. Static nat translation (bidirectional)
2. Permit on the access list
What you have configured is a dynamic PAT translation from the dmz to the outside, and this is only unidirectional, from the higher to the lower zone.
You need to publish the dmz hosts to the outside using other public IPs in a one-to-one static mapping and permit the traffic to these public IPs in the outside access list.
Sent from Cisco Technical Support Android App
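An added example (not from the poster) of the static one-to-one mapping plus outside ACL entry described above, using the thread's DMZ host 172.16.1.2 and outside host 110.110.110.2, and an assumed unused public address 110.110.110.10 (PIX 6.x / pre-8.3 syntax):

```cisco
! Added example: publish DMZ host 172.16.1.2 to the outside on an assumed
! spare public address (110.110.110.10), chosen outside the existing
! global pools so it does not collide with the dynamic PAT address .254.
!
! nat/global only builds an xlate when the DMZ host initiates, so a packet
! arriving from the outside for 110.110.110.254 finds no translation and
! is dropped. A static is bidirectional: the xlate exists permanently and
! is usable from either side.
static (DMZ,outside) 110.110.110.10 172.16.1.2 netmask 255.255.255.255
!
! On pre-8.3 code the outside ACL is evaluated against the public (mapped)
! address, so permit the mapped IP, not 172.16.1.2, and keep the entry
! scoped to one source host and one port rather than "any any".
access-list OUT_IN_DMZ permit tcp host 110.110.110.2 host 110.110.110.10 eq telnet
access-group OUT_IN_DMZ in interface outside
!
! The existing nat (DMZ) 2 / global (outside) 2 rules stay for the rest of
! the DMZ; the static takes precedence for 172.16.1.2, so that host now
! appears as .10 in both directions instead of .254. Run "clear xlate"
! after adding the static so a stale dynamic entry for 172.16.1.2 is
! removed, and check with "show xlate" that the static entry is present.
```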
09-21-2013 01:02 AM
Hi,
Thanks, but INSIDE to OUTSIDE is also higher to lower and there NAT is working fine; sometimes I also use the """GLOBAL (OUTSIDE) 1 interface""" command and that also worked, so why is it not working for DMZ ... I guess I used 2 NATs, that is why
like
nat (inside) 1 0 0
nat (inside) 2 0 0
?????
But I removed nat (inside) 1 0 0 and after that it was still not working; only after the static is it working. Confusion.
Bye,
09-21-2013 12:15 AM
Hi Anand,
Telnet on the Outside interface is not possible; you will have to configure VPN to do the same.
Although you can configure SSH on the outside interface.
Cheers!!
Pankaj
Mark if this resolves your issue.
09-21-2013 01:04 AM
Hi,
Telnet is working just fine from DMZ to OUTSIDE (110.110.110.2) and translating also, but my question is why outside cannot telnet to my DMZ ?????? and one more thing, outside can telnet to inside, so that is working !!!!
Bye,