1252 Views, 0 Helpful, 2 Replies

PIX DMZ Config request

rai
Level 1

I have a PIX 515 with three interfaces: outside, DMZ, and inside. There is a current configuration in place, with the exception of the DMZ, which will be installed shortly. A new web server will sit on the DMZ with NAT to the server. Do I set up the DMZ interface to accept traffic on ports 80 and 443? Do I need to set up some kind of access-list as well? Also, LAN clients will need access to this web server (it also hosts the intranet). There are two types of LAN clients: 1. ordinary users, who will access the intranet, and 2. admin users (developers), who will need to map drives to the server's disks for system and web maintenance. Obviously, I would need to set up some kind of access-list for LAN clients. Could anyone shed some light on this issue? Input would be appreciated.

2 Replies

jboyer
Level 1

Here are some snippets from a similar config:

This config is NOT doing NAT from DMZ to outside or from inside to DMZ. The outside and DMZ are on /26 subnets of the /25 subnet they own, i.e. both outside and DMZ are public space.

(Public ip changed to 9.9.9.x for security reasons)

global (outside) 1
#sets outside NAT address(es)

nat (inside) 1 192.168.0.0 255.255.0.0 0 0
#this NATs inside to outside; won't NAT to DMZ because no global (dmz) command exists.

static (DMZ,outside) 9.9.9.9 9.9.9.9 netmask 255.255.255.255 0 0
#this line makes the web server visible to outside

static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
#this line makes the inside subnet visible to the DMZ

Access lists will be needed for all traffic permitted from outside to DMZ and from DMZ to inside.

Thank you very much for your quick response. Let's assume the following:

Outside: 215.202.205.250 255.255.255.248
DMZ: 215.202.205.253 255.255.255.248
inside: 129.1.1.10 255.255.255.0

global (outside) 1 215.202.205.250
nat (inside) 1 129.1.1.10 255.255.255.0 0 0
static (DMZ,outside) 215.202.205.250 215.202.205.253 netmask 255.255.255.255.248 0 0
static (inside,DMZ) 215.202.205.253 129.1.1.10 netmask 255.255.255.0

Is this correct? Your input would be appreciated. Thanks.
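To put jboyer's three building blocks (global/nat, the two statics, and the access lists) together for the scenario in the original question, here is a complete worked PIX 6.x configuration. It is an added example, not the config of either poster and not a verified answer to the "Is this correct?" question above. All addresses are assumptions chosen for illustration: the outside interface uses the documentation range 203.0.113.0/29 with 203.0.113.3 as the web server's public address, the DMZ is a private 192.168.10.0/24 with the web server at 192.168.10.10, the inside LAN is 10.1.1.0/24, and 10.1.1.50 stands in for the developers' admin workstation. Interface and access-list names are likewise assumed. Unlike jboyer's config, the DMZ here is private space, so the static (dmz,outside) translates rather than being an identity mapping.

```cisco
! --- Added example (assumed addresses, PIX 6.x syntax); not from the thread ---
! Security levels decide the default direction: inside (100) may initiate to
! dmz (50) and outside (0); dmz may initiate to outside; nothing initiates
! toward a higher level without a static plus an access-list.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Inside clients PAT to the outside interface address when going to the Internet.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0 0 0

! Web server: public 203.0.113.3 maps to the DMZ host 192.168.10.10.
! A /32 netmask is required for a single-host static.
static (dmz,outside) 203.0.113.3 192.168.10.10 netmask 255.255.255.255 0 0

! Identity static so inside hosts reach the DMZ by its real addresses
! (there is no global (dmz), so without this inside->dmz traffic has no translation).
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0

! Outside -> DMZ: only HTTP/HTTPS to the web server's public address.
! The final deny is implicit but written out so the intent is visible.
access-list outside_in permit tcp any host 203.0.113.3 eq www
access-list outside_in permit tcp any host 203.0.113.3 eq https
access-list outside_in deny ip any any
access-group outside_in in interface outside

! DMZ -> anywhere: a compromised web server must not be able to initiate
! connections into the LAN; allow only what the server itself needs outbound.
access-list dmz_in deny ip any 10.1.1.0 255.255.255.0
access-list dmz_in permit udp host 192.168.10.10 any eq domain
access-list dmz_in permit tcp host 192.168.10.10 any eq www
access-list dmz_in permit tcp host 192.168.10.10 any eq https
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

! Inside -> DMZ: all LAN users get the intranet over 80/443; only the admin
! host gets SMB (445 and NetBIOS session 139) for drive mapping. Everything
! else bound for the DMZ is dropped, while ordinary Internet traffic still passes.
access-list inside_in permit tcp 10.1.1.0 255.255.255.0 host 192.168.10.10 eq www
access-list inside_in permit tcp 10.1.1.0 255.255.255.0 host 192.168.10.10 eq https
access-list inside_in permit tcp host 10.1.1.50 host 192.168.10.10 eq 445
access-list inside_in permit tcp host 10.1.1.50 host 192.168.10.10 eq netbios-ssn
access-list inside_in deny ip any 192.168.10.0 255.255.255.0
access-list inside_in permit ip 10.1.1.0 255.255.255.0 any
access-group inside_in in interface inside
```

Two points worth checking when adapting this: inside clients reach the web server on its DMZ address (192.168.10.10), not the public 203.0.113.3, because the static (dmz,outside) only applies between those two interfaces; and the order of the access-list entries matters, so the deny toward the LAN in dmz_in and the deny toward the DMZ in inside_in must precede any broader permit. Verify the result with show xlate and show access-list after generating a test connection from each side.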
