08-24-2006 01:34 PM - edited 03-09-2019 04:00 PM
I just need someone to review my config and make sure I'm not crazy here.
access-list nonat permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 10.3.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 10.2.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 10.4.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 10.5.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 10.6.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 10.7.0.0 255.255.0.0 192.168.0.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 1.1.1.1 192.168.0.2 netmask 255.255.255.255 0 0
static (dmz,outside) 1.1.1.2 192.168.0.4 netmask 255.255.255.255 0 0
ip address outside 1.1.1.3 255.255.255.192
ip address inside 10.1.0.2 255.255.0.0
ip address dmz 192.168.0.1 255.255.255.0
This should allow all ports and all traffic from inside users to connect to DMZ devices without restriction, right?
08-24-2006 02:21 PM
Hi,
For traffic from inside to dmz I have used static translations and it has worked fine. Can you remove the 'nat (inside) 0 access-list nonat' and the access-list nonat. Instead, use a static translation for the inside hosts like the one below.
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.248.0
Hope that helps!
Regards,
Sundar
08-24-2006 02:26 PM
Oops, a typo in the previous posting.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.248.0.0
HTH,
Sundar
08-28-2006 10:03 AM
Sundar,
Can you explain what this does?
08-28-2006 11:11 AM
Glen,
What Sundar recommended is good for a pinned up static configuration from inside to DMZ and DMZ to inside. Essentially he is recommending on your DMZ interface to allow anything to access the inside with an address in the range of 10.0.0.0 255.248.0.0. Statics work both directions so the inside hosts would then be allowed to access the DMZ without a NAT/Global statement.
The NoNat configuration is actually what I prefer as this doesn't add a consistent NAT from the DMZ to the inside addresses. If you require outside to inside then just repeat your ACL with Source and Destination flopped. This in my mind is more secure. Talking to Sundar we both feel either one will work. Basically we aren't sure if your existing configuration was working and are giving alternate suggestions.
Sundar, kick in if I misrepresented anything.
Please rate any helpful posts
Thanks
Fred
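To see the difference between the two approaches discussed above (nat 0 with the nonat ACL versus an identity static from inside to dmz), here is an added example that is not part of the thread: a small parser for the relevant PIX 6.x lines and a classifier that applies the PIX order of operations (NAT exemption first, then static, otherwise dynamic nat/global). It also shows why Sundar's first static with netmask 255.255.248.0 only covered 10.1.0.0-10.1.7.255, which the corrected 255.248.0.0 mask fixes. The configs are constructed from the thread; the parser and function names are hypothetical, not a Cisco tool.

```python
import ipaddress
import re

def _net(addr, mask):
    # PIX writes dotted masks, not prefix lengths; strict=False tolerates host bits
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_pix_nat(config_text):
    """Pull NAT-exemption ACL entries, 'nat 0 access-list' bindings and statics
    out of PIX 6.x configuration text (hypothetical parser, not a Cisco tool)."""
    acl_re = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
    nat0_re = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
    static_re = re.compile(r"^static \((\S+),\s*(\S+)\) (\S+) (\S+) netmask (\S+)")
    acls, exempt, statics = {}, {}, []
    for line in config_text.strip().splitlines():
        line = line.strip()
        if m := acl_re.match(line):
            acls.setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := nat0_re.match(line):
            exempt[m[1]] = m[2]
        elif m := static_re.match(line):
            # static (real_if,mapped_if) MAPPED REAL netmask MASK
            statics.append((m[1], m[2], _net(m[3], m[5]), _net(m[4], m[5])))
    return acls, exempt, statics

def classify_flow(src, dst, config_text, src_if="inside", dst_if="dmz"):
    """Say how the PIX would translate src talking to dst. PIX 6.x order of
    operations: NAT exemption (nat 0 access-list) wins, then static, else dynamic."""
    acls, exempt, statics = parse_pix_nat(config_text)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net in acls.get(exempt.get(src_if, ""), []):
        if s in src_net and d in dst_net:
            return "exempt"
    for real_if, mapped_if, mapped, real in statics:
        if (real_if, mapped_if) == (src_if, dst_if) and s in real:
            return "identity-static" if mapped == real else "static"
    return "dynamic"

# Constructed sample configs: the poster's nonat approach and Sundar's two statics
NONAT_CONFIG = """
access-list nonat permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 10.3.0.0 255.255.0.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
TYPO_STATIC = "static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.248.0"
FIXED_STATIC = "static (inside, dmz) 10.0.0.0 10.0.0.0 netmask 255.248.0.0"
if __name__ == "__main__":
    for cfg in (NONAT_CONFIG, TYPO_STATIC, FIXED_STATIC):
        print(classify_flow("10.3.1.5", "192.168.0.4", cfg))  # exempt / dynamic / identity-static
```

A host on 10.3.0.0/16 is exempted by the nonat ACL and identity-translated by the corrected static, but falls through to dynamic translation with the typo static, which is the kind of silent mismatch worth checking before blaming the DMZ server.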
08-28-2006 12:33 PM
Glen,
I agree with Fred that either one of these configurations should work.
Can you make sure the device(s) on the DMZ are using 192.168.0.1 as their gateway to access anything on the 10.0.0.0 255.248.0.0 network and the inside hosts are using 10.1.0.2 as the gateway to get to host(s) on the DMZ.
Plus, can you check whether you have routes on the PIX for the 10.2.0.0 - 10.7.0.0 networks that should be pointing to the inside network.
HTH,
Sundar
08-28-2006 02:26 PM
The reason I brought it up was that for some reason we can browse to shared files on one server on the DMZ but not the other. Both are Windows based servers. We confirmed that we can browse (network shares) on one server but not the other. It's odd. I jumped on one of the servers on the DMZ and can browse to the other server on the same DMZ LAN fine, but for some reason inside users can only browse to one of the 2 servers. When I debugged today I see SYN packets being sent from the inside source but nothing ever comes back, so either it's the firewall or the server. Can't tell. Will have further access to that server today or tomorrow. The nonat was working before and I tried what Sundar recommended but results were the same. I'll let you know what comes about. Thank you for all your help and I will definitely rate your posts. Thank you.