Internal subnet unable to see server on DMZ.

jpeter
Level 1

Hosts on an internal subnet that is 2 hops away are unable to connect to our DMZ. Here's the network layout...

192.168.50.0<DMZ<---PIX<---192.168.0.0<---192.168.3.0

Hosts on the 192.168.3.0 cannot access the 192.168.50.0 hosts on the DMZ unless aided by a proxy server on the 192.168.0.0 LAN.

Do I need to add route commands?

3 Replies

kdurrett
Level 3

Yes, that's correct, you will need to add a route for the remote network pointing to the next hop on the PIX. You will also need some type of NAT translation set up and an access-list applied to the interface to allow communications.

Kurtis Durrett

That doesn't explain why users in the 192.168.0.0 network can access the DMZ. It was my understanding that access is allowed by default when going from a higher security interface to a lower security interface. Why would I need an access-list for going the opposite direction?

You don't. I think kdurrett just got mixed up with what interface the 192.168.0.0 and 192.168.3.0 networks were on, seeing as you didn't actually mention whether they were inside or outside.

If the 192.168.0.0 and 192.168.3.0 networks are on a higher security interface than the DMZ, then you should be OK, although check that your nat/global statements for those interfaces do actually allow the 192.168.3.0 network to be NAT'd. For example, check you don't have something like:

nat (inside) 1 192.168.0.0 255.255.255.0

global (dmz) 1 x.x.x.x

because this won't NAT the 192.168.3.0 network.

Other than that, just add a route to the 192.168.3.0 network pointing to the next hop away and you should be fine.
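As an added illustration (not taken from this thread), here is the narrow nat statement the reply warns about beside a version that covers both inside networks, followed by the static route it recommends. The DMZ address pool and the 192.168.0.1 next hop are assumed values; substitute your own.

```cisco
! --- Narrow configuration (the case warned about above) ---
! Only 192.168.0.0/24 belongs to NAT group 1, so packets sourced from
! 192.168.3.0/24 have no translation toward the DMZ and are dropped.
nat (inside) 1 192.168.0.0 255.255.255.0
global (dmz) 1 192.168.50.100-192.168.50.200

! --- Corrected configuration ---
! Add the second inside network to the same NAT group so it also uses
! the DMZ global pool. Both subnets sit behind the higher-security inside
! interface, so no access-list is needed for inside-to-dmz traffic.
nat (inside) 1 192.168.0.0 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0
global (dmz) 1 192.168.50.100-192.168.50.200

! Static route so the PIX sends traffic for 192.168.3.0/24 back to the
! inside router instead of its default gateway. 192.168.0.1 is an
! assumed address for that router.
route inside 192.168.3.0 255.255.255.0 192.168.0.1 1

! Verification:
! show route   confirms the 192.168.3.0 route is installed
! show xlate   confirms translations are built for 192.168.3.x hosts
```

Comment lines are marked with `!` for readability; drop them if your PIX release does not accept comment lines at the CLI.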