Cisco PIX DMZ to DMZ Access

Discussion in 'Cisco' started by Network-Guy, Sep 23, 2005.

  1. Network-Guy

    Network-Guy Guest

    I'm trying to setup my PIX to allow access from a lower security level
    DMZ to a higher security level DMZ.

    I have created the ACL's, but so far have not had any luck.

    Do I need a route statement or a static mapping between the DMZ's in
    order to get this to work?
    Network-Guy, Sep 23, 2005
    #1
  2. In article <>,
    Network-Guy <> wrote:
    :I'm trying to setup my PIX to allow access from a lower security level
    :DMZ to a higher security level DMZ.

    :I have created the ACL's, but so far have not had any luck.

    :Do I need a route statement or a static mapping between the DMZ's in
    :order to get this to work?

    The usual rules for "lower security to higher security" apply:
    acl on the lower security interface plus a static mapping between
    the two interfaces. The static mapping can be a "static" statement
    or it can be a nat (HIGHERSECURITYDMZ) 0 access-list ACLNAME
    (in which case proxy arp will be disabled.)
    --
    University of Calgary researcher Christopher Auld has found that
    milk is the most "rational addiction" amongst the several studied.
    Walter Roberson, Sep 23, 2005
    #2
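    The two pieces Walter describes, written out as a PIX 6.3 configuration fragment. This is an added illustration, not configuration from the thread; interface names (dmzlow, dmzhigh), security levels, addresses and the server host are all assumed. The ACL alone does nothing for lower-to-higher traffic: without a translation rule (static or nat 0) the PIX has no xlate to build and drops the packets, which matches the original poster's symptom.

```cisco
! Interface names and security levels (assumed for this example):
! dmzlow is the lower-security DMZ, dmzhigh the higher-security DMZ.
nameif ethernet2 dmzlow security40
nameif ethernet3 dmzhigh security60
ip address dmzlow 172.16.1.1 255.255.255.0
ip address dmzhigh 172.16.2.1 255.255.255.0

! Step 1: a translation rule so dmzhigh addresses are reachable from dmzlow.
! Option A: identity static (each address maps to itself; the PIX still
! proxy-ARPs for 172.16.2.0/24 on the dmzlow side).
static (dmzhigh,dmzlow) 172.16.2.0 172.16.2.0 netmask 255.255.255.0

! Option B (use instead of A, not together): NAT exemption via nat 0,
! which also disables proxy ARP for the addresses matched by the ACL.
! access-list NONAT_DMZHIGH permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
! nat (dmzhigh) 0 access-list NONAT_DMZHIGH

! Step 2: an ACL on the lower-security interface that permits only the
! flow actually needed (here HTTPS to one assumed server), explicit deny
! after it so denied attempts are obvious when reading the config.
access-list DMZLOW_IN permit tcp 172.16.1.0 255.255.255.0 host 172.16.2.10 eq 443
access-list DMZLOW_IN deny ip any any

! Step 3: apply the ACL inbound on the lower-security interface.
access-group DMZLOW_IN in interface dmzlow
```

    Check the result with `show xlate` after a test connection from dmzlow: an identity entry for the dmzhigh server should appear. If it does not, the translation rule (Step 1) is missing or does not cover the server, and no ACL change on dmzlow will help.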
  3. "Walter Roberson" <-cnrc.gc.ca> wrote in message
    > nat (HIGHERSECURITYDMZ) 0 access-list ACLNAME
    > (in which case proxy arp will be disabled.)


    how come NAT exemption disables proxy arp?
    Martin Bilgrav, Sep 23, 2005
    #3
  4. In article <XA_Ye.68745$>,
    Martin Bilgrav <> wrote:

    :"Walter Roberson" <-cnrc.gc.ca> wrote in message
    : nat (HIGHERSECURITYDMZ) 0 access-list ACLNAME
    :> (in which case proxy arp will be disabled.)

    :how come NAT exemption disables proxy arp?

    It is defined that way.

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1032129

    The nat 0 access-list command disables NAT, specifically proxy ARPing,
    for the IP addresses specified by the ACL referenced by acl_id.
    --
    Watch for our new, improved .signatures -- Wittier! Profounder! and
    with less than 2 grams of Trite!
    Walter Roberson, Sep 23, 2005
    #4
  5. Martin Bilgrav, Sep 23, 2005
    #5
  6. Darren Green

    Darren Green Guest


    > :"Walter Roberson" <-cnrc.gc.ca> wrote in message
    > : nat (HIGHERSECURITYDMZ) 0 access-list ACLNAME
    > :> (in which case proxy arp will be disabled.)
    >
    > :how come NAT exemption disables proxy arp?
    >
    > It is defined that way.
    >
    > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1032129
    >
    > The nat 0 access-list command disables NAT, specifically proxy ARPing,
    > for the IP addresses specified by the ACL referenced by acl_id.
    > --
    > Watch for our new, improved .signatures -- Wittier! Profounder! and
    > with less than 2 grams of Trite!


    Out of interest, I saw a config recently where the PIX Inside + DMZ
    statements read something like:

    static (inside, DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

    Objective being that clients on the internal LAN received the same IP
    address when accessing the DMZ. The inbound access-group statement was on
    the DMZ interface but the LAN clients couldn't reach their DMZ server (can't
    remember the IP address). I wondered if this had anything to do with the
    Proxy Arp comment that you made, Walter.

    Everything else looked ok.

    Darren
    Darren Green, Sep 24, 2005
    #6
  7. "Darren Green" <> wrote in message
    >
    > static (inside, DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
    >
    > Objective being that clients on the internal LAN received the same IP
    > address when accessing the DMZ.


    The above means: do not use NAT when going inside-to-DMZ.

    > The inbound access-group statement was on
    > the DMZ interface but the LAN clients couldn't reach their DMZ server (can't
    > remember the IP address). I wondered if this had anything to do with the
    > Proxy Arp comment that you made Walter.


    Nope, as this is for nat commands in conjunction with 0 and an ACL.


    >
    > Everything else looked ok.
    >
    > Darren
    >
    >
    Martin Bilgrav, Sep 25, 2005
    #7
  8. In article <XTBZe.68890$>,
    Martin Bilgrav <> wrote:

    >"Darren Green" <> wrote in message


    >> static (inside, DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0


    >> Objective being that clients on the internal LAN received the same IP
    >> address when accessing the DMZ.


    >The above means: do not use NAT when going inside-to-DMZ.


    Cisco phrases it as if NAT were still active in this case, but
    with each IP and port being mapped to itself. And for the nat 0 access-list
    case they phrase it as NAT being disabled. Cisco's phrasing
    could, I think, use some improvements in this matter.
    --
    Many food scientists have reported chocolate to be the single most
    craved food. -- Northwestern University, 2001
    Walter Roberson, Sep 25, 2005
    #8