RE: With PIX unable to reach DMZ from LAN [7:55608]
You can have multiple NAT statements. NAT 0 will stop nat for whatever
is defined in the access list. We have a 515 with a DMZ interface. Our
inside network is 10.50.0.0/16 and our dmz network is 172.16.1.0/24.
Here is an example from our PIX.
access-list 101 permit ip 10.50.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list 101 permit ip 10.50.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list 101 permit ip 172.16.1.0 255.255.255.0 10.50.0.0 255.255.0.0
ip address inside 10.50.1.2 255.255.0.0
ip address dmz 172.16.1.1 255.255.255.0
ip local pool vpn-pool 10.50.8.1-10.50.8.50
global (outside) 1 x.x.x.196-x.x.x.248 netmask 255.255.255.x
global (outside) 1 x.x.x.195 netmask 255.255.255.x
nat (inside) 0 access-list 101
nat (dmz) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Theodore Stout
Sent: Tuesday, October 15, 2002 4:28 AM
To: [EMAIL PROTECTED]
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]
But doesn't NAT 0 stop nat for whatever is defined afterwards?
If I remember right, and I just might not, I used it when I wanted to
avoid NAT on VPN traffic. I would defined VPN traffic with an
access-list
and then use NAT 0 to tell the PIX to not NAT/PAT VPN traffic.
Dude, I still can't figure out why Gurugrasad's config won't work. Got
me
totally bummed out.
Theo
"Jay Dunn"
Sent by: [EMAIL PROTECTED]
10/15/2002 05:59 PM
Please respond to "Jay Dunn"
To: [EMAIL PROTECTED]
cc:
Subject: RE: With PIX unable to reach DMZ from LAN
[7:55608]
Lookup NAT 0 in the PIX command summary (sorry, I don't have a link).
The PIX will perform NATing on a packet as soon as it enters an
interface. This can create problems when 2 interfaces receive their NAT
addresses from the same pool. Create an access list permitting ip
between the inside and dmz subnets and then apply it with NAT 0. This
will eliminate NATing. This should allow the inside to establish full
communication with the dmz. You will still need the appropriate conduits
for dmz to inside communication.
Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Guruprasad Sanjeevi
Sent: Tuesday, October 15, 2002 12:33 AM
To: [EMAIL PROTECTED]
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]
Hi theo, and all,
I am giving the configuration.
global (outside) 1 66.x.x.x - 66.x.x.x netmask 255.255.255.224
global (perimeter) 1 192.168.23.10-192.168.23.20
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0
0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0
0
static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask
255.255.255.0 0 0 - If I am not wrong , this command enables the
communication between LAN and DMZ, but here it fails..
conduit permit tcp host 66.x.x.x eq x any
conduit permit icmp host 192.168.11.x any
conduit permit tcp host 66.x.x.x eq x any
conduit permit tcp host 66.x.x.x eq sqlnet any
route outside 0.0.0.0 0.0.0.0 66.x.x.x 1
I
What is that companion command ? Please help
Regards
Guruprasad
-Original Message-
From: Theodore Stout [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]
you will need to explictedly grant permission for the DMZ to communicate
to the Internal since lower security interfaces are automatically
blocked Higher ones.
Can you access from the Outside? Try it and see.
Can you print out the config without the real IPs? You need to have a
companion command to the Static command and I would like to see if you
have it.
Cheers,
Theo
"Guruprasad Sanjeevi"
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to "Guruprasad Sanjeevi"
To: [EMAIL PROTECTED]
cc:
bcc:
Subject: With PIX unable to reach DMZ from LAN [7:55608]
Hi group,
I am trying to configure PIX .It has 3 Ethernet Interface and three
networks are used.
LAN (inside) : 192.168.11.0
DMZ (perimeter)) : 192.168.23.0
Outside:66.x.x.x
Problem : users from Inside and Perimeter network are able to browse,
but
the inside and Perimeter network cannot talk to each other. I have given
the
static command like this
Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0
What other command is required on the PIX to enable communication from
INSIDE network to DMZ(perimeter) and vice-versa.
Please help
Thanks
Guruprasad
[GroupStudy.com removed an attachment of t
Re: With PIX unable to reach DMZ from LAN [7:55608]
HI here are some of the tips: - From Higher ASA to Lower ASA --> You need NAT and Global - From Lower ASA to Higher ASA --> You need Conduit/Access-List and Static Best Regards, HATO >From: "mike greenberg" >Reply-To: "mike greenberg" >To: [EMAIL PROTECTED] >Subject: Re: With PIX unable to reach DMZ from LAN [7:55608] >Date: Tue, 15 Oct 2002 10:26:14 GMT > >This is a simple solution. Do this: >static (inside,perimeter) 192.168.11.0 192.168.11.0 netmask 255.255.255.0 >This will make the pix acts like a router with traffic from 192.168.11.0 to >communicate with 192.168.23.0; however, you have to make access-list to >allow >network 192.168.23.0 to talk back to 192.168.11.0 because perimeter has >lower >security level than the inside interface. > > Guruprasad Sanjeevi wrote:Hi group, > >I am trying to configure PIX .It has 3 Ethernet Interface and three >networks are used. > >LAN (inside) : 192.168.11.0 >DMZ (perimeter)) : 192.168.23.0 >Outside:66.x.x.x > >Problem : users from Inside and Perimeter network are able to browse, but >the inside and Perimeter network cannot talk to each other. I have given >the >static command like this > >Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0 > >What other command is required on the PIX to enable communication from >INSIDE network to DMZ(perimeter) and vice-versa. > >Please help > >Thanks >Guruprasad > >[GroupStudy.com removed an attachment of type application/ms-tnef which had >a name of winmail.dat] >Do you Yahoo!? >Faith Hill - Exclusive Performances, Videos, & more >faith.yahoo.com _ Get a speedy connection with MSN Broadband. Join now! http://resourcecenter.msn.com/access/plans/freeactivation.asp Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55659&t=55608 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: With PIX unable to reach DMZ from LAN [7:55608]
This is a simple solution. Do this: static (inside,perimeter) 192.168.11.0 192.168.11.0 netmask 255.255.255.0 This will make the pix acts like a router with traffic from 192.168.11.0 to communicate with 192.168.23.0; however, you have to make access-list to allow network 192.168.23.0 to talk back to 192.168.11.0 because perimeter has lower security level than the inside interface. Guruprasad Sanjeevi wrote:Hi group, I am trying to configure PIX .It has 3 Ethernet Interface and three networks are used. LAN (inside) : 192.168.11.0 DMZ (perimeter)) : 192.168.23.0 Outside:66.x.x.x Problem : users from Inside and Perimeter network are able to browse, but the inside and Perimeter network cannot talk to each other. I have given the static command like this Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0 What other command is required on the PIX to enable communication from INSIDE network to DMZ(perimeter) and vice-versa. Please help Thanks Guruprasad [GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat] Do you Yahoo!? Faith Hill - Exclusive Performances, Videos, & more faith.yahoo.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55624&t=55608 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: With PIX unable to reach DMZ from LAN [7:55608]
But doesn't NAT 0 stop nat for whatever is defined afterwards?
If I remember right, and I just might not, I used it when I wanted to
avoid NAT on VPN traffic. I would defined VPN traffic with an access-list
and then use NAT 0 to tell the PIX to not NAT/PAT VPN traffic.
Dude, I still can't figure out why Gurugrasad's config won't work. Got me
totally bummed out.
Theo
"Jay Dunn"
Sent by: [EMAIL PROTECTED]
10/15/2002 05:59 PM
Please respond to "Jay Dunn"
To: [EMAIL PROTECTED]
cc:
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]
Lookup NAT 0 in the PIX command summary (sorry, I don't have a link).
The PIX will perform NATing on a packet as soon as it enters an
interface. This can create problems when 2 interfaces receive their NAT
addresses from the same pool. Create an access list permitting ip
between the inside and dmz subnets and then apply it with NAT 0. This
will eliminate NATing. This should allow the inside to establish full
communication with the dmz. You will still need the appropriate conduits
for dmz to inside communication.
Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Guruprasad Sanjeevi
Sent: Tuesday, October 15, 2002 12:33 AM
To: [EMAIL PROTECTED]
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]
Hi theo, and all,
I am giving the configuration.
global (outside) 1 66.x.x.x - 66.x.x.x netmask 255.255.255.224
global (perimeter) 1 192.168.23.10-192.168.23.20
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0
0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0
0
static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask
255.255.255.0 0 0 - If I am not wrong , this command enables the
communication between LAN and DMZ, but here it fails..
conduit permit tcp host 66.x.x.x eq x any
conduit permit icmp host 192.168.11.x any
conduit permit tcp host 66.x.x.x eq x any
conduit permit tcp host 66.x.x.x eq sqlnet any
route outside 0.0.0.0 0.0.0.0 66.x.x.x 1
I
What is that companion command ? Please help
Regards
Guruprasad
-Original Message-
From: Theodore Stout [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]
you will need to explictedly grant permission for the DMZ to communicate
to the Internal since lower security interfaces are automatically
blocked Higher ones.
Can you access from the Outside? Try it and see.
Can you print out the config without the real IPs? You need to have a
companion command to the Static command and I would like to see if you
have it.
Cheers,
Theo
"Guruprasad Sanjeevi"
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to "Guruprasad Sanjeevi"
To: [EMAIL PROTECTED]
cc:
bcc:
Subject: With PIX unable to reach DMZ from LAN [7:55608]
Hi group,
I am trying to configure PIX .It has 3 Ethernet Interface and three
networks are used.
LAN (inside) : 192.168.11.0
DMZ (perimeter)) : 192.168.23.0
Outside:66.x.x.x
Problem : users from Inside and Perimeter network are able to browse,
but
the inside and Perimeter network cannot talk to each other. I have given
the
static command like this
Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0
What other command is required on the PIX to enable communication from
INSIDE network to DMZ(perimeter) and vice-versa.
Please help
Thanks
Guruprasad
[GroupStudy.com removed an attachment of type application/ms-tnef which
had
a name of winmail.dat]
&i=55608&t=55608
--
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
=
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55621&t=55608
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: With PIX unable to reach DMZ from LAN [7:55608]
Lookup NAT 0 in the PIX command summary (sorry, I don't have a link). The PIX will perform NATing on a packet as soon as it enters an interface. This can create problems when 2 interfaces receive their NAT addresses from the same pool. Create an access list permitting ip between the inside and dmz subnets and then apply it with NAT 0. This will eliminate NATing. This should allow the inside to establish full communication with the dmz. You will still need the appropriate conduits for dmz to inside communication. Jay Dunn IPI*GrammTech, Ltd. www.ipi-gt.com Nunquam Facilis Est -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Guruprasad Sanjeevi Sent: Tuesday, October 15, 2002 12:33 AM To: [EMAIL PROTECTED] Subject: RE: With PIX unable to reach DMZ from LAN [7:55608] Hi theo, and all, I am giving the configuration. global (outside) 1 66.x.x.x - 66.x.x.x netmask 255.255.255.224 global (perimeter) 1 192.168.23.10-192.168.23.20 nat (inside) 1 192.168.11.0 255.255.255.0 0 0 nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0 static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0 static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0 static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0 - If I am not wrong , this command enables the communication between LAN and DMZ, but here it fails.. conduit permit tcp host 66.x.x.x eq x any conduit permit icmp host 192.168.11.x any conduit permit tcp host 66.x.x.x eq x any conduit permit tcp host 66.x.x.x eq sqlnet any route outside 0.0.0.0 0.0.0.0 66.x.x.x 1 I What is that companion command ? Please help Regards Guruprasad -Original Message- From: Theodore Stout [mailto:[EMAIL PROTECTED]] Sent: Tuesday, October 15, 2002 10:21 AM To: Guruprasad Sanjeevi Subject: Re: With PIX unable to reach DMZ from LAN [7:55608] you will need to explictedly grant permission for the DMZ to communicate to the Internal since lower security interfaces are automatically blocked Higher ones. Can you access from the Outside? Try it and see. Can you print out the config without the real IPs? You need to have a companion command to the Static command and I would like to see if you have it. Cheers, Theo "Guruprasad Sanjeevi" Sent by: [EMAIL PROTECTED] 10/15/2002 03:29 AM GMT Please respond to "Guruprasad Sanjeevi" To: [EMAIL PROTECTED] cc: bcc: Subject: With PIX unable to reach DMZ from LAN [7:55608] Hi group, I am trying to configure PIX .It has 3 Ethernet Interface and three networks are used. LAN (inside) : 192.168.11.0 DMZ (perimeter)) : 192.168.23.0 Outside:66.x.x.x Problem : users from Inside and Perimeter network are able to browse, but the inside and Perimeter network cannot talk to each other. I have given the static command like this Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0 What other command is required on the PIX to enable communication from INSIDE network to DMZ(perimeter) and vice-versa. Please help Thanks Guruprasad [GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat] &i=55608&t=55608 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] = Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55620&t=55608 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: With PIX unable to reach DMZ from LAN [7:55608]
Well I will take it that you didn't include the "ip address x.x.x.x
x.x.x.x" commands for convience.
I was looking for the NAT commands. They look okay. I can't identify one
problem with this although I have to admit that last year I had the same
problem.
Your global perimeter and nat perimeter ip ranges are a bit strange. Why
do you give one a range yet the other no range and they might possibly
overlap?
Try eliminating the Conduit commands. I assume that you are in a testing
phase and are pinging from 192.168.11.x to 66.x.x.x. Again, this
shouldn't affect anything because you are able to browse and therefore you
should be able to access the DMZ just the same way as the outside
interface.
You don't have any thing here to permit traffic originating from the DMZ
to access your Interal LAN.
Keep on going, I got to go to Starbucks for a while.
Theo
"Guruprasad Sanjeevi"
10/15/2002 02:34 PM
To: "'Theodore Stout'"
cc:
Subject:RE: With PIX unable to reach DMZ from LAN [7:55608]
Hi theo, and all,
I am giving the configuration.
global (outside) 1 66.x.x.x - 66.x.x.x netmask 255.255.255.224
global (perimeter) 1 192.168.23.10-192.168.23.20
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0
0 0 ? If I am not wrong , this command enables the communication between
LAN and DMZ, but here it fails?.
conduit permit tcp host 66.x.x.x eq x any
conduit permit icmp host 192.168.11.x any
conduit permit tcp host 66.x.x.x eq x any
conduit permit tcp host 66.x.x.x eq sqlnet any
route outside 0.0.0.0 0.0.0.0 66.x.x.x 1
I
What is that companion command ? Please help
Regards
Guruprasad
-Original Message-
From: Theodore Stout [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]
you will need to explictedly grant permission for the DMZ to communicate
to the Internal since lower security interfaces are automatically blocked
Higher ones.
Can you access from the Outside? Try it and see.
Can you print out the config without the real IPs? You need to have a
companion command to the Static command and I would like to see if you
have it.
Cheers,
Theo
"Guruprasad Sanjeevi"
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to "Guruprasad Sanjeevi"
To: [EMAIL PROTECTED]
cc:
bcc:
Subject: With PIX unable to reach DMZ from LAN [7:55608]
Hi group,
I am trying to configure PIX .It has 3 Ethernet Interface and three
networks are used.
LAN (inside) : 192.168.11.0
DMZ (perimeter)) : 192.168.23.0
Outside:66.x.x.x
Problem : users from Inside and Perimeter network are able to browse, but
the inside and Perimeter network cannot talk to each other. I have given
the
static command like this
Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0
What other command is required on the PIX to enable communication from
INSIDE network to DMZ(perimeter) and vice-versa.
Please help
Thanks
Guruprasad
[GroupStudy.com removed an attachment of type application/ms-tnef which
had
a name of winmail.dat]
=
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55615&t=55608
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: With PIX unable to reach DMZ from LAN [7:55608]
Hi theo, and all, I am giving the configuration. global (outside) 1 66.x.x.x - 66.x.x.x netmask 255.255.255.224 global (perimeter) 1 192.168.23.10-192.168.23.20 nat (inside) 1 192.168.11.0 255.255.255.0 0 0 nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0 static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0 static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0 static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0 - If I am not wrong , this command enables the communication between LAN and DMZ, but here it fails.. conduit permit tcp host 66.x.x.x eq x any conduit permit icmp host 192.168.11.x any conduit permit tcp host 66.x.x.x eq x any conduit permit tcp host 66.x.x.x eq sqlnet any route outside 0.0.0.0 0.0.0.0 66.x.x.x 1 I What is that companion command ? Please help Regards Guruprasad -Original Message- From: Theodore Stout [mailto:[EMAIL PROTECTED]] Sent: Tuesday, October 15, 2002 10:21 AM To: Guruprasad Sanjeevi Subject: Re: With PIX unable to reach DMZ from LAN [7:55608] you will need to explictedly grant permission for the DMZ to communicate to the Internal since lower security interfaces are automatically blocked Higher ones. Can you access from the Outside? Try it and see. Can you print out the config without the real IPs? You need to have a companion command to the Static command and I would like to see if you have it. Cheers, Theo "Guruprasad Sanjeevi" Sent by: [EMAIL PROTECTED] 10/15/2002 03:29 AM GMT Please respond to "Guruprasad Sanjeevi" To: [EMAIL PROTECTED] cc: bcc: Subject: With PIX unable to reach DMZ from LAN [7:55608] Hi group, I am trying to configure PIX .It has 3 Ethernet Interface and three networks are used. LAN (inside) : 192.168.11.0 DMZ (perimeter)) : 192.168.23.0 Outside:66.x.x.x Problem : users from Inside and Perimeter network are able to browse, but the inside and Perimeter network cannot talk to each other. I have given the static command like this Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0 What other command is required on the PIX to enable communication from INSIDE network to DMZ(perimeter) and vice-versa. Please help Thanks Guruprasad [GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat] &i=55608&t=55608 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] = Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55613&t=55608 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
