PIX515 inside needs to access dmz1 host 1

Guest_imported

(Please note, IP addresses have been changed to protect the innocent.)

I need help routing traffic from the inside interface of our PIX515 to a host in the DMZ. When using the hostname, our DNS will return the proper internal address of the webserver, 192.168.2.18

For some reason though, clients on our inside interface of the PIX are not allowed to access that webserver.

PIX Interfaces
Outside = 123.23.45.67
Inside = 192.168.1.8
DMZ = 192.168.2.78

host = 192.168.2.18

Would the following lines effect this change?

static (inside,dmz1) 192.168.2.18 192.168.1.0 netmask 255.255.255.0 0 0
conduit permit tcp host 192.168.49.18 eq http any

If not, am I close? What would be the proper commands? I'm mostly self-taught/FAQ-taught, with just a loose grip on the routing thing.
 
static (inside,dmz1) 192.168.2.18 192.168.2.18 netmask 255.255.255.255 0 0
OR
static (inside,dmz1) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0

And as far as conduits go, your dmz should have a security level that is less than your inside. Since conduits are only needed when you go from a lower security interface to a higher security interface, you shouldn't need a conduit to get to the web server from the inside of your network. This is assuming that you are filtering using the outbound command on the PIX. Hope this was helpful.
 
Do you have NAT turned on? I allow inside users to originate to the DMZ and outside, so I have NAT turned on with nat 1 <inside network address here>; I'm able to access DMZ hosts just fine without any statics.

Now, I don't allow DMZ hosts (exposed to inet) to originate connections except to 1 host in the inside interface so I have a static statement there.

You only need static statements when you go from lower security to higher security; thus, you shouldn't need a static from inside to dmz.

Iota

P.S. If still no luck, post your config chopping out passwords and outside int ips.
 
Generally the DMZ has a higher security than the inside network (see PIX documentation and network examples), you therefore need a static from one to the other and the global statement. And as for the

'conduit permit tcp host 192.168.49.18 eq http any'

statement, surely it needs the netmask in there as well?
 
Reaper?? I've always understood it that the inside interface should have the highest security level possible since it is the most protected. The less protected/more open, the lower the security.

All references to Cisco Sample Configs I've seen always show the outside at 0, the inside at 100, and dmz(s) inbetween.

-Iota
 
Key Cisco PIX points to remember:

- Connections originated from high security to low security require:
nat and global
- Connections originated from low security to high security require:
static and (conduit or access-list). Try to use access-list, as conduit is expected to be phased out.

So for your example the following would be required:
- Inside (security 100) to DMZ (security 50?), therefore it's a high to low security connection. Therefore use nat and global.
- I'm assuming you can access the Internet, and therefore already have a nat (inside) 1 192.168.1.0 255.255.255.0
- Therefore all that's left is to define the DMZ global by:
global (dmz) 1 192.168.2.200-192.168.2.250
- To add PAT in case you run out of NAT IP addresses on the DMZ add:
global (dmz) 1 192.168.2.251

I've assumed that the IP range 192.168.2.200 to 192.168.2.250 (and .251 for PAT) are available for use, and that NAT to DMZ is to be used. Using the ID 0, with a suitable nat command, stops NAT occurring.

If you wanted to have no NAT to the DMZ from the inside the following would do it I think:
nat (inside) 0 192.168.1.0 255.255.255.0

Enjoy
 
Whoops... *ahem* just a little bit of backtracking now going on... of course you're right, I misinterpreted the post, OK I didn't read it properly! :) Yes, the inside interface has a value of 100 and all the others are less. So I'm a plonker and have handed in my PIX manual as punishment!
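Pulling the thread's advice together, here is a complete PIX 6.x configuration for the three-interface layout described in the original post. It is an added example, not posted by anyone in the thread, and it assumes things the thread never states: the DMZ interface is named dmz1 at security level 50, the software is 6.2 or later (for nat 0 with an access-list), the outside addresses 123.23.45.68 and .69 and the gateway 123.23.45.1 are free, and an inside host 192.168.1.10 is the one host the DMZ may reach. Lines beginning with a colon are PIX comments.

```cisco
: PIX 6.x three-interface configuration (added example, not from the thread).
: Assumed: DMZ interface named dmz1 at security50, PIX 6.2+, outside .68/.69
: and gateway .1 free, inside host 192.168.1.10 as the one DMZ-reachable host.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
ip address outside 123.23.45.67 255.255.255.0
ip address inside 192.168.1.8 255.255.255.0
ip address dmz1 192.168.2.78 255.255.255.0
route outside 0.0.0.0 0.0.0.0 123.23.45.1 1

: High-to-low (inside -> dmz1 and inside -> outside): nat + global only.
: One nat statement for the inside network, plus a global pool on every
: lower-security interface the inside is allowed to reach. No static and
: no conduit/access-list are needed in this direction.
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 123.23.45.68 netmask 255.255.255.0
global (dmz1) 1 192.168.2.200-192.168.2.250 netmask 255.255.255.0
global (dmz1) 1 192.168.2.251 netmask 255.255.255.0

: Alternative for the DMZ leg: keep the real inside addresses instead of
: translating. Drop the two dmz1 globals and exempt inside->dmz1 from NAT
: (nat 0 takes precedence over nat 1 for matching traffic).
: access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
: nat (inside) 0 access-list nonat

: Low-to-high (outside -> dmz1 web server): static + access-list.
static (dmz1,outside) 123.23.45.69 192.168.2.18 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 123.23.45.69 eq www
access-group outside_in in interface outside

: Low-to-high (dmz1 -> one inside host, the setup Iota describes):
: an identity static exposes 192.168.1.10 to the DMZ under its real
: address, and an ACL on dmz1 limits the DMZ to that host and port.
: Caveat: once an access-group is bound to dmz1, everything else the DMZ
: originates (including to the outside) is denied unless listed here.
static (inside,dmz1) 192.168.1.10 192.168.1.10 netmask 255.255.255.255 0 0
access-list dmz1_in permit tcp host 192.168.2.18 host 192.168.1.10 eq smtp
access-list dmz1_in permit udp host 192.168.2.18 any eq domain
access-group dmz1_in in interface dmz1
```

Two checks worth making after applying this. First, the interface name in `global (dmz1) ...` and `static (...,dmz1) ...` must match the `nameif` exactly; the thread mixes `dmz` and `dmz1`, and a global on an interface name that does not exist does nothing. Second, run `clear xlate` after changing nat, global or static, then `show xlate` and `show conn` while an inside client browses to the web server: with the nat 1 / global (dmz1) pair you should see inside clients translated into the 192.168.2.200-.251 range, and with the nat 0 alternative you should see connections but no translations. Note also that in `static (high,low) global local` the first address is what the lower-security side sees, so the original post's `static (inside,dmz1) 192.168.2.18 192.168.1.0 ...` would hand the web server's own address to the inside network on the DMZ side, and that in conduit syntax the `host` keyword is already the /32 form, so no separate netmask is required after it.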
 