02-13-2007 08:37 AM - edited 03-11-2019 02:32 AM
Silly question here, but I give up and am cold stuck.
If I have a web app running on port 8080 on a DMZ'd web server and I want to give my users on the inside as well as the public on the outside access to this web app, what would the ACL look like?
Would I need a static trans?
For example:
User on inside - 192.168.1.0-192.168.5.0
PIX DMZ int.: 192.168.100.1
Web Srv on DMZ int. IP: 192.168.100.2
Thanks to all who can solve this mystery!
02-13-2007 08:53 AM
For outside users you need static and acl.
static (DMZ,outside)
access-list
access-group
For inside users try...
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
02-13-2007 09:00 AM
Users on the inside should by default be able to access the application as far as ACLs are concerned. Because your INSIDE interface is more trusted, the traffic will flow to a less trusted interface, i.e. your DMZ. Concerning NAT, you may have to do a nat 0 for traffic to flow back to inside correctly, but it really depends on your config.
If you have ACLs written already for your INSIDE interface, you will need to update them with something like this:
access-list INSIDE permit TCP 192.168.1.0 255.255.255.0 host 192.168.100.2 eq 8080
Hope this helps. Good luck.
02-13-2007 09:05 AM
I think you meant
access-list INSIDE permit TCP 192.168.1.0 255.255.255.0 host 192.168.100.2 eq 8080
02-13-2007 09:18 AM
Thanks for the heads up, you're right. I edited my post with the correct ACL. Sorry about that.
02-13-2007 01:13 PM
I was able to get the outside access working just fine, then I went to set the static for the inside users' access to the DMZ. I did this according to acomiskey's first post. It worked enough to get access to the DMZ from the inside, but...
I had many people telling me their internet connections and local resource connections were dropping randomly. I checked this to be true, so I removed the static. I assume this is because of an existing NAT statement, and the PIX is just looping?
cratejockey's post about depending on my config might shed some light here. Do you have a recommendation?
Here is some more info to help:
MD-Pix# sho nat
nat (inside) 0 access-list 102 (VPN Clients)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Thx
02-13-2007 02:09 PM
So local resource connections are through the PIX?
Anyway, not sure what the issue is, so communication between inside and DMZ worked, but it messed everything else up? Try
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
If that works ok, then add one for each 192.168.x network.
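A worked version of the fragments in the first reply together with the per-subnet static suggested in the last one, added here as an example and not posted by anyone in the thread. It assumes PIX 6.x syntax, interface names outside/inside/DMZ, and a placeholder public address 203.0.113.10 (TEST-NET, not the poster's real address).

```cisco
! Added example, not from the thread. Assumptions: PIX 6.x syntax,
! interfaces named outside / inside / DMZ, public address 203.0.113.10
! is a placeholder. Web server on the DMZ is 192.168.100.2:8080.

! 1. Public users: a one-to-one static from the placeholder public IP
!    to the DMZ web server, then permit only TCP/8080 to it. Anything
!    else from the outside is dropped by the implicit deny at the end
!    of the ACL, so only the web app is exposed.
static (DMZ,outside) 203.0.113.10 192.168.100.2 netmask 255.255.255.255
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq 8080
access-group OUTSIDE_IN in interface outside

! 2. Inside users: identity statics (same address on both sides) so
!    inside -> DMZ traffic is not handed to "nat (inside) 1", which
!    has nothing to translate to unless a "global (DMZ) 1" exists.
!    One /24 per inside subnet, as the last reply suggests, instead of
!    the single /16 the poster found disruptive.
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside,DMZ) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside,DMZ) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (inside,DMZ) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

! 3. Only if an ACL is already applied inbound on the inside interface:
!    an applied ACL replaces the default high-to-low permission, so the
!    web-app entry must be added explicitly, one per inside subnet.
access-list INSIDE permit tcp 192.168.1.0 255.255.255.0 host 192.168.100.2 eq 8080
access-list INSIDE permit tcp 192.168.2.0 255.255.255.0 host 192.168.100.2 eq 8080
access-group INSIDE in interface inside
```

After applying, verify with "show xlate" that the inside-to-DMZ entries appear as identity translations and that outside clients only reach TCP/8080 on the public address.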