Hosts on the Demilitarized Zone (DMZ) network need to pass traffic through the PIX Firewall to connect to devices on another DMZ network. For the purposes of this example, all devices on both of the DMZ interfaces need to use their native addresses.
Configure a static translation and access for the workstations on the DMZ to reach the other DMZ network.
Note: The static Network Address Translation (NAT) that is required covers the entire DMZ network with the highest security. The Access Control List (ACL) does not differ from the standard form, but it is applied to the DMZ interface with the lowest security.
In this example, the DMZ with the higher security is called DMZ1 and its network will be 10.10.1.0. The DMZ with the lower security will be called DMZ2 and its network will be 10.10.2.0. All the traffic will pass between the two DMZ networks.
Issue the following commands to configure static NAT:
What the static statement above says is that when traffic arrives at the PIX from DMZ2 destined for DMZ1's network (10.10.1.0), each address is translated to itself. Any traffic that passes through a PIX must be translated. To satisfy this requirement, configure the PIX to translate any address in this range to itself. This is a one-to-one translation. Because this example uses the same range twice, if traffic destined for 10.10.1.19 hits the PIX, it remains destined for 10.10.1.19 when it is sent out of the DMZ1 interface; the PIX does not reassign it a random IP address from the range.
The ACL to permit traffic from the DMZ2 network to the DMZ1 network must be configured. For the example, you will permit all traffic to pass between the two interfaces. However, this may not always be the best choice depending on the security policy you must follow. If you are in doubt on what to allow, it is best to allow only necessary traffic.
Issue the following commands to configure the ACL:
pixfirewall (config t)# access-list dmz2dmz permit ip any any
pixfirewall (config t)# access-group dmz2dmz in interface DMZ2
After these commands have been issued, you should be able to pass the specified traffic. If there is any problem with passing traffic at that point, issue the clear xlate command.
Note: Issuing this command temporarily drops active connections. They should re-establish within 10 seconds.
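The complete DMZ-to-DMZ configuration described above, as an added example that is not part of the original tech note: it assumes PIX 6.x syntax, DMZ1 on ethernet2 at security level 60 (gateway 10.10.1.1), DMZ2 on ethernet3 at security level 40 (gateway 10.10.2.1), and a hypothetical web server at 10.10.1.19; the identity static is shown beside both the permissive ACL from the note and a least-privilege alternative.

```cisco
! Added example (not from the original note). Assumed interface numbers,
! security levels and gateway addresses; 10.10.1.19 is a hypothetical web server.
nameif ethernet2 DMZ1 security60
nameif ethernet3 DMZ2 security40
ip address DMZ1 10.10.1.1 255.255.255.0
ip address DMZ2 10.10.2.1 255.255.255.0
!
! Identity static: the whole DMZ1 network is reachable from DMZ2 under its own
! addresses (10.10.1.x stays 10.10.1.x), which satisfies the PIX rule that
! every forwarded packet must match a translation.
static (DMZ1,DMZ2) 10.10.1.0 10.10.1.0 netmask 255.255.255.0
!
! Permissive setting from the note: everything DMZ2 sends toward DMZ1 is allowed.
! access-list dmz2dmz permit ip any any
!
! Least-privilege alternative: permit only what the policy actually needs
! (HTTP to one host, plus echo requests so the DMZ1 gateway can be pinged).
access-list dmz2dmz permit tcp 10.10.2.0 255.255.255.0 host 10.10.1.19 eq 80
access-list dmz2dmz permit icmp 10.10.2.0 255.255.255.0 host 10.10.1.1 echo
! The implicit deny at the end of the ACL drops every other flow from DMZ2.
access-group dmz2dmz in interface DMZ2
```

After applying the ACL, `show access-list dmz2dmz` shows per-line hit counts, which is the quickest way to confirm the intended flows match a permit entry and unintended ones are being dropped.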