Velocity Reviews - Computer Hardware Reviews

static route question

John Doe
09-07-2004
Hi,
What's the correct way to do this?

OUTSIDE: Security 0
DMZ: Security 10
INSIDE: Security 100

I have a machine on INSIDE that I want to be able to talk to and from
the DMZ freely (it's a domain controller). Normally I would do a
static map, but my understanding is you are not supposed to do static
maps going from higher (inside) to lower (dmz) interfaces... so what's
the correct way to do this, as I really don't want to PAT/NAT it.

I also already have (inside) being natted to go (outside):

global (outside) 1 63.174.xxx.xx netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0

With this configuration I can get from the DMZ to the INSIDE, but not
the other way around. What do I need to do to get the static map to
work that way?
Walter Roberson
09-07-2004
In article <(E-Mail Removed)>,
John Doe <(E-Mail Removed)> wrote:
:What's the correct way to do this?

:OUTSIDE: Security 0
:DMZ: Security 10
:INSIDE: Security 100

:I have a machine on INSIDE that I want to be able to talk to and from
:the DMZ freely (it's a domain controller).

The "correct way" to do that is to have the domain controller in the
DMZ. Otherwise your implication is that you trust a Microsoft
Domain Controller as much as you trust all of your internal machines.
That's not an arrangement that I would consider... wise.


:Normally I would do a
:static map, but my understanding is you are not supposed to do static
:maps going from higher (inside) to lower (dmz) interfaces..

You can if you want, but it's an esoteric feature that you probably
didn't mean to be asking about.

You have a situation suitable for a normal static: you have machines
on a lower security level wanting to access machines on a higher security
level, just as is the case for almost every installation.


:I also already have (inside) being natted to go (outside):

:global (outside) 1 63.174.xxx.xx netmask 255.255.255.0
:nat (inside) 1 0.0.0.0 0.0.0.0 0 0
:nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
:static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0

:With this configuration I can get from the DMZ to the INSIDE, but not
:the other way around. What do I need to do to get the static map to
:work that way?


It isn't clear from what you have said as to whether 172.16.1/24
is the DMZ IP address range or the inside IP address range.
If you use the inside IP address range in that static (inside, dmz)
statement, then hosts on the dmz would be able to refer to internal
hosts [all of them!] by their internal IPs, and would be granted access
to those hosts based upon the access-group applied to the dmz interface.

There is another form that you can use for your purposes instead of static:

access-list inside2dmz permit ip INSIDENET INSIDEMASK DMZNET DMZMASK
nat (inside) 0 access-list inside2dmz

Notice that this access-list should be written from the perspective
of the higher security interface.

You can refine this access list if appropriate:

access-list inside2dmz permit ip host PDCIP DMZNET DMZMASK
nat (inside) 0 access-list inside2dmz

would only turn off address translation between the PDC and the DMZ,
while continuing to use whatever other address translation had been
established for the rest of the inside hosts. In the case of the
configuration excerpt you show, that would mean no communication
between those other hosts and the DMZ -- not unless you add additional
statics, or add more to the inside2dmz access-list, or you add a
global (dmz) statement.
--
Ceci, ce n'est pas une idée.
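As an added example (not part of the thread), a small Python audit that reads PIX 6.x-style `nameif`, `static`, `access-list` and `nat ... 0 access-list` lines and reports how many higher-security addresses each untranslated mapping makes reachable from a lower-security interface. It shows the difference the reply draws between the /24 identity static (every inside host addressable from the DMZ) and the host-specific `nat 0` form; the config excerpt and the DMZ range 192.168.50.0/24 are constructed sample values.

```python
import ipaddress
import re

# Constructed PIX 6.x-style excerpt (sample input, not a real device): the /24
# static from the thread beside the narrower nat 0 form suggested in the reply.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
access-list inside2dmz permit ip host 172.16.1.10 192.168.50.0 255.255.255.0
nat (inside) 0 access-list inside2dmz
"""

NAMEIF_RE = re.compile(r"^nameif \S+ (\w+) security(\d+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
NAT0_RE = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)")

def _net(spec):
    """'host A.B.C.D' or 'A.B.C.D M.M.M.M' -> ip_network."""
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1])
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)

def audit_exposures(config):
    """Return (rule, exposed_network, address_count) for every untranslated
    mapping that lets a lower-security interface reach higher-security hosts."""
    levels, acls, findings = {}, {}, []
    lines = config.splitlines()
    for line in lines:
        if m := NAMEIF_RE.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := ACL_RE.match(line):
            # ACL source = hosts on the higher-security side exempt from NAT.
            acls.setdefault(m.group(1), []).append(_net(m.group(2)))
    for line in lines:
        if m := STATIC_RE.match(line):
            real_ifc, mapped_ifc, mapped, real, mask = m.groups()
            # Identity static from a higher to a lower security interface:
            # the whole real network becomes addressable from mapped_ifc.
            if mapped == real and levels[real_ifc] > levels[mapped_ifc]:
                net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
                findings.append(("static", str(net), net.num_addresses))
        elif m := NAT0_RE.match(line):
            # nat 0 + ACL: only the ACL's source hosts are exempt from NAT.
            for src in acls.get(m.group(2), []):
                findings.append(("nat0", str(src), src.num_addresses))
    return findings
```

Run against the sample, the static reports 256 exposed inside addresses while the `nat 0` entry reports a single host; the interface access-group still decides what traffic is actually permitted.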