PIX DMZ Config help - Firewalls


Thread: PIX DMZ Config help

  1. PIX DMZ Config help

    Hi,

    Here is what I am trying to do.

    I have a PIX with 3 interfaces, inside, outside & DMZ.

    I have a server connected to the DMZ interface, the server can ping
    the DMZ interface Ok.

    I have a server on the inside interface that I would like to access
    the DMZ server.

    The inside server is on 192.168.1.x, the DMZ interface and DMZ server
    are on 192.168.2.x.

    I have added a 192.168.2.x IP to the inside server and added this
    route to my PIX:

    static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0

    Is this right or am I missing something as the inside server cannot
    ping the DMZ server.

    Regards
    Paul.


  2. Re: PIX DMZ Config help

    you need

    static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

    This way your inside subnet is translated for itself on the DMZ. In other
    words, it makes the inside subnet visible to your DMZ.

    The way you put it doesn't accomplish anything. What you are saying to the
    PIX is translate the inside address of 192.168.2.0 for itself on the DMZ.
    But you don't have any device on the inside at 192.168.2.0.



    "Bob" wrote in message
    news:1194286059.446075.134160@y27g2000pre.googlegroups.com...
    > Hi,
    >
    > Here is what I am trying to do.
    >
    > I have a PIX with 3 interfaces, inside, outside & DMZ.
    >
    > I have a server connected to the DMZ interface, the server can ping
    > the DMZ interface Ok.
    >
    > I have a server on the inside interface that I would like to access
    > the DMZ server.
    >
    > The inside server is on 192.168.1.x, the DMZ interface and DMZ server
    > are on 192.168.2.x.
    >
    > I have added a 192.168.2.x IP to the inside server and added this
    > route to my PIX:
    >
    > static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0
    >
    > Is this right or am I missing something as the inside server cannot
    > ping the DMZ server.
    >
    > Regards
    > Paul.
    >
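
An added example, not part of any post in this thread: a small Python check of the `static (real_if,mapped_if) mapped_ip real_ip netmask ...` form discussed above, flagging a static whose real address is not on the real interface's subnet. The interface-to-subnet table is constructed from the addresses given in the thread, and `parse_static` and `check_static` are hypothetical helper names.

```python
import ipaddress
import re

# PIX 6.x form: static (real_if,mapped_if) mapped_ip real_ip netmask mask [max_conns [emb_limit]]
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")

# Constructed from the thread's addressing (assumption): subnet attached to each interface.
INTERFACE_NETS = {
    "inside": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("192.168.2.0/24"),
}


def parse_static(line):
    """Return (real_if, mapped_if, mapped_net, real_net) or raise ValueError."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a parsable static command: {line!r}")
    real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
    # ip_network() raises ValueError if host bits are set for the given mask.
    mapped_net = ipaddress.ip_network(f"{mapped_ip}/{mask}")
    real_net = ipaddress.ip_network(f"{real_ip}/{mask}")
    return real_if, mapped_if, mapped_net, real_net


def check_static(line, interface_nets=INTERFACE_NETS):
    """Return a list of findings; an empty list means the static is consistent."""
    try:
        real_if, mapped_if, mapped_net, real_net = parse_static(line)
    except ValueError as exc:
        return [str(exc)]
    findings = [f"unknown interface {n!r}" for n in (real_if, mapped_if)
                if n not in interface_nets]
    if findings:
        return findings
    if not real_net.subnet_of(interface_nets[real_if]):
        findings.append(
            f"real address {real_net} is not on the {real_if} network "
            f"{interface_nets[real_if]}; no host there matches this translation"
        )
    return findings


if __name__ == "__main__":
    for cmd in (
        "static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0",
        "static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0",
    ):
        print(cmd, "->", check_static(cmd) or "ok")
```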




  3. Re: PIX DMZ Config help

    mcaissie wrote:
    > you need
    >
    > static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
    >
    > This way your inside subnet is translated for itself on the DMZ. In other
    > words
    > it make the inside subnet visible to your DMZ.



    right, but you might also need a nonat access-list between the two lans:
    nat (inside) 0 access-list no-nat

    and a rule like:

    access-list no-nat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


    good explanation for all types of pix nats here:

    http://tazforum.thetazzone.com/viewtopic.php?t=3616

    M

  4. Re: PIX DMZ Config help

    You can try adding
    static (inside,DMZ) 192.168.2.0 192.168.1.0 netmask 255.255.255.0 0 0

    Let's see whether that solves the problem or not.




    On Nov 5, 11:07 pm, Bob wrote:
    > Hi,
    >
    > Here is what I am trying to do.
    >
    > I have a PIX with 3 interfaces, inside, outside & DMZ.
    >
    > I have a server connected to the DMZ interface, the server can ping
    > the DMZ interface Ok.
    >
    > I have a server on the inside interface that I would like to access
    > the DMZ server.
    > static (inside,DMZ) 192.168.2.0 192.168.1.0 netmask 255.255.255.0 0 0



    > The inside server is on 192.168.1.x, the DMZ interface and DMZ server
    > are on 192.168.2.x.
    >
    > I have added a 192.168.2.x IP to the inside server and added this
    > route to my PIX:
    >
    > static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0
    >
    > Is this right or am I missing something as the inside server cannot
    > ping the DMZ server.
    >
    > Regards
    > Paul.



