Cisco PIX DMZ to DMZ Access

Discussion in 'Cisco' started by Network-Guy, Sep 23, 2005.

  1. Network-Guy

    Network-Guy Guest

    I'm trying to setup my PIX to allow access from a lower security level
    DMZ to a higher security level DMZ.

    I have created the ACL's, but so far have not had any luck.

    Do I need a route statement or a static mapping between the DMZ's in
    order to get this to work?
     
    Network-Guy, Sep 23, 2005
    #1

  2. :I'm trying to setup my PIX to allow access from a lower security level
    :DMZ to a higher security level DMZ.

    :I have created the ACL's, but so far have not had any luck.

    :Do I need a route statement or a static mapping between the DMZ's in
    :order to get this to work?

    The usual rules for "lower security to higher security" apply:
    acl on the lower security interface plus a static mapping between
    the two interfaces. The static mapping can be a "static" statement
    or it can be a nat (HIGHERSECURITYDMZ) 0 access-list ACLNAME
    (in which case proxy arp will be disabled.)
     
    Walter Roberson, Sep 23, 2005
    #2
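    The two variants Walter describes, written out as a PIX 6.x configuration fragment. This is an added example and is not part of the thread; interface names (dmz_high, dmz_low), security levels, the 10.1.1.0/24 and 10.1.2.0/24 subnets and the host addresses are all assumptions chosen for illustration.

```cisco
! Assumed interface layout (example only, not from the thread):
! dmz_high is the higher-security DMZ, dmz_low the lower-security one.
nameif ethernet1 dmz_high security60
nameif ethernet2 dmz_low security40
ip address dmz_high 10.1.1.1 255.255.255.0
ip address dmz_low 10.1.2.1 255.255.255.0

! --- Variant 1: identity "static" between the two DMZs ---
! Makes dmz_high hosts reachable from dmz_low under their real addresses.
! The PIX will proxy-ARP for 10.1.1.0/24 on dmz_low.
static (dmz_high,dmz_low) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! --- Variant 2 (instead of the static): NAT exemption via nat 0 ---
! Same reachability, but the PIX does NOT proxy-ARP for these addresses.
access-list nonat_dmz_high permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (dmz_high) 0 access-list nonat_dmz_high

! --- The access list, applied inbound on the LOWER security interface ---
! Permit only the specific flow that is needed; everything else from
! dmz_low towards dmz_high stays denied (here: one web host to one
! database host on TCP/1433).
access-list dmz_low_in permit tcp host 10.1.2.10 host 10.1.1.20 eq 1433
access-list dmz_low_in deny ip any any log
access-group dmz_low_in in interface dmz_low

! Existing translations are not rebuilt until they expire or are cleared.
clear xlate
```

    Use one of the two variants, not both, for the same address range. A quick check that the translation exists before blaming the ACL is `show xlate` (for the static) and `show nat` (for the nat 0 line); if the lower-security hosts cannot even resolve the higher-security addresses, the proxy ARP difference between the two variants is the first thing to compare.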

  3. How come NAT exemption disables proxy ARP?
     
    Martin Bilgrav, Sep 23, 2005
    #3
  4. Walter Roberson, Sep 23, 2005
    #4
  5. Martin Bilgrav, Sep 23, 2005
    #5
  6. Darren Green

    Darren Green Guest

    Out of interest, I saw a config recently where the PIX Inside + DMZ
    statements read something like:

    static (inside, DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

    Objective being that clients on the internal LAN received the same IP
    address when accessing the DMZ. The inbound access-group statement was on
    the DMZ interface but the LAN clients couldn't reach their DMZ server (can't
    remember the IP address). I wondered if this had anything to do with the
    Proxy Arp comment that you made Walter.

    Everything else looked ok.

    Darren
     
    Darren Green, Sep 24, 2005
    #6
  7. :The above means do not use NAT, when going inside-to-DMZ

    Nope, as this is for nat commands in conjunction with 0 and ACL
     
    Martin Bilgrav, Sep 25, 2005
    #7
  8. Cisco phrases it as if NAT were still active in this case, but
    with each IP and port being mapped to itself. And for the nat 0 access-list
    case they phrase it as NAT being disabled. Cisco's phrasing
    could, I think, use some improvements in this matter.
     
    Walter Roberson, Sep 25, 2005
    #8