PIX 515 (6.2) accessing DMZ from the inside interface.

dino
Level 1

I am testing with the following configs:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
ip address outside 66.100.123.85 255.255.255.128
ip address inside 66.100.123.129 255.255.255.192
ip address DMZ 66.100.123.249 255.255.255.248
nat (inside) 0 66.100.123.128 255.255.255.192 0 0
nat (DMZ) 0 66.100.123.248 255.255.255.248 0 0
static (DMZ,outside) 66.100.123.248 66.100.123.248 netmask 255.255.255.248 0 0
static (inside,outside) 66.100.123.128 66.100.123.128 netmask 255.255.255.192 0 0
access-group test1 in interface outside
access-list test1 permit icmp host DNS1 any
access-list test1 permit icmp host DNS2 any
access-list test1 permit icmp host 66.100.123.1 any
access-list test1 permit icmp any any
access-list test1 permit udp host 200.10.10.10 host 66.100.123.253 eq snmp
access-list test1 permit udp host 200.10.10.10 host 66.100.123.253 eq snmptrap
access-list test1 permit tcp any host 66.100.123.253 eq www

With the previous configs:

Anybody from "outside" can access the web-server(66.100.123.253) in DMZ.

Anybody from "outside" can ping either "inside" or "DMZ".

Anybody from "DMZ" can ping "outside".

How can I enable somebody in "inside" to access a server in "DMZ"?

4 Replies

jleuenberger
Level 1

I hope this is what you're looking for-->

By default, 'inside' can access 'dmz' because of the higher to lower security level. All you would need next is a static command translating the IP of the machine on 'inside' or range of addresses on 'inside' to the 'dmz' interface.

ex:

static (inside,DMZ) 66.100.123.128 66.100.123.128 netmask 255.255.255.255 0 0

Is the static mapping actually needed in this case? Shouldn't the PIX know what to do with the packets already?

I believe translation has to occur when the session is attempted because the interfaces are on two different subnets.

Thanks a lot to everybody for all the suggestions. I got it to work.

With this configuration "inside" can access "DMZ" and vice versa.

PIX Version 6.2(2)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
ip address outside 65.100.123.85 255.255.255.128
ip address inside 65.100.123.129 255.255.255.192
ip address DMZ 65.100.123.249 255.255.255.248
static (DMZ,outside) 65.100.123.248 65.100.123.248 netmask 255.255.255.248 0 0
static (inside,outside) 65.100.123.128 65.100.123.128 netmask 255.255.255.192 0 0
static (inside,DMZ) 65.100.123.128 65.100.123.128 netmask 255.255.255.192 0 0
access-list test1 permit icmp host DNS1 any
access-list test1 permit icmp host DNS2 any
access-list test1 permit icmp host 65.100.123.1 any
access-list test1 permit icmp any any
access-list test1 permit udp host 200.10.10.10 host 65.100.123.253 eq snmp
access-list test1 permit udp host 200.10.10.10 host 65.100.123.253 eq snmptrap
access-list test1 permit tcp any host 65.100.123.253 eq www
access-list inside permit ip any any
access-list inside permit icmp any any
access-list dmz permit ip any any
access-list dmz permit icmp any any
access-group test1 in interface outside
access-group inside in interface inside
access-group dmz in interface DMZ
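To make the translation and ACL rules discussed in this thread concrete, here is an added example (not from the thread and not Cisco's code) that models how a PIX 6.2 admits a new connection using security levels, static entries and access-groups, fed with the relevant lines of dino's final configuration; the host addresses, the reduced config and the deny entry in the dmz ACL are constructed. It shows why inside to DMZ failed without a static for that interface pair, that the final configuration also lets the DMZ open connections into the inside subnet, and how a deny in the dmz ACL narrows that.

```python
import ipaddress
# Constructed model (an assumption for illustration, not Cisco's code) of how PIX 6.x admits a
# NEW connection from src_if to dst_if: it needs a translation between the two interfaces, plus
# a permit from the inbound ACL on src_if or, when none is bound there, a higher security level.
SECURITY = {"outside": 0, "inside": 100, "DMZ": 50}
def in_net(ip, net, mask):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
def parse(config):
    statics, acls, groups = [], {}, {}
    for w in filter(None, (line.split() for line in config.splitlines())):
        if w[0] == "static":          # static (high,low) GLOBAL LOCAL netmask MASK ...
            statics.append(tuple(w[1].strip("()").split(",")) + (w[2], w[3], w[5]))
        elif w[0] == "access-list":   # access-list NAME permit|deny PROTO SRC DST [eq PORT]
            acls.setdefault(w[1], []).append(w[2:])
        elif w[0] == "access-group":  # access-group NAME in interface IFACE
            groups[w[4]] = w[1]
    return statics, acls, groups
def take_addr(t, i):                  # matcher and next index for 'any', 'host X' or 'NET MASK'
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        return (lambda ip, h=t[i + 1]: ip == h), i + 2
    return (lambda ip, n=t[i], m=t[i + 1]: in_net(ip, n, m)), i + 2
def acl_permits(entries, proto, src, dst, dport):
    for e in entries:                 # first matching entry decides; implicit deny at the end
        s, i = take_addr(e, 2)
        d, i = take_addr(e, i)
        port = e[i + 1] if len(e) > i and e[i] == "eq" else None
        if e[1] in ("ip", proto) and s(src) and d(dst) and port in (None, dport):
            return e[0] == "permit"
    return False
def has_xlate(statics, src_if, dst_if, src, dst):   # static (hi,lo): hi hosts reach lo and back
    return any((hi, lo) == (src_if, dst_if) and in_net(src, loc, m) or
               (hi, lo) == (dst_if, src_if) and in_net(dst, glb, m) for hi, lo, glb, loc, m in statics)
def flow_allowed(config, src_if, dst_if, src, dst, proto, dport=None):
    statics, acls, groups = parse(config)
    if not has_xlate(statics, src_if, dst_if, src, dst):
        return False                  # no translation between this interface pair: dropped
    if src_if not in groups:          # no inbound ACL: security levels alone decide
        return SECURITY[src_if] > SECURITY[dst_if]
    return acl_permits(acls.get(groups[src_if], []), proto, src, dst, dport)
# The thread's final config, cut down to the lines that govern inside<->DMZ traffic.
FINAL = """static (inside,DMZ) 65.100.123.128 65.100.123.128 netmask 255.255.255.192 0 0
access-list inside permit ip any any
access-list dmz permit ip any any
access-group inside in interface inside
access-group dmz in interface DMZ"""
# Constructed tightening: DMZ hosts may not open connections into the inside subnet.
TIGHT = FINAL.replace("dmz permit ip", "dmz deny ip any 65.100.123.128 255.255.255.192\naccess-list dmz permit ip")
```

Dropping the access-group lines from FINAL reproduces jleuenberger's point: with no ACL bound, inside to DMZ passes on security level alone, while DMZ to inside does not.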
