09-30-2004 11:32 AM - edited 03-09-2019 08:57 AM
We have had an FTP server on our DMZ with no issues related to access from inside or outside. We added a 2nd DMZ server that needs internal access. Based on other forum discussions, it appeared we just needed to add a static from inside to dmz with the inside network ip range. When I added this command, it allowed the new server inside access, but my internal access to the FTP server died. External access to the FTP server remained fine.
Some of my config is as follows:
ip address outside 208.5.114.xxx 255.255.255.0
ip address inside 10.57.x.x 255.255.255.0
ip address WEBDmz 192.168.1.1 255.255.255.0
ip address ISADmz 192.168.5.1 255.255.255.0
fixup protocol ftp 21
access-list WEBDmz_access_in permit udp any any
access-list WEBDmz_access_in permit tcp any any
access-list WEBDmz_access_in permit icmp any any
access-list WEBDmz_access_in permit ip any any
global (outside) 10 208.5.114.50-208.5.114.180 netmask 255.255.255.0
global (outside) 10 208.5.114.181
global (WEBDmz) 10 192.168.1.51-192.168.1.200 netmask 255.255.255.0
global (ISADmz) 10 192.168.5.100-192.168.5.150 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (WEBDmz) 10 0.0.0.0 0.0.0.0 0 0
nat (ISADmz) 10 0.0.0.0 0.0.0.0 0 0
static (WEBDmz,outside) 208.5.114.xx Systems netmask 255.255.255.255 0 0
The command I tried to add was like
static (inside,WEBdmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
As I said this allowed full access to the new DMZ host but killed internal access to DMZ FTP host.
Can anyone lend some insight into my problem?
09-30-2004 12:47 PM
The static uses a syntax like that:
ip address dmz 192.168.1.1 255.255.255.0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
And not the network from the inside network.
sincerely
Patrick
10-01-2004 05:51 AM
Entering this command also killed all access to the DMZ. The logging buffer showed 305006 regular translation failed...
10-01-2004 06:40 AM
Could you give me more details what you are trying to do exactly. A modified copy of the config would be great.
If I understand you right, you are trying to connect from your inside interface to the DMZ using a private address. That's how it is set up:
static (inside,WEBdmz) insidenet insidenet netmask 255.0.0.0 0 0
How does the nat (inside) 0 access-list inside_nat0_outbound look?
Because this does basically the same thing.
sincerely
Patrick
10-01-2004 07:08 AM
The nat statement you mentioned was just used to block some outbound protocols from inside.
My issue is that in my current setup from the inside I can utilize my FTP/web server on the DMZ. We now have another server on the DMZ that needs more access to the inside for SQL, and other protocols. Right now that 2nd server cannot access the inside.
On this forum, I have seen two options, one where you utilize a static (inside,webdmz) 10.0.0.0 10.0.0.0.. which does allow the 2nd server internal access, but this command kills my access from inside to the FTP/web server. I added the command you recommended which uses the DMZ network. Once I entered this command, I lost all access to the FTP/web server from the inside. Outside access still worked. The only things in my config not similar to other postings are my nat statements for the DMZ.
The other problem which may be a pix bug is that after I enter the commands, do a clear xlate, later remove the commands and do a clear xlate, my access remains blocked until I reload the pix.
We use private addressing on the inside and dmz.
10-01-2004 08:53 AM
Looking at your config, I will suggest these:
1) Remove your access-list webdmz_access_in permit udp any any and its corresponding tcp entry. There is no need for it as it is allowed at the Network Layer by your access-list webdmz_access_in permit ip any any.
2) I see no need to nat your traffic between the inside and both DMZs. This should take care of that:
access-list no_nat_inside permit ip 10.57.x.x 255.255.255.0 192.168.1.0 255.255.255.0
access-list no_nat_inside permit ip 10.57.x.x 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list no_nat_inside
then remove the global (webdmz) and global (isadmz) statements.
3) I will include a static statement to include the server's specific IP address and not the whole subnet, since you were okay with the FTP/web server prior to this time.
static (inside,webdmz) "new server ip" "new server ip" netmask 255.255.255.255 0 0
4) Clear xlate
Hope this helps
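An added Python check, not code from the thread or from Cisco, that parses the PIX config lines quoted above and flags the two things the replies discuss: blanket ACEs shadowed by permit ip any any (point 1), and an identity static whose mapped range collides with the DMZ interface's own subnet (the form suggested earlier, which produced the 305006 translation failures). The masked octets from the post (10.57.x.x) are filled with placeholder values, and interface names are compared case-insensitively here even though the PIX itself is case-sensitive.

```python
import ipaddress
import re

# Constructed sample assembled from the config lines quoted in this thread.
SAMPLE_CONFIG = """
ip address inside 10.57.1.1 255.255.255.0
ip address WEBDmz 192.168.1.1 255.255.255.0
ip address ISADmz 192.168.5.1 255.255.255.0
access-list WEBDmz_access_in permit udp any any
access-list WEBDmz_access_in permit tcp any any
access-list WEBDmz_access_in permit icmp any any
access-list WEBDmz_access_in permit ip any any
static (inside,WEBDmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (inside,WEBDmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
"""

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
# PIX order: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) permit (\S+) any any$")

def parse(config):
    """Return interface subnets, static entries and blanket permit ACEs."""
    ifaces, statics, aces = {}, [], []
    for line in config.strip().splitlines():
        if m := IFACE_RE.match(line):
            ifaces[m[1].lower()] = ipaddress.ip_interface(f"{m[2]}/{m[3]}").network
        elif m := STATIC_RE.match(line):
            mapped = ipaddress.ip_network(f"{m[3]}/{m[5]}", strict=False)
            real = ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)
            statics.append((m[1].lower(), m[2].lower(), mapped, real))
        elif m := ACE_RE.match(line):
            aces.append((m[1].lower(), m[2].lower()))
    return ifaces, statics, aces

def static_problems(ifaces, statics):
    """Flag identity statics that cannot work for inside-to-DMZ access."""
    problems = []
    for real_ifc, mapped_ifc, mapped, real in statics:
        # Mapped range sits on the DMZ interface's own subnet: the PIX would
        # claim the DMZ hosts' addresses for translated inside hosts.
        if mapped.overlaps(ifaces[mapped_ifc]):
            problems.append((str(mapped), f"overlaps {mapped_ifc} subnet"))
        elif not ifaces[real_ifc].subnet_of(real):  # no inside host matches
            problems.append((str(real), f"covers no host on {real_ifc}"))
    return problems

def redundant_aces(aces):
    """ACEs shadowed by a 'permit ip any any' in the same list."""
    blanket = {name for name, proto in aces if proto == "ip"}
    return [(n, p) for n, p in aces if n in blanket and p != "ip"]
```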
10-01-2004 11:44 AM
My thanks to all. I finally opened a ticket. The fix was the static (inside,webdmz) insidenet insidenet command as thought. Our problem after entering this command with no access to the FTP server was related to the FTP server being multihomed. Once we killed the 2nd nic that had an inside address, all worked as expected.