02-26-2009 04:48 AM - edited 03-11-2019 07:57 AM
i have a pix520 running 6.3, i have access to the outside from both the dmz and inside but cant seem to figure out how to allow access to the dmz from the inside, network as follows, dmz int 10.1.10.1, inside 10.1.0.1, outside 81.*.*.*, default route to outside next hop router. acl states, tcp permit an any eq www, ......help wanted please.
02-26-2009 05:05 AM
What does your inside ACL and NAT configuration look like? I would suggest posting a sanitized version of your configuration.
02-26-2009 01:52 PM
02-26-2009 02:18 PM
So, you're trying to access the DMZ from the inside?
I would add the following:
access-list nonat extended permit ip 10.1.0.0 255.255.255.0 10.1.10.0 255.255.255.0
nat (inside) 0 access-list nonat
I would also recommend adding an ACL to the inside interface to restrict the outbound access.
02-26-2009 02:37 PM
eddie,
with access-list bound to the inside int, i would still need to apply a 'permit ip any any' on the second line would i not?
02-26-2009 02:49 PM
The access-list I posted for you is not being bound to an interface. This is a nat exemption ACL which is telling the PIX to not perform NAT on traffic flowing from the inside to the DMZ network.
What I was suggesting was creating another ACL and applying this to the inside interface of the pix via 'access-group
02-26-2009 02:57 PM
eddie, many thanks.
I am only using this config to test for access between the inside/dmz and vice versa, once this has been established i will alter the config to only allow smtp as a mail server will be placed on the dmz.
Did you see my original config?
can you please tell me what an ACL would look like?
kind regards.
02-26-2009 05:24 AM
What is your inside subnet? I assume it is 10.1.0.0/24. Try the command below:
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.255.0 0 0
02-26-2009 01:54 PM
02-26-2009 02:52 PM
02-26-2009 03:04 PM
Hi,
please try to change the following:
static (inside,dmz) 10.1.10.2 10.1.10.2 netmask 255.255.255.255 0 0
to:
static (inside,dmz) 10.1.0.0 10.1.0. netmask 255.255.255.0
Also: try this without using an inside ACL at first. Once you have it running than you can move on to applying ACL as you see fit.
rgds,
02-26-2009 03:06 PM
etienne, many thanks
I will give it a try.
regards.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide