RE: PIX- DMZ [7:74422]
Yes, I would like syntax.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74778&t=74422
--
**Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
RE: PIX- DMZ [7:74422]
Yeah! You need to put in the command sets on the PIX. The first step would be the nat and global commands. Second, you would need to specify the routes for the DMZ. Please let me know if you would like to know the syntax of the commands.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74634&t=74422
RE: PIX- DMZ [7:74422]
Most likely, you need to check the access-list applied to your inbound DMZ interface and permit TCP port 80. You also need to verify that your nat and global commands are set for the DMZ network too, if you are NATing them.

zak spaniol wrote:
>
> I have a server on my DMZ that I want to browse the internet with
> but can't. Are there any commands I need to put in or take out
> in order to browse the internet?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74423&t=74422
PIX- DMZ [7:74422]
I have a server on my DMZ that I want to browse the internet with but can't. Are there any commands I need to put in or take out in order to browse the internet?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74422&t=74422
RE: PIX Firewall --- DMZ to Inside Access [7:69877]
Try this:

  pix(config)# access-list <name> permit tcp host 10.1.1.X host 192.168.20.10 eq 7000
  pix(config)# access-group <name> in interface <dmz_if>

where you fill in the correct value for "X" in the source IP address that needs to access the inside, <name> is whatever you want to name your access list, and <dmz_if> is the name you gave the DMZ interface in the "nameif" command.

Note: Currently all traffic from the DMZ to the outside is allowed. The moment you apply that access list to the DMZ interface, all outbound traffic (traffic INTO the DMZ interface and headed anywhere on the outside) will be blocked. There is an implied "deny any any" at the end of the access list. You will then have to open up the ports to the outside that boxes in your DMZ need to use. If the same box needs WWW access to the outside world you will need a statement like this:

  pix(config)# access-list <name> permit tcp host 10.1.1.X any eq 80

The "any" is the destination IP address. If it only goes to a specific WWW site you can use "host A.B.C.D" instead of "any". With the statement as written above you've allowed the pix to access any web server anywhere, assuming it's running on port 80. The same can be done with FTP, SMTP, DNS (except it would be "permit udp" instead of "permit tcp") or any other traffic originating from the DMZ. Any traffic already allowed via access lists from the outside to the DMZ will not be affected, only traffic originating in the DMZ.

The official line from Cisco is that it's not a good idea to mix static/conduits and access-list/access-groups on the same box. If you're allowing traffic from the outside into your DMZ via static/conduit pairs you may have intermittent trouble using both. I've not experienced it personally; I just know what I've read in all of Cisco's docs about it. You may need to consider switching to access-list/access-group instead of conduits. The static statements should remain the same.

If you were going from the inside to the DMZ you would need a "static" statement defining the inside network to the DMZ, but I don't believe you do from a less secure interface to a more secure interface. The two statements above should be all you need to put in your config.

Hope this helps (and it wasn't 10,000 times more info than you wanted).

Mark Smith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 30, 2003 10:26 AM
To: [EMAIL PROTECTED]
Subject: PIX Firewall --- DMZ to Inside Access [7:69877]

Fellows -

I have a scenario here. I have a PIX firewall with 3 interfaces: Inside, Outside and DMZ. Machines on the Inside interface can access servers in the DMZ zone, no problem. I have to facilitate limited access from DMZ zone servers to a host on the Inside interface.

Let's take an example: I have a server in the DMZ zone, 10.1.1.1, and I need to allow TCP port 7000 from this server to a host in the Inside zone whose IP address is 192.168.20.10.

I have a raw configuration in my mind; since I don't have a PIX with 3 interfaces in my lab I can not test it. I know I have to put an Access List / NAT to do this. Any config welcome.

thanks
--
Curious
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=69892&t=69877
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: PIX Firewall --- DMZ to Inside Access [7:69877]
Define static(s) to translate inside host address(es) to DMZ address(es), like so:

  static (inside,DMZ) 192.168.10.222 10.2.5.222 netmask 255.255.255.255 0 0
  static (inside,DMZ) 192.168.10.230 10.2.5.230 netmask 255.255.255.255 0 0

Configure an access list to permit traffic to the translated inside address(es), like so:

  access-list acl_dmz permit tcp host 192.168.10.15 host 192.168.10.230 eq 143
  access-list acl_dmz permit tcp host 192.168.10.15 host 192.168.10.230 eq pop3

Apply your access-list:

  access-group acl_dmz in interface DMZ

Vijay Ramcharan

-----Original Message-----
From: Curious [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 30, 2003 11:26 AM
To: [EMAIL PROTECTED]
Subject: PIX Firewall --- DMZ to Inside Access [7:69877]

Fellows -

I have a scenario here. I have a PIX firewall with 3 interfaces: Inside, Outside and DMZ. Machines on the Inside interface can access servers in the DMZ zone, no problem. I have to facilitate limited access from DMZ zone servers to a host on the Inside interface.

Let's take an example: I have a server in the DMZ zone, 10.1.1.1, and I need to allow TCP port 7000 from this server to a host in the Inside zone whose IP address is 192.168.20.10.

I have a raw configuration in my mind; since I don't have a PIX with 3 interfaces in my lab I can not test it. I know I have to put an Access List / NAT to do this. Any config welcome.

thanks
--
Curious
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=69885&t=69877
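Putting Mark's and Vijay's answers together, here is a complete PIX 6.x configuration for Curious's three-interface scenario; it also answers the first thread's question about a DMZ server that needs to browse the web after an ACL is bound to the DMZ interface. This is an added example written for this page, not a config posted by anyone in the thread. The inside host 192.168.20.10, the DMZ server 10.1.1.1 and TCP 7000 come from the thread; the interface names (outside/inside/dmz), the outside addressing 203.0.113.0/24, the DNS server 203.0.113.53 and the ACL name dmz_in are assumptions.

```cisco
: Added example for PIX 6.x: DMZ server 10.1.1.1 -> inside host 192.168.20.10
: on TCP 7000, while the DMZ keeps web and DNS access to the outside.
: Lines starting with ':' are PIX comment lines.
: Interface names, outside addressing and the ACL name are assumptions.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.20.1 255.255.255.0
ip address dmz 10.1.1.254 255.255.255.0

: Higher -> lower security needs nat/global. Both inside and dmz hosts PAT
: to the outside interface address when they go to the Internet.
nat (inside) 1 192.168.20.0 255.255.255.0 0 0
nat (dmz) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 interface

: Inside -> dmz needs a translation on the dmz side. An identity static
: presents the real inside addresses to the DMZ and takes precedence over
: nat/global. It is also the xlate the DMZ -> inside connection below uses.
static (inside,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0

: Lower -> higher security: the static supplies the xlate, this ACL the
: permission. Order matters: once the ACL is bound to the interface there
: is an implicit deny at the end, and "any" in the outbound web permit
: would also match the inside network, so the inside is handled first.
access-list dmz_in permit tcp host 10.1.1.1 host 192.168.20.10 eq 7000
access-list dmz_in deny ip any 192.168.20.0 255.255.255.0
access-list dmz_in permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list dmz_in permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list dmz_in permit udp 10.1.1.0 255.255.255.0 host 203.0.113.53 eq domain
access-group dmz_in in interface dmz

: Checks after a connection attempt from 10.1.1.1:
:   show access-list dmz_in   (hitcnt on the "eq 7000" line should increase)
:   show xlate                (expect an identity entry for 192.168.20.10)
:   show conn                 (expect 10.1.1.1 -> 192.168.20.10:7000)
```

Without the explicit deny line, the "permit ... any eq www" entry would let every DMZ host reach any inside web server, because the inside network is part of "any"; with it, the only DMZ-to-inside traffic that passes is the single permitted port. Everything else from the DMZ, including the DNS and web permits, only applies to destinations outside 192.168.20.0/24.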
PIX Firewall --- DMZ to Inside Access [7:69877]
Fellows -

I have a scenario here. I have a PIX firewall with 3 interfaces: Inside, Outside and DMZ. Machines on the Inside interface can access servers in the DMZ zone, no problem. I have to facilitate limited access from DMZ zone servers to a host on the Inside interface.

Let's take an example: I have a server in the DMZ zone, 10.1.1.1, and I need to allow TCP port 7000 from this server to a host in the Inside zone whose IP address is 192.168.20.10.

I have a raw configuration in my mind; since I don't have a PIX with 3 interfaces in my lab I can not test it. I know I have to put an Access List / NAT to do this. Any config welcome.

thanks
--
Curious
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=69877&t=69877
RE: PIX Firewall 6.2.2 Inside network can not reach DMZ hosts [7:69779]
Charles-

I could be wrong, but my interpretation of the docs covering the Alias command says that you can't have your cake and eat it too. :) What I mean is, I don't believe you can DNS-Doctor and Destination-NAT at the same time. Like I said, I could be wrong.

From what I understand, you need to do your translation with a static command:

  static (inside,dmz) 10.3.3.1 10.1.1.x netmask 255.255.255.255 0 0

...and then set up your DNS-Doctor alias:

  alias (inside) 10.1.1.x 10.3.3.1 255.255.255.255

Note: Verify that the DNS server resolves your host/domain name to the global IP address of the web server by issuing an nslookup command. The result of the nslookup on the client PC should be the internal IP address of the server (10.1.1.x), because the DNS reply gets doctored as it passes through the PIX.

Also note that, for DNS fixup to work properly, proxy-arp has to be disabled. If you are using the alias command for DNS fixup, disable proxy-arp with the following command after the alias command has been executed:

  sysopt noproxyarp internal_interface

If you are also trying to maintain DNS integrity from the outside point of view, I believe the 'dns' keyword is all that is needed in the following command (to allow the outside world to also reach the DMZ host):

  static (dmz,outside) 10.3.3.1 10.2.2.1 dns netmask 255.255.255.255

Or, taking the concepts from the Alias docs, you could do this:

  alias (outside) 10.2.2.1 10.3.3.1 255.255.255.255

...but I think this might be the older way of doing it.

Don't forget your ACLs so that DNS and whatever other services need to be accessed on the DMZ host (one ACL for the Inside, one for the Outside).

HTH
-Mark

-----Original Message-----
From: Charles Riley [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 29, 2003 7:22 AM
To: [EMAIL PROTECTED]
Subject: PIX Firewall 6.2.2 Inside network can not reach DMZ hosts [7:69756]

Hi, all,

I have a problem that is making me scream and shout, gonna knock myself out. It has to do with my PIX firewall configuration.

The long and short of my problem is that the inside network can only reach inside hosts and outside networks: it can not reach any host on the DMZ, despite the fact that there are numerous statics and aliases configured to permit it to do so.

I have a 515 6.2 with the following networks configured:

  Inside  10.1.1.0/24
  Outside 10.2.2.0/24
  DMZ     10.3.3.0/24

First, we have names for ServerA, located on the DMZ network:

  name 10.3.3.1 SERVERA_DMZ
  name 10.2.2.1 SERVERA_OUTSIDE

ServerA actually is addressed with 10.3.3.1 because it is on the DMZ; 10.2.2.1 is its outside address (as well as being its registered DNS name).

If an inside networker DNS queries for SERVERA, the following commands are supposed to swap the outside address for the DMZ address. In other words, intercept the DNS reply and change it so that the inside network will then establish a session to 10.3.3.1 (DMZ address), not to 10.2.2.1 (outside NAT'ed address):

  alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255
  alias (inside) SERVERA_OUTSIDE SERVERA_DMZ 255.255.255.255

Initial DNS tests show that this is not happening: the inside network DNS queries are getting outside addresses.

Compounding the problem is the translation process itself. The below states that when inside networks go to the DMZ network, PAT their address to 10.3.3.9, excepting those sessions listed in ACL 100 (which upon checking do not affect the translation in this particular case):

  nat (inside) 0 access-list 100
  nat (inside) 1 10.1.1.0 255.255.255.0 0 0
  global (DMZ) 1 10.3.3.9 netmask 255.255.255.0

So, in a happy world, the inside network should DNS query for SERVERA, the PIX should intercept replies and change to a DMZ address (alias), and NAT should then translate as appropriate. In the words of Larry King, it ain't happening, gang...and I don't know why.

I beseech you, oh Group of Infinite Wisdom, for your assistance.

As a closer, my problems started when I upgraded to 6.3.1...what a mistake. I have since downgraded it back to 6.2, and have checked and rechecked the config...there are no commands missing.

TIA,
Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=69779&t=69779
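For reference, here is the static-with-dns-keyword approach Mark mentions, written out for Charles's addressing. This is an added example for this page, not a config posted in the thread. The interface names (inside/outside/DMZ), the networks 10.1.1.0/24, 10.2.2.0/24 and 10.3.3.0/24, the server addresses 10.3.3.1 and 10.2.2.1, and the PAT address 10.3.3.9 come from Charles's post; the ACL names outside_in and dns_cap, the capture name and the hostname servera.example.com are assumptions. Only the static form is used, not alias: the dns option on the static does the reply rewrite by itself, so no sysopt noproxyarp is needed.

```cisco
: Added example for PIX 6.2 and later: DNS doctoring for a DMZ server with
: the "dns" keyword on the static (the alias command is not used).
: Interface names and addresses from the thread; ACL/capture names assumed.

: Publish the DMZ server as 10.2.2.1 on the outside. Argument order is
: static (real_if,mapped_if) mapped_ip real_ip. With "dns", the PIX rewrites
: 10.2.2.1 to 10.3.3.1 in A-record answers that cross it, so an inside
: client asking an outside DNS server gets the DMZ address back.
static (DMZ,outside) 10.2.2.1 10.3.3.1 dns netmask 255.255.255.255 0 0

: Outside -> DMZ is lower -> higher and still needs explicit permission.
access-list outside_in permit tcp any host 10.2.2.1 eq www
access-group outside_in in interface outside

: Inside -> DMZ: the client now connects to 10.3.3.1 and needs a translation
: on the DMZ side. The PAT from the original config does that ...
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 interface
global (DMZ) 1 10.3.3.9 netmask 255.255.255.0
: ... or use an identity static instead, so the server logs real inside
: addresses (a static always wins over nat/global for the hosts it covers):
: static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0

: Check from an inside client: "nslookup servera.example.com" should now
: return 10.3.3.1, not 10.2.2.1. If it still returns 10.2.2.1, confirm that
: the DNS reply actually crosses the PIX (a DNS server on the inside is
: never doctored) with a capture on the inside interface:
access-list dns_cap permit udp any eq domain any
capture dnscap access-list dns_cap interface inside
: show capture dnscap
```

The rewrite only happens to DNS answers that traverse the PIX from the outside toward the inside, which is why the check above starts with where the client's resolver actually lives. If inside clients use an internal DNS server, give that server a zone entry pointing at 10.3.3.1 directly rather than relying on doctoring.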
PIX Firewall 6.2.2 Inside network can not reach DMZ hosts [7:69756]
Hi, all,

I have a problem that is making me scream and shout, gonna knock myself out. It has to do with my PIX firewall configuration.

The long and short of my problem is that the inside network can only reach inside hosts and outside networks: it can not reach any host on the DMZ, despite the fact that there are numerous statics and aliases configured to permit it to do so.

I have a 515 6.2 with the following networks configured:

  Inside  10.1.1.0/24
  Outside 10.2.2.0/24
  DMZ     10.3.3.0/24

First, we have names for ServerA, located on the DMZ network:

  name 10.3.3.1 SERVERA_DMZ
  name 10.2.2.1 SERVERA_OUTSIDE

ServerA actually is addressed with 10.3.3.1 because it is on the DMZ; 10.2.2.1 is its outside address (as well as being its registered DNS name).

If an inside networker DNS queries for SERVERA, the following commands are supposed to swap the outside address for the DMZ address. In other words, intercept the DNS reply and change it so that the inside network will then establish a session to 10.3.3.1 (DMZ address), not to 10.2.2.1 (outside NAT'ed address):

  alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255
  alias (inside) SERVERA_OUTSIDE SERVERA_DMZ 255.255.255.255

Initial DNS tests show that this is not happening: the inside network DNS queries are getting outside addresses.

Compounding the problem is the translation process itself. The below states that when inside networks go to the DMZ network, PAT their address to 10.3.3.9, excepting those sessions listed in ACL 100 (which upon checking do not affect the translation in this particular case):

  nat (inside) 0 access-list 100
  nat (inside) 1 10.1.1.0 255.255.255.0 0 0
  global (DMZ) 1 10.3.3.9 netmask 255.255.255.0

So, in a happy world, the inside network should DNS query for SERVERA, the PIX should intercept replies and change to a DMZ address (alias), and NAT should then translate as appropriate. In the words of Larry King, it ain't happening, gang...and I don't know why.

I beseech you, oh Group of Infinite Wisdom, for your assistance.

As a closer, my problems started when I upgraded to 6.3.1...what a mistake. I have since downgraded it back to 6.2, and have checked and rechecked the config...there are no commands missing.

TIA,
Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=69756&t=69756
RE: With PIX unable to reach DMZ from LAN [7:55608]
You can have multiple NAT statements. NAT 0 will stop NAT for whatever is defined in the access list.

We have a 515 with a DMZ interface. Our inside network is 10.50.0.0/16 and our DMZ network is 172.16.1.0/24. Here is an example from our PIX:

  access-list 101 permit ip 10.50.0.0 255.255.0.0 10.50.0.0 255.255.0.0
  access-list 101 permit ip 10.50.0.0 255.255.0.0 172.16.1.0 255.255.255.0
  access-list 101 permit ip 172.16.1.0 255.255.255.0 10.50.0.0 255.255.0.0
  ip address inside 10.50.1.2 255.255.0.0
  ip address dmz 172.16.1.1 255.255.255.0
  ip local pool vpn-pool 10.50.8.1-10.50.8.50
  global (outside) 1 x.x.x.196-x.x.x.248 netmask 255.255.255.x
  global (outside) 1 x.x.x.195 netmask 255.255.255.x
  nat (inside) 0 access-list 101
  nat (dmz) 0 access-list 101
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Theodore Stout
Sent: Tuesday, October 15, 2002 4:28 AM
To: [EMAIL PROTECTED]
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

But doesn't NAT 0 stop NAT for whatever is defined afterwards? If I remember right, and I just might not, I used it when I wanted to avoid NAT on VPN traffic. I would define VPN traffic with an access-list and then use NAT 0 to tell the PIX not to NAT/PAT VPN traffic.

Dude, I still can't figure out why Guruprasad's config won't work. Got me totally bummed out.

Theo

"Jay Dunn"
Sent by: [EMAIL PROTECTED]
10/15/2002 05:59 PM
Please respond to "Jay Dunn"
To: [EMAIL PROTECTED]
cc:
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

Look up NAT 0 in the PIX command summary (sorry, I don't have a link). The PIX will perform NATing on a packet as soon as it enters an interface. This can create problems when 2 interfaces receive their NAT addresses from the same pool. Create an access list permitting ip between the inside and DMZ subnets and then apply it with NAT 0. This will eliminate NATing. This should allow the inside to establish full communication with the DMZ. You will still need the appropriate conduits for DMZ to inside communication.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Guruprasad Sanjeevi
Sent: Tuesday, October 15, 2002 12:33 AM
To: [EMAIL PROTECTED]
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

Hi Theo, and all,

I am giving the configuration.

  global (outside) 1 66.x.x.x-66.x.x.x netmask 255.255.255.224
  global (perimeter) 1 192.168.23.10-192.168.23.20
  nat (inside) 1 192.168.11.0 255.255.255.0 0 0
  nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0
  static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
  static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
  static (inside,perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0
    - If I am not wrong, this command enables the communication between LAN and DMZ, but here it fails..
  conduit permit tcp host 66.x.x.x eq x any
  conduit permit icmp host 192.168.11.x any
  conduit permit tcp host 66.x.x.x eq x any
  conduit permit tcp host 66.x.x.x eq sqlnet any
  route outside 0.0.0.0 0.0.0.0 66.x.x.x 1

What is that companion command?

Please help

Regards
Guruprasad

-----Original Message-----
From: Theodore Stout [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]

You will need to explicitly grant permission for the DMZ to communicate with the internal network, since lower security interfaces are automatically blocked from higher ones. Can you access from the Outside? Try it and see. Can you print out the config without the real IPs? You need to have a companion command to the static command and I would like to see if you have it.

Cheers,
Theo

"Guruprasad Sanjeevi"
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to "Guruprasad Sanjeevi"
To: [EMAIL PROTECTED]
cc:
bcc:
Subject: With PIX unable to reach DMZ from LAN [7:55608]

Hi group,

I am trying to configure a PIX. It has 3 Ethernet interfaces and three networks are used.

  LAN (inside): 192.168.11.0
  DMZ (perimeter): 192.168.23.0
  Outside: 66.x.x.x

Problem: users from the Inside and Perimeter networks are able to browse, but the Inside and Perimeter networks cannot talk to each other. I have given the static command like this:

  static (inside,perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from the INSIDE network to the DMZ (perimeter) and vice-versa?

Please help

Thanks
Guruprasad

[GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat]
Re: With PIX unable to reach DMZ from LAN [7:55608]
Hi, here are some tips:

- From higher ASA to lower ASA --> You need NAT and Global
- From lower ASA to higher ASA --> You need Conduit/Access-List and Static

Best Regards,
HATO

>From: "mike greenberg"
>Reply-To: "mike greenberg"
>To: [EMAIL PROTECTED]
>Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]
>Date: Tue, 15 Oct 2002 10:26:14 GMT
>
>This is a simple solution. Do this:
>
>  static (inside,perimeter) 192.168.11.0 192.168.11.0 netmask 255.255.255.0
>
>This will make the PIX act like a router for traffic from 192.168.11.0 to
>communicate with 192.168.23.0; however, you have to make an access-list to
>allow network 192.168.23.0 to talk back to 192.168.11.0 because perimeter has
>a lower security level than the inside interface.
>
> Guruprasad Sanjeevi wrote:
>Hi group,
>
>I am trying to configure a PIX. It has 3 Ethernet interfaces and three
>networks are used.
>
>  LAN (inside): 192.168.11.0
>  DMZ (perimeter): 192.168.23.0
>  Outside: 66.x.x.x
>
>Problem: users from the Inside and Perimeter networks are able to browse, but
>the Inside and Perimeter networks cannot talk to each other. I have given the
>static command like this:
>
>  static (inside,perimeter) 192.168.23.0 192.168.11.0 0 0
>
>What other command is required on the PIX to enable communication from the
>INSIDE network to the DMZ (perimeter) and vice-versa?
>
>Please help
>
>Thanks
>Guruprasad
>
>[GroupStudy.com removed an attachment of type application/ms-tnef which had
>a name of winmail.dat]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55659&t=55608
Re: With PIX unable to reach DMZ from LAN [7:55608]
This is a simple solution. Do this:

  static (inside,perimeter) 192.168.11.0 192.168.11.0 netmask 255.255.255.0

This will make the PIX act like a router for traffic from 192.168.11.0 to communicate with 192.168.23.0; however, you have to make an access-list to allow network 192.168.23.0 to talk back to 192.168.11.0 because perimeter has a lower security level than the inside interface.

Guruprasad Sanjeevi wrote:

Hi group,

I am trying to configure a PIX. It has 3 Ethernet interfaces and three networks are used.

  LAN (inside): 192.168.11.0
  DMZ (perimeter): 192.168.23.0
  Outside: 66.x.x.x

Problem: users from the Inside and Perimeter networks are able to browse, but the Inside and Perimeter networks cannot talk to each other. I have given the static command like this:

  static (inside,perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from the INSIDE network to the DMZ (perimeter) and vice-versa?

Please help

Thanks
Guruprasad

[GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55624&t=55608
RE: With PIX unable to reach DMZ from LAN [7:55608]
But doesn't NAT 0 stop NAT for whatever is defined afterwards? If I remember right, and I just might not, I used it when I wanted to avoid NAT on VPN traffic. I would define VPN traffic with an access-list and then use NAT 0 to tell the PIX not to NAT/PAT VPN traffic.

Dude, I still can't figure out why Guruprasad's config won't work. Got me totally bummed out.

Theo

"Jay Dunn"
Sent by: [EMAIL PROTECTED]
10/15/2002 05:59 PM
Please respond to "Jay Dunn"
To: [EMAIL PROTECTED]
cc:
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

Look up NAT 0 in the PIX command summary (sorry, I don't have a link). The PIX will perform NATing on a packet as soon as it enters an interface. This can create problems when 2 interfaces receive their NAT addresses from the same pool. Create an access list permitting ip between the inside and DMZ subnets and then apply it with NAT 0. This will eliminate NATing. This should allow the inside to establish full communication with the DMZ. You will still need the appropriate conduits for DMZ to inside communication.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Guruprasad Sanjeevi
Sent: Tuesday, October 15, 2002 12:33 AM
To: [EMAIL PROTECTED]
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

Hi Theo, and all,

I am giving the configuration.

  global (outside) 1 66.x.x.x-66.x.x.x netmask 255.255.255.224
  global (perimeter) 1 192.168.23.10-192.168.23.20
  nat (inside) 1 192.168.11.0 255.255.255.0 0 0
  nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0
  static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
  static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
  static (inside,perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0
    - If I am not wrong, this command enables the communication between LAN and DMZ, but here it fails..
  conduit permit tcp host 66.x.x.x eq x any
  conduit permit icmp host 192.168.11.x any
  conduit permit tcp host 66.x.x.x eq x any
  conduit permit tcp host 66.x.x.x eq sqlnet any
  route outside 0.0.0.0 0.0.0.0 66.x.x.x 1

What is that companion command?

Please help

Regards
Guruprasad

-----Original Message-----
From: Theodore Stout [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]

You will need to explicitly grant permission for the DMZ to communicate with the internal network, since lower security interfaces are automatically blocked from higher ones. Can you access from the Outside? Try it and see. Can you print out the config without the real IPs? You need to have a companion command to the static command and I would like to see if you have it.

Cheers,
Theo

"Guruprasad Sanjeevi"
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to "Guruprasad Sanjeevi"
To: [EMAIL PROTECTED]
cc:
bcc:
Subject: With PIX unable to reach DMZ from LAN [7:55608]

Hi group,

I am trying to configure a PIX. It has 3 Ethernet interfaces and three networks are used.

  LAN (inside): 192.168.11.0
  DMZ (perimeter): 192.168.23.0
  Outside: 66.x.x.x

Problem: users from the Inside and Perimeter networks are able to browse, but the Inside and Perimeter networks cannot talk to each other. I have given the static command like this:

  static (inside,perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from the INSIDE network to the DMZ (perimeter) and vice-versa?

Please help

Thanks
Guruprasad

[GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55621&t=55608
RE: With PIX unable to reach DMZ from LAN [7:55608]
Look up NAT 0 in the PIX command summary (sorry, I don't have a link). The PIX will perform NATing on a packet as soon as it enters an interface. This can create problems when 2 interfaces receive their NAT addresses from the same pool. Create an access list permitting ip between the inside and DMZ subnets and then apply it with NAT 0. This will eliminate NATing. This should allow the inside to establish full communication with the DMZ. You will still need the appropriate conduits for DMZ to inside communication.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Guruprasad Sanjeevi
Sent: Tuesday, October 15, 2002 12:33 AM
To: [EMAIL PROTECTED]
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

Hi Theo, and all,

I am giving the configuration.

  global (outside) 1 66.x.x.x-66.x.x.x netmask 255.255.255.224
  global (perimeter) 1 192.168.23.10-192.168.23.20
  nat (inside) 1 192.168.11.0 255.255.255.0 0 0
  nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0
  static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
  static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
  static (inside,perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0
    - If I am not wrong, this command enables the communication between LAN and DMZ, but here it fails..
  conduit permit tcp host 66.x.x.x eq x any
  conduit permit icmp host 192.168.11.x any
  conduit permit tcp host 66.x.x.x eq x any
  conduit permit tcp host 66.x.x.x eq sqlnet any
  route outside 0.0.0.0 0.0.0.0 66.x.x.x 1

What is that companion command?

Please help

Regards
Guruprasad

-----Original Message-----
From: Theodore Stout [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]

You will need to explicitly grant permission for the DMZ to communicate with the internal network, since lower security interfaces are automatically blocked from higher ones. Can you access from the Outside? Try it and see. Can you print out the config without the real IPs? You need to have a companion command to the static command and I would like to see if you have it.

Cheers,
Theo

"Guruprasad Sanjeevi"
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to "Guruprasad Sanjeevi"
To: [EMAIL PROTECTED]
cc:
bcc:
Subject: With PIX unable to reach DMZ from LAN [7:55608]

Hi group,

I am trying to configure a PIX. It has 3 Ethernet interfaces and three networks are used.

  LAN (inside): 192.168.11.0
  DMZ (perimeter): 192.168.23.0
  Outside: 66.x.x.x

Problem: users from the Inside and Perimeter networks are able to browse, but the Inside and Perimeter networks cannot talk to each other. I have given the static command like this:

  static (inside,perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from the INSIDE network to the DMZ (perimeter) and vice-versa?

Please help

Thanks
Guruprasad

[GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55620&t=55608
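Here are the two translation options this thread describes (Jay's nat 0 with an access-list, and the identity static from Mike's and Hato's replies) written out for Guruprasad's addressing, together with the perimeter ACL that Theo and Hato say is still required. This is an added example for this page, not a config any of the posters sent. Inside 192.168.11.0/24, perimeter 192.168.23.0/24, the perimeter global pool and the interface names come from the thread; the outside range 198.51.100.0/27, the hosts 192.168.23.5 and 192.168.11.10 and the ACL names nonat and perimeter_in are assumptions. One point about the posted static: in "static (inside,perimeter) A B", A is the address the perimeter sees and B is the real inside address, so "static (inside,perimeter) 192.168.23.0 192.168.11.0" presents the inside network to the perimeter as the perimeter's own subnet. Both options below keep the real addresses instead.

```cisco
: Added example for PIX 6.2: inside <-> perimeter without translation, plus
: the ACL the perimeter needs to answer and to initiate toward the inside.
: Addresses and interface names from the thread; outside range, host
: addresses and ACL names are assumptions.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 perimeter security50

: Higher -> lower needs nat/global. Because the perimeter has a global in
: the same nat id, inside -> perimeter traffic is PATed to 192.168.23.10-20
: unless a more specific rule (nat 0 or a static) matches first.
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0
global (outside) 1 198.51.100.10-198.51.100.20 netmask 255.255.255.224
global (perimeter) 1 192.168.23.10-192.168.23.20 netmask 255.255.255.0

: Option A (Jay's): NAT exemption. The ACL names the traffic that must not
: be translated, in both directions, and is bound to both interfaces.
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.168.23.0 255.255.255.0
access-list nonat permit ip 192.168.23.0 255.255.255.0 192.168.11.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (perimeter) 0 access-list nonat

: Option B (Mike's/Hato's): identity static, real inside addresses shown
: unchanged on the perimeter. Use A or B for a given network, not both.
: static (inside,perimeter) 192.168.11.0 192.168.11.0 netmask 255.255.255.0 0 0

: Lower -> higher still needs permission. Binding an ACL to the perimeter
: adds an implicit deny, so the perimeter's own web browsing is re-permitted.
: PIX 6.2 keeps no ICMP state, so the replies to inside pings must be
: permitted explicitly; that is why ping "fails" while TCP would work.
access-list perimeter_in permit icmp 192.168.23.0 255.255.255.0 192.168.11.0 255.255.255.0 echo-reply
access-list perimeter_in permit tcp host 192.168.23.5 host 192.168.11.10 eq sqlnet
access-list perimeter_in deny ip any 192.168.11.0 255.255.255.0
access-list perimeter_in permit tcp 192.168.23.0 255.255.255.0 any eq www
access-group perimeter_in in interface perimeter

: Checks:
:   show xlate                    (no 192.168.23.10-20 PAT entries for inside hosts)
:   show conn                     (an inside -> perimeter TCP connection is built)
:   show access-list perimeter_in (hitcnt on the echo-reply line after pinging)
```

Test with TCP first (telnet from an inside host to a perimeter port), as the last post in this thread suggests, then with ping; if TCP works and ping does not, the missing piece is the echo-reply permit, not the translation.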
RE: With PIX unable to reach DMZ from LAN [7:55608]
Well, I will take it that you didn't include the "ip address x.x.x.x x.x.x.x" commands for convenience. I was looking for the NAT commands. They look okay. I can't identify one problem with this, although I have to admit that last year I had the same problem. Your global perimeter and nat perimeter IP ranges are a bit strange. Why do you give one a range yet the other no range, and they might possibly overlap? Try eliminating the conduit commands. I assume that you are in a testing phase and are pinging from 192.168.11.x to 66.x.x.x. Again, this shouldn't affect anything because you are able to browse and therefore you should be able to access the DMZ the same way as the outside interface. You don't have anything here to permit traffic originating from the DMZ to access your internal LAN.

Keep on going, I've got to go to Starbucks for a while.

Theo

"Guruprasad Sanjeevi"
10/15/2002 02:34 PM
To: "'Theodore Stout'"
cc:
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

Hi Theo, and all,

I am giving the configuration.

  global (outside) 1 66.x.x.x-66.x.x.x netmask 255.255.255.224
  global (perimeter) 1 192.168.23.10-192.168.23.20
  nat (inside) 1 192.168.11.0 255.255.255.0 0 0
  nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0
  static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
  static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
  static (inside,perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0
    - If I am not wrong, this command enables the communication between LAN and DMZ, but here it fails...
  conduit permit tcp host 66.x.x.x eq x any
  conduit permit icmp host 192.168.11.x any
  conduit permit tcp host 66.x.x.x eq x any
  conduit permit tcp host 66.x.x.x eq sqlnet any
  route outside 0.0.0.0 0.0.0.0 66.x.x.x 1

What is that companion command?

Please help

Regards
Guruprasad

-----Original Message-----
From: Theodore Stout [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]

You will need to explicitly grant permission for the DMZ to communicate with the internal network, since lower security interfaces are automatically blocked from higher ones. Can you access from the Outside? Try it and see. Can you print out the config without the real IPs? You need to have a companion command to the static command and I would like to see if you have it.

Cheers,
Theo

"Guruprasad Sanjeevi"
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to "Guruprasad Sanjeevi"
To: [EMAIL PROTECTED]
cc:
bcc:
Subject: With PIX unable to reach DMZ from LAN [7:55608]

Hi group,

I am trying to configure a PIX. It has 3 Ethernet interfaces and three networks are used.

  LAN (inside): 192.168.11.0
  DMZ (perimeter): 192.168.23.0
  Outside: 66.x.x.x

Problem: users from the Inside and Perimeter networks are able to browse, but the Inside and Perimeter networks cannot talk to each other. I have given the static command like this:

  static (inside,perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from the INSIDE network to the DMZ (perimeter) and vice-versa?

Please help

Thanks
Guruprasad

[GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55615&t=55608
FW: With PIX unable to reach DMZ from LAN [7:55608]
Nothing. Are you trying to test with ping? Then you need an acl applied to the perimeter interface to allow the echo-replies. If you have no acl applied to inside and perimeter interfaces, tcp sessions should be flowing - try to telnet from inside to the perimeter for instance.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Guruprasad Sanjeevi
Sent: Monday, October 14, 2002 11:30 PM
To: [EMAIL PROTECTED]
Subject: With PIX unable to reach DMZ from LAN [7:55608]

Hi group,

I am trying to configure PIX. It has 3 Ethernet Interfaces and three networks are used.

LAN (inside): 192.168.11.0
DMZ (perimeter): 192.168.23.0
Outside: 66.x.x.x

Problem: users from Inside and Perimeter network are able to browse, but the inside and Perimeter network cannot talk to each other.

I have given the static command like this:

Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from INSIDE network to DMZ (perimeter) and vice-versa?

Please help

Thanks
Guruprasad

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55614&t=55608
RE: With PIX unable to reach DMZ from LAN [7:55608]
Hi theo, and all,

I am giving the configuration.

global (outside) 1 66.x.x.x - 66.x.x.x netmask 255.255.255.224
global (perimeter) 1 192.168.23.10-192.168.23.20
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0
- If I am not wrong, this command enables the communication between LAN and DMZ, but here it fails.
conduit permit tcp host 66.x.x.x eq x any
conduit permit icmp host 192.168.11.x any
conduit permit tcp host 66.x.x.x eq x any
conduit permit tcp host 66.x.x.x eq sqlnet any
route outside 0.0.0.0 0.0.0.0 66.x.x.x 1

What is that companion command?

Please help

Regards
Guruprasad

-Original Message-
From: Theodore Stout [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]

You will need to explicitly grant permission for the DMZ to communicate to the Internal since lower security interfaces are automatically blocked by higher ones.

Can you access from the Outside? Try it and see.

Can you print out the config without the real IPs? You need to have a companion command to the Static command and I would like to see if you have it.

Cheers,
Theo

"Guruprasad Sanjeevi"
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to "Guruprasad Sanjeevi"
To: [EMAIL PROTECTED]
cc:
bcc:
Subject: With PIX unable to reach DMZ from LAN [7:55608]

Hi group,

I am trying to configure PIX. It has 3 Ethernet Interfaces and three networks are used.

LAN (inside): 192.168.11.0
DMZ (perimeter): 192.168.23.0
Outside: 66.x.x.x

Problem: users from Inside and Perimeter network are able to browse, but the inside and Perimeter network cannot talk to each other.

I have given the static command like this:

Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from INSIDE network to DMZ (perimeter) and vice-versa?

Please help

Thanks
Guruprasad

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55613&t=55608
With PIX unable to reach DMZ from LAN [7:55608]
Hi group,

I am trying to configure PIX. It has 3 Ethernet Interfaces and three networks are used.

LAN (inside): 192.168.11.0
DMZ (perimeter): 192.168.23.0
Outside: 66.x.x.x

Problem: users from Inside and Perimeter network are able to browse, but the inside and Perimeter network cannot talk to each other.

I have given the static command like this:

Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from INSIDE network to DMZ (perimeter) and vice-versa?

Please help

Thanks
Guruprasad

[GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55608&t=55608
RE: PIX .. Basic Inside to DMZ Question ... [7:55447]
You need another access list from inside to dmz to permit ip any any (or specific ports and addresses) - make sure you have a global or static between inside and dmz.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55534&t=55447
Re: PIX .. Basic Inside to DMZ Question ... [7:55447]
Thanks for your input guys ... I found a Switch in the DMZ that had an IP default-gateway pointing to a Novell box with an interface on both the Inside and DMZ LANs ... As soon as I changed the IP def-gateway I could telnet around the DMZ switches and routers ..

Regards
Paul ...

- Original Message -
From: "Paul"
To:
Sent: Saturday, October 12, 2002 1:14 PM
Subject: PIX .. Basic Inside to DMZ Question ... [7:55447]

> Hi,
>
> I have the DMZ as security 50, and the Inside as security 100. I have an
> access-list applied to the DMZ and the Inside for permit IP any any.
>
> My problem is that I cannot Telnet to any routers/switches on the DMZ from
> the Inside LAN. Ping and Traceroute work !!! (ICMP permit inside/dmz any).
>
> How can I get round this ??? Am I missing something real basic here ???
> I can't trash the PIX and start over as I have regular VPN, NAT and Global
> traffic
>
> Any input welcome ..
>
> Kind regards ..
>
> Paul ...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55449&t=55447
PIX .. Basic Inside to DMZ Question ... [7:55447]
Hi,

I have the DMZ as security 50, and the Inside as security 100. I have an access-list applied to the DMZ and the Inside for permit IP any any.

My problem is that I cannot Telnet to any routers/switches on the DMZ from the Inside LAN. Ping and Traceroute work !!! (ICMP permit inside/dmz any).

How can I get round this ??? Am I missing something real basic here ??? I can't trash the PIX and start over as I have regular VPN, NAT and Global traffic.

Any input welcome ..

Kind regards ..

Paul ...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55447&t=55447
PIX (DMZ) Nat0 Q. [7:53478]
Hey guys, had a quick question on the PIX FW. When implementing a DMZ what would be the tangible benefit of using the traditional: NAT outside to DMZ inside, create ACLs, as opposed to making a NAT 0 statement in the firewall?

Either way you are going to be using ACLs on the firewall to permit/deny traffic? Either way the server that you want "exposed" is going to be on a different VLAN?

The only thing that I can think of is if you have, say, a limited # of IPs on the outside (I know we all do), but more in the range of 1 External IP, and you had 5 machines on the inside running different services (FTP, WWW, SSH) whatever, then you would need to do the traditional DMZ, and NAT back.

Does putting the NAT 0 statement disable the firewall from doing fix-ups to the NAT0'ed address?

I just don't see the need for the traditional way of DMZ'ing if NAT 0 is going to accomplish the same thing without all the extra configuration. Comments? Just trying to get a grip on it.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53478&t=53478
RE: Exchange 5.5 in DMZ [7:52126]
More specifically: OWA pages can be accessed through SSL channel (40-bit key, according to the USA export laws for non-financial institutions).

Communication between OWA server and servers located in the intranet zone is restricted to:

one BDC server - TCP: 135, 138; UDP: 137
Exchange servers - TCP: 135, 4410, 4411
ACE servers - TCP: 5500 ECHO

Bill Creighton CCNP
Senior System Engineer
Motorola iDEN CNRC Packet Data

-Original Message-
From: Kevin O'Gilvie [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 27, 2002 7:46 AM
To: [EMAIL PROTECTED]
Subject: Exchange 5.5 in DMZ [7:52126]

Dear All,

What is the correct way to set up exchange in the DMZ.. I know how to set it up in the inside interface but that is a security risk. I would like to put IMC and OWA on the DMZ. And keep the Mail Server on the inside.

Thanks,
Kevin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52138&t=52126
RE: Exchange 5.5 in DMZ [7:52126]
We set up exactly what you're trying to do for a client in Chile for a Mobile Office product we deployed, use the blueprint below for starters. (watch out for word wrap)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/exchange/exchange55/plan/ekmgem.asp

Bill Creighton CCNP
Senior System Engineer
Motorola iDEN CNRC Packet Data

-Original Message-
From: Kevin O'Gilvie [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 27, 2002 7:46 AM
To: [EMAIL PROTECTED]
Subject: Exchange 5.5 in DMZ [7:52126]

Dear All,

What is the correct way to set up exchange in the DMZ.. I know how to set it up in the inside interface but that is a security risk. I would like to put IMC and OWA on the DMZ. And keep the Mail Server on the inside.

Thanks,
Kevin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52137&t=52126
Exchange 5.5 in DMZ [7:52126]
Dear All,

What is the correct way to set up exchange in the DMZ.. I know how to set it up in the inside interface but that is a security risk. I would like to put IMC and OWA on the DMZ. And keep the Mail Server on the inside.

Thanks,
Kevin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52126&t=52126
Re: PIX DMZ IP address unload [7:37666]
What response do you get from 'no ip address dmz'?

Can't think of anything else except a bit of a long winded way around it, but copy the config, remove the 4 port card. Boot up the box. Power it down and re-insert the card.

But...just out of interest - why are you bothered...or is it just out of interest that you want to know?

Cheers,
Gaz

""Hartnell, George"" wrote in message news:[EMAIL PROTECTED]...
> Typical problem. Hopefully an easy answer. The manual says so, but
>
> I've configured interface 3 on a 6 port 515 for a dmz. I needed to change
> that segment back to its original "127.0.0.1 255.255.255.255" ip address
> assignment. Failover goes just ducky back to 0.0.0.0. I get the infamous
> "Sorry, not allowed to enter IP address on same network as interface n."
> n=3 in this case.
>
> The problem, as stated in the manual, goes like this. "...you may not be
> permitted to enter subsequent IP addresses if another interface's address is
> in the same range as the first. ... To fix this problem, reenter the first
> command specifying the correct network mask."
>
> Sure. I've reentered every 'ip address (interfacename)' on the box, and I
> still get the "Sorry" story on that dmz. The best I can get is the dmz
> interface (interface #2) to a '127.0.0.1 255.0.0.0' designation. Interfaces
> 3 and 4 are unchanged at 127.0.0.1 255.255.255.255. Interface 5 is a
> failover 100Mb. Fortunately, I won't need to heat up the dmz until next
> week, and performance is unaffected.
>
> Sooo, "show ip" looks similar to the below:
>
> ip address outside w.x.y.z 255.255.255.0
> ip address inside w.a.b.c 255.255.255.0
> ip address dmz 127.0.0.1 255.0.0.0
> ip address intf3 127.0.0.1 255.255.255.255
> ip address intf4 127.0.0.1 255.255.255.255
> ip address intf5 10.10.10.42 255.255.255.252
>
> Of course I want dmz to now look like intf3 and 4. But no! The "Sorry"
> line continues.
>
> What's a poor administrator to do? Yup, tried the TAC, yup, 'clear xlate',
> too. Yup, got rid of all the 'static's, 'routes' and access-groups relating
> to the dmz. Stumped. So far.
>
> Any words of illumination? I'm at rev. 5.3(1) at the moment. Again, this
> interface is 'shutdown', and I anticipate no problems with a live
> reconfigure to another ip segment, but it is bothersome that I cannot get it
> to return to its original loopback address.
>
> Best, G.
> VP OGC

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37677&t=37666
PIX DMZ IP address unload [7:37666]
Typical problem. Hopefully an easy answer. The manual says so, but

I've configured interface 3 on a 6 port 515 for a dmz. I needed to change that segment back to its original "127.0.0.1 255.255.255.255" ip address assignment. Failover goes just ducky back to 0.0.0.0. I get the infamous "Sorry, not allowed to enter IP address on same network as interface n." n=3 in this case.

The problem, as stated in the manual, goes like this. "...you may not be permitted to enter subsequent IP addresses if another interface's address is in the same range as the first. ... To fix this problem, reenter the first command specifying the correct network mask."

Sure. I've reentered every 'ip address (interfacename)' on the box, and I still get the "Sorry" story on that dmz. The best I can get is the dmz interface (interface #2) to a '127.0.0.1 255.0.0.0' designation. Interfaces 3 and 4 are unchanged at 127.0.0.1 255.255.255.255. Interface 5 is a failover 100Mb. Fortunately, I won't need to heat up the dmz until next week, and performance is unaffected.

Sooo, "show ip" looks similar to the below:

ip address outside w.x.y.z 255.255.255.0
ip address inside w.a.b.c 255.255.255.0
ip address dmz 127.0.0.1 255.0.0.0          <- bummer here
ip address intf3 127.0.0.1 255.255.255.255  <-- conflict here
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 10.10.10.42 255.255.255.252

Of course I want dmz to now look like intf3 and 4. But no! The "Sorry" line continues.

What's a poor administrator to do? Yup, tried the TAC, yup, 'clear xlate', too. Yup, got rid of all the 'static's, 'routes' and access-groups relating to the dmz. Stumped. So far.

Any words of illumination? I'm at rev. 5.3(1) at the moment. Again, this interface is 'shutdown', and I anticipate no problems with a live reconfigure to another ip segment, but it is bothersome that I cannot get it to return to its original loopback address.

Best, G.
VP OGC

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37666&t=37666
PIX DMZ Issue [7:26419]
I have a problem with DMZ configuration. Here is the scenario.

DMZ port has UNIX Sendmail Server. IP Address 206.2.34.1
Internal Port has Exchange Server. IP Address 206.6.182.75

Here is what I did to make it work.

static (dmz,outside) 155.254.128.7 206.2.34.1 netmask 255.255.255.255 0 0
static (inside,dmz) 206.6.182.75 206.6.182.75 netmask 255.255.255.255 0 0
conduit permit tcp host 155.254.128.7 eq smtp any
conduit permit tcp host 206.6.182.75 eq smtp host 206.2.34.1

This is the basic configuration. Customer has an NIS (UNIX) server which is on Internal network at the address 206.6.181.1 and contains all the databases for various applications including the Sendmail server on a dmz port. The sendmail server on dmz port can't come online until it contacts the NIS server on Internal network, and because of the PIX it will not allow polling to work from dmz port to the internal port unless some static mappings and conduit permissions are allowed.

How do I resolve this issue with three things: First, Sendmail server to contact NIS server at Internal port and then to deliver emails to exchange box.

Regards,
Abbas Ali, AVVID, CCDP, CCNP, MCSE
Network Engineer II
Tel: 714.428.3367
Pager: 714.748.4817
Email: [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26419&t=26419
RE: Pix and DMZ [7:20333]
Hi..

There is nothing big, just remember one rule:

1) When traffic is allowed to flow from higher security interface to lower you have to use global and nat.
2) When traffic is allowed to flow from lower to higher then you have to use static and access-list.

In your case you have to allow access from high to low so add one more global command with the address used for natting and also a nat command with respect to that. The command which you have to write is

global(dmz) 1 172.22.100.1-172.22.100.10

This should solve your problem. The range which I have given in global is just an example and these addresses would be used by pix to nat internal hosts when they would be accessing the dmz. You don't need to add nat as you have already defined that.

Hope this helps.

Regds
Tribavan Raina
Network Consultant
TechTonics Group Limited
Level 31 Grand Plimmer Tower
2-6 Gilmer Terrace
PO Box 11 199
Wellington
Ph: +64 4 385 2628
Fax: +64 4 385 2400
www.techtonics.co.nz

-Original Message-
From: Tai Ngo [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 18 September 2001 4:05 p.m.
To: [EMAIL PROTECTED]
Subject: Pix and DMZ [7:20333]

Hi All,

I am having a problem configuring the Pix's DMZ interface, specifically getting it to talk to the inside and also having the inside talking to it. Here's the scenario:

I have 3 interfaces on a Pix 520 running 6.0(1). I have an inside interface which is on the 192.168.1.0 network, dmz which is on 172.22.100.0 network, and outside which is 62.20.100.x Class C network. I want inside boxes to be able to access a pc on the dmz called DMZPC with ip address of 172.22.100.100. I also want the DMZPC to be able to access machines on the inside of the network. All interfaces on the Pix use x.x.x.1 for their respective ip addresses.

Currently, my box on the DMZ can access the Internet and the Internet can access it via a "static (dmz,outside) 62.20.100.131 172.22.100.131 netmask 255.255.255.255 0 0" command.

Here's the output from a show route on my Pix:

outside 0.0.0.0 0.0.0.0 62.20.99.2 1 OTHER static (that's the ip address of the router on the outside that gets forwarded to our ISP)
outside 62.20.100.0 255.255.255.0 62.20.100.1 1 CONNECT static
dmz 172.22.100.0 255.255.255.0 172.22.100.1 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static

Other commands in my configuration that might be important:

global (outside) 1 62.20.100.7 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

I have read the Cisco Pix manual and tried using the syntax in the manual but I am now more confused than when I started. Can someone provide me the configuration lines I need to get it working? Any help or tips would be greatly appreciated.

Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=20342&t=20333
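The rule Tribavan states above (higher to lower security needs nat/global; lower to higher needs static plus an explicit permit) is the same check Theo applied to Guruprasad's config earlier in this compilation. The following is an added example, not code from the thread and not a PIX feature: a small Python model that parses the relevant PIX 6.x lines and reports why each direction passes or fails. It assumes the nameif security levels (outside 0, inside 100, dmz/perimeter 50) and replaces Guruprasad's masked 66.x.x.x addresses with 203.0.113.x placeholders; the access-list and identity static added to Tai's config are assumed values for the reverse direction.

```python
"""Added model (not PIX code, not from the thread) of the PIX 6.x rule the
thread keeps restating: higher -> lower security needs a nat/global pair or a
static; lower -> higher needs a static AND a conduit/access-list permit for the
translated (mapped) address. Only those commands are modelled."""
import ipaddress
import re
from collections import defaultdict

ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr_spec(tok, i):
    """Parse one PIX address spec at tok[i]: 'any', 'host A', or 'A MASK'."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


class PixFlowModel:
    def __init__(self, config):
        self.security = {}                 # iface -> security level
        self.nat = defaultdict(set)        # iface -> {nat ids}
        self.glob = defaultdict(set)       # iface -> {global ids}
        self.static = defaultdict(list)    # (high, low) -> [mapped network]
        self.permits = []                  # (iface or None, permitted dst network)
        self.groups = {}                   # iface -> bound access-list name
        self.acl_dsts = defaultdict(list)  # access-list name -> [dst network]
        for line in config.lower().splitlines():
            self._parse(line)
        for iface, name in self.groups.items():   # bind lists; conduits are global
            self.permits += [(iface, d) for d in self.acl_dsts[name]]

    def _parse(self, line):
        tok = line.split()
        if not tok:
            return
        if tok[0] == "nameif":             # nameif ethernet2 dmz security50
            self.security[tok[2]] = int(tok[3].replace("security", ""))
        elif tok[0] in ("nat", "global"):  # nat (inside) 1 ... / global (dmz) 1 ...
            m = re.match(r"(nat|global)\s*\((\w+)\)\s+(\d+)", line)
            (self.nat if tok[0] == "nat" else self.glob)[m[2]].add(int(m[3]))
        elif tok[0] == "static":           # static (high,low) MAPPED REAL [netmask M]
            m = re.match(r"static\s*\((\w+),\s*(\w+)\)\s+(\S+)\s+\S+"
                         r"(?:\s+netmask\s+(\S+))?", line)
            high, low, mapped, mask = m.groups()
            # PIX defaults the netmask to 255.255.255.255, i.e. a single host
            net = ipaddress.ip_network(f"{mapped}/{mask or '32'}", strict=False)
            self.static[(high, low)].append(net)
        elif tok[0] == "conduit" and tok[1] == "permit":
            # conduit permit PROTO MAPPED-SPEC [eq P] SRC-SPEC: first spec is the target
            self.permits.append((None, _addr_spec(tok, 3)[0]))
        elif tok[0] == "access-list" and tok[2] == "permit":
            # access-list NAME permit PROTO SRC-SPEC [eq P] DST-SPEC [eq P]
            _src, i = _addr_spec(tok, 4)
            i += 2 if tok[i] == "eq" else 0          # skip a source-port operator
            self.acl_dsts[tok[1]].append(_addr_spec(tok, i)[0])
        elif tok[0] == "access-group":     # access-group NAME in interface IFACE
            self.groups[tok[4]] = tok[1]

    def check(self, src, dst):
        """Return (allowed, reason) for a new connection from src to dst interface."""
        if self.security[src] > self.security[dst]:
            # Higher -> lower: a translation is all that is required by default.
            ids = {i for i in self.nat[src] if i == 0 or i in self.glob[dst]}
            if not ids and not self.static[(src, dst)]:
                return False, f"no nat/global pair or static from {src} to {dst}"
            return True, "translation present; permitted by default"
        # Lower -> higher: a static AND an explicit permit for the mapped address.
        mapped = self.static[(dst, src)]
        if not mapped:
            return False, f"no static ({dst},{src}) exposes {dst} hosts on {src}"
        for iface, net in self.permits:
            if iface in (None, src) and any(net.overlaps(m) for m in mapped):
                return True, f"static plus permit for {net}"
        return False, "static present but nothing permits the mapped address"


# Constructed sample 1: Guruprasad's inside/perimeter lines with assumed nameif
# lines; his masked 66.x.x.x conduits are represented by the icmp one only.
GURUPRASAD = """
nameif ethernet1 inside security100
nameif ethernet2 perimeter security50
global (perimeter) 1 192.168.23.10-192.168.23.20
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0
conduit permit icmp host 192.168.11.5 any
"""
# Constructed sample 2: Tai Ngo's inside/dmz lines, then Tribavan's global (dmz)
# plus an assumed identity static and access-list for the reverse direction.
TAI_BEFORE = """
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
"""
TAI_AFTER = TAI_BEFORE + """
global (dmz) 1 172.22.100.1-172.22.100.10
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-list dmz_in permit tcp host 172.22.100.100 192.168.1.0 255.255.255.0 eq smtp
access-group dmz_in in interface dmz
"""

if __name__ == "__main__":
    for name, cfg, dmz in (("guruprasad", GURUPRASAD, "perimeter"),
                           ("tai before", TAI_BEFORE, "dmz"), ("tai after", TAI_AFTER, "dmz")):
        for src, dst in (("inside", dmz), (dmz, "inside")):
            print(name, src, "->", dst, PixFlowModel(cfg).check(src, dst))
```

Guruprasad's perimeter-to-inside direction fails for the reason Theo gives (a static exists, but no conduit names the 192.168.23.x mapped addresses), and Tai's inside-to-dmz direction fails until the global (dmz) line is added.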
Pix and DMZ [7:20333]
Hi All,

I am having a problem configuring the Pix's DMZ interface, specifically getting it to talk to the inside and also having the inside talking to it. Here's the scenario:

I have 3 interfaces on a Pix 520 running 6.0(1). I have an inside interface which is on the 192.168.1.0 network, dmz which is on 172.22.100.0 network, and outside which is 62.20.100.x Class C network. I want inside boxes to be able to access a pc on the dmz called DMZPC with ip address of 172.22.100.100. I also want the DMZPC to be able to access machines on the inside of the network. All interfaces on the Pix use x.x.x.1 for their respective ip addresses.

Currently, my box on the DMZ can access the Internet and the Internet can access it via a "static (dmz,outside) 62.20.100.131 172.22.100.131 netmask 255.255.255.255 0 0" command.

Here's the output from a show route on my Pix:

outside 0.0.0.0 0.0.0.0 62.20.99.2 1 OTHER static (that's the ip address of the router on the outside that gets forwarded to our ISP)
outside 62.20.100.0 255.255.255.0 62.20.100.1 1 CONNECT static
dmz 172.22.100.0 255.255.255.0 172.22.100.1 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static

Other commands in my configuration that might be important:

global (outside) 1 62.20.100.7 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

I have read the Cisco Pix manual and tried using the syntax in the manual but I am now more confused than when I started. Can someone provide me the configuration lines I need to get it working? Any help or tips would be greatly appreciated.

Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=20333&t=20333
RE: inside, outside and dmz [7:17627]
It's just a terminology issue.

A few years back, it was common to place world accessible servers between the screening router (typically the router with the upstream ISP connection) and the firewall. This was mostly due to a lack of non-proxy firewalls. With a true proxy or Application Layer Gateway (ALG) firewall, it's difficult to allow inbound services. (this was before the days of NAT/PAT and stateful inspection)

More recent designs use 3-legged firewalls and place world accessible servers on the 3rd interface or "protected DMZ" interface of the firewall. This allows for firewall filtering of traffic to the P-DMZ and also for filtering of traffic from the P-DMZ to the internal network. This helps prevent compromise of the server to begin with, and in the event of a compromise of the server it prevents the server from attacking the internal network. (hopefully)

Since this is how most designs are done, the terminology "protected DMZ" has fallen out of use and most people simply use the term DMZ when they mean "protected DMZ". I don't see many designs that call for placing servers on a truly unprotected segment outside a firewall.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Farhan Ahmed
Sent: Tuesday, August 28, 2001 10:38 PM
To: [EMAIL PROTECTED]
Subject: inside, outside and dmz [7:17627]

comments below,

isn't it better to keep mailservers and other servers inside and allowing only the ports that are required from outside, instead of putting them into dmz and allow more ports, in the case of microsoft exchange servers, web servers with database connection etc... what is the real benefit?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=17945&t=17627
inside, outside and dmz [7:17627]
comments below,

isn't it better to keep mailservers and other servers inside and allowing only the ports that are required from outside, instead of putting them into dmz and allow more ports, in the case of microsoft exchange servers, web servers with database connection etc... what is the real benefit?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=17627&t=17627
Re: DMZ relocation [7:15597]
I believe one could also use policy-based routing. See Building Scalable Cisco Networks, Cisco Press.

Original Message Follows
From: "Aki Anttila"
Reply-To: "Aki Anttila"
To: [EMAIL PROTECTED]
Subject: Re: DMZ relocation [7:15597]
Date: Fri, 10 Aug 2001 08:14:12 -0400

At 07:59 10.8.2001 -0400, you wrote:
>Is this possible, without bringing up a test network? Can one IP address be
>routed differently than the routes currently in my EIGRP route table, that
>are being advertised through-out the network? Any documentation on this
>would be greatly appreciated.

I am not 100% sure I understood your question but how about making a static host route pointing to LAN interface and redistributing this to EIGRP process?

Aki

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=15599&t=15597
Re: DMZ relocation [7:15597]
At 07:59 10.8.2001 -0400, you wrote:
>Is this possible, without bringing up a test network? Can one IP address be
>routed differently than the routes currently in my EIGRP route table, that
>are being advertised through-out the network? Any documentation on this
>would be greatly appreciated.

I am not 100% sure I understood your question but how about making a static host route pointing to LAN interface and redistributing this to EIGRP process?

Aki

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=15598&t=15597
DMZ relocation [7:15597]
Good Morning Group,

I am in the process of relocating our DMZ to our new facility. For connectivity to the various WAN connections I have the routes returning through the old building. I would ideally like to re-direct a single machine from our LAN, which is running EIGRP, through our new DMZ to the various locations, without redirecting the entire group until stability is verified.

Is this possible, without bringing up a test network? Can one IP address be routed differently than the routes currently in my EIGRP route table, that are being advertised through-out the network? Any documentation on this would be greatly appreciated.

Thanks in advance for your assistance.

Steve

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=15597&t=15597
Re: DMZ Basics [7:10970]
Funny you should ask that, I just got through looking at an article in Network Computing on DMZ's. Check it out at http://www.networkcomputing.com/1214/1214ws1.html

Also just a few opinions. First you really won't need the proxy/firewall if you get the PIX. Second you will see a big speed increase if traffic doesn't have to go through the proxy/firewall. Third VPN traffic can terminate on the PIX or pass through to a VPN concentrator (probably over kill). Just my 2 cents worth.

Scott

On Wed, 4 Jul 2001 06:49:59 -0400, Sammi wrote:
> Hello all,
>
> I'd like to setup a DMZ in the near future and am still pondering
> purchase of a PIX box.
> Our interface to the outside world is through a Cisco 1600.
>
> So the DMZ would go:
>
> 1600 -> PIX -> ? -> ISA box (microsoft proxy/firewall)
>
> I know I don't want the PIX talking directly to the ISA, but not too
> clear what I'm going to put in between, and why (functionality). Our
> webpages are hosted off site by a third party, I would want to keep my
> mail server inside right? I would like to set up VPN in the future,
> should it go through the box between the firewalls?
> The DMZ doesn't simply double the challenge does it? As in "ok, you
> got through one firewall, now try the next".
>
> Any enlightenment greatly appreciated.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=12036&t=10970
Re: DMZ Basics [7:10970]
On 8 Jul 2001 09:19:45 -0400, [EMAIL PROTECTED] ("shella kevin") wrote:
>Can you help me understand what is DMZ ... any good documentation

I printed off some links from here: http://www.google.com/search?q=dmz+basics&hl=en&safe=off

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=11384&t=10970
Re: DMZ Basics [7:10970]
Can you help me understand what is DMZ ... any good documentation ?

>From: "Sammi"
>Reply-To: "Sammi"
>To: [EMAIL PROTECTED]
>Subject: DMZ Basics [7:10970]
>Date: Wed, 4 Jul 2001 06:49:59 -0400
>
>Hello all,
>
>I'd like to setup a DMZ in the near future and am still pondering
>purchase of a PIX box.
>Our interface to the outside world is through a Cisco 1600.
>
>So the DMZ would go:
>
>1600 -> PIX -> ? -> ISA box (microsoft proxy/firewall)
>
>I know I don't want the PIX talking directly to the ISA, but not too
>clear what I'm going to put in between, and why (functionality). Our
>webpages are hosted off site by a third party, I would want to keep my
>mail server inside right? I would like to set up VPN in the future,
>should it go through the box between the firewalls?
>The DMZ doesn't simply double the challenge does it? As in "ok, you
>got through one firewall, now try the next".
>
>Any enlightenment greatly appreciated.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=11320&t=10970
Re: DMZ Basics [7:10970]
The PIX is extremely versatile.

1. E-Mail Server

You can put your mail server on the inside, but I would suggest putting an SMTP gateway on the DMZ. Have your MX record pointing to that device.

2. 1600 - PIX - ? - ISA

I'm not sure why you would want to put something between the PIX and the Proxy server. You can do NAT at the PIX or the Proxy. You can set the Proxy for Authentication or set up a RADIUS or TACACS+ server to let the PIX do it. I would leave your configuration as it is, with clients pointing to the Proxy for Internet access and the Proxy going through the PIX. By default the PIX lets all traffic out. You can put an access list on the PIX and only allow traffic out from the Proxy Server and possibly your mail server.

"Sammi" wrote in message news:...
> Hello all,
>
> I'd like to setup a DMZ in the near future and am still pondering
> purchase of a PIX box.
> Our interface to the outside world is through a Cisco 1600.
>
> So the DMZ would go:
>
> 1600 -> PIX -> ? -> ISA box (microsoft proxy/firewall)
>
> I know I don't want the PIX talking directly to the ISA, but not too
> clear what I'm going to put in between, and why (functionality). Our
> webpages are hosted off site by a third party, I would want to keep my
> mail server inside right? I would like to set up VPN in the future,
> should it go through the box between the firewalls?
> The DMZ doesn't simply double the challenge does it? As in "ok, you
> got through one firewall, now try the next".
>
> Any enlightenment greatly appreciated.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=11009&t=10970
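The design sketched in the reply above (SMTP gateway on the DMZ, clients going out only through the proxy, an outbound access list on the PIX) as an added PIX 6.x configuration example; it is not from the post or the list, and every address in it is a constructed placeholder.

```cisco
! Added example (not from the post): PIX 6.x fragments for the design above.
! Inside clients reach the Internet only through the proxy (10.1.1.10), an
! SMTP gateway on the DMZ (192.168.100.25, MX points at it) receives mail
! and relays to the inside mail server (10.1.1.20). All addresses are
! constructed placeholders, including the public 203.0.113.x block.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0
!
! Translation: inside and DMZ hosts share the outside address when going
! out; inside hosts also need a global on the dmz interface to reach the
! DMZ at all, otherwise the PIX has no translation for that direction.
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface
global (dmz) 1 interface
!
! The DMZ SMTP gateway is reachable from the Internet on a public address,
! and the inside mail server keeps its real address when seen from the DMZ.
static (dmz,outside) 203.0.113.25 192.168.100.25 netmask 255.255.255.255
static (inside,dmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255
!
! Outside -> DMZ: lower to higher security is denied unless permitted;
! only SMTP to the gateway is opened.
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-group outside_in in interface outside
!
! DMZ -> inside and DMZ -> outside: the gateway may relay SMTP to the
! inside mail server, send mail and resolve names outward, nothing else.
! A compromised DMZ host therefore has no other path into the LAN.
access-list dmz_in permit tcp host 192.168.100.25 host 10.1.1.20 eq smtp
access-list dmz_in permit tcp host 192.168.100.25 any eq smtp
access-list dmz_in permit udp host 192.168.100.25 any eq domain
access-list dmz_in deny ip any any log
access-group dmz_in in interface dmz
!
! Inside -> out: the PIX lets everything out by default; this narrows it
! to the proxy (web and DNS) and the mail server (SMTP to the gateway),
! and logs anything else, which is how a client bypassing the proxy shows up.
access-list inside_out permit tcp host 10.1.1.10 any eq www
access-list inside_out permit tcp host 10.1.1.10 any eq 443
access-list inside_out permit udp host 10.1.1.10 any eq domain
access-list inside_out permit tcp host 10.1.1.20 host 192.168.100.25 eq smtp
access-list inside_out deny ip any any log
access-group inside_out in interface inside
```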
DMZ Basics [7:10970]
Hello all,

I'd like to setup a DMZ in the near future and am still pondering purchase of a PIX box. Our interface to the outside world is through a Cisco 1600.

So the DMZ would go:

1600 -> PIX -> ? -> ISA box (microsoft proxy/firewall)

I know I don't want the PIX talking directly to the ISA, but not too clear what I'm going to put in between, and why (functionality). Our webpages are hosted off site by a third party; I would want to keep my mail server inside, right? I would like to set up VPN in the future; should it go through the box between the firewalls? The DMZ doesn't simply double the challenge, does it? As in "ok, you got through one firewall, now try the next".

Any enlightenment greatly appreciated.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=10970&t=10970
Re: 2600 help , dmz, [7:256]
Your basic configuration looks like it will work just fine, Mo, except for a few details that you'll want to implement: you have default pointed to s1/0:0, and the DMZ is behind fast0/0 somewhere. To avoid asymmetrical routing, you'll want anything that comes in via s1/1:0 to go back out s1/1:0; therefore, find a solution to re-route traffic properly, possibly a route-map that sends the x.x.252.0 0.0.0.255 outbound traffic to the s1/1:0 interface. You also want to add an access list to the s1/0:0 interface that reflects the security policy of the customer: minimally restricting ICMP and only allowing the services that are required into the Corporate network, a pre-firewall firewall.

-e-

----- Original Message -----
From: Moahzam Durrani
Sent: Wednesday, April 11, 2001 12:49 PM
Subject: 2600 help , dmz, [7:256]

> We have a 2620 with two built in DSU/CSU. At the moment we are using 1 T1
> from an ISP for internet access. We have another T1 available from a
> different ISP. We want to hang some servers on our DMZ so that anyone
> outside could access a web server. I am using RIP as a protocol. My concern
> is that I hope users inside will not experience problems browsing the
> internet, i.e. there won't be a confusion for routing between the two ISPs.
> Corporate users should not browse the net through serial 1/1. Oh yeah, the
> ip address configured for the DMZ has a network address of x.x.252.0
> 255.255.255.0. Below is a config, is something missing? If anyone could
> suggest anything please let me know, I'd appreciate it.
>
> controller T1 1/0
>  framing esf
>  linecode b8zs
>  channel-group 0 timeslots 1-24 speed 64
>  description T1 TO CONCENTRIC
> !
> controller T1 1/1
>  framing esf
>  linecode b8zs
>  channel-group 0 timeslots 1-24 speed 64
>  description T1 to FIRST INTERNET ALLIANCE
> !
> !
> interface FastEthernet0/0 (corporate)
>  ip address x.x.245.1 255.255.255.0
>  no ip directed-broadcast
>  no ip mroute-cache
>  speed 100
>  full-duplex
> !
> interface Serial1/0:0
>  description concentric
>  ip address z.z.z.56 255.255.255.0
>  no ip directed-broadcast
>  encapsulation ppp
>  no fair-queue
> !
> interface Serial1/1:0 (to be used for DMZ servers only)
>  description FIRST INTERNET ALLIANCE
>  ip address a.a.a.26 255.255.255.252
>  no ip directed-broadcast
>  encapsulation ppp
>  no shutdown
> !
> router rip
>  network x.x.0.0 (corporate network)
>  network y.y.y.0 (another network)
>  network z.z.z.0 (the concentric isp network)
>  network a.a.a.0 (new ISP network for DMZ servers)
> !
> no ip classless
> ip route 0.0.0.0 0.0.0.0 Serial1/0:0
> ip route x.x.0.0 255.255.0.0 x.x.245.10
>
> Mo Durrani
> IS&T
> WYSE\EDS

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=470&t=256
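The route-map and the inbound access list suggested in the reply above, worked out as an added IOS configuration example. It is not from the reply or the original post; it keeps the post's x.x / y.y placeholders, while the mail-server address and the list of permitted services are constructed for illustration.

```cisco
! Added example (not from the reply or the original post): IOS fragments for
! the two fixes suggested above. x.x.252.0/24 is the DMZ block and x.x.0.0/16,
! y.y.y.0/24 the internal networks from the posted config; the mail-server
! address x.x.245.25 and the service list are constructed placeholders.
!
! 1. Policy routing so DMZ-sourced traffic leaves via the DMZ ISP link.
!    Without it, replies to sessions that arrived on Serial1/1:0 follow the
!    default route out Serial1/0:0 (asymmetric routing). Traffic from the
!    DMZ to the internal networks is excluded so it keeps using the routing
!    table instead of being pushed out to the ISP.
access-list 110 deny   ip x.x.252.0 0.0.0.255 x.x.0.0 0.0.255.255
access-list 110 deny   ip x.x.252.0 0.0.0.255 y.y.y.0 0.0.0.255
access-list 110 permit ip x.x.252.0 0.0.0.255 any
!
route-map DMZ-OUT permit 10
 match ip address 110
 set interface Serial1/1:0
!
! The DMZ sits behind FastEthernet0/0, so that is where its packets enter
! the router and where the policy has to be applied.
interface FastEthernet0/0
 ip policy route-map DMZ-OUT
!
! 2. "Pre-firewall firewall": inbound filter on the corporate Internet link.
!    Drop packets claiming an internal source (spoofing), allow only return
!    traffic and the services the customer's policy actually requires, keep
!    ICMP to the types needed for diagnostics and path MTU discovery, and
!    log everything else so the denies can be reviewed.
access-list 120 deny   ip x.x.0.0 0.0.255.255 any
access-list 120 deny   ip y.y.y.0 0.0.0.255 any
access-list 120 permit tcp any x.x.0.0 0.0.255.255 established
access-list 120 permit udp any eq domain x.x.0.0 0.0.255.255
access-list 120 permit tcp any host x.x.245.25 eq smtp
access-list 120 permit icmp any x.x.0.0 0.0.255.255 echo-reply
access-list 120 permit icmp any x.x.0.0 0.0.255.255 packet-too-big
access-list 120 permit icmp any x.x.0.0 0.0.255.255 ttl-exceeded
access-list 120 deny   ip any any log
!
interface Serial1/0:0
 ip access-group 120 in
```

The `established` keyword only matches TCP flags, so UDP replies such as DNS must be permitted explicitly, which is why the domain line is there.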
2600 help , dmz, [7:256]
We have a 2620 with two built in DSU/CSU. At the moment we are using 1 T1 from an ISP for internet access. We have another T1 available from a different ISP. We want to hang some servers on our DMZ so that anyone outside could access a web server. I am using RIP as a protocol. My concern is that I hope users inside will not experience problems browsing the internet, i.e. there won't be a confusion for routing between the two ISPs. Corporate users should not browse the net through serial 1/1. Oh yeah, the ip address configured for the DMZ has a network address of x.x.252.0 255.255.255.0. Below is a config, is something missing? If anyone could suggest anything please let me know, I'd appreciate it.

controller T1 1/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
 description T1 TO CONCENTRIC
!
controller T1 1/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
 description T1 to FIRST INTERNET ALLIANCE
!
!
interface FastEthernet0/0 (corporate)
 ip address x.x.245.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 speed 100
 full-duplex
!
interface Serial1/0:0
 description concentric
 ip address z.z.z.56 255.255.255.0
 no ip directed-broadcast
 encapsulation ppp
 no fair-queue
!
interface Serial1/1:0 (to be used for DMZ servers only)
 description FIRST INTERNET ALLIANCE
 ip address a.a.a.26 255.255.255.252
 no ip directed-broadcast
 encapsulation ppp
 no shutdown
!
router rip
 network x.x.0.0 (corporate network)
 network y.y.y.0 (another network)
 network z.z.z.0 (the concentric isp network)
 network a.a.a.0 (new ISP network for DMZ servers)
!
no ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0:0
ip route x.x.0.0 255.255.0.0 x.x.245.10

Mo Durrani
IS&T
WYSE\EDS

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=256&t=256
Re: DMZ
Quite simply, it's an area between the router and, say, a firewall that is protecting the inner network. A lot of companies will place mail and internet servers there. They get less protection than those hosts behind the firewall but are available resources to both the internet side and the protected networks. Anyone improve on this please!

Karl

----- Original Message -----
From: "Adekola, Dennis D"
To: "CISCO"
Sent: Wednesday, March 28, 2001 8:16 PM
Subject: DMZ

> Hi all
>
> I frequently hear the term DMZ (Demilitarized Zone) being thrown around me
>
> Can anyone please enlighten me
>
> Cheers
>
> Dennis
Re: DMZ
Another rough answer:

Ok, the DMZ deals with a 3 part firewall. Basically, there is a LAN that hangs off of your firewall that contains your servers like the e-comm. and mail. Then you have your internal LAN where your users are. In order for your users to get out to the net they have to go through the servers on your DMZ, right? Well, if somebody out on the net was watching and waiting for you to come out, if they traced you and somehow got past the external FW, they would only reach your servers and not make it into your users' LAN, because to them the info originated from the servers. That's why it's called the Demilitarized zone... somebody can give a more detailed explanation... this was just Layman's terms... hope I helped.

NetEyez - CCNP, CCDA

----- Original Message -----
From: "Adekola, Dennis D"
To: "CISCO"
Sent: Wednesday, March 28, 2001 2:16 PM
Subject: DMZ

> Hi all
>
> I frequently hear the term DMZ (Demilitarized Zone) being thrown around me
>
> Can anyone please enlighten me
>
> Cheers
>
> Dennis
Re: DMZ
The DMZ is an area of your network that the outside world has access to but is separated by security devices from the rest of your internal network. For example:

InsideNetwork <---> Firewall <---> DMZ <---> Firewall/Router <-------> Internet

The DMZ would hold your file servers and web servers, for instance. A setup like this allows you to be more specific in your access control.

HTH,
John

>>> "Adekola, Dennis D" 3/28/01 12:16:50 PM >>>
Hi all

I frequently hear the term DMZ (Demilitarized Zone) being thrown around me

Can anyone please enlighten me

Cheers

Dennis
DMZ
Hi all

I frequently hear the term DMZ (Demilitarized Zone) being thrown around me

Can anyone please enlighten me

Cheers

Dennis
Re: DMZ
DMZ stands for Demilitarized Zone and is also called a Perimeter network. A DMZ adds another layer of security between an external and internal network. The purpose of the DMZ is that if someone is able to break into your network, like the WAN router or other device, they won't be able to see the traffic passed between hosts on your Internal network, because the intruded upon device is on an external network on a completely different segment than your LAN traffic.

Some companies place their mail servers and webservers on a separate segment from their Internal LAN. If the web, mail, or DNS server is compromised, your Internal LAN traffic is still protected from the intruder, since the hosts/devices in the DMZ aren't seeing indirect LAN traffic because of the internal router.

Sample diagram:

         { Internet }
              |
              |
            ( + )  External router
              |
        |-----------|  Server on DMZ segment
              |
            ( + )  Internal router
              |
       ---------------
       |             |
   [ Host A ]    [ Host B ]

On 2 Feb 2001 12:32:36 -0500, "Snyder, LeRoy F" wrote:
> Could anyone explain the DMZ process in a little
> more detail?
>
> -----Original Message-----
> From: John Chang
> Sent: Sunday, January 28, 2001 4:25 PM
> Subject: DMZ
>
>
> Does anyone know a good book or article on the web that explains DMZ in
> great detail? Thank you.
RE: DMZ
Could anyone explain the DMZ process in a little more detail?

-----Original Message-----
From: John Chang
Sent: Sunday, January 28, 2001 4:25 PM
Subject: DMZ

Does anyone know a good book or article on the web that explains DMZ in great detail? Thank you.
Re: DMZ
Download the PDF file from http://support.intel.com/support/express/routers/9500/dmz.htm

Also look at Building Internet Firewalls by Elizabeth D. Zwicky and Brent Chapman, O'Reilly & Associates; ISBN: 1565928717

Larry Osei-Kwaku wrote:
> Does anyone know a good book or article on the web
> that explains DMZ in
> great detail? Thank you.
RE: DMZ
John,

http://www.pcwebopedia.com/ will give you a brief description. It is not really too complex. A DMZ is an area of intermediate security between the Internet and the internal network. The idea is to allow access to some resources (Web servers, mail servers, etc) for users coming from the Internet without allowing them full access into your internal network.

This link discusses setting up a PIX firewall with a DMZ: http://www.cisco.com/warp/public/110/9.html

Dave Swink

> -----Original Message-----
> From: John Chang
> Sent: Sunday, January 28, 2001 3:25 PM
> Subject: DMZ
>
>
> Does anyone know a good book or article on the web that explains DMZ in
> great detail? Thank you.
DMZ
Does anyone know a good book or article on the web that explains DMZ in great detail? Thank you.
Re: Pass-thru DMZ?
A demilitarized zone (DMZ) is to protect your publicly reachable servers behind the firewall. The difference between the more common scenario with two interfaces and the DMZ, where you use three interfaces, is that the third interface is a separate segment to which you connect your publicly reachable servers. This includes, for example, your web server, mail server, DNS and others. You can set up light filtering on your DMZ interface in addition to more rigorous filtering on the private interface.

A DMZ will typically have:

- a public interface, which connects to an ISP
- a private interface, which connects to your internal LAN
- a DMZ interface, which connects to a separate segment where your publicly reachable servers are.

Regards
William Kelly

Kedar Deshpande wrote:
> Hi,
>
> I think that's not true! DMZ is a region which is a separate
> network. In our secured network we need some servers like web servers
> to be accessed from outside. So we keep them in a separate network, normally
> connected on a separate interface on the FW. But that zone is also very well
> protected by the firewall, but less secured than the internal interface.
>
> regards,
>
> -----Original Message-----
> From: Jason Centrella
> Sent: Tuesday, September 19, 2000 2:38 PM
> Subject: Re: Pass-thru DMZ?
>
> DMZ stands for demilitarized zone. It usually means that you can put a
> machine or server outside of your firewall. This means that this particular
> machine will not be protected by the firewall.
>
> -Jay
>
> Dave Malik wrote:
>
> > I wanted to find out what would be the correct setup/definition of a
> > "pass-thru DMZ". I think the PIX experts would probably know this.
> >
> > Any comments are appreciated.
> >
> > Regards,
> > Dave
RE: Pass-thru DMZ?
Hi,

I think that's not true! DMZ is a region which is a separate network. In our secured network we need some servers like web servers to be accessed from outside. So we keep them in a separate network, normally connected on a separate interface on the FW. But that zone is also very well protected by the firewall, but less secured than the internal interface.

regards,

-----Original Message-----
From: Jason Centrella
Sent: Tuesday, September 19, 2000 2:38 PM
Subject: Re: Pass-thru DMZ?

DMZ stands for demilitarized zone. It usually means that you can put a machine or server outside of your firewall. This means that this particular machine will not be protected by the firewall.

-Jay

Dave Malik wrote:
> I wanted to find out what would be the correct setup/definition of a
> "pass-thru DMZ". I think the PIX experts would probably know this.
>
> Any comments are appreciated.
>
> Regards,
> Dave
Re: Pass-thru DMZ?
DMZ stands for demilitarized zone. It usually means that you can put a machine or server outside of your firewall. This means that this particular machine will not be protected by the firewall.

-Jay

Dave Malik wrote:
> I wanted to find out what would be the correct setup/definition of a
> "pass-thru DMZ". I think the PIX experts would probably know this.
>
> Any comments are appreciated.
>
> Regards,
> Dave
Pass-thru DMZ?
I wanted to find out what would be the correct setup/definition of a "pass-thru DMZ". I think the PIX experts would probably know this.

Any comments are appreciated.

Regards,
Dave
Re: DMZ using DSL
Linksys sell a real cheap DSL router that connects to your DSL modem.

Duck

----- Original Message -----
From: Frank Wells
Sent: Tuesday, August 08, 2000 8:54 AM
Subject: DMZ using DSL

> Hey folks,
> If I wanted to setup a DMZ using DSL as my Internet connection, what kind of
> router(s) would you use to give me the three ethernet connections I would
> need?
>
>   LAN ----[ ]---- DSL
>            |
>            |
>           DMZ
>
> Cheers
DMZ using DSL
Hey folks,

If I wanted to setup a DMZ using DSL as my Internet connection, what kind of router(s) would you use to give me the three ethernet connections I would need?

  LAN ----[ ]---- DSL
           |
           |
          DMZ

Cheers