11-26-2002 12:22 PM - edited 03-09-2019 01:12 AM
Hosts on an internal subnet that is 2 hops away are unable to connect to our DMZ. Here's the network layout...
192.168.50.0<DMZ<---PIX<---192.168.0.0<---192.168.3.0
Hosts on the 192.168.3.0 cannot access the 192.168.50.0 hosts on the DMZ unless aided by a proxy server on the 192.168.0.0 LAN.
Do I need to add route commands?
11-26-2002 12:29 PM
Yes, that's correct. You will need to add a route for the remote network pointing to the next hop on the PIX. You will also need some type of NAT translation set up and an access-list applied to the interface to allow communications.
Kurtis Durrett
11-26-2002 02:28 PM
That doesn't explain why users in the 192.168.0.0 network can access the DMZ. It was my understanding that access is allowed by default when going from a higher security interface, to a lower security interface. Why would I need an access-list for going the opposite direction?
11-26-2002 03:02 PM
You don't; I think kdurret just got mixed up about which interface the 192.168.0.0 and 192.168.3.0 networks were on, seeing as you didn't actually mention whether they were inside or outside.
If the 192.168.0.0 and 192.168.3.0 networks are on a higher security interface than the DMZ, then you should be OK, although check that your nat/global statements for those interfaces do actually allow the 192.168.3.0 network to be NAT'd. For example, check you don't have something like:
nat (inside) 1 192.168.0.0 255.255.255.0
global (dmz) 1 x.x.x.x
because this won't NAT the 192.168.3.0 network.
Other than that, just add a route to the 192.168.3.0 network pointing to the next hop away and you should be fine.
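The two things the last reply tells the poster to verify (is 192.168.3.0 covered by a nat statement on the inside interface, and is there a route for it pointing at the next hop) can be checked mechanically before touching the firewall. The script below is an added example, not part of the original thread or of any Cisco tooling: it parses `nat`, `global` and `route` lines out of a saved PIX config and reports which source subnets on an interface would be left without a translation and which lack a route. The config text, the interface names and the next-hop address 192.168.0.1 are constructed for the example; the check stops at the first matching nat statement and does not model the PIX's full NAT precedence rules.

```python
import ipaddress
import re

# Constructed sample configs. BEFORE is the shape the reply warns about:
# only 192.168.0.0/24 is listed, so the two-hops-away 192.168.3.0/24 is never NAT'd.
BEFORE = """\
nat (inside) 1 192.168.0.0 255.255.255.0
global (dmz) 1 192.168.50.10
"""

# AFTER adds a second nat line for the remote subnet under the same NAT id and a
# route for it via the 192.168.0.0 router (next hop 192.168.0.1 is assumed here).
AFTER = """\
nat (inside) 1 192.168.0.0 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0
global (dmz) 1 192.168.50.10
route inside 192.168.3.0 255.255.255.0 192.168.0.1 1
"""

NAT_RE = re.compile(r"^nat\s+\((?P<iface>[\w-]+)\)\s+(?P<id>\d+)\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)")
GLOBAL_RE = re.compile(r"^global\s+\((?P<iface>[\w-]+)\)\s+(?P<id>\d+)\s+(?P<addr>[\d.]+)")
ROUTE_RE = re.compile(r"^route\s+(?P<iface>[\w-]+)\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)\s+(?P<gw>[\d.]+)")


def parse_config(config):
    """Return (nat_rules, global_rules, routes) parsed from PIX-style config text."""
    nats, globals_, routes = [], [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            nats.append((m["iface"], int(m["id"]), net))
        elif m := GLOBAL_RE.match(line):
            globals_.append((m["iface"], int(m["id"]), ipaddress.ip_address(m["addr"])))
        elif m := ROUTE_RE.match(line):
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append((m["iface"], net, ipaddress.ip_address(m["gw"])))
    return nats, globals_, routes


def matching_nat_id(nats, iface, source):
    """NAT id of the first nat statement on `iface` that contains `source`, else None."""
    src = ipaddress.ip_network(source, strict=False)
    for rule_iface, nat_id, net in nats:
        if rule_iface == iface and src.subnet_of(net):
            return nat_id
    return None


def has_global(globals_, iface, nat_id):
    """True if a global pool with `nat_id` exists on the egress interface."""
    return any(g_iface == iface and g_id == nat_id for g_iface, g_id, _ in globals_)


def has_route(routes, iface, source):
    """True if a route on `iface` covers `source` (the remote subnet)."""
    src = ipaddress.ip_network(source, strict=False)
    return any(r_iface == iface and src.subnet_of(net) for r_iface, net, _ in routes)


def audit(config, ingress, egress, sources):
    """Return {source: [problems]} for each source subnet that would fail ingress->egress."""
    nats, globals_, routes = parse_config(config)
    ingress_nets = [net for r_iface, _, net in nats if r_iface == ingress]
    findings = {}
    for source in sources:
        problems = []
        nat_id = matching_nat_id(nats, ingress, source)
        if nat_id is None:
            problems.append(f"no nat ({ingress}) statement covers {source}")
        elif not has_global(globals_, egress, nat_id):
            problems.append(f"no global ({egress}) {nat_id} pool for nat id {nat_id}")
        src = ipaddress.ip_network(source, strict=False)
        # Directly connected subnets need no route; anything else needs a route entry.
        if not any(src.subnet_of(n) for n in ingress_nets if n.prefixlen > 0) \
                and not has_route(routes, ingress, source):
            problems.append(f"no route via {ingress} for {source}")
        if problems:
            findings[source] = problems
    return findings


if __name__ == "__main__":
    subnets = ["192.168.0.0/24", "192.168.3.0/24"]
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg, "inside", "dmz", subnets) or "OK")
```

Run it against a copy of `show running-config`; any subnet listed in the output is one the DMZ hosts will never see a translated packet from, which matches the symptom in the original post.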