Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
358
Views
0
Helpful
1
Replies

PIX Configuration problem

wasiimcisco
Level 1
Level 1

‎03-06-2008 10:38 AM - edited ‎03-11-2019 05:13 AM

I have two servers one located in pix inside and one in dmz. I wanted to configure them so that they can communicate with routers and switches

located outside of pix firewall.

My inside server is working fine, able to go Internet and able to comminicate with all devices located on outside of Pix firewall. below mention is configuration

of insideserver.

access-list outside_acl extended permit ip x.223.188.0 255.255.255.0 host 172.28.32.50

access-list outside_acl extended permit ip host x.219.212.217 host 172.28.32.50

access-list nonat extended permit ip host 172.28.32.50 host x.219.212.217

access-list nonat extended permit ip host 172.28.32.50 x.223.188.0 255.255.255.0

access-list inside_acl extended permit ip host 172.28.32.50 any

But my DMZ server is not working. Though I did the same configuration as for Inside server. DMZ server not able to communicate with outside

network.

access-list outside_acl extended permit ip x.223.188.0 255.255.255.0 host 172.28.92.72

access-list outside_acl extended permit ip host x.219.212.217 host 172.28.92.72

access-list nonat extended permit ip host 172.28.92.72 host x.219.212.217

access-list nonat extended permit ip host 172.28.92.72 x.223.188.0 255.255.255.0

access-list dmz_acl extended permit ip host 172.28.92.72 any

If i creat a static entry for DMZ SNMP server,

static (edn,outside) 172.28.92.72 172.28.92.72 netmask 255.255.255.255

it starts communicating with outside devices but Internet stop working on that server. same configuration

works with INside server but not with dmz server.

nat (inside) 0 access-list nonat

nat (inside) 3 172.28.32.0 255.255.255.0

nat (dmz) 3 172.28.92.0 255.255.255.0

global (outside) 3 interface

Labels:
0 Helpful
1 Reply 1

brettmilborrow
Level 1
Level 1

‎03-06-2008 10:56 AM

statics override nats, except if it is a nat 0 so:

1) Your inside server will be translated to the firewall interface address when it talks outside (nat (inside) 3)

2) Your dmz server will be translated to 172.28.92.72 (because of the nat (inside) 0 nonat) and this address (172.28.92.72) is private address space and is not routed on the internet.

For this to work you need to try this:

REMOVE NONAT CONFIG FOR DMZ SERVER:

no access-list nonat extended permit ip host 172.28.92.72 host x.219.212.217

no access-list nonat extended permit ip host 172.28.92.72 x.223.188.0 255.255.255.0

REMOVE STATIC ENTRY FOR DMZ SERVER:

no static (edn,outside) 172.28.92.72 172.28.92.72 netmask 255.255.255.255

CLEAR CURRENT TRANSLATION TABLE

clear xlate local 172.28.92.72

Attempt to connect again. This should be translated to the interface address now because of the "nat (dmz) 3" statement.

Good luck!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card