05-15-2002 06:55 AM - edited 02-20-2020 10:03 PM
I am trying to find a way to have multiple hosts inside a DMZ be able to access my entire internal network. Does anyone know of a way to do this without creating individual statics for every device that may be accessed?
05-15-2002 09:20 AM
If you have only one DMZ it is very easy with access lists; you just have to do the following, assuming you want to permit all the DMZ and inside hosts to go anywhere (including the internet) freely:
------------------------------------------------------------
access-list acl_inside permit ip any any
access-list acl_dmz permit ip any any
access-group acl_inside in interface inside
access-group acl_dmz in interface dmz
------------------------------------------------------------
But if you have multiple DMZs (say 4) and you want only specific hosts on the inside/DMZs to access specific hosts/services, then you have to be a little more specific. In the config below we assume that you have 4 DMZs:
------------------------------------------------------------
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security90
nameif ethernet3 dmz2 security80
nameif ethernet4 dmz3 security70
nameif ethernet5 dmz4 security60
ip address outside xx.xx.xx.xx1 255.255.255.224
ip address inside 172.16.0.1 255.255.255.0
ip address dmz1 172.16.1.1 255.255.255.0
ip address dmz2 172.16.2.1 255.255.255.0
ip address dmz3 172.16.3.1 255.255.255.0
ip address dmz4 172.16.4.1 255.255.255.0
access-list acl_outside permit
access-list acl_inside deny tcp any any eq 6667
access-list acl_inside deny udp any any eq 6667
access-list acl_inside permit ip any any
access-list acl_dmz1 deny tcp any any eq 6667
access-list acl_dmz1 deny udp any any eq 6667
access-list acl_dmz1 permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list acl_dmz1 permit ip 172.16.1.0 255.255.255.0 172.16.3.0 255.255.255.0
access-list acl_dmz1 deny ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list acl_dmz1 deny ip 172.16.1.0 255.255.255.0 172.16.4.0 255.255.255.0
access-list acl_dmz1 permit ip any any
access-list acl_dmz2 deny tcp any any eq 6667
access-list acl_dmz2 deny udp any any eq 6667
access-list acl_dmz2 deny ip 172.16.2.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list acl_dmz2 deny ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list acl_dmz2 deny ip 172.16.2.0 255.255.255.0 172.16.3.0 255.255.255.0
access-list acl_dmz2 deny ip 172.16.2.0 255.255.255.0 172.16.4.0 255.255.255.0
access-list acl_dmz2 permit ip any any
access-list acl_dmz3 deny tcp any any eq 6667
access-list acl_dmz3 deny udp any any eq 6667
access-list acl_dmz3 deny ip 172.16.3.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list acl_dmz3 deny ip 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list acl_dmz3 deny ip 172.16.3.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list acl_dmz3 deny ip 172.16.3.0 255.255.255.0 172.16.4.0 255.255.255.0
access-list acl_dmz3 permit ip any any
access-list acl_dmz4 deny tcp any any eq 6667
access-list acl_dmz4 deny udp any any eq 6667
access-list acl_dmz4 deny ip 172.16.4.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list acl_dmz4 deny ip 172.16.4.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list acl_dmz4 deny ip 172.16.4.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list acl_dmz4 deny ip 172.16.4.0 255.255.255.0 172.16.3.0 255.255.255.0
access-list acl_dmz4 permit ip any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz2) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz3) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz4) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
access-group acl_dmz1 in interface dmz1
access-group acl_dmz2 in interface dmz2
access-group acl_dmz3 in interface dmz3
access-group acl_dmz4 in interface dmz4
static (inside,outside) xx.xx.xx.xx2 172.16.0.100 netmask 255.255.255.255 0 0
-----------------------------------------------------------------
In the above example:
1. We have restricted all the hosts on all the interfaces from accessing IRC on the internet but have allowed all other internet services to be accessed.
2. All the hosts on the inside are free to access any host on any interface.
3. All dmz1 hosts are allowed to access all of inside, dmz3 and the internet (except IRC:6667), but they can't access hosts on dmz2 and dmz4.
4. Hosts on dmz2, dmz3 and dmz4 can access only the internet (except IRC:6667).
Hope this will help you.
05-15-2002 10:31 AM
So if you are using an access-list you can connect directly to hosts on your internal network by their real (not NATed) IP address? I thought you had to do statics to go from a less trusted (dmz) to a more trusted (inside) network.
05-15-2002 12:00 PM
I am sorry, I forgot to include two very important config entries. After putting these in, DMZ hosts can access inside hosts with their real IP address and you don't have to put in any "static (inside,dmz1)" statement:
-------------------------------------------
access-list acl_no_nat permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.255.0
nat (dmz1) 0 access-list acl_no_nat
-------------------------------------------
05-16-2002 03:58 AM
Great...thanks for the help.
05-16-2002 04:30 AM
Hi,
Really, to permit traffic from a less secure area to a more secure area you must
use a static command; if you don't want to NAT the address you can use a static of this type (the nat 0 version of the static):
static (inside,dmz1) 172.16.0.0 172.16.0.0 netmask 255.255.255.0 0 0
With the nat 0 command you cannot initiate connections from the dmz1 zone.
bye,
Graz.
05-16-2002 10:54 AM
Hi,
With "nat 0" you don't need any static to access from dmz1 to inside, and by tying it to an access-list there is no problem initiating a session from dmz1. I have this configuration working.
bye
mk
05-17-2002 02:15 AM
Hi,
I agree...
with the access-list in the nat 0 command it is right!
bye
Graz.
05-16-2002 08:45 AM
When you create your static, reference the entire inside network address.
My inside network is 172.16.20.0 and my dmz is using public addresses.
I am using the following:
static (inside,dmz1) 172.16.20.0 172.16.20.0 netmask 255.255.255.0 0 0