What address should I whitelist to connect from inside to DMZ

akblackwel
Level 1

I'm putting a couple of servers in my DMZ on a PIX 515E. The inside is NATed (192.168.199.0/24) and the DMZ is NATed also (192.168.200.0/24). Inside the DMZ is an ISA 2006 server. I want to block that server off entirely except from the inside network. Currently I can RDP to the server, but it's reporting the connecting address as 192.168.200.107, which is an address inside the DMZ. The PIX is reporting ICMPs as:

6 | Feb 16 2012 | 08:42:45 | 302020 | 192.168.200.110 | 512 | 192.168.199.19 | 0 | Built inbound ICMP connection for faddr 192.168.200.110/512 gaddr 192.168.200.107/0 laddr 192.168.199.19/0

I guess I'm not understanding the gaddr address being reported. I would think I would tell the ISA to allow remote management from 192.168.199.1/24. Not sure how the 192.168.200.107 address gets reported as the connecting-from address when it's really an address on the inside, which is 192.168.199.19.

Thanks

2 Replies

varrao
Level 10

Hi,

It's actually a bit the opposite of what you are thinking: it is reporting the destination address first and then the source address. If you have a look at the syslog again, it is a connection for the destination:

Built inbound ICMP connection for faddr 192.168.200.110/512 gaddr 192.168.200.107/0 laddr 192.168.199.19/0

Don't confuse it with being the source address.

Thanks,

Varun Rao

OK,

Then is the gaddr 192.168.200.107/0 an address that gets dynamically created when the tunnel is created? I don't have any machines on the network with that address, and I am initiating a connection from the inside interface from machine 192.168.199.19.
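For anyone reading this thread later, here is the field naming Cisco uses in the 302020 message, and a small parser that pulls the three addresses out so you do not have to eyeball them. In PIX/ASA connection syslogs faddr is the foreign address (the host on the lower-security side, here the DMZ host 192.168.200.110), laddr is the local address (the real host on the higher-security side, 192.168.199.19), and gaddr is the global address, i.e. the translated address the foreign host sees the local host as. That is why the ISA server reports 192.168.200.107 as the peer: the PIX translates the inside host into the DMZ-side address range, so an allow rule on the DMZ server has to name the global address(es) produced by the inside-to-DMZ translation, not the inside 192.168.199.x addresses. Whether that gaddr is a fixed static or drawn from a global pool depends on the nat/global configuration, which the thread does not show. The script below is an added example, not part of the original posts; it uses the syslog line from the thread plus a few constructed lines, and collects, for each inside host, the global address it appears as on the DMZ side.

```python
import re
from ipaddress import ip_address, ip_network

# Message body of Cisco PIX/ASA syslog 302020. Per Cisco's field naming:
#   faddr = foreign address (host on the lower-security side)
#   gaddr = global address (NAT-translated address the foreign host sees)
#   laddr = local address (real address on the higher-security side)
# The number after each slash is the ICMP id/type field, not a TCP/UDP port.
MSG_302020 = re.compile(
    r"Built (?P<direction>inbound|outbound) ICMP connection for "
    r"faddr (?P<faddr>\d+(?:\.\d+){3})/(?P<f_id>\d+) "
    r"gaddr (?P<gaddr>\d+(?:\.\d+){3})/(?P<g_id>\d+) "
    r"laddr (?P<laddr>\d+(?:\.\d+){3})/(?P<l_id>\d+)"
)

# Networks from the thread: inside and DMZ are both RFC1918 ranges on the PIX.
INSIDE = ip_network("192.168.199.0/24")
DMZ = ip_network("192.168.200.0/24")

# Sample log: the first line is the one posted in the thread; the rest are
# constructed for this example (a second inside host, an inside host going to
# an outside address, and a teardown message that is not a 302020 at all).
SAMPLE_LOG = [
    "%PIX-6-302020: Built inbound ICMP connection for faddr 192.168.200.110/512 "
    "gaddr 192.168.200.107/0 laddr 192.168.199.19/0",
    "%PIX-6-302020: Built inbound ICMP connection for faddr 192.168.200.110/513 "
    "gaddr 192.168.200.108/0 laddr 192.168.199.20/0",
    "%PIX-6-302020: Built outbound ICMP connection for faddr 203.0.113.9/0 "
    "gaddr 198.51.100.2/1 laddr 192.168.199.20/1",
    "%PIX-6-302021: Teardown ICMP connection for faddr 192.168.200.110/512 "
    "gaddr 192.168.200.107/0 laddr 192.168.199.19/0",
]


def parse_302020(line):
    """Return direction and the three addresses from a 302020 message,
    or None if the line is not a 'Built ... ICMP connection' message."""
    m = MSG_302020.search(line)
    if m is None:
        return None
    return {
        "direction": m.group("direction"),
        "faddr": ip_address(m.group("faddr")),
        "gaddr": ip_address(m.group("gaddr")),
        "laddr": ip_address(m.group("laddr")),
    }


def translation_pairs(lines, inside_net, dmz_net):
    """Map each real inside host (laddr) to the set of DMZ-side global
    addresses (gaddr) it was translated to when talking to a DMZ host.
    Only records whose laddr is inside and whose faddr is in the DMZ count."""
    pairs = {}
    for line in lines:
        rec = parse_302020(line)
        if rec is None:
            continue
        if rec["laddr"] in inside_net and rec["faddr"] in dmz_net:
            pairs.setdefault(rec["laddr"], set()).add(rec["gaddr"])
    return pairs


def dmz_allowlist(lines, inside_net, dmz_net):
    """The peer addresses a DMZ host actually sees for inside-originated
    connections, i.e. the addresses its host filter must allow."""
    allowed = set()
    for gaddrs in translation_pairs(lines, inside_net, dmz_net).values():
        allowed |= gaddrs
    return allowed


if __name__ == "__main__":
    for laddr, gaddrs in sorted(translation_pairs(SAMPLE_LOG, INSIDE, DMZ).items()):
        print(f"inside host {laddr} appears in the DMZ as {sorted(map(str, gaddrs))}")
    print("allow on the DMZ server:", sorted(map(str, dmz_allowlist(SAMPLE_LOG, INSIDE, DMZ))))
```

Run it against a longer capture of 302020 messages (or 302013/302015 for TCP/UDP, which use the same faddr/gaddr/laddr naming) and the allowlist tells you whether the translation is one fixed address or a pool of them; if several gaddr values show up for the same laddr over time, the PIX is handing them out dynamically and the DMZ-side rule has to cover the whole pool.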
