PIX configuration question

Discussion in 'Cisco' started by Eric DuMond, Oct 28, 2003.

  1. Eric DuMond

    Eric DuMond Guest

    I have a Pix 515 firewall running ver 6.3(2). I have a total of 4
    interfaces: outside, inside, dmz0, dmz1. I am using routable class C
    addresses on dmz0 and dmz1. My inside ip addresses are 172.16.x.x/24
    (non routable). My problem is that the inside network (security 100)
    cannot access the two dmz's (security 50 dmz1 and security 49 dmz2),
    but can access the outside world. My inside network is using PAT. The
    PIX can see all devices but my inside cannot. I think it is routing
    but what route?

    Thanks in advance,

    Eric
    Eric DuMond, Oct 28, 2003
    #1

  2. In article <>,
    Eric DuMond <> wrote:
    :I have a Pix 515 firewall running ver 6.3(2).

    Upgrading to 6.3(3) is definitely recommended. 6.3(2) cannot save
    "nat 0" commands from the running configuration to the stored
    configuration, so they are lost when you reboot.

    :I have a total of 4
    :interfaces: outside, inside, dmz0, dmz1. I am using routable class C
    :addresses on dmz0 and dmz1. My inside ip addresses are 172.16.x.x/24
    :(non routable). My problem is that the inside network (security 100)
    :cannot access the two dmz's (security 50 dmz1 and security 49 dmz2),
    :but can access the outside world. My inside network is using PAT. The
    :PIX can see all devices but my inside cannot. I think it is routing
    :but what route?

    Your inside network is using PAT? Do you have a global (dmz1)
    and a global (dmz2) statement to make your inside network
    PAT to -those- interfaces? You probably have global (outside)
    to make the inside interface PAT to the outside, but have perhaps
    neglected to make it PAT to the other interfaces.
    --
    Studies show that the average reader ignores 106% of all statistics
    they see in .signatures.
    Walter Roberson, Oct 28, 2003
    #2

  3. Eric DuMond

    Eric DuMond Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<bnm3cv$kqf$>...
    > In article <>,
    > Eric DuMond <> wrote:
    > :I have a Pix 515 firewall running ver 6.3(2).
    >
    > Upgrading to 6.3(3) is definitely recommended. 6.3(2) cannot save
    > "nat 0" commands from the running configuration to the stored
    > configuration, so they are lost when you reboot.
    >
    > :I have a total of 4
    > :interfaces: outside, inside, dmz0, dmz1. I am using routable class C
    > :addresses on dmz0 and dmz1. My inside ip addresses are 172.16.x.x/24
    > :(non routable). My problem is that the inside network (security 100)
    > :cannot access the two dmz's (security 50 dmz1 and security 49 dmz2),
    > :but can access the outside world. My inside network is using PAT. The
    > :PIX can see all devices but my inside cannot. I think it is routing
    > :but what route?
    >
    > Your inside network is using PAT? Do you have a global (dmz1)
    > and a global (dmz2) statement to make your inside network
    > PAT to -those- interfaces? You probably have global (outside)
    > to make the inside interface PAT to the outside, but have perhaps
    > neglected to make it PAT to the other interfaces.


    You are correct, I have one global statement and that is for the NAT
    PAT relationship. So are you then saying that I need to also add a
    global statement like so:
    "global (dmz1) 199.x.x.x netmask x.x.x.x"
    Do I also need a NAT id to tie it to?

    Thanks,

    Eric
    Eric DuMond, Oct 28, 2003
    #3
  4. In article <>,
    Eric DuMond <> wrote:
    :You are correct, I have one global statement and that is for the NAT
    :PAT relationship. So are you then saying that I need to also add a
    :global statement like so:
    :"global (dmz1) 199.x.x.x netmask x.x.x.x"
    :Do I also need a NAT id to tie it to?

    For each nat (inside) ID statement you have, you need
    a corresponding global (INTERFACE) ID statement in order to allow
    that particular inside nat ID to work with that INTERFACE.

    I notice that the form you suggest you might use is the single IP
    form of global, which is used for PAT. If you are going to use PAT
    anyhow, you might as well PAT to the interface address:

    global (dmz1) 1 interface

    Do NOT use the actual interface IP: use the word 'interface' for this
    case.
    --
    Positrons can be described as electrons traveling backwards in time.
    Certainly many Usenet arguments about the past become clearer when they
    are re-interpreted as uncertainty about the future.
    -- Walter Roberson
    Walter Roberson, Oct 28, 2003
    #4
  5. Eric DuMond

    Eric DuMond Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<bnmjs9$s36$>...
    > In article <>,
    > Eric DuMond <> wrote:
    > :You are correct, I have one global statement and that is for the NAT
    > :PAT relationship. So are you then saying that I need to also add a
    > :global statement like so:
    > :"global (dmz1) 199.x.x.x netmask x.x.x.x"
    > :Do I also need a NAT id to tie it to?
    >
    > For each nat (inside) ID statement you have, you need
    > a corresponding global (INTERFACE) ID statement in order to allow
    > that particular inside nat ID to work with that INTERFACE.
    >
    > I notice that the form you suggest you might use is the single IP
    > form of global, which is used for PAT. If you are going to use PAT
    > anyhow, you might as well PAT to the interface address:
    >
    > global (dmz1) 1 interface
    >
    > Do NOT use the actual interface IP: use the word 'interface' for this
    > case.



    First of all I would like to thank you for taking the time to help
    out; your assistance is greatly appreciated.

    Well I have only one NAT statement and that is the NAT (inside) 1
    0.0.0.0 0.0.0.0 and that one is tied to my global (outside) 1
    199.x.x.x 255.255.255.255 (PAT). So are you saying that I need
    additional global statements so that the inside network can see the
    other networks? For example global (dmz1) 1 inside and global (dmz2) 1
    inside.

    Thanks again,

    Eric
    Eric DuMond, Oct 29, 2003
    #5
  6. In article <>,
    Eric DuMond <> wrote:
    :Well I have only one NAT statement and that is the NAT (inside) 1
    :0.0.0.0 0.0.0.0 and that one is tied to my global (outside) 1
    :199.x.x.x 255.255.255.255 (PAT). So are you saying that I need
    :additional global statements so that the inside network can see the
    :other networks? For example global (dmz1) 1 inside and global (dmz2) 1
    :inside.

    Yes. For example,

    global (dmz1) 1 interface
    global (dmz2) 1 interface

    If you do not have these 'global' statements, then the only way
    to reach dmz1 or dmz2 would be to use 'static' statements or
    'nat 0' statements.
    --
    "Infinity is like a stuffed walrus I can hold in the palm of my hand.
    Don't do anything with infinity you wouldn't do with a stuffed walrus."
    -- Dr. Fletcher, Va. Polytechnic Inst. and St. Univ.
    Walter Roberson, Oct 29, 2003
    #6
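    As an added example (constructed here, not configuration from the thread), a PIX 6.3 fragment that puts Walter's answer together: the nat/global ID pairing, the single global that reproduces Eric's symptom, and the two DMZ globals that fix it. Interface names follow the replies (dmz1, dmz2); the ethernet slots, the 172.16.1.0/24 inside subnet and the documentation-range public addresses are assumptions standing in for the poster's 199.x.x.x space.

    ```cisco
    ! Constructed PIX 6.3 fragment; addresses and slots are assumed.
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz1 security50
    nameif ethernet3 dmz2 security49
    ip address outside 203.0.113.2 255.255.255.0
    ip address inside 172.16.1.1 255.255.255.0
    ip address dmz1 198.51.100.1 255.255.255.0
    ip address dmz2 192.0.2.1 255.255.255.0
    !
    ! One nat ID covers every inside host ...
    nat (inside) 1 0.0.0.0 0.0.0.0
    !
    ! ... but a nat ID only reaches an interface that carries a global
    ! with the SAME ID. With only the line below, inside->outside is
    ! translated (PAT) while inside->dmz1 and inside->dmz2 have no
    ! translation at all, which is exactly the symptom in post #1.
    global (outside) 1 203.0.113.2 netmask 255.255.255.255
    !
    ! Fix from posts #4 and #6: PAT inside hosts to each DMZ interface.
    ! Use the keyword 'interface', not the interface's literal IP.
    global (dmz1) 1 interface
    global (dmz2) 1 interface
    !
    ! Side effect worth knowing on the DMZ side: every inside host now
    ! appears to DMZ servers as 198.51.100.1 / 192.0.2.1, so DMZ host
    ! logs and ACLs cannot tell inside machines apart. If that matters,
    ! an identity static (the 'static' alternative Walter mentions)
    ! keeps the 172.16.1.x source addresses and takes precedence over
    ! nat/global for that pair of interfaces:
    !   static (inside,dmz1) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
    !   static (inside,dmz2) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
    !
    ! After changing nat/global/static, existing translations are stale:
    !   clear xlate
    ! then check the result with: show nat / show global / show xlate
    ```

    With the globals in place, `show xlate` should list inside hosts translated to the dmz1 or dmz2 interface address as they open connections into the DMZs; an empty xlate table for those flows means the IDs still do not match.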
  7. Eric DuMond

    Eric DuMond Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<bnoju5$pn4$>...
    > In article <>,
    > Eric DuMond <> wrote:
    > :Well I have only one NAT statement and that is the NAT (inside) 1
    > :0.0.0.0 0.0.0.0 and that one is tied to my global (outside) 1
    > :199.x.x.x 255.255.255.255 (PAT). So are you saying that I need
    > :additional global statements so that the inside network can see the
    > :other networks? For example global (dmz1) 1 inside and global (dmz2) 1
    > :inside.
    >
    > Yes. For example,
    >
    > global (dmz1) 1 interface
    > global (dmz2) 1 interface
    >
    > If you do not have these 'global' statements, then the only way
    > to reach dmz1 or dmz2 would be to use 'static' statements or
    > 'nat 0' statements.


    That seems to have done the trick; my inside network can now see the
    two DMZs. Thank you again for taking the time out to help me.

    Eric
    Eric DuMond, Oct 29, 2003
    #7