Adding static for inside to DMZ access kills FTP access

jwmock (Level 1)

We have had an FTP server on our DMZ with no issues related to access from inside or outside. We added a second DMZ server that needs internal access. Based on other forum discussions, it appeared we just needed to add a static from inside to DMZ with the inside network IP range. When I added this command, it allowed the new server inside access, but my internal access to the FTP server died. External access to the FTP server remained fine.

Some of my config is as follows:

ip address outside 208.5.114.xxx 255.255.255.0
ip address inside 10.57.x.x 255.255.255.0
ip address WEBDmz 192.168.1.1 255.255.255.0
ip address ISADmz 192.168.5.1 255.255.255.0
fixup protocol ftp 21
access-list WEBDmz_access_in permit udp any any
access-list WEBDmz_access_in permit tcp any any
access-list WEBDmz_access_in permit icmp any any
access-list WEBDmz_access_in permit ip any any
global (outside) 10 208.5.114.50-208.5.114.180 netmask 255.255.255.0
global (outside) 10 208.5.114.181
global (WEBDmz) 10 192.168.1.51-192.168.1.200 netmask 255.255.255.0
global (ISADmz) 10 192.168.5.100-192.168.5.150 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (WEBDmz) 10 0.0.0.0 0.0.0.0 0 0
nat (ISADmz) 10 0.0.0.0 0.0.0.0 0 0
static (WEBDmz,outside) 208.5.114.xx Systems netmask 255.255.255.255 0 0

The command I tried to add was like:

static (inside,WEBdmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

As I said, this allowed full access to the new DMZ host but killed internal access to the DMZ FTP host.

Can anyone lend some insight into my problem?

6 Replies

Patrick Iseli (Level 7)

The static uses a syntax like this:

ip address dmz 192.168.1.1 255.255.255.0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

and not the network from the inside network.

sincerely

Patrick

Entering this command also killed all access to the DMZ. The logging buffer showed 305006 regular translation failed...

Could you give me more details on what you are trying to do exactly? A modified copy of the config would be great.

If I understand you right, you are trying to connect from your inside interface to the DMZ using a private address. That's how it is set up:

static (inside,WEBdmz) insidenet insidenet netmask 255.0.0.0 0 0

What does the nat (inside) 0 access-list inside_nat0_outbound look like?

Because this does basically the same thing.

sincerely

Patrick

The nat statement you mentioned was just used to block some outbound protocols from inside.

My issue is that in my current setup, from the inside I can utilize my FTP/web server on the DMZ. We now have another server on the DMZ that needs more access to the inside for SQL and other protocols. Right now that second server cannot access the inside.

On this forum, I have seen two options, one where you utilize a static (inside,webdmz) 10.0.0.0 10.0.0.0.., which does allow the second server internal access, but this command kills my access from inside to the FTP/web server. I added the command you recommended, which uses the DMZ network. Once I entered this command, I lost all access to the FTP/web server from the inside. Outside access still worked. The only things in my config not similar to other postings are my NAT statements for the DMZ.

The other problem, which may be a PIX bug, is that after I enter the commands, do a clear xlate, later remove the commands and do a clear xlate, my access remains blocked until I reload the PIX.

We use private addressing on the inside and DMZ.

Looking at your config, I will suggest these:

1) Remove your access-list webdmz_access_in permit udp any any and its corresponding tcp entry. There is no need for them, as that traffic is already allowed at the network layer by your access-list webdmz_access_in permit ip any any.

2) I see no need to NAT your traffic between the inside and both DMZs. This should take care of that:

access-list no_nat_inside permit ip 10.57.x.x 255.255.255.0 192.168.1.0 255.255.255.0
access-list no_nat_inside permit ip 10.57.x.x 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list no_nat_inside

Then remove the global (webdmz) and global (isadmz) statements.

3) I would include a static statement for the server's specific IP address and not the whole subnet, since you were okay with the FTP/web server prior to this:

static (inside,webdmz) "new server ip" "new server ip" netmask 255.255.255.255 0 0

4) Clear xlate.

Hope this helps.

My thanks to all. I finally opened a ticket. The fix was the static (inside,webdmz) insidenet insidenet command, as thought. Our problem after entering this command, with no access to the FTP server, was related to the FTP server being multihomed. Once we killed the second NIC that had an inside address, all worked as expected.
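The three NAT pieces discussed in this thread (the dynamic nat/global pool, the identity static (inside,dmz) mapping, and the nat 0 access-list exemption) and the multihoming finding in the last post can be reasoned through with a small model. The Python below is an added example written for this page, not configuration or code from the thread or from Cisco. It models PIX 6.x xlate selection only in outline (nat 0 exemption first, then static, then dynamic nat/global; interface ACLs are ignored), and every address in it is a constructed stand-in for the thread's redacted ones: inside 10.57.1.0/24, a client at 10.57.1.10, the FTP server at 192.168.1.20 with an assumed second NIC at 10.57.1.200, and 192.168.1.51 as the first address of the WEBDmz global pool.

```python
"""Simplified model of how a PIX 6.x picks an xlate for inside -> DMZ traffic,
whether a DMZ host can reach an inside host at all, and which NIC a multihomed
DMZ server uses to reply.  Constructed example for this thread; all addresses
are assumptions, not the poster's real ones."""
import ipaddress
from dataclasses import dataclass, field


def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


@dataclass
class PixNat:
    # (real_net, mapped_net) pairs from "static (inside,dmz) mapped real netmask ..."
    statics: list = field(default_factory=list)
    # (inside_net, dmz_net) pairs from the ACL behind "nat (inside) 0 access-list ..."
    nat0_acl: list = field(default_factory=list)
    # addresses from "global (dmz) 10 ..." used for dynamic NAT (first one is used here)
    global_pool: list = field(default_factory=list)

    def translate(self, src, dst):
        """Mapped source address for an inside -> DMZ packet.
        PIX order of evaluation: nat 0 ACL exemption, then static, then nat/global."""
        for inside_net, dmz_net in self.nat0_acl:
            if in_net(src, inside_net) and in_net(dst, dmz_net):
                return src, "nat 0 access-list (exempt)"
        for real, mapped in self.statics:
            if in_net(src, real):
                real_n = ipaddress.ip_network(real)
                mapped_n = ipaddress.ip_network(mapped)
                offset = int(ipaddress.ip_address(src)) - int(real_n.network_address)
                return str(mapped_n.network_address + offset), "static"
        if self.global_pool:
            return self.global_pool[0], "dynamic nat/global"
        return None, "no xlate"

    def dmz_can_reach_inside(self, dmz_src, inside_dst):
        """Traffic from the lower-security DMZ to inside needs an xlate for the inside
        host that already exists: a static or a nat 0 exemption.  A dynamic nat/global
        pool only creates xlates when inside initiates.  (ACLs are not modelled.)"""
        for inside_net, dmz_net in self.nat0_acl:
            if in_net(inside_dst, inside_net) and in_net(dmz_src, dmz_net):
                return True
        return any(in_net(inside_dst, mapped) for _, mapped in self.statics)


@dataclass
class Server:
    name: str
    nics: dict              # iface -> (own_ip, connected_net)
    default_gw_iface: str   # iface whose default gateway is the PIX DMZ address

    def reply_iface(self, client_ip):
        """A host sends straight out a NIC whose subnet contains the destination,
        bypassing its gateway; otherwise it uses the default gateway."""
        for iface, (_, net) in self.nics.items():
            if in_net(client_ip, net):
                return iface
        return self.default_gw_iface


def scenario(pix, server, client="10.57.1.10", ftp_ip="192.168.1.20"):
    """What source does the FTP server see, and does its reply go back through
    the PIX (symmetric) or out another NIC (asymmetric)?"""
    mapped, how = pix.translate(client, ftp_ip)
    if mapped is None:
        return {"xlate": None, "how": how, "reply_iface": None, "symmetric": False}
    iface = server.reply_iface(mapped)
    return {"xlate": mapped, "how": how, "reply_iface": iface,
            "symmetric": iface == server.default_gw_iface}


# Assumed addressing: inside 10.57.1.0/24, WEBDmz 192.168.1.0/24 (PIX at 192.168.1.1).
ORIGINAL = PixNat(global_pool=["192.168.1.51"])                      # nat/global only
WITH_STATIC = PixNat(global_pool=["192.168.1.51"],
                     statics=[("10.0.0.0/8", "10.0.0.0/8")])          # the thread's fix
WITH_NAT0 = PixNat(global_pool=["192.168.1.51"],
                   nat0_acl=[("10.57.1.0/24", "192.168.1.0/24")])     # the no_nat_inside approach

SINGLE_HOMED = Server("ftp", {"dmz": ("192.168.1.20", "192.168.1.0/24")}, "dmz")
MULTI_HOMED = Server("ftp", {"dmz": ("192.168.1.20", "192.168.1.0/24"),
                             "inside": ("10.57.1.200", "10.57.1.0/24")}, "dmz")

if __name__ == "__main__":
    for label, pix in [("original", ORIGINAL), ("static", WITH_STATIC), ("nat 0", WITH_NAT0)]:
        for srv in (SINGLE_HOMED, MULTI_HOMED):
            r = scenario(pix, srv)
            print(f"{label:9} {len(srv.nics)} NIC(s): src seen on DMZ={r['xlate']:<14} "
                  f"reply via {r['reply_iface']:<7} symmetric={r['symmetric']}")
        print(f"{label:9} new DMZ server can reach inside: "
              f"{pix.dmz_can_reach_inside('192.168.1.30', '10.57.1.5')}")
```

Under the original nat/global-only configuration, inside clients appear on the DMZ as 192.168.1.51, an address on the server's own DMZ subnet, so even the multihomed server replies through the PIX; the cost is that no DMZ host can initiate to inside, because no xlate for the inside host exists until inside opens a connection. The identity static (or the nat 0 exemption, which does the same job) gives the new DMZ server its path to inside, but the FTP server now sees the client's real 10.57.1.x address, and a server with a NIC on that subnet sends its reply directly out that NIC, so the PIX never sees the return half of the connection. Removing that inside NIC, as the last post did, puts the reply back on the DMZ path through the PIX, which is consistent with the outcome reported in the thread.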