
Verify DMZ Config

rai
Level 1

My ISP points their DNS server to 216.202.205.253, which will point back to our webserver (192.168.0.2). Here are the parameters of my PIX 515:

outside: 216.202.205.250

inside: 128.1.1.10

DMZ: 192.168.0.1

Here is my proposed DMZ config:

global (DMZ) 1 192.168.10-192.168.0.254

static (DMZ, outside) 216.202.205.253 192.168.0.2 netmask 255.255.255.255 1010

conduit permit tcp host 216.202.205.253 eq www any

nat (inside) 1 0.0.0.0 0.0.0.0 0

nat (DMZ) 1 192.168.0.0 255.255.255.0

Could anyone verify if this is a good config? Please advise. Thanks.

2 Replies

saluko
Level 1

Why do you need the "nat (DMZ) 1 192.168.0.0 255.255.255.0" command??

And also the "global (DMZ) 1 192.168.10-192.168.0.254"? Firstly, this is not a registered address, and secondly, you don't need the DMZ to make an outbound connection, do you?

Also, why do you want to NAT the inside address when it's already a legal IP address, or is it not registered? In that case you will need the corresponding global address, i.e. global (outside) 1 .......

rdennis
Level 1

It looks good to me, but the problem I have with it is the conduit statement. You would be better served using access-list rather than conduit.
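
The access-list form of the conduit in the question, as an added example that is not part of the original thread. The ACL name acl_out is an assumption; the address and the www port are the ones posted above, and the syntax assumes a PIX software version that accepts both conduit and access-list.

```text
: Added example. The ACL name "acl_out" is an assumed, arbitrary name.
: Original conduit from the question (destination first, source last):
:   conduit permit tcp host 216.202.205.253 eq www any
: Equivalent access-list entry (source first, destination last):
access-list acl_out permit tcp any host 216.202.205.253 eq www
: Bind the ACL to traffic arriving on the outside interface:
access-group acl_out in interface outside
```

The ACL still matches on the translated address 216.202.205.253, so the static for 192.168.0.2 stays in place. Anything the ACL does not explicitly permit is dropped by its implicit deny.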