Hi,
There is nothing big. Just remember one rule:
1) When traffic is allowed to flow from a higher security interface to a lower
one, you have to use global and nat.
2) When traffic is allowed to flow from lower to higher, then you have to use
static and access-list.
In your case you have to allow access from high to low, so add one more
global command with the address used for natting and also a nat command with
respect to that.
The command which you have to write is:
global (dmz) 1 172.22.100.1-172.22.100.10
This should solve your problem. The range which I have given in global is just
an example, and these addresses would be used by the PIX to NAT internal hosts
when they access the dmz. You don't need to add nat as you have
already defined that.
Hope this helps.
Regds
Tribavan Raina
Network Consultant
TechTonics Group Limited
Level 31 Grand Plimmer Tower
2-6 Gilmer Terrace
PO Box 11 199
Wellington
Ph: +64 4 385 2628
Fax: +64 4 385 2400
www.techtonics.co.nz
-----Original Message-----
From: Tai Ngo [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 18 September 2001 4:05 p.m.
To: [EMAIL PROTECTED]
Subject: Pix and DMZ [7:20333]
Hi All,
I am having a problem configuring the Pix's DMZ interface specifically
getting it to talk to the inside and also having the inside talking to
it. Here's the scenario:
I have 3 interfaces on a Pix 520 running 6.0(1). I have an inside
interface which is on the 192.168.1.0 network, dmz which is on the
172.22.100.0 network, and outside which is the 62.20.100.x Class C network.
I want inside boxes to be able to access a PC on the dmz called DMZPC
with an IP address of 172.22.100.100. I also want the DMZPC to be able to
access machines on the inside of the network. All interfaces on the Pix
use x.x.x.1 for their respective IP addresses.
Currently, my box on the DMZ can access the Internet and the Internet
can access it via a "static (dmz,outside) 62.20.100.131 172.22.100.131
netmask 255.255.255.255 0 0" command.
Here's the output from a show route on my Pix:
outside 0.0.0.0 0.0.0.0 62.20.99.2 1 OTHER static (that's the IP address
of the router on the outside that gets forwarded to our ISP)
outside 62.20.100.0 255.255.255.0 62.20.100.1 1 CONNECT static
dmz 172.22.100.0 255.255.255.0 172.22.100.1 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
Other commands in my configuration that might be important:
global (outside) 1 62.20.100.7 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
I have read the Cisco Pix manual and tried using the syntax in the
manual, but I am now more confused than when I started. Can someone
provide me the configuration lines I need to get it working? Any help
or tips would be greatly appreciated.
Thanks!
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20342&t=20333
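
An added example, not part of either message: a small Python check that applies the two rules from the reply to the statements quoted in the original message and reports what is still missing for each direction. The security levels (inside 100, dmz 50, outside 0) are assumed, since the thread does not show the nameif lines, and the function names are hypothetical.

```python
import re

# Assumed levels: the thread does not show the nameif lines.
SECURITY = {"inside": 100, "dmz": 50, "outside": 0}

def parse(config):
    """Collect nat/global/static/access-group statements from PIX config text."""
    r = {"nat": set(), "global": set(), "static": set(), "acl_in": set()}
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"(nat|global)\s*\((\w+)\)\s+(\d+)\s", line):
            r[m[1]].add((m[2], int(m[3])))      # (interface, nat-id)
        elif m := re.match(r"static\s*\((\w+),\s*(\w+)\)\s", line):
            r["static"].add((m[1], m[2]))       # (higher_if, lower_if)
        elif m := re.match(r"access-group\s+\S+\s+in\s+interface\s+(\w+)", line):
            r["acl_in"].add(m[1])               # ACL bound inbound on interface
    return r

def missing(config, src, dst):
    """List what is still needed for connections initiated from src to dst."""
    r = parse(config)
    if SECURITY[src] > SECURITY[dst]:
        # Rule 1 (higher to lower): nat on src plus a global on dst, same nat-id.
        ids = sorted(i for ifc, i in r["nat"] if ifc == src)
        if not ids:
            return [f"nat ({src}) <id> ..."]
        if not any((dst, i) in r["global"] for i in ids):
            return [f"global ({dst}) {ids[0]} <address range>"]
        return []
    # Rule 2 (lower to higher): static (dst,src) plus an access-list applied on src.
    need = []
    if (dst, src) not in r["static"]:
        need.append(f"static ({dst},{src}) ...")
    if src not in r["acl_in"]:
        need.append(f"access-list applied with access-group in interface {src}")
    return need

# Statements quoted in the original message.
POSTED = """\
global (outside) 1 62.20.100.7 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 62.20.100.131 172.22.100.131 netmask 255.255.255.255 0 0
"""
# POSTED plus the global statement suggested in the reply.
FIXED = POSTED + "global (dmz) 1 172.22.100.1-172.22.100.10\n"

if __name__ == "__main__":
    for cfg in (POSTED, FIXED):
        print(missing(cfg, "inside", "dmz"), missing(cfg, "dmz", "inside"))
```

With the global line added, the inside-to-dmz direction has nothing missing, while dmz-to-inside still reports the static and the access-list that rule 2 calls for.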