
What ip address to use on DMZ interface to disable nat

Status
Not open for further replies.

jdrama

IS-IT--Management
Jan 29, 2008
This has me perplexed. I have a web server with a public IP of 1.x.x.29 plugged directly into the DMZ port. All of our public IPs in the 1.x.x.19 - 29 range are assigned via conduits on the inside interface to internal web servers and use NAT. I do not know what IP address I should assign to the DMZ port. I tried 1.x.x.1 (and also a completely different 192.168.254.1 address, same thing) just to test it out, and that didn't work: I can telnet out on port 80, but cannot download anything.

My ultimate goal is to prevent NAT on 1.x.x.29 so L2TP will not break (NAT-T is not an option, because the MS client does not handle two NAT-T devices despite what the KB article describes as a fix).

So far I have a
static (DMZ,outside) 1.x.x.1 1.x.x.1 netmask 255.255.255.255 0 0

If you need a full config, I will post it.

Thanks in advance
 
Figured it out, I didn't setup a route statement for the single ip address. Stupid is as stupid does.....
 

PIX Version 8.0(3)
!
interface Ethernet0
nameif outside
security-level 0
ip address 213.xxx.xxx.25 255.255.255.248
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.0.200 255.255.255.0
ospf cost 10
!
interface Ethernet2
nameif DMZ
security-level 50
ip address 30.30.30.100 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any host 213.xxx.xxx.26 eq www
access-list outside_access_in extended permit tcp any host 213.xxx.xxx.27 eq www
access-list inside_access_in extended permit tcp any host 213.xxx.xxx.26 eq www
access-list inside_access_in extended permit tcp any host 213.xxx.xxx.27 eq www
access-list inside_access_in extended permit object-group TCPUDP any any eq www
access-list inside_access_in extended permit object-group TCPUDP any any eq domain
access-list inside_access_in extended permit tcp any any eq smtp
access-list inside_access_in extended permit tcp any any eq pop3
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.128
access-list inside_access_out extended permit tcp any any eq smtp
access-list inside_access_out extended permit tcp any any eq pop3
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
asdm image flash:/asdm-603.bin
arp timeout 14400
global (outside) 101 213.xxx.xxx.28-213.xxx.xxx.29 netmask 255.255.255.248
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (DMZ,outside) 213.xxx.xxx.26 30.30.30.201 netmask 255.255.255.255
static (DMZ,outside) 213.xxx.xxx.27 30.30.30.202 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 213.xxx.xxx.30 1
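A small audit script, added here and not part of the thread, that parses the static/global/ACL lines of a PIX config like the one above and flags two things a DMZ publishing setup gets wrong easily: a static-mapped public address with no matching permit in the ACL applied inbound on the outside interface, and a mapped address that also falls inside a dynamic global pool. The sample config is constructed: the masked 213.xxx.xxx octets are replaced with TEST-NET-3 placeholders (203.0.113.x), and a third static for .29 is added purely to trigger both checks.

```python
import re
from ipaddress import ip_address

# Constructed sample: NAT/ACL lines modelled on the PIX config posted above, with
# placeholder public addresses and an extra (deliberately inconsistent) static.
SAMPLE_CONFIG = """
access-list outside_access_in extended permit tcp any host 203.0.113.26 eq www
access-list outside_access_in extended permit tcp any host 203.0.113.27 eq www
global (outside) 101 203.0.113.28-203.0.113.29 netmask 255.255.255.248
nat (inside) 101 0.0.0.0 0.0.0.0
static (DMZ,outside) 203.0.113.26 30.30.30.201 netmask 255.255.255.255
static (DMZ,outside) 203.0.113.27 30.30.30.202 netmask 255.255.255.255
static (DMZ,outside) 203.0.113.29 30.30.30.203 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) \d+ (\S+)-(\S+)")
ACL_HOST_RE = re.compile(r"^access-list (\S+) extended permit \S+ any host (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def audit_statics(config: str) -> dict:
    """Map each static-mapped public address to a list of issues:
    'no_inbound_acl'  - no 'permit ... host <mapped>' in the ACL applied inbound
                        on the interface the static is mapped to (nothing can reach it)
    'in_global_pool'  - the mapped address also lies in a dynamic global pool on
                        that interface, so PAT may hand out an address already claimed
    """
    statics, pools, acl_hosts, applied = [], [], {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append((m[2], ip_address(m[3])))          # (mapped iface, mapped ip)
        elif m := GLOBAL_RE.match(line):
            pools.append((m[1], ip_address(m[2]), ip_address(m[3])))
        elif m := ACL_HOST_RE.match(line):
            acl_hosts.setdefault(m[1], set()).add(ip_address(m[2]))
        elif m := GROUP_RE.match(line):
            applied[m[2]] = m[1]                               # interface -> inbound ACL
    issues = {}
    for iface, mapped in statics:
        found = []
        acl = applied.get(iface)
        if acl is None or mapped not in acl_hosts.get(acl, set()):
            found.append("no_inbound_acl")
        if any(i == iface and lo <= mapped <= hi for i, lo, hi in pools):
            found.append("in_global_pool")
        issues[str(mapped)] = found
    return issues

if __name__ == "__main__":
    for host, problems in audit_statics(SAMPLE_CONFIG).items():
        print(host, problems or "ok")
```

Run against the sample, .26 and .27 come back clean while the constructed .29 static reports both issues; the script does not check routes, which was the actual cause in this thread.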
 