DMZ webserver with Public IP unaccessable from inside intf

Movensis.Com · ‎11-18-2005

Hi.

I've a 3 branches network structure with Inside, Outside and DMZ interfaces.

DMZ network has a private IP range (192.168.x.x) and each server as a Public IP (19x.1x6.2x6.xxx) Assigned by PIX and I'm using NAT for the translation.

With this structure, I can do almost anything. I can ping outside and Private IPs of DMZ from inside, but I'm not able to connect to Web Servers by Public IPs.

If I try to connect to a Public IP coming from outside, I've no problems with that, but from Inside it´s not possible.

Any way to do it?!

Thanks!!

jackko · ‎11-18-2005

with the current config, the static statement for the dmz webserver should look like:

static (dmz,outside) netmask 255.255.255.255

as the statement suggests, the translation is between the dmz and the outside interface.

one way to access the webserver from the inside is to use the webserver private ip.

another way is to use the name, however, it requires public dns and the command "alias" on the pix.

e.g.

alias (inside) 255.255.255.255

bapatsubodh · ‎11-22-2005

Even i had the same problem. we had used alias command for Destination Nating. this works fine. But some PDM's dont support alias command. we can use the static command with interfaces swapped as compared with our normal static command. This is static from inside to DMZ. This changes the destination IP address of the destination by address from DMZ region.

Subodh

uvaraj · ‎11-23-2005

Hi,

Please try configuring the below configuration..

Example:

inside network 172.21.224.0 255.255.224.0 dmz server ip address 192.168.221.21

access-list 81 permit ip host 192.168.221.21 172.21.224.0 255.255.224.0

nat (dmz) 0 access-list 81

And configure the ACL for inside if requred to permit.

Uvaraj.B