09-09-2002 02:09 PM - edited 02-20-2020 10:14 PM
I am testing with the following configs:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
ip address outside 66.100.123.85 255.255.255.128
ip address inside 66.100.123.129 255.255.255.192
ip address DMZ 66.100.123.249 255.255.255.248
nat (inside) 0 66.100.123.128 255.255.255.192 0 0
nat (DMZ) 0 66.100.123.248 255.255.255.248 0 0
static (DMZ,outside) 66.100.123.248 66.100.123.248 netmask 255.255.255.248 0 0
static (inside,outside) 66.100.123.128 66.100.123.128 netmask 255.255.255.192 0 0
access-group test1 in interface outside
access-list test1 permit icmp host DNS1 any
access-list test1 permit icmp host DNS2 any
access-list test1 permit icmp host 66.100.123.1 any
access-list test1 permit icmp any any
access-list test1 permit udp host 200.10.10.10 host 66.100.123.253 eq snmp
access-list test1 permit udp host 200.10.10.10 host 66.100.123.253 eq snmptrap
access-list test1 permit tcp any host 66.100.123.253 eq www
With the previous configs:
Anybody from "outside" can access the web server (66.100.123.253) in DMZ.
Anybody from "outside" can ping either "inside" or "DMZ".
Anybody from "DMZ" can ping "outside".
How can I enable somebody in "inside" to access a server in "DMZ"?
09-11-2002 07:51 AM
I hope this is what you're looking for-->
By default, 'inside' can access 'dmz' because of the higher to lower security level. All you would need next is a static command translating the IP of the machine on 'inside' or range of addresses on 'inside' to the 'dmz' interface.
ex:
static (inside,DMZ) 66.100.123.128 66.100.123.128 netmask 255.255.255.255 0 0
09-11-2002 08:18 AM
Is the static mapping actually needed in this case, shouldn't the PIX know what to do with the packets already?
09-11-2002 08:54 AM
I believe translation has to occur when the session is attempted because the interfaces are on two different subnets.
09-11-2002 11:21 AM
Thanks a lot to everybody for all the suggestions. I got it to work.
With this configuration "inside" can access "DMZ" and vice versa.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
ip address outside 65.100.123.85 255.255.255.128
ip address inside 65.100.123.129 255.255.255.192
ip address DMZ 65.100.123.249 255.255.255.248
static (DMZ,outside) 65.100.123.248 65.100.123.248 netmask 255.255.255.248 0 0
static (inside,outside) 65.100.123.128 65.100.123.128 netmask 255.255.255.192 0 0
static (inside,DMZ) 65.100.123.128 65.100.123.128 netmask 255.255.255.192 0 0
access-list test1 permit icmp host DNS1 any
access-list test1 permit icmp host DNS2 any
access-list test1 permit icmp host 65.100.123.1 any
access-list test1 permit icmp any any
access-list test1 permit udp host 200.10.10.10 host 65.100.123.253 eq snmp
access-list test1 permit udp host 200.10.10.10 host 65.100.123.253 eq snmptrap
access-list test1 permit tcp any host 65.100.123.253 eq www
access-list inside permit ip any any
access-list inside permit icmp any any
access-list dmz permit ip any any
access-list dmz permit icmp any any
access-group test1 in interface outside
access-group inside in interface inside
access-group dmz in interface DMZ
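The two checks this thread turns on (a static translation covering the higher-security side of the flow, then the access-list bound inbound on the source interface, or the security-level rule when none is bound) modelled in a short script. This is an added example, not code from the thread or from Cisco; it is a simplified approximation of PIX 6.2 behaviour, and PIX_CONFIG is a constructed copy of the final post with the DNS1/DNS2 and snmp lines left out.

```python
import ipaddress
# Constructed copy of the thread's final config (DNS1/DNS2 and snmp lines omitted).
PIX_CONFIG = """nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
static (DMZ,outside) 65.100.123.248 65.100.123.248 netmask 255.255.255.248 0 0
static (inside,outside) 65.100.123.128 65.100.123.128 netmask 255.255.255.192 0 0
static (inside,DMZ) 65.100.123.128 65.100.123.128 netmask 255.255.255.192 0 0
access-list test1 permit icmp any any
access-list test1 permit tcp any host 65.100.123.253 eq www
access-list inside permit ip any any
access-list dmz permit ip any any
access-group test1 in interface outside
access-group inside in interface inside
access-group dmz in interface DMZ"""

def parse(config):
    cfg = {"level": {}, "static": [], "acl": {}, "group": {}}
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "nameif":
            cfg["level"][t[2]] = int(t[3][len("security"):])
        elif t[0] == "static":  # (high,low) pair and its identity-mapped network
            cfg["static"].append((*t[1].strip("()").split(","), ipaddress.ip_network(f"{t[3]}/{t[5]}")))
        elif t[0] == "access-list":
            cfg["acl"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group":
            cfg["group"][t[4]] = t[1]
    return cfg

def acl_permits(aces, proto, src, dst, port=None):
    for ace in aces:  # first matching ACE decides; implicit deny at the end
        ok, i = ace[1] in ("ip", proto), 2
        for ip in (src, dst):  # each address is "any" or "host X"
            ok = ok and (ace[i] == "any" or ace[i + 1] == ip)
            i += 1 if ace[i] == "any" else 2
        if ok and (i >= len(ace) or (ace[i] == "eq" and ace[i + 1] == port)):
            return ace[0] == "permit"
    return False

def flow_allowed(cfg, src_if, dst_if, src, dst, proto, port=None):
    lvl = cfg["level"]
    high, low = (src_if, dst_if) if lvl[src_if] > lvl[dst_if] else (dst_if, src_if)
    high_addr = ipaddress.ip_address(src if high == src_if else dst)
    # Check 1: a static for this interface pair must cover the higher-security address.
    if not any((h, l) == (high, low) and high_addr in n for h, l, n in cfg["static"]):
        return False
    acl = cfg["group"].get(src_if)  # with no ACL bound, only the higher level may initiate
    if acl is None:
        return lvl[src_if] > lvl[dst_if]
    return acl_permits(cfg["acl"][acl], proto, src, dst, port)
```

Running flow_allowed(parse(PIX_CONFIG), "inside", "DMZ", "65.100.123.130", "65.100.123.253", "tcp", "www") returns True, and the same call against the config with the static (inside,DMZ) line removed returns False; the model also reproduces the first post's observation that "permit icmp any any" on outside lets any address ping inside hosts.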