515e and DMZ trouble

manaughl
Level 1

We have recently installed a PIX 515e, replacing a 506e. The reason we did this was to set Citrix Web and Gateway servers inside a DMZ. The PIX has three interfaces: outside, inside and DMZ. I need to be able to allow the DMZ servers to access a Citrix farm on the inside and a Certificate Authority server, also on the inside. I've been at this for about a week and have gotten the books, but I still am not getting it right.

Attached, along with the topology, is the entire config. There may be something in it that is causing my problem. I'm also not sure the DMZ interface is set up right. If anyone wants a rough diagram of the topology I can attach that as well.

Also, I want to be able to test the connections, and my telnetting and pinging to inside servers from the DMZ isn't working. Please help.

4 Replies

insania2016
Level 1

Try:

static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

joneschw1
Level 1

I believe that you still need this statement in there:

nat (inside) 0 access-list NO_NAT

Post and let me know if this works

As far as the telnet and ping, since you are coming from a less secure interface (DMZ) to the internal network, you would have to add specific ACLs for that.

CJ

ehirsel
Level 6

I noted that you have this statement:

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

and this access-list that is not referred to anywhere:

access-list NO_NAT permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

If your intention is to allow the DMZ hosts to access the internal hosts using their true addresses, you should remove the static and code this:

nat (inside) 0 access-list NO_NAT

followed by a clear xlate command.

Or you could just do this:

Remove the NO_NAT ACL and code the static similar to what the previous poster recommended:

static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

Again, run the clear xlate command after adjusting any static statements to make the new entries take effect.
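The two replies above cover the NAT side; the thread's first post also asked why telnet and ping from the DMZ to the inside fail, which is the access-list side. The following PIX 6.x fragment is an added example that ties both together (it is not the original poster's config, nor either replier's). The inside range 10.0.0.0/8 and the DMZ range 192.168.1.0/24 are taken from the NO_NAT ACL and the static quoted above; the individual host addresses (10.1.1.10 Citrix farm, 10.1.1.20 CA, 192.168.1.10 Web Interface, 192.168.1.11 Secure Gateway) and the service ports (1494/2598 for ICA and session reliability, 80 for the Citrix XML service, 80/443 for CA web enrollment) are assumptions chosen for illustration and must be replaced with the real ones. The `!` lines are explanatory comments for the reader and can be dropped when pasting.

```cisco
! --- 1. Identity NAT inside -> DMZ (pick ONE of the two; do not combine them) ---
! (a) NAT exemption, as ehirsel recommends. The ACL is bidirectional: inside hosts
!     keep their real addresses whether the DMZ or the inside starts the connection.
access-list NO_NAT permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
! (b) or an identity static for the whole inside range (leave commented if using (a)):
! static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

! --- 2. Permit only what the DMZ servers actually need toward the inside ---
! Traffic initiated from a lower-security interface (DMZ, e.g. security20) toward a
! higher one (inside, security100) is denied until an ACL applied inbound on DMZ
! permits it. Addresses and ports below are assumptions, not from the thread.
! Web Interface / Secure Gateway -> Citrix farm: ICA and session reliability (CGP)
access-list DMZ_IN permit tcp host 192.168.1.10 host 10.1.1.10 eq 1494
access-list DMZ_IN permit tcp host 192.168.1.10 host 10.1.1.10 eq 2598
access-list DMZ_IN permit tcp host 192.168.1.11 host 10.1.1.10 eq 1494
access-list DMZ_IN permit tcp host 192.168.1.11 host 10.1.1.10 eq 2598
! Web Interface -> Citrix XML service on the farm (assumed on TCP 80)
access-list DMZ_IN permit tcp host 192.168.1.10 host 10.1.1.10 eq 80
! DMZ servers -> Certificate Authority web enrollment (assumed HTTP/HTTPS)
access-list DMZ_IN permit tcp host 192.168.1.10 host 10.1.1.20 eq 80
access-list DMZ_IN permit tcp host 192.168.1.10 host 10.1.1.20 eq 443
access-list DMZ_IN permit tcp host 192.168.1.11 host 10.1.1.20 eq 80
access-list DMZ_IN permit tcp host 192.168.1.11 host 10.1.1.20 eq 443
! Temporary test entries for the ping/telnet checks in the first post. Remove them
! once the application traffic works; an open telnet path from the DMZ is a liability.
access-list DMZ_IN permit icmp 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0 echo
access-list DMZ_IN permit tcp host 192.168.1.10 host 10.1.1.10 eq 23
! Everything else from the DMZ to the inside is dropped explicitly ...
access-list DMZ_IN deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
! ... and the DMZ keeps its outbound path to the Internet. Without this line the
! implicit deny at the end of the ACL would also cut DMZ -> outside once the
! access-group is applied, which is a common surprise when adding a DMZ ACL.
access-list DMZ_IN permit ip 192.168.1.0 255.255.255.0 any
access-group DMZ_IN in interface DMZ

! --- 3. Flush old translations so the new NAT entries take effect ---
clear xlate
```

Order matters in PIX 6.x ACLs: the specific permits must sit above the `deny ip ... 10.0.0.0` line, and the `permit ip ... any` must be last so it cannot match inside destinations. To check the result, run the ping and telnet tests from a DMZ host and then look at `show access-list DMZ_IN`, whose hit counts show which entry each test matched, and `show xlate` to confirm the inside hosts appear with their real addresses rather than a PAT address.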

manaughl
Level 1

The last post was correct. I had an access list without a group, so I fixed that. All is well. However, I have two static translations for the servers in the DMZ that are translated to public IP addresses. Shouldn't I be able to go to the public IP and get that website? I am unable to now. When I use the internal IP I get to the site no problem. Is there a way in the PIX to make that work without changing a local hosts file? The DMZ servers are in a workgroup and the internal network is in a 2003 Domain with ADS. Any ideas?