Can't access from DMZ LAN, to INSIDE LAN, HELP!!! 1

macfoxx

Technical User
Jul 26, 2002
PL
Hi folks
Maybe someone can help me!
I have a PIX 515E (6.3) with 3 networks: Outside, Inside and DMZ. Everything works fine: computers on the inside LAN can access the Internet and the DMZ, and computers in the DMZ can access the Internet, but I need two computers in the DMZ, IP addresses 192.168.0.10 and 192.168.0.11, to have access to all computers on the inside LAN 10.13.27.0. I tried making a nat 0, but it doesn't work. This is my configuration; maybe someone will find my mistake.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
name 192.168.0.10 VDSL1
name 192.168.0.11 VDSL2
access-list inside_outbound_nat0_acl permit ip 10.13.27.0 255.255.255.0 192.168.100.0 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 10.13.27.0 255.255.255.0 192.168.200.0 255.255.255.224
access-list DMZ_access_in remark implicit outbound
access-list DMZ_access_in permit ip host VDSL1 10.13.27.0 255.255.255.0
access-list DMZ_access_in permit ip host VDSL2 10.13.27.0 255.255.255.0
access-list DMZ_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.240
access-list DMZ_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.100.0 255.255.255.240
access-list inbound permit tcp any host xxx.xxx.xxx.xxx eq www
access-list inbound permit udp any host xxx.xxx.xxx.xxx eq domain
access-list inbound permit tcp any host xxx.xxx.xxx.xxx eq domain
access-list inbound permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list inbound permit tcp any host xxx.xxx.xxx.xxx eq 2222
access-list inbound permit tcp any host xxx.xxx.xxx.xxx eq pop3
access-list inbound permit tcp any host xxx.xxx.xxx.xxx eq ftp
access-list inbound permit tcp any host xxx.xxx.xxx.xxx eq ftp-data
access-list outside_cryptomap_dyn_60 permit ip any 192.168.100.0 255.255.255.240
access-list outside_cryptomap_dyn_40 permit ip any 192.168.100.0 255.255.255.240
access-list sudetyvpn_splitTunnelAcl permit ip 10.13.27.0 255.255.255.0 any
access-list sudetyvpn_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list outside_cryptomap_dyn_80 permit ip any 192.168.200.0 255.255.255.224
pager lines 24
icmp permit any inside
icmp permit any DMZ
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside 10.13.27.2 255.255.255.0
ip address DMZ 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.100.1-192.168.100.10
ip local pool sudetyvpn-pool 192.168.200.1-192.168.200.30
pdm location 80.53.112.178 255.255.255.255 outside
pdm location VDSL1 255.255.255.255 DMZ
pdm location 192.168.0.2 255.255.255.255 DMZ
pdm location 83.14.65.58 255.255.255.255 outside
pdm location 80.53.112.179 255.255.255.255 inside
pdm location 80.53.112.179 255.255.255.255 outside
pdm location 80.53.112.182 255.255.255.255 inside
pdm location 80.53.112.182 255.255.255.255 outside
pdm location 87.207.41.74 255.255.255.255 outside
pdm location 192.168.0.11 255.255.255.255 DMZ
pdm location 10.13.27.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (DMZ) 0 access-list DMZ_outbound_nat0_acl
nat (DMZ) 10 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) tcp xxx.xxx.xxx.xxx 255.255.255.255 0 0
static (DMZ,outside) tcp xxx.xxx.xxx.xxx domain 192.168.0.2 domain netmask 255.255.255.255 0 0
static (DMZ,outside) tcp xxx.xxx.xxx.xxx smtp 192.168.0.2 smtp netmask 255.255.255.255 0 0
static (DMZ,outside) udp xxx.xxx.xxx.xxx domain 192.168.0.2 domain netmask 255.255.255.255 0 0
static (DMZ,outside) tcp xxx.xxx.xxx.xxx 2222 192.168.0.2 ssh netmask 255.255.255.255 0 0
static (DMZ,outside) tcp xxx.xxx.xxx.xxx pop3 192.168.0.2 pop3 netmask 255.255.255.255 0 0
static (DMZ,outside) tcp xxx.xxx.xxx.xxx ftp 192.168.0.2 ftp netmask 255.255.255.255 0 0
static (DMZ,outside) tcp xxx.xxx.xxx.xxx ftp-data 192.168.0.2 ftp-data netmask 255.255.255.255 0 0
static (inside,DMZ) 10.13.27.0 10.13.27.0 netmask 255.255.255.0 0 0
access-group inbound in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
 
Just a thought, but have you tried assigning your DMZ_access_in ACL rules to the inside interface rather than the DMZ interface?

 
Hi macfoxx, you need to add a static command for getting access from a low security level to a high security level.

i.e., to access from DMZ to Inside / Outside to DMZ / Outside to Inside etc.

I think this will help you:

static (inside,DMZ) 192.168.0.10 192.168.0.10 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.0.11 192.168.0.11 netmask 255.255.255.255 0 0

and give ACL also.

All the best..
 
Thanks psmv, you are right.
I changed your advice slightly, but it works. I had a problem because I need to connect to a device on the inside LAN which has its default gateway set to another router, not to the PIX. But one-to-one NAT resolved all problems.

Mac
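One way to write the one-to-one NAT that the last reply refers to, as an added example that is not configuration from the thread. It assumes the addressing in macfoxx's posted config (inside 10.13.27.0/24 on 10.13.27.2, DMZ 192.168.0.0/24, VDSL1/VDSL2 as named above) and that the inside addresses 10.13.27.210 and 10.13.27.211 are unused; pick either option A or option B, not both.

```cisco
: Added example, not from the original thread. Assumed addressing:
: inside 10.13.27.0/24 (PIX 10.13.27.2), DMZ 192.168.0.0/24,
: VDSL1 = 192.168.0.10, VDSL2 = 192.168.0.11,
: 10.13.27.210 and 10.13.27.211 assumed free on the inside subnet.
:
: Syntax reminder for PIX 6.x:
:   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
:
: Option A: identity static. The DMZ hosts keep 192.168.0.x when they
: reach the inside. Every inside host they talk to must route
: 192.168.0.0/24 back via the PIX, which fails for a host whose default
: gateway is a different router (macfoxx's case).
static (DMZ,inside) 192.168.0.10 192.168.0.10 netmask 255.255.255.255 0 0
static (DMZ,inside) 192.168.0.11 192.168.0.11 netmask 255.255.255.255 0 0
:
: Option B: one-to-one NAT into the inside subnet. Inside hosts see the
: DMZ machines as 10.13.27.210/.211, so replies go to an on-link address
: that the PIX proxy-ARPs for; the inside host's gateway no longer matters.
static (DMZ,inside) 10.13.27.210 192.168.0.10 netmask 255.255.255.255 0 0
static (DMZ,inside) 10.13.27.211 192.168.0.11 netmask 255.255.255.255 0 0
:
: The existing identity static keeps inside addresses untranslated
: toward the DMZ (already present in the posted config).
static (inside,DMZ) 10.13.27.0 10.13.27.0 netmask 255.255.255.0 0 0
:
: Traffic from the lower-security DMZ still needs an explicit permit.
: Restrict it to the two hosts and, where possible, the ports they need
: instead of "permit ip".
access-list DMZ_access_in permit ip host VDSL1 10.13.27.0 255.255.255.0
access-list DMZ_access_in permit ip host VDSL2 10.13.27.0 255.255.255.0
access-group DMZ_access_in in interface DMZ
:
: Verification after a test connection from VDSL1:
:   show xlate                      - expect a static entry for VDSL1
:   show access-list DMZ_access_in  - expect a non-zero hitcnt
```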
 