
DMZ IP schema


Zahundas (IS-IT--Management), Sep 9, 2002
Hi,

I have a PIX 515E. I am looking to set up four DMZs. For DMZ1 I would like to use global IP addresses (we have a full class C) - no NAT and/or PAT, and all the machines located here should be available to the outside world using these IPs. All the hosts on the inside should be able to access the DMZ1 servers unrestricted. All other traffic is going out through NAT using another global IP from the same range.
These are the lines I am looking to add for DMZ1, and the permissions here are just for a web server using port 80.

name 172.168.10.6 SERVER1
nameif ethernet2 DMZ1 security90
ip address DMZ1 172.168.10.5 255.255.255.0
nat (dmz1) 0
access-list dmz1 permit tcp any any eq www
access-group dmz1 in interface DMZ2

Do I still have to use maps for the servers in DMZ1 to outside? Please let me know if I am missing anything.

Regards,
Zahundas
 
No, you won't.

You'll just need to specify this:

nat (dmz1) 0 0.0.0.0 0.0.0.0 0 0

Then of course you'll need to NAT the other interfaces, so:

nat (dmz2) 1 <internal net> <netmask> 0 0
nat (dmz3) 1 <internal net> <netmask> 0 0
nat (dmz4) 1 <internal net> <netmask> 0 0
nat (inside) 1 <internal net> <netmask> 0 0

Since the inside interface has the lower security level of all the interfaces, it will automatically have unrestricted access to dmz1, unless an access-list is created on interface inside, in which case you would just need to implement an access list such as:

access-list inside_out permit ip <inside net> <netmask> <dmz1 net> <netmask>


Computer/Network Technician
CCNA
 
Well, I've tried it and it does not work. The outside interface IP address and the DMZ1 IP address can't be on the same subnet. The error message I'm getting is: "Sorry not allowed to enter IP address on sma network as interface 0". Any ideas?

What I'm trying to do is to have the machines from DMZ1 to get out and be accessible from the net without NAT and/or PAT. I have a class C of IPs, I'm using one IP for the global statement, one for the outside PIX IP, and I want to have a chunk of IPs from the same class assigned to DMZ1.

Thanks,
Zahundas
 
That's correct. You can't have the same network connected to two separate interfaces.

Is it necessary to make every machine have the same represented IP on the internet?

Computer/Network Technician
CCNA
 
Yes, I have to connect all the servers to the net. What I'm trying here is to overcome the limitations of overlapping between NAT for the whole subnet and PAT just for a few machines. If I move 5 servers to a DMZ and use a separate global pool of 5 IPs for the DMZ it should be fine. Can I have a global pool defined just for the DMZ?

Thanks,
Zahundas
 
How about something like this, assuming your IP addresses were 100.100.100.0/255.255.255.0

OUTSIDE: 100.100.100.1/255.255.255.240
DMZ: 100.100.100.17/255.255.255.240
INSIDE: PAT/NAT

On your upstream router:

ip route 100.100.100.0 255.255.255.240 100.100.100.1
ip route 100.100.100.16 255.255.255.240 100.100.100.1

- barry
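The "same network as interface 0" error and barry's /28 split above can be checked before touching the firewall. The script below is an added example, not from the thread or from Cisco: it flags interfaces whose connected networks overlap (the condition the PIX rejects) and emits the upstream static routes for a class C carved into /28 chunks. The 100.100.100.0/24 block is barry's constructed example address space.

```python
from ipaddress import ip_interface, ip_network


def overlapping_interfaces(interfaces):
    """Return sorted name pairs whose connected networks overlap.

    `interfaces` maps an interface name to 'address/mask'; the mask may be
    dotted-decimal (as typed into the PIX) or a prefix length.
    """
    nets = {name: ip_interface(addr).network for name, addr in interfaces.items()}
    names = sorted(nets)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                clashes.append((a, b))
    return clashes


def upstream_routes(block, gateway, new_prefix=28, count=2):
    """Static routes the upstream router needs so that the first `count`
    sub-blocks of `block` are forwarded to the PIX outside address."""
    subnets = list(ip_network(block).subnets(new_prefix=new_prefix))[:count]
    return [f"ip route {s.network_address} {s.netmask} {gateway}" for s in subnets]


# Constructed: the original plan, outside and DMZ1 both using the whole /24.
ORIGINAL_PLAN = {
    "outside": "100.100.100.2/255.255.255.0",
    "dmz1": "100.100.100.5/255.255.255.0",
}

# Constructed: barry's split, each interface on its own /28 of the same class C.
SPLIT_PLAN = {
    "outside": "100.100.100.1/255.255.255.240",
    "dmz1": "100.100.100.17/255.255.255.240",
}

if __name__ == "__main__":
    print("original plan clashes:", overlapping_interfaces(ORIGINAL_PLAN))
    print("split plan clashes:", overlapping_interfaces(SPLIT_PLAN))
    for line in upstream_routes("100.100.100.0/24", "100.100.100.1"):
        print(line)
```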
 