wallace1819
MIS
Hi,
I'm new to the PIX and although I've been RTFM and googling I can't seem to find the answer to a couple of questions I have. Hope you all can help.
My net setup...
                           |-----|
internet---router---outside|     |inside
                           |-----|
                             dmz
outside interface = xxx.246.9.60 security0
inside interface = 192.168.0.1 security100
dmz interface = 172.16.0.1 security50
inside network = 192.168.0.0/25
dmz network = 172.16.0.0/25
one server in dmz = 172.16.0.2 (public address xxx.xxx.9.42)
I have a PIX 515E with software 6.3(2)
Relevant config stuff...
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
global (outside) 1 interface
static (DMZ,outside) xxx.xxx.9.42 172.16.0.2 netmask 255.255.255.255
Policy:
-traffic from inside to outside should appear as coming from outside interface
-No connections started from dmz and outside to inside
-inside can connect to dmz
Question 1:
IP traffic works fine... but ICMP is giving me problems. I need to be able to ping from the inside to outside and dmz. I add the following for the dmz ...
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.255
and an ACL allowing echo-reply from dmz to inside. Ping works from inside to dmz. The above command, however, causes the hair on the back of my neck to stand up! Is there a reason I should not be doing that???
Question 2:
If I add...
static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.255.255
and an ACL allowing echo-reply from outside to inside. Ping works from inside to outside, but now IP traffic from inside to outside no longer appears as coming from the outside interface. How do I allow echo-reply from the outside and keep IP traffic appearing as if coming from the outside interface???
Question 3:
When I use the static command...
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.255
people on the inside can access the server in the dmz using the 172.16.0.2 address but not using the xxx.xxx.9.42 address. Can I set the PIX up to allow inside users to be able to use either address?
thx for the help,
wallace