Velocity Reviews - Computer Hardware Reviews

PIX 515 Inside -> Outside

 
 
Guido Bakker
10-30-2003
Hello,

I have the following situation:

A PIX running with inside, dmz & outside. The dmz has a few servers
in it which will grow. Now i'm trying to nat a single machine from the
inside to the outside. Internet works fine, but not when i try to reach
a server in the dmz via the outside address.

When i run a tcpdump i see a packet arrive at the dmz server and a return
packet to the outside interface of the PIX, but it seems to end there.

Any help would be appreciated.

Regards,
Guido Bakker

p.s.

: Saved
: Written by enable_15 at 16:11:54.577 CEST Thu Oct 30 2003
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password ******** encrypted
passwd ******** encrypted
hostname netdmfw1
domain-name sogeti.nl
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.17.2.9 frankenstein
name 10.17.2.3 sales
name 10.17.2.2 hudson
name 10.17.2.1 fraser
name 194.151.67.131 heisenberg2
name 194.151.67.130 rutherford
name 172.17.2.21 magelhaen
name 10.17.0.0 dmz_diemen
name 172.17.0.0 inside_diemen
name 194.151.67.0 outside_diemen
name 10.17.2.4 webmail
name 172.17.1.137 metropolis
name 10.17.2.5 testmail
name 10.17.5.20 mail
name 172.17.5.20 mstdmxb1
name 172.17.5.23 mstdmxb2
name 10.17.5.22 mstdmxf2
name 10.17.5.21 mstdmxf1
name 172.17.5.10 mstdmdc2s
name 172.17.5.9 mstdmdc1s
name 172.17.1.102 aragorn
object-group network webservers
network-object fraser 255.255.255.255
network-object hudson 255.255.255.255
network-object sales 255.255.255.255
network-object webmail 255.255.255.255
network-object testmail 255.255.255.255
object-group service webservices tcp
port-object eq www
port-object eq https
object-group network proxyservers
network-object rutherford 255.255.255.255
network-object heisenberg2 255.255.255.255
object-group service mailservices tcp
port-object eq pop3
port-object eq imap4
port-object eq smtp
object-group network mailfrontends
network-object mstdmxf1 255.255.255.255
network-object mstdmxf2 255.255.255.255
object-group network mailbackends
network-object mstdmxb1 255.255.255.255
network-object mstdmxb2 255.255.255.255
object-group network dcservers
network-object mstdmdc1s 255.255.255.255
network-object mstdmdc2s 255.255.255.255
object-group network webservers_ref_1
network-object 194.151.67.17 255.255.255.255
network-object 194.151.67.18 255.255.255.255
network-object 194.151.67.19 255.255.255.255
network-object 194.151.67.20 255.255.255.255
network-object 194.151.67.21 255.255.255.255
access-list outside_access_in permit tcp any object-group webservers_ref_1 object-group webservices
access-list outside_access_in permit tcp object-group proxyservers 194.151.0.0 255.255.0.0 eq ssh
access-list dmz_access_in permit ip dmz_diemen 255.255.0.0 outside_diemen 255.255.255.0
access-list dmz_access_in permit tcp object-group webservers host magelhaen eq sqlnet
access-list dmz_access_in permit tcp dmz_diemen 255.255.0.0 host frankenstein eq ftp
access-list dmz_access_in permit icmp dmz_diemen 255.255.0.0 inside_diemen 255.255.0.0
access-list inside_access_in permit ip host aragorn any
access-list inside_access_in permit ip host metropolis dmz_diemen 255.255.0.0
access-list inside_access_in permit ip host frankenstein dmz_diemen 255.255.0.0
pager lines 24
logging on
logging trap warnings
logging host inside frankenstein format emblem
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 194.151.67.11 255.255.255.248
ip address inside 172.17.0.252 255.255.240.0
ip address dmz 10.17.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location frankenstein 255.255.255.255 inside
pdm location fraser 255.255.255.255 dmz
pdm location hudson 255.255.255.255 dmz
pdm location sales 255.255.255.255 dmz
pdm location rutherford 255.255.255.255 outside
pdm location heisenberg2 255.255.255.255 outside
pdm location magelhaen 255.255.255.255 inside
pdm location outside_diemen 255.255.255.0 outside
pdm location webmail 255.255.255.255 dmz
pdm location 172.16.0.0 255.240.0.0 inside
pdm location inside_diemen 255.255.0.0 inside
pdm location metropolis 255.255.255.255 inside
pdm location testmail 255.255.255.255 dmz
pdm location mail 255.255.255.255 dmz
pdm location mstdmxb1 255.255.255.255 inside
pdm location mstdmxb2 255.255.255.255 inside
pdm location mstdmxf1 255.255.255.255 dmz
pdm location mstdmxf2 255.255.255.255 dmz
pdm location mstdmdc1s 255.255.255.255 inside
pdm location mstdmdc2s 255.255.255.255 inside
pdm location aragorn 255.255.255.255 inside
pdm location 194.151.67.16 255.255.255.240 outside
pdm group webservers dmz
pdm group proxyservers outside
pdm group mailfrontends dmz
pdm group mailbackends inside
pdm group dcservers inside
pdm group webservers_ref_1 outside reference webservers
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 aragorn 255.255.255.255 0 0
static (dmz,outside) 194.151.67.17 fraser netmask 255.255.255.255 0 0
static (dmz,outside) 194.151.67.18 hudson netmask 255.255.255.255 0 0
static (dmz,outside) 194.151.67.19 sales netmask 255.255.255.255 0 0
static (inside,dmz) frankenstein frankenstein netmask 255.255.255.255 0 0
static (inside,dmz) magelhaen magelhaen netmask 255.255.255.255 0 0
static (dmz,outside) 194.151.67.20 webmail netmask 255.255.255.255 0 0
static (inside,dmz) metropolis metropolis netmask 255.255.255.255 0 0
static (dmz,outside) 194.151.67.21 testmail netmask 255.255.255.255 0 0
static (dmz,outside) 194.151.67.5 mail netmask 255.255.255.255 0 0
static (inside,dmz) mstdmxb1 mstdmxb1 netmask 255.255.255.255 0 0
static (inside,dmz) mstdmxb2 mstdmxb2 netmask 255.255.255.255 0 0
static (inside,dmz) mstdmdc1s mstdmdc1s netmask 255.255.255.255 0 0
static (inside,dmz) mstdmdc2s mstdmdc2s netmask 255.255.255.255 0 0
static (inside,dmz) aragorn aragorn netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 194.151.67.9 1
route inside 172.16.0.0 255.240.0.0 172.17.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server frankenstein source inside prefer
http server enable
http inside_diemen 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection timewait
service resetinbound
telnet timeout 5
ssh inside_diemen 255.255.0.0 inside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:********
: end

 
Walter Roberson
10-30-2003
In article <(E-Mail Removed)>,
Guido Bakker <(E-Mail Removed)> wrote:
:A PIX running with inside, dmz & outside. The dmz has a few servers
:in it which will grow. Now i'm trying to nat a single machine from the
:inside to the outside. Internet works fine, but not when i try to reach
:a server in the dmz via the outside address.


:PIX Version 6.3(3)
:ip address outside 194.151.67.11 255.255.255.248
:ip address inside 172.17.0.252 255.255.240.0
:ip address dmz 10.17.0.1 255.255.0.0
:global (outside) 1 interface
:nat (inside) 1 aragorn 255.255.255.255 0 0
:static (dmz,outside) 194.151.67.17 fraser netmask 255.255.255.255 0 0
:static (dmz,outside) 194.151.67.18 hudson netmask 255.255.255.255 0 0
:static (dmz,outside) 194.151.67.19 sales netmask 255.255.255.255 0 0

194.151.67.17, 194.151.67.18, 194.151.67.19 are not in the same
subnet range as the outside address, which has a mask of 255.255.255.248.
This situation is okay provided that you are *routing* those
addresses to the PIX outside address.


Which dmz address are you trying to reach from where?
What you wrote was ambiguous: are you trying to reach (say) 'sales'
from the outside using its 194.151.67.19 address, or are you
trying to reach (say) 'sales' from the inside using its 194.151.67.19
address?

If you are trying to reach it from the inside using its
outside address, then you will have trouble doing so, but the
'alias' command might help in that case.

If you are trying to reach it from the outside, then I do not
immediately see a problem with the configuration, but I will
go back and re-check a detail that's now off of my screen.
--
Rome was built one paycheck at a time. -- Walter Roberson
 
Walter Roberson
10-30-2003
In article <(E-Mail Removed)>,
Guido Bakker <(E-Mail Removed)> wrote:
:PIX Version 6.3(3)

:name 10.17.0.0 dmz_diemen
:name 172.17.0.0 inside_diemen
:name 194.151.67.0 outside_diemen

:access-list dmz_access_in permit ip dmz_diemen 255.255.0.0 outside_diemen 255.255.255.0
:access-list dmz_access_in permit tcp object-group webservers host magelhaen eq sqlnet
:access-list dmz_access_in permit tcp dmz_diemen 255.255.0.0 host frankenstein eq ftp
:access-list dmz_access_in permit icmp dmz_diemen 255.255.0.0 inside_diemen 255.255.0.0

:global (outside) 1 interface
:nat (inside) 1 aragorn 255.255.255.255 0 0
:static (dmz,outside) 194.151.67.17 fraser netmask 255.255.255.255 0 0
:static (dmz,outside) 194.151.67.18 hudson netmask 255.255.255.255 0 0
:static (dmz,outside) 194.151.67.19 sales netmask 255.255.255.255 0 0

:static (dmz,outside) 194.151.67.20 webmail netmask 255.255.255.255 0 0

:static (dmz,outside) 194.151.67.21 testmail netmask 255.255.255.255 0 0
:static (dmz,outside) 194.151.67.5 mail netmask 255.255.255.255 0 0

:access-group dmz_access_in in interface dmz

I notice that you have no explicit UDP access for dmz_access_in.
Are your DNS servers in the outside_diemen ?

I also notice that you permit all of dmz_diemen/16 to go out to
outside_diemen, but that you have only static'd those 6 hosts.
If there are any other hosts in dmz_diemen/16 then you need to
add a 'nat' statement, such as

nat (dmz) 1 dmz_diemen 255.255.0.0

If there are no other hosts in the dmz, then I would suggest that
it would be a little better to code

access-list dmz_access_in permit ip object-group webservers outside_diemen 255.255.255.0

instead of the current line permitting all of dmz_diemen to go out.
[But this won't solve your problem: it is just something I noticed.]
--
Everyone has a "Good Cause" for which they are prepared to Spam.
-- Roberson's Law of the Internet
 
Guido Bakker
10-30-2003
On Thu, 30 Oct 2003 16:26:58 +0000, Walter Roberson wrote:

> In article <(E-Mail Removed)>,
> Guido Bakker <(E-Mail Removed)> wrote:
> :A PIX running with inside, dmz & outside. The dmz has a few servers
> :in it which will grow. Now i'm trying to nat a single machine from the
> :inside to the outside. Internet works fine, but not when i try to reach
> :a server in the dmz via the outside address.
>
>
> :PIX Version 6.3(3)
> :ip address outside 194.151.67.11 255.255.255.248
> :ip address inside 172.17.0.252 255.255.240.0
> :ip address dmz 10.17.0.1 255.255.0.0
> :global (outside) 1 interface
> :nat (inside) 1 aragorn 255.255.255.255 0 0
> :static (dmz,outside) 194.151.67.17 fraser netmask 255.255.255.255 0 0
> :static (dmz,outside) 194.151.67.18 hudson netmask 255.255.255.255 0 0
> :static (dmz,outside) 194.151.67.19 sales netmask 255.255.255.255 0 0
>
> 194.151.67.17, 194.151.67.18, 194.151.67.19 are not in the same
> subnet range as the outside address, which has a mask of 255.255.255.248.
> This situation is okay provided that you are *routing* those
> addresses to the PIX outside address.


I added the following on our atm router:

ip route 194.151.67.16 255.255.255.240 FastEthernet0/0

The FastEthernet0/0 is connected to the same switch as the pix.

> Which dmz address are you trying to reach from where? What you wrote was
> ambiguous: are you trying to reach (say) 'sales' from the outside using
> its 194.151.67.19 address, or are you trying to reach (say) 'sales' from
> the inside using its 194.151.67.19 address?


I'm trying to reach "sales" from the inside, everything from the internet
works fine. One exception on that though, there seems to be a slow down on
loading of images sometimes.

So, i'm at aragorn, pointing my default route to 172.17.0.252 and trying
to reach sales (194.151.67.19).

> If you are trying to reach it from the inside using its outside address,
> then you will have trouble doing so, but the 'alias' command might help
> in that case.


What's the reason for this? And are there other possibilities than alias?

> If you are trying to reach it from the outside, then I do not
> immediately see a problem with the configuration, but I will go back and
> re-check a detail that's now off of my screen.


Reaching from the outside works fine except for that slow down sometimes.
But a double-check on the configuration would be great, i'm only just
starting to learn the PIX.

Regards and thanks for your help so far,
Guido Bakker
 
Guido Bakker
10-30-2003
On Thu, 30 Oct 2003 16:40:01 +0000, Walter Roberson wrote:

> In article <(E-Mail Removed)>,
> Guido Bakker <(E-Mail Removed)> wrote:
> :PIX Version 6.3(3)
>
> :name 10.17.0.0 dmz_diemen
> :name 172.17.0.0 inside_diemen
> :name 194.151.67.0 outside_diemen
>
> :access-list dmz_access_in permit ip dmz_diemen 255.255.0.0 outside_diemen 255.255.255.0
> :access-list dmz_access_in permit tcp object-group webservers host magelhaen eq sqlnet
> :access-list dmz_access_in permit tcp dmz_diemen 255.255.0.0 host frankenstein eq ftp
> :access-list dmz_access_in permit icmp dmz_diemen 255.255.0.0 inside_diemen 255.255.0.0
>
> :global (outside) 1 interface
> :nat (inside) 1 aragorn 255.255.255.255 0 0
> :static (dmz,outside) 194.151.67.17 fraser netmask 255.255.255.255 0 0
> :static (dmz,outside) 194.151.67.18 hudson netmask 255.255.255.255 0 0
> :static (dmz,outside) 194.151.67.19 sales netmask 255.255.255.255 0 0
>
> :static (dmz,outside) 194.151.67.20 webmail netmask 255.255.255.255 0 0
>
> :static (dmz,outside) 194.151.67.21 testmail netmask 255.255.255.255 0 0
> :static (dmz,outside) 194.151.67.5 mail netmask 255.255.255.255 0 0
>
> :access-group dmz_access_in in interface dmz
>
> I notice that you have no explicit UDP access for dmz_access_in.
> Are your DNS servers in the outside_diemen ?


Yes, at the moment they are. I'm building a newer dmz and slowly moving
everything into new subnets.

> I also notice that you permit all of dmz_diemen/16 to go out to
> outside_diemen, but that you have only static'd those 6 hosts. If there
> are any other hosts in dmz_diemen/16 then you need to add a 'nat'
> statement, such as
> nat (dmz) 1 dmz_diemen 255.255.0.0


There will be more in the dmz_diemen, such as frontends for the mail
cluster, cvs server, smtps, dns and customer projects. All depending on
the PIX performance. I'm planning to static every host atm.

> If there are no other hosts in the dmz, then I would suggest that it
> would be a little better to code
>
> access-list dmz_access_in permit ip object-group webservers
> outside_diemen 255.255.255.0


> instead of the current line permitting all of dmz_diemen to go out. [But
> this won't solve your problem: it is just something I noticed.]


Every pointer is greatly appreciated.

Regards,
Guido Bakker
 
Walter Roberson
10-30-2003
In article <(E-Mail Removed)>,
Guido Bakker <(E-Mail Removed)> wrote:
:I'm trying to reach "sales" from the inside, everything from the internet
:works fine. One exception on that though, there seems to be a slow down on
:loading of images sometimes.

:So, i'm at aragorn, pointing my default route to 172.17.0.252 and trying
:to reach sales (194.151.67.19).

:> If you are trying to reach it from the inside using its outside address,
:> then you will have trouble doing so, but the 'alias' command might help
:> in that case.

:What's the reason for this? And are there other possibilities than alias?

You have defined the correspondence between 'sales' (10.17.2.3)
and 194.151.67.19 by means of a static (dmz,outside) command.
That correspondence is only in effect when packets arrive at
the outside interface. By the time the packet gets "inside" the PIX,
it has been re-written to use the inside IP address 10.17.2.3.

When you try to send from the inside to 194.151.67.19, the
packet will reach the inside interface, and then the PIX is going to
look for a route to the destination. There is no specific route for
194.151.67.16/28 as you have not created one and none of the
interfaces is numbered in that range. The route that is going to
apply is thus the default route, 0.0.0.0 0.0.0.0, which is going
to send the packet out the outside interface. As it goes out,
NAT is going to leave the -destination- address the same, but is
going to re-write the source address according to your nat/global
pair. The packet is then going to reach your router, which is going
to send it back to the PIX unchanged (a 'redirect'), but the PIX is
going to recognize that it sent the packet out itself and is
going to drop the packet.

If what you need to do is send from 'aragorn' to 'sales'
*by IP address*, then you are going to need to use the
'alias' command or else you are going to need to use horrible hacks
[such as a loopback interface on the router that nat's the packet
before sending it back to the PIX.]

If what you need to do is send from 'aragorn' to 'sales'
*by hostname*, then there are some DNS manipulations you can use.
The 'alias' command can be used for some of those DNS manipulations.
See also the new 'dns' parameter to the 'static' command; it is not
very well documented in the Command Reference, though.
--
Perposterous!! Where would all the calculators go?!
 
Walter Roberson
10-30-2003
In article <(E-Mail Removed)>,
Guido Bakker <(E-Mail Removed)> wrote:
:On Thu, 30 Oct 2003 16:40:01 +0000, Walter Roberson wrote:
:> If there are no other hosts in the dmz, then I would suggest that it
:> would be a little better to code

:Every pointer is greatly appreciated.

As a general principle, it is better to structure your PIX configuration
to use layers of security. For example, instead of allowing
everything inside to be nat'd via a nat (inside) 1 0 0 statement,
only nat the hosts that actually exist and are allowed to go
out: that way, if someone adds a system on to the network without
telling you, or if a virus gets in and starts forging IP addresses,
then those addresses will not get out no matter what the access list
say.

The next layer of security would be to set your access-lists to only
permit traffic from hosts that exist and are allowed out -- or at least
to specifically deny traffic to hosts that are not known to be
allowed out. This way, if your 'nat' is accidentally more general
than is needed, the hosts will be stopped by the access-list.

These are principles; in practice, if you have a lot of hosts, then
keeping the configuration up-to-date naming all those hosts is
going to be error-prone, and the resulting configuration may be
too big to be easily understood. object-groups help a lot in
making the configuration understandable, I find.
--
And the wind keeps blowing the angel / Backwards into the future /
And this wind, this wind / Is called / Progress.
-- Laurie Anderson
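An added Python checker (not PIX tooling and not from the thread) for the gap the two posts above describe: it parses a constructed subset of the posted config, works out which sources each inbound ACL permits, and reports any source that no static or nat on that interface translates. The config text, the function names and the "one translation must contain the whole source" rule are this example's own assumptions.

```python
"""Constructed checker for the gap Walter points out: an ACL permits a whole
source range on an interface, but only a few hosts there have a static or nat.
Added example, not PIX tooling; it parses only the config lines it needs."""
import ipaddress

# Constructed subset of the posted config (addresses and names as in the thread).
CONFIG = """\
name 10.17.2.3 sales
name 10.17.2.1 fraser
name 10.17.0.0 dmz_diemen
name 194.151.67.0 outside_diemen
name 172.17.2.21 magelhaen
object-group network webservers
network-object fraser 255.255.255.255
network-object sales 255.255.255.255
access-list dmz_access_in permit ip dmz_diemen 255.255.0.0 outside_diemen 255.255.255.0
access-list dmz_access_in permit tcp object-group webservers host magelhaen eq sqlnet
static (dmz,outside) 194.151.67.17 fraser netmask 255.255.255.255 0 0
static (dmz,outside) 194.151.67.19 sales netmask 255.255.255.255 0 0
access-group dmz_access_in in interface dmz
"""

def net(addr, mask, names):
    """Resolve a 'name' alias and build a network from dotted address + mask."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

def parse_src(t, names, groups):
    """Source field of an ACE: 'any', 'host X', 'object-group G' or 'ADDR MASK'."""
    if t[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if t[0] == "host":
        return [net(t[1], "255.255.255.255", names)]
    if t[0] == "object-group":
        return groups[t[1]]
    return [net(t[0], t[1], names)]

def parse(config):
    """Return (acl -> list of source lists, [(iface, translated net)], iface -> acl)."""
    names, groups, acls, xlates, bindings, group = {}, {}, {}, [], {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":                      # name ADDR ALIAS
            names[t[2]] = t[1]
        elif t[:2] == ["object-group", "network"]:
            group = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            group.append(net(t[1], t[2], names))
        elif t[0] == "access-list":             # access-list NAME permit PROTO SRC ...
            acls.setdefault(t[1], []).append(parse_src(t[4:], names, groups))
        elif t[0] == "static":                  # static (REAL_IF,MAPPED_IF) MAPPED REAL netmask M
            xlates.append((t[1].strip("()").split(",")[0], net(t[3], t[5], names)))
        elif t[0] == "nat":                     # nat (IF) ID ADDR MASK
            xlates.append((t[1].strip("()"), net(t[3], t[4], names)))
        elif t[0] == "access-group":            # access-group NAME in interface IF
            bindings[t[4]] = t[1]
    return acls, xlates, bindings

def untranslated_sources(config):
    """(acl, source) pairs whose source is not wholly inside one static/nat on the
    ACL's interface.  Unions are not computed, so a range covered only by several
    smaller translations is reported too (the conservative answer)."""
    acls, xlates, bindings = parse(config)
    findings = []
    for iface, acl in bindings.items():
        covers = [n for i, n in xlates if i == iface]
        for sources in acls.get(acl, []):
            for src in sources:
                if not any(src.subnet_of(c) for c in covers):
                    findings.append((acl, str(src)))
    return findings

if __name__ == "__main__":
    for acl, src in untranslated_sources(CONFIG):
        print(f"{acl}: permits {src}, but no static/nat on its interface covers it")
    print("with nat (dmz) added:",
          untranslated_sources(CONFIG + "nat (dmz) 1 dmz_diemen 255.255.0.0\n"))
```

Either of Walter's two remedies clears the finding: adding the nat (dmz) line, or narrowing the first ACE to object-group webservers.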
 
Guido Bakker
10-31-2003
(E-Mail Removed)-cnrc.gc.ca (Walter Roberson) wrote in message news:<bnrhsc$6ni$(E-Mail Removed)>...
> In article <(E-Mail Removed)>,
> Guido Bakker <(E-Mail Removed)> wrote:
> :I'm trying to reach "sales" from the inside, everything from the internet
> :works fine. One exception on that though, there seems to be a slow down on
> :loading of images sometimes.
>
> :So, i'm at aragorn, pointing my default route to 172.17.0.252 and trying
> :to reach sales (194.151.67.19).
>
> :> If you are trying to reach it from the inside using its outside address,
> :> then you will have trouble doing so, but the 'alias' command might help
> :> in that case.
>
> :What's the reason for this? And are there other possibilities than alias?
>
> If what you need to do is send from 'aragorn' to 'sales'
> *by IP address*, then you are going to need to use the
> 'alias' command or else you are going to need to use horrible hacks
> [such as a loopback interface on the router that nat's the packet
> before sending it back to the PIX.]
>
> If what you need to do is send from 'aragorn' to 'sales'
> *by hostname*, then there are some DNS manipulations you can use.
> The 'alias' command can be used for some of those DNS manipulations.
> See also the new 'dns' parameter to the 'static' command; it is not
> very well documented in the Command Reference, though.


I was very happy the following worked:

alias (inside) 194.151.67.19 sales 255.255.255.255

But when i reloaded PDM it complained alias is deprecated and that i
need to use bi-directional or outside nat. And that this can replace
alias. But i have struggled with this and could not convert the above
alias command. What's the way to do this? Or do i miss something else?

Regards,
Guido Bakker
 
Walter Roberson
10-31-2003
In article <(E-Mail Removed) >,
Guido Bakker <(E-Mail Removed)> wrote:
:I was very happy the following worked:

:alias (inside) 194.151.67.19 sales 255.255.255.255

:But when i reloaded PDM it complained alias is deprecated and that i
:need to use bi-directional or outside nat. And that this can replace
:alias. But i have struggled with this and could not convert the above
:alias command. What's the way to do this? Or do i miss something else?

Ah, yes, outside nat should work for that case. I believe
you would configure that this way:

global (inside) 2 194.151.67.19
nat (dmz) 2 sales 255.255.255.255 outside


However, I think that in the long term you might be happier with

static (dmz, inside) 194.151.67.19 sales netmask 255.255.255.255

Notice that I have reversed the order of the interfaces compared
to a regular 'static' command. Normally, static lists the higher
security interface and then the lower security one within the (),
but I have given the lower security interface first here. That
has been supported since 6.2 [but sometimes the documentation
of it has gotten broken; I had them fix it a couple of months ago.]
--
Cannot open .signature: Permission denied
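To make the packet path Walter describes concrete, here is an added Python model of it (constructed for this page, not Cisco code and not the poster's config verbatim): it runs aragorn -> 194.151.67.19 through the original statics and again with the static (dmz,inside) line, plus an Internet client hitting the same address. Interface networks and addresses are taken from the posted config; the client address 203.0.113.7, the Pix/trace names and the 'redirect' bookkeeping are assumptions of the model.

```python
"""Constructed model of the PIX 6.x packet path Walter describes above: why
aragorn -> 194.151.67.19 dies with only static (dmz,outside) and works once
static (dmz,inside) exists.  Added example, not PIX code.  A static is stored as
(real_if, mapped_if, mapped_ip, real_ip) for 'static (real_if,mapped_if) mapped real'."""
import ipaddress

ip = ipaddress.ip_address

# Interface networks from the posted config: name -> connected network.
INTERFACES = {
    "outside": ipaddress.ip_network("194.151.67.8/29"),   # 194.151.67.11/29
    "inside": ipaddress.ip_network("172.17.0.0/20"),      # 172.17.0.252/20
    "dmz": ipaddress.ip_network("10.17.0.0/16"),          # 10.17.0.1/16
}
OUTSIDE_IF_ADDR = ip("194.151.67.11")        # used by "global (outside) 1 interface"
STATIC_BLOCK = ipaddress.ip_network("194.151.67.16/28")  # router sends it back to the PIX

ORIGINAL_STATICS = [("dmz", "outside", "194.151.67.19", "10.17.2.3")]   # sales
FIXED_STATICS = ORIGINAL_STATICS + [("dmz", "inside", "194.151.67.19", "10.17.2.3")]

def route_lookup(dst):
    """Longest match over connected networks, else the default route (outside)."""
    best = None
    for name, net in INTERFACES.items():
        if dst in net and (best is None or net.prefixlen > INTERFACES[best].prefixlen):
            best = name
    return best or "outside"

class Pix:
    def __init__(self, statics):
        self.statics = statics
        self.sent_out = set()   # (src, dst) pairs this PIX itself emitted on outside

    def forward(self, ingress, src, dst):
        """One pass through the PIX; returns (action, egress, src, dst)."""
        src, dst = ip(src), ip(dst)
        # The router hands our own packet straight back ('redirect'); the PIX
        # recognises it and drops it rather than looping.
        if ingress == "outside" and (src, dst) in self.sent_out:
            return ("drop:redirect-of-own-packet", None, str(src), str(dst))
        # Destination NAT: a static is only consulted on the interface where its
        # mapped address is visible, i.e. for packets arriving on mapped_if.
        for real_if, mapped_if, mapped_ip, real_ip in self.statics:
            if mapped_if == ingress and ip(mapped_ip) == dst:
                return ("forward", real_if, str(src), real_ip)
        # No static matched: routing alone picks the egress interface.
        egress = route_lookup(dst)
        if egress == ingress:
            return ("drop:same-interface", egress, str(src), str(dst))
        if egress == "outside":
            # nat (inside) 1 aragorn / global (outside) 1 interface: PAT the source.
            src = OUTSIDE_IF_ADDR
            self.sent_out.add((src, dst))
        return ("forward", egress, str(src), str(dst))

def trace(pix, ingress, src, dst):
    """Follow one packet through the PIX and, if it leaves on outside, through the
    upstream router, which routes 194.151.67.16/28 back onto the PIX segment."""
    hops = [pix.forward(ingress, src, dst)]
    action, egress, src2, dst2 = hops[0]
    if action == "forward" and egress == "outside":
        if ip(dst2) in STATIC_BLOCK:
            hops.append(pix.forward("outside", src2, dst2))   # comes straight back
        else:
            hops.append(("internet", None, src2, dst2))       # really leaves
    return hops

if __name__ == "__main__":
    for label, statics in (("original", ORIGINAL_STATICS), ("with fix", FIXED_STATICS)):
        print(label, "aragorn -> 194.151.67.19:")
        for hop in trace(Pix(statics), "inside", "172.17.1.102", "194.151.67.19"):
            print("   ", hop)
    # 203.0.113.7 is a made-up Internet client; the (dmz,outside) static serves it.
    print("internet -> sales:", trace(Pix(ORIGINAL_STATICS), "outside", "203.0.113.7", "194.151.67.19"))
```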
 
Guido Bakker
10-31-2003
On Fri, 31 Oct 2003 11:34:40 +0000, Walter Roberson wrote:

> In article <(E-Mail Removed) >,
> Guido Bakker <(E-Mail Removed)> wrote:
> :I was very happy the following worked:
>
> :alias (inside) 194.151.67.19 sales 255.255.255.255
>
> :But when i reloaded PDM it complained alias is deprecated and that i
> :need to use bi-directional or outside nat. And that this can replace
> :alias. But i have struggled with this and could not convert the above
> :alias command. What's the way to do this? Or do i miss something else?
>
> Ah, yes, outside nat should work for that case. I believe
> you would configure that this way:
>
> global (inside) 2 194.151.67.19
> nat (dmz) 2 sales 255.255.255.255 outside
>
>
> However, I think that in the long term you might be happier with
>
> static (dmz, inside) 194.151.67.19 sales netmask 255.255.255.255
>
> Notice that I have reversed the order of the interfaces compared
> to a regular 'static' command. Normally, static lists the higher
> security interface and then the lower security one within the (),
> but I have given the lower security interface first here. That
> has been supported since 6.2 [but sometimes the documentation
> of it has gotten broken; I had them fix it a couple of months ago.]


Yes, the static works great. I tried the same, but from outside to dmz.
Thanks for your help again, i'm most grateful. Are there any limitations
on this implementation?

Regards,
Guido Bakker
 