PIX Configuration problem

wasiimcisco · ‎03-06-2008

I have two servers one located in pix inside and one in dmz. I wanted to configure them so that they can communicate with routers and switches

located outside of pix firewall.

My inside server is working fine, able to go Internet and able to comminicate with all devices located on outside of Pix firewall. below mention is configuration

of insideserver.

access-list outside_acl extended permit ip x.223.188.0 255.255.255.0 host 172.28.32.50

access-list outside_acl extended permit ip host x.219.212.217 host 172.28.32.50

access-list nonat extended permit ip host 172.28.32.50 host x.219.212.217

access-list nonat extended permit ip host 172.28.32.50 x.223.188.0 255.255.255.0

access-list inside_acl extended permit ip host 172.28.32.50 any

But my DMZ server is not working. Though I did the same configuration as for Inside server. DMZ server not able to communicate with outside

network.

access-list outside_acl extended permit ip x.223.188.0 255.255.255.0 host 172.28.92.72

access-list outside_acl extended permit ip host x.219.212.217 host 172.28.92.72

access-list nonat extended permit ip host 172.28.92.72 host x.219.212.217

access-list nonat extended permit ip host 172.28.92.72 x.223.188.0 255.255.255.0

access-list dmz_acl extended permit ip host 172.28.92.72 any

If i creat a static entry for DMZ SNMP server,

static (edn,outside) 172.28.92.72 172.28.92.72 netmask 255.255.255.255

it starts communicating with outside devices but Internet stop working on that server. same configuration

works with INside server but not with dmz server.

nat (inside) 0 access-list nonat

nat (inside) 3 172.28.32.0 255.255.255.0

nat (dmz) 3 172.28.92.0 255.255.255.0

global (outside) 3 interface

brettmilborrow · ‎03-06-2008

statics override nats, except if it is a nat 0 so:

1) Your inside server will be translated to the firewall interface address when it talks outside (nat (inside) 3)

2) Your dmz server will be translated to 172.28.92.72 (because of the nat (inside) 0 nonat) and this address (172.28.92.72) is private address space and is not routed on the internet.

For this to work you need to try this:

REMOVE NONAT CONFIG FOR DMZ SERVER:

no access-list nonat extended permit ip host 172.28.92.72 host x.219.212.217

no access-list nonat extended permit ip host 172.28.92.72 x.223.188.0 255.255.255.0

REMOVE STATIC ENTRY FOR DMZ SERVER:

no static (edn,outside) 172.28.92.72 172.28.92.72 netmask 255.255.255.255

CLEAR CURRENT TRANSLATION TABLE

clear xlate local 172.28.92.72

Attempt to connect again. This should be translated to the interface address now because of the "nat (dmz) 3" statement.

Good luck!