10-23-2005 12:14 AM - edited 03-09-2019 12:48 PM
We have 2 subnets, 10.241.34.0/24 and 10.241.71.0/24, in the LAN which form a part of the offshore dev center, which need to have access to the internet as well as to our local LAN 172.19.0.0. How do I configure it?
10-23-2005 03:42 AM
Assuming 10.241.34.0/24 and 10.241.71.0/24 are connected to the PIX DMZ interface, then
for the DMZ accessing the internet:
global (outside) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
for the DMZ accessing the inside:
static (dmz,inside) 10.241.34.0 10.241.34.0 netmask 255.255.255.0
access-list dmz_access_inside permit ip 10.241.34.0 255.255.255.0 172.19.0.0 255.255.255.0
access-group dmz_access_inside in interface dmz
You may restrict DMZ access to the inside by adjusting the ACL dmz_access_inside,
e.g.
access-list dmz_access_inside permit tcp 10.241.34.0 255.255.255.0 host 172.19.0.100 eq 3389
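The statements in the reply above, as an added worked example that is not from the thread or from Cisco: it generates the identity static and ACL lines for both DMZ subnets (the reply shows only 10.241.34.0), and then evaluates a few constructed flows against the broad "permit ip" ACL and the restricted "tcp ... eq 3389" ACL with first-match semantics and the PIX implicit deny. The interface names dmz/inside, the 172.19.0.0/24 inside network and the host/port in the restricted entry come from the reply; the flows and everything else are assumptions.

```python
# Added example (not from the thread): build the PIX 6.3 lines suggested for
# DMZ -> inside access and evaluate sample flows against the resulting ACL.
# Interface names "dmz"/"inside", the subnets and the inside host/port follow
# the reply; the sample flows below are constructed for illustration.
from ipaddress import ip_address, ip_network

DMZ_SUBNETS = ["10.241.34.0/24", "10.241.71.0/24"]
INSIDE_NET = "172.19.0.0/24"   # as written in the suggested ACL


def pix_config(dmz_subnets, inside_net, acl="dmz_access_inside"):
    """Return PIX 6.3 lines: PAT for internet access, one identity static per
    DMZ subnet (no translation towards the inside) and an ACL that lets each
    DMZ subnet reach the inside network, applied inbound on the dmz interface."""
    lines = ["global (outside) 1 interface",
             "nat (dmz) 1 0.0.0.0 0.0.0.0 0 0"]
    inside = ip_network(inside_net)
    nets = [ip_network(s) for s in dmz_subnets]
    for n in nets:
        lines.append(f"static (dmz,inside) {n.network_address} {n.network_address} "
                     f"netmask {n.netmask}")
    for n in nets:
        lines.append(f"access-list {acl} permit ip {n.network_address} {n.netmask} "
                     f"{inside.network_address} {inside.netmask}")
    lines.append(f"access-group {acl} in interface dmz")
    return lines


def parse_ace(line):
    """Parse the ACE forms used in the thread:
    access-list NAME permit|deny ip|tcp|udp SRC DST [eq PORT]
    where SRC/DST is 'any', 'host A.B.C.D' or 'NET MASK'."""
    tok = line.split()
    assert tok[0] == "access-list", line
    name, action, proto = tok[1], tok[2], tok[3]
    i = 4

    def addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ip_network("0.0.0.0/0")
        if tok[i] == "host":
            i += 2
            return ip_network(tok[i - 1] + "/32")
        net = ip_network(f"{tok[i]}/{tok[i + 1]}")   # address/netmask form
        i += 2
        return net

    src, dst = addr(), addr()
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port}


def permitted(acl_lines, proto, src, dst, dport):
    """First-match evaluation of an ACL; no match means the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"] == "permit"
    return False


# The two ACL variants from the reply (constructed copies of those lines).
BROAD = ["access-list dmz_access_inside permit ip 10.241.34.0 255.255.255.0 "
         "172.19.0.0 255.255.255.0"]
NARROW = ["access-list dmz_access_inside permit tcp 10.241.34.0 255.255.255.0 "
          "host 172.19.0.100 eq 3389"]

if __name__ == "__main__":
    print("\n".join(pix_config(DMZ_SUBNETS, INSIDE_NET)))
    for acl_name, acl in (("broad", BROAD), ("narrow", NARROW)):
        for flow in (("tcp", "10.241.34.5", "172.19.0.100", 3389),
                     ("tcp", "10.241.34.5", "172.19.0.7", 445),
                     ("tcp", "10.241.71.5", "172.19.0.100", 3389)):
            print(acl_name, flow, "permit" if permitted(acl, *flow) else "deny")
```

The third sample flow (source 10.241.71.5) is denied under both ACL variants, which shows why the second DMZ subnet needs its own static and ACL entry; the generator emits both.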
10-23-2005 08:35 PM
Hi Jackko
Thanks for the info. I am attaching the config of the FW. 10.249.34.0 is on the inside and 10.249.71.0 is on the DMZ, and 172.19.0.0 is on the outside, which I would now be moving to the DMZ; on the outside I will have an internet connection terminating.
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 Outside security0
nameif ethernet1 dbinside security99
nameif ethernet2 dbinside1 security50
hostname DB-FW
clock timezone IST 5 30
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 102 permit tcp any host ipms.ultimatix.net eq www
access-list 102 permit tcp any host ipms2.ultimatix.net eq www
access-list 102 permit tcp any host ipmsambattur eq www
access-list 102 permit tcp any host ipmskol eq www
access-list 102 permit tcp any host ipmsseepz eq www
access-list 102 permit tcp any host ipmsshol eq www
access-list 102 permit tcp any host ipmsuat eq www
access-list 102 permit tcp any host pulse eq https
access-list 102 permit tcp any host pulse eq www
access-list 102 permit tcp any host inblrm01 eq https
access-list 102 permit tcp any host inblrm01 eq ldap
access-list 102 permit tcp any host inblrm01 eq netbios-ssn
ip address outside 172.19.X.X 255.255.255.192
ip address dbinside 10.249.34.X 255.255.255.0
ip address dbinside1 10.249.71.X 255.255.255.0
global (outside) 1 172.19.X.X
nat (dbinside) 1 0.0.0.0 0.0.0.0 0 0
access-group 102 in interface dbinside
route tcs 172.17.0.0 255.255.0.0 172.19.x.x 1
route tcs 172.19.0.0 255.255.0.0 172.19.x.x 1
route tcs 172.20.0.0 255.255.0.0 172.19.x.x 1
10-24-2005 12:29 AM
You mentioned, "172.19.0.0 is on the outside which i would now be moving to the DMZ". Just wondering if 172.19.0.0 is replacing the existing 10.249.71.0, or if there is another router that in turn connects to other subnets.
10-24-2005 02:52 AM
Jackko, 172.19.0.0 is being moved to the DMZ and the internet will be on the outside. Also, the 10.249.71.0 range is configured on another DMZ interface.
10-24-2005 07:24 PM
Please excuse me for misunderstanding.
Would you please specify what sort of assistance you are looking for?