Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

lan to dmz 1

Status
Not open for further replies.
jaku00

jaku00

IS-IT--Management
Nov 10, 2003
10
0
0
FI
Hi

I have n00b question, how I get working global ip's from lan to dmz? Internal ip's working quite well.
 
Sort by date Sort by votes
Well you have to create ACLs for this. For example if you have internal net. 192.168.1.0/24 & the DMZ is 172.168.4.0/24 the ACLs go source then destination.
Example: access-list in2dmz permit ip 192.168.1.0 255.255.255.0 172.168.4.0 255.255.255.0
Then: access-group in2dmz in interface dmz
This allows all IP from network to network to flow.

Thanks
Mike
 
Upvote 0 Downvote
What about if I need external ip working in lan.
Example: external ip 145.145.145.145 nated 10.0.0.5, so if I try ping 145.145.145.145 it's not working in local lan
 
Upvote 0 Downvote
I don't think you'll ever be able to ping your NATed addresses from the inside. It's just how the PIX works.

The NAT statement translate the IP's for you, based on your GLOBAL statements configuration.

eg.
nat (inside) 0 <- a 0 here means it won't use NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0 <- This statement will NAT anything from the inside to the outside
nat (inside) 2 access-list NAT_this <- Any match to this ACL will be NATed according to your GLOBAL statement

global (outside) 1 interface <- will give all your inside IP's a common outside IP (the PIX outside interface IP)

global (dmz) 2 145.145.145.145 <- Matches found in the NAT_this ACL will NAT into this single address, and pass it on to the DMZ.

I hope this is accurate, and that it gives you an explanation to what you were asking jaku00 :)
Good luck!

A firm beleiver of "Keep it Simple" philosophy
Cheers
/T
 
Upvote 0 Downvote
ARe you trying to let hosts on your internal lan access the DMZ or on an external interface?

The security level for the lower than the security level for your inside interface so you will not need a access rule. If you want to let hosts on a lower security level interface access your dmz server, you will need an access rule.

If you do not need translation of the source address 145.145.145.145 then you need to add 145.145.145.145 to your nat 0 statement.
 
Upvote 0 Downvote
First I’m trying internal LAN access to DMZ and when I ping 10.0.0.5 its reply. Only thing I’m need is global ip's working inside to DMZ. Inside interface use translation.
Is it possible to make nat 0 statement for DMZ only?

thnx your reply
 
Upvote 0 Downvote
Is it possible to make nat 0 statement for DMZ only?
Click to expand...
Yes, it is.

Code: 
ip address inside 192.168.1.0 255.255.255.0
ip address DMZ 10.10.10.0 255.255.255.0

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
This will prevent NAT from being used between your inside LAN and your DMZ

A firm beleiver of "Keep it Simple" philosophy
Cheers
/T
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
140
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
139
Johnkite
Johnkite
sudhakar346
  • Locked
  • Question
Cisco ASA inside to DMZ issue over public IP
Replies
2
Views
54
kythri
kythri
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
116
nnaarrnn
nnaarrnn
shmideo
  • Locked
  • Question
How to set up a wireless LAN on X5 interface TZ500
Replies
1
Views
56
shmideo
shmideo

Part and Inventory Search

Sponsor

Back
Top