Hosts on the Demilitarized Zone (DMZ) network need to pass traffic through the PIX Firewall to connect to devices on another DMZ network. For the purposes of this example, all devices on both of the DMZ interfaces need to use their native addresses.
Configure a static translation and access for the workstations on the DMZ to reach the other DMZ network.
Note: The static Network Address Translation (NAT) that is required covers the entire network of the DMZ with the highest security. The Access Control List (ACL) does not differ from a standard one, but it is applied to the DMZ interface with the lowest security.
In this example, the DMZ with the higher security is called DMZ1 and its network will be 10.10.1.0. The DMZ with the lower security will be called DMZ2 and its network will be 10.10.2.0. All the traffic will pass between the two DMZ networks.
Issue the following commands to configure static NAT:
The static statement above tells the PIX that when traffic arrives from DMZ2 and is destined for DMZ1's network (10.10.1.0), it translates that address to itself. Any traffic that passes through a PIX must be translated. To satisfy this requirement, configure the PIX to translate any address in this range to itself. This is a one-to-one (identity) translation. Because this example uses the same range on both sides, if traffic destined for 10.10.1.19 hits the PIX, it will still be destined for 10.10.1.19 when it is sent out of the DMZ1 interface. The PIX does not reassign it a random IP address from the range.
The ACL to permit traffic from the DMZ2 network to the DMZ1 network must be configured. For this example, you will permit all traffic to pass between the two interfaces. However, this may not always be the best choice, depending on the security policy you must follow. If you are in doubt about what to allow, it is best to allow only the necessary traffic.
Issue the following commands to configure the ACL:
pixfirewall(config)# access-list dmz2dmz permit ip any any
pixfirewall(config)# access-group dmz2dmz in interface DMZ2
After these commands have been issued, you should be able to pass the specified traffic. If there is any problem with passing traffic at that point, issue the clear xlate command.
Note: Issuing this command temporarily drops active connections. They should re-establish within 10 seconds.
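The two steps above assembled into one PIX 6.x configuration, as an added example that is not from the original page. The hardware ids, security levels, the 10.10.x.1 interface addresses and the 10.10.1.19 host used in the tightened ACL are assumptions; the network ranges, interface names and ACL name come from the text.

```cisco
! Assumed interface definitions: DMZ1 has the higher security level.
nameif ethernet2 DMZ1 security60
nameif ethernet3 DMZ2 security40
ip address DMZ1 10.10.1.1 255.255.255.0
ip address DMZ2 10.10.2.1 255.255.255.0
!
! Identity static: DMZ1's network is translated to itself when reached from DMZ2.
! Syntax: static (higher_if,lower_if) mapped_net real_net netmask mask
static (DMZ1,DMZ2) 10.10.1.0 10.10.1.0 netmask 255.255.255.0
!
! Permissive ACL as used in the text, applied inbound on the lower-security interface.
access-list dmz2dmz permit ip any any
access-group dmz2dmz in interface DMZ2
!
! Least-privilege alternative: only HTTP/HTTPS from DMZ2 to one DMZ1 host (constructed).
! A PIX interface holds one inbound access-group, so binding this list replaces dmz2dmz.
access-list dmz2dmz-tight permit tcp 10.10.2.0 255.255.255.0 host 10.10.1.19 eq 80
access-list dmz2dmz-tight permit tcp 10.10.2.0 255.255.255.0 host 10.10.1.19 eq 443
access-group dmz2dmz-tight in interface DMZ2
!
! Verification: confirm the identity translation exists and the ACL is counting hits,
! then clear the translation table if existing xlates predate the static.
show xlate
show access-list dmz2dmz-tight
clear xlate
```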