ASA 5505 NAT/PAT static Question

Colin Cant
02-07-2009
Hi NG,

I got the following problem to solve:

I got one single public IP address whereby I PAT all my internal
192.168.X.Y networks.
I got one DMZ interface using 192.168.2.X.
I got internal hosts, as an example, 192.168.3.X.

Now with the following config, my hosts from the internal network as well as
the DMZ hosts can get out to 0.0.0.0 without a problem.

My current problem is that I cannot connect from my internal 192.168.3.X
network via my outside PAT address to services which are hosted in the DMZ
(192.168.2.X).
What is the correct "static" config for connecting from inside via the PAT
address into my DMZ?

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.2.0 255.255.255.0
static (dmz,outside) tcp interface www 192.168.2.XX www netmask 255.255.255.255 <-- DMZ Host

Thank you

colin
Colin Cant
02-07-2009
UPDATES:

With the following config applied:

static (dmz,inside) PUBLIC_IP PUBLIC_IP netmask 255.255.255.255

I get the following log messages:
#"portmap translation creation failed for tcp src inside:192.168.3.XY/xxx
dst dmz:PUBLIC_IP/80"
The funny thing is that within the log file I see the source IP of the
PUBLIC_IP, but no destination....
Now without the "static" config the log entry looks like this:
#"TCP access denied by ACL from 192.168.3.X/xxx to inside PUBLIC_IP/80"
and the same, an empty destination field... Even when I put the following
ACLs in place, I get that previous TCP denied message; I actually expected
to see from which ACL name the packet got denied/accepted..


access-list outside_access_in extended permit tcp any any range 1 65535 log
access-list outside_access_in extended permit udp any any range 1 65535 log
access-list outside_access_in extended permit ip any any log
access-list outside_access_in extended permit icmp any any log

access-list outside_access_out extended permit tcp any any range 1 65535 log
access-list outside_access_out extended permit udp any any range 1 65535 log
access-list outside_access_out extended permit ip any any log
access-list outside_access_out extended permit icmp any any log

access-list dmz_access_in extended permit tcp any any range 1 65535 log
access-list dmz_access_in extended permit udp any any range 1 65535 log
access-list dmz_access_in extended permit ip any any log
access-list dmz_access_in extended permit icmp any any log

access-list dmz_access_out extended permit tcp any any range 1 65535 log
access-list dmz_access_out extended permit udp any any range 1 65535 log
access-list dmz_access_out extended permit ip any any log
access-list dmz_access_out extended permit icmp any any log

access-list inside_access_in extended permit tcp any any range 1 65535 log
access-list inside_access_in extended permit udp any any range 1 65535 log
access-list inside_access_in extended permit ip any any log
access-list inside_access_in extended permit icmp any any log

access-list inside_access_out extended permit tcp any any range 1 65535 log
access-list inside_access_out extended permit udp any any range 1 65535 log
access-list inside_access_out extended permit ip any any log
access-list inside_access_out extended permit icmp any any log

access-group outside_access_in in interface outside
access-group outside_access_out out interface outside

access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz

access-group inside_access_in in interface inside
access-group inside_access_out out interface inside

Morph
02-08-2009
In the message <498dcdfc$0$146$> Colin Cant wrote:

| Hi NG,
|
| I got the following problem to solve:
|
| I got one single public IP address whereby I PAT all my internal
| 192.168.X.Y networks.
| I got one DMZ interface using 192.168.2.X.
| I got internal hosts, as an example, 192.168.3.X.
|
| Now with the following config, my hosts from the internal network as well as
| the DMZ hosts can get out to 0.0.0.0 without a problem.
|
| My current problem is that I cannot connect from my internal 192.168.3.X
| network via my outside PAT address to services which are hosted in the DMZ
| (192.168.2.X).
| What is the correct "static" config for connecting from inside via the PAT
| address into my DMZ?
|
| global (outside) 1 interface
| nat (inside) 0 access-list inside_nat0_outbound
| nat (inside) 1 0.0.0.0 0.0.0.0
| nat (dmz) 1 192.168.2.0 255.255.255.0
| static (dmz,outside) tcp interface www 192.168.2.XX www netmask 255.255.255.255 <-- DMZ Host

Why don't you connect to the DMZ address instead of the public address?

If it is because you don't have an inside DNS server and the DNS name is
resolved to the public address, then you can sort this out using DNS
doctoring:
http://www.cisco.com/en/US/products/...807968c8.shtml
Colin Cant
02-08-2009
Good guess, it's indeed about DNS..
Thanks, I will have a look at it and try it.

> Why don't you connect to the DMZ address instead of the public address?
>
> If it is because you don't have an inside DNS server and the dns name is
> resolved to the public address then you can sort this out using dns
> doctoring:
> http://www.cisco.com/en/US/products/...807968c8.shtml

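Added example, not from any of the posts above: a pre-8.3 ASA configuration in the thread's own syntax that shows the destination translation Colin was reaching for with his "static (dmz,inside)" attempt, the source-translation gap behind the 305006 log message, and where Morph's DNS doctoring fits. PUBLIC_IP and 192.168.2.XX are the thread's placeholders; the contents of inside_nat0_outbound, DEDICATED_PUBLIC_IP and the DMZ access list entries are assumptions.

```cisco
! Added example (pre-8.3 ASA syntax). Not the original poster's config.
!
! 1) What the thread already has: outside users reach the DMZ web server on
!    the outside interface address (port-level static PAT).
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.2.0 255.255.255.0
static (dmz,outside) tcp interface www 192.168.2.XX www netmask 255.255.255.255
!
! 2) Inside clients that resolve the name to PUBLIC_IP need a destination
!    translation on the inside interface (assumption: this is the fix for the
!    thread's case). The real DMZ host goes in the "real" position; the attempted
!    "PUBLIC_IP PUBLIC_IP" maps the address onto itself and translates nothing.
!    The keyword "interface" cannot be used here: on a (dmz,inside) static it
!    would mean the inside interface address, so the outside address is spelled out.
static (dmz,inside) tcp PUBLIC_IP www 192.168.2.XX www netmask 255.255.255.255
!
! 3) The inside host's own source address also needs a translation or an
!    exemption towards the DMZ. "nat (inside) 1" matches everything, but the only
!    global for pool 1 is on outside, which is why the ASA logs 305006
!    "portmap translation creation failed" for inside -> dmz. Assumption: the
!    existing inside_nat0_outbound list is used to exempt inside -> DMZ traffic.
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! 4) The blanket "permit ip any any log" lists flood the log and, on the DMZ,
!    let a compromised DMZ host open connections to the inside. Constructed
!    example: give the DMZ only outbound DNS and HTTP, and log what it may not do.
!    Return traffic for inside -> DMZ sessions is stateful and not ACL-checked.
access-list dmz_access_in extended deny ip any 192.168.0.0 255.255.0.0 log
access-list dmz_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq domain
access-list dmz_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-group dmz_access_in in interface dmz
!
! 5) DNS doctoring (Morph's suggestion) is the alternative when a dedicated public
!    address is available: the "dns" keyword rewrites the A record in DNS replies
!    that pass through the ASA, so inside clients connect straight to 192.168.2.XX
!    and step 2 is not needed. It applies to a one-to-one static, not to the
!    port-level PAT on the interface address used in step 1.
! static (dmz,outside) DEDICATED_PUBLIC_IP 192.168.2.XX netmask 255.255.255.255 dns
```

After applying step 2, `show xlate` from an inside client session should show PUBLIC_IP:80 mapped to 192.168.2.XX:80 instead of the 305006 message.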