Solved: Outside host needs to use dmz gateway for internet - pix 6.3

Ranbeckycr_2 · ‎02-18-2010

Hello Experts,

How would i configure a host outside of my firewall to use a dmz server as a gateway to the internet?

Example:

10.10.4.5 --- 10.10.4.1 (outside)pix--(dmz)192.168.1.1 ------192.168.1.10(gateway) ---- Internet

How would the host 10.10.4.5 use 192.168.1.10 to reach the internet?

what acls are needed

what nat is needed

Please let me know if someone has been able to do this gateway config from

low security to high security to the net.

Thank you,

Randall

Kureli Sankar · ‎02-19-2010

You have the internet on the DMZ (higher security level than the outside) ? That is strange and not common.

You have to provide translation for all the internet hosts like google and yahoo when they respond to this host on the outside.

1. The outside ACL should allow necessary access for this host to go out to the inter (port 80 and 443 and others)

access-l outside per tcp host 10.10.4.5 any eq 80

access-l outside per tcp host 10.10.4.5 any eq 443

2. Now the traslation

nat (DMZ) 0 access-l nat_0

access-l nat_0 per ip any host 10.10.4.5

-KS

Kureli Sankar · ‎02-19-2010