permit source traffic from DMZ to inside

Discussion in 'Cisco' started by frishack, Feb 28, 2005.

  1. frishack

    frishack Guest

    Is it possible to have a nonat entry in a 515 PIX for the DMZ interface
    such that it allows connections from the DMZ to go un-natted into the
    inside interface?

    nat (DMZ) 0 access-list nonat-dmz-is-source

    access-list nonat-dmz-is-source permit ip 192.168.65.0 255.255.255.0 192.168.1.0 255.255.255.0

    Trying to allow DMZ subnet 192.168.65.0 to source traffic to the inside
    subnet 192.168.1.0

    Or would this be only for IPs in the DMZ to go un-natted to the
    outside?

    -t-
     
    frishack, Feb 28, 2005
    #1

  2. david

    david Guest

    You can. All you need to define is a static entry for the subnet in the
    DMZ or for a host.

    ex:
    static (inside,DMZ) 10.96.0.0 10.96.0.0 netmask 255.255.0.0 0 0
     
    david, Feb 28, 2005
    #2

  3. frishack

    frishack Guest

    Thanks, I'll try this, though it seems to me that I had tried this, and
    it didn't work.

    -t-
     
    frishack, Feb 28, 2005
    #3
  4. Walter Roberson

    :Is it possible to have a nonat entry in a 515 PIX for the DMZ interface
    :such that it allows connections from the DMZ to go un-natted into the
    :inside interface?

    Unless you use reverse/bidirectional nat, connections from lower security
    interfaces to higher security interfaces do not have their source IPs
    natted.

    :nat (DMZ) 0 access-list nonat-dmz-is-source

    :access-list nonat-dmz-is-source permit ip 192.168.65.0 255.255.255.0 192.168.1.0 255.255.255.0

    :Trying to allow DMZ subnet 192.168.65.0 to source traffic to the inside
    :subnet 192.168.1.0

    nat (inside) 0 access-list nonat-dmz

    access-list nonat-dmz permit ip 192.168.1.0 255.255.255.0 192.168.65.0 255.255.255.0

    The ACL is read bidirectionally
     
    Walter Roberson, Mar 1, 2005
    #4
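    The two answers above (david's identity static and Walter's nat 0 exemption on the inside interface) are shown together below as an added example in PIX 6.x syntax; it is not configuration from the thread. Interface names, security levels, the inside host addresses and the ports are assumptions for illustration, and lines beginning with ! are annotations. The point the thread does not spell out is that neither NAT statement permits anything on its own: on a PIX, a connection from a lower-security interface (DMZ) to a higher-security one (inside) also needs an inbound ACL on the DMZ interface, and that ACL is where the DMZ-to-inside exposure should be kept to the specific hosts and services required.

```cisco
! Added example, not from the thread. PIX 6.x syntax.
! Assumed interface layout: inside is security100, DMZ is security50.
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50

! Option B (Walter Roberson): NAT exemption configured on the inside
! (higher-security) interface. The PIX matches a nat 0 ACL in both
! directions, so this also covers DMZ -> inside connections untranslated.
access-list nonat-dmz permit ip 192.168.1.0 255.255.255.0 192.168.65.0 255.255.255.0
nat (inside) 0 access-list nonat-dmz

! Option A (david): identity static instead of nat 0. Real and mapped
! addresses are the same, so inside hosts are reachable from DMZ as-is.
! Use one option or the other, not both, for the same subnet pair.
! static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

! Required in addition to either option: an inbound ACL on DMZ.
! Without an access-group on DMZ, lower -> higher traffic is dropped
! regardless of the NAT configuration. Assumed hosts/ports for illustration:
! one database server and one internal DNS server.
access-list dmz_in permit tcp 192.168.65.0 255.255.255.0 host 192.168.1.10 eq 1433
access-list dmz_in permit udp 192.168.65.0 255.255.255.0 host 192.168.1.5 eq 53
! Explicit deny for everything else from DMZ into the inside subnet.
access-list dmz_in deny ip 192.168.65.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group dmz_in in interface DMZ
```

    After applying this, a test connection from a DMZ host to 192.168.1.10 should appear in show xlate with the inside address untranslated, and show access-list dmz_in shows hit counts on the specific permit lines rather than on a broad permit. Keeping the dmz_in entries host- and port-specific is the part that matters for security: a compromised DMZ host then reaches only the internal services it was built to use.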
