static route question

Discussion in 'Cisco' started by John Doe, Sep 7, 2004.

  1. John Doe

    John Doe Guest

    Hi,
    What's the correct way to do this?

    OUTSIDE: Security 0
    DMZ: Security 10
    INSIDE: Security 100

    I have a machine on INSIDE that I want to be able to talk to and from
    the DMZ freely (it's a domain controller). Normally I would do a
    static map, but my understanding is you are not supposed to do static
    maps going from higher (inside) to lower (dmz) interfaces... so what's
    the correct way to do this, as I really don't want to PAT/NAT it.

    I also already have (inside) being natted to go (outside):

    global (outside) 1 63.174.xxx.xx netmask 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0

    With this configuration I can get from the DMZ to the INSIDE, but not
    the other way around. What do I need to do to get the static map to
    work that way?
     
    John Doe, Sep 7, 2004
    #1

  2. In article <>,
    John Doe <> wrote:
    :What's the correct way to do this?

    :OUTSIDE: Security 0
    :DMZ: Security 10
    :INSIDE: Security 100

    :I have a machine on INSIDE that I want to be able to talk to and from
    :the DMZ freely (it's a domain controller).

    The "correct way" to do that is to have the domain controller in the
    DMZ. Otherwise your implication is that you trust a Microsoft
    Domain Controller as much as you trust all of your internal machines.
    That's not an arrangement that I would consider... wise.


    :Normally I would do a
    :static map, but my understanding is you are not supposed to do static
    :maps going from higher (inside) to lower (dmz) interfaces..

    You can if you want, but it's an esoteric feature that you probably
    didn't mean to be asking about.

    You have a situation suitable for a normal static: you have machines
    on a lower security level wanting to access machines on a higher security
    level, just as is the case for most every installation.


    :I also already have (inside) being natted to go (outside):

    :global (outside) 1 63.174.xxx.xx netmask 255.255.255.0
    :nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    :nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
    :static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0

    :With this configuration I can get from the DMZ to the INSIDE, but not
    :the other way around. What do I need to do to get the static map to
    :work that way?


    It isn't clear from what you have said as to whether 172.16.1/24
    is the DMZ IP address range or the inside IP address range.
    If you use the inside IP address range in that static (inside, dmz)
    statement, then hosts on the dmz would be able to refer to internal
    hosts [all of them!] by their internal IPs, and would be granted access
    to those hosts based upon the access-group applied to the dmz interface.

    There is another form that you can use for your purposes instead of static:

    access-list inside2dmz permit ip INSIDENET INSIDEMASK DMZNET DMZMASK
    nat (inside) 0 access-list inside2dmz

    Notice that this access-list should be written from the perspective
    of the higher security interface.

    You can refine this access list if appropriate:

    access-list inside2dmz permit ip host PDCIP DMZNET DMZMASK
    nat (inside) 0 access-list inside2dmz

    would only turn off address translation between the PDC and the DMZ,
    while continuing to use whatever other address translation had been
    established for the rest of the inside hosts. In the case of the
    configuration excerpt you show, that would mean no communication
    between those other hosts and the DMZ -- not unless you add additional
    statics, or add more to the inside2dmz access-list, or you add a
    global (dmz) statement.
    --
    Ceci, ce n'est pas une idée.
     
    Walter Roberson, Sep 7, 2004
    #2
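The two pitfalls the reply points out, an identity static that exposes a whole inside range to the DMZ and a nat 0 access-list written from the wrong interface's perspective, can be checked mechanically in a configuration audit. The following is an added example, not code from either poster; it assumes 172.16.1.0/24 is the inside range and uses a made-up 192.168.10.0/24 for the DMZ, with a constructed PIX 6.x configuration modelled on the excerpt above.

```python
import ipaddress
import re
# Constructed PIX 6.x config modelled on the thread's excerpt; assumed: 172.16.1.0/24 = inside, 192.168.10.0/24 = DMZ.
SAMPLE_CONFIG = """
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
access-list inside2dmz permit ip host 172.16.1.10 192.168.10.0 255.255.255.0
access-list backwards permit ip 192.168.10.0 255.255.255.0 host 172.16.1.10
nat (inside) 0 access-list inside2dmz
nat (inside) 0 access-list backwards
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask MASK
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit \S+ (host \S+|\S+ \S+) (host \S+|\S+ \S+)")
NAT0_RE = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)")

def parse_addr(spec):
    """Turn PIX ACL address syntax ('host A' or 'A MASK') into an ip_network."""
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1])
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)

def audit(config, higher_nets):
    """higher_nets maps a high-security interface name to its real address range.
    Returns human-readable findings for the two pitfalls discussed in the thread."""
    findings, acls = [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
            # An identity static over a whole range lets the lower interface address every host in it.
            if mapped == real and net.num_addresses > 1:
                findings.append(f"identity static exposes all of {net} on {real_if} to {mapped_if}")
        elif m := ACL_RE.match(line):
            name, src, dst = m.groups()
            acls.setdefault(name, []).append((parse_addr(src), parse_addr(dst)))
        elif m := NAT0_RE.match(line):
            iface, name = m.groups()
            # nat 0 ACLs are matched from the higher-security side, so sources must live on that interface.
            for src, _dst in acls.get(name, []):
                if not src.subnet_of(higher_nets[iface]):
                    findings.append(f"nat ({iface}) 0 access-list {name}: source {src} is not on {iface}, wrong perspective")
    return findings

def audit_sample():
    return audit(SAMPLE_CONFIG, {"inside": ipaddress.ip_network("172.16.1.0/24")})
```

Running `audit_sample()` flags the /24 identity static and the `backwards` ACL, while the `inside2dmz` entry written from the inside perspective passes.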
