How to allow all IP traffic from dmz1 to inside interface

li.simon · ‎11-18-2002

We are using PIX-525 and have three interfaces: Outside, Inside and DMZ1.

Does anybody know the command to allow all IP traffic from dmz1 to inside interface?

Thanks,

Simon

gfullage · ‎11-18-2002

To allow traffic from a lower security interface (dmz1) to a higher (inside), you need a static and an access-list. If you just want all traffic to flow between these interfaces as though the PIX was a router and not a firewall, then you need to create static NAT entries for every host on the inside so that they appear on the dmz1 interface, and then simply permit all IP traffic with an access-list.

Let's say your inside interface is on the 10.1.1.0/24 network, and your dmz1 interface is on the 172.16.1.0/24 network. You'd do:

static (inside,dmz1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

access-list 100 permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0

access-group 100 in interface dmz1

Of course this takes away the security of having a DMZ in the first place.

li.simon · ‎11-19-2002

Thank you for your answer.

Are the above commands taking away the security from the outside to the

inside and from the outside to the dmz1? We need the security stay for

"outside to inside" and "outside to dmz1" and security can be taken

away between "dmz1 and inside".

In addition to your commands above, can I add the following command to

do the same function but from higher security (inside) interface to a

lower security interface (dmz1)?

static (dmz1, inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

access-list 101 permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0

access-group 101 in interface inside

Same question again:

Are the above command taking away the security from the outside to the

inside and from the outside to the dmz1? We need the security stay for

"outside to inside" and "outside to dmz1" and security can be taken

away between "inside and dmz1".

Thank you very much for your help again.

Simon