PIX DMZ Config help

on 05.11.2007 19:07:39 by Bob

Hi,

Here is what I am trying to do.

I have a PIX with 3 interfaces, inside, outside & DMZ.

I have a server connected to the DMZ interface, the server can ping
the DMZ interface Ok.

I have a server on the inside interface that I would like to access
the DMZ server.

The inside server is on 192.168.1.x, the DMZ interface and DMZ server
are on 192.168.2.x.

I have added a 192.168.2.x IP to the inside server and added this
route to my PIX:

static (inside,DMZ0 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0.

Is this right or am I missing something as the inside server cannot
ping the DMZ server.

Regards
Paul.

Re: PIX DMZ Config help

on 05.11.2007 21:10:53 by mcaissie

you need

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

This way your inside subnet is translated for itself on the DMZ. In other
words, it makes the inside subnet visible to your DMZ.

The way you put it doesn't accomplish anything. What you are saying to the
PIX is translate the inside address of 192.168.2.0 for itself on the DMZ.
But you don't have any device on the inside at 192.168.2.0.



"Bob" wrote in message
news:1194286059.446075.134160@y27g2000pre.googlegroups.com...
> Hi,
>
> Here is what I am trying to do.
>
> I have a PIX with 3 interfaces, inside, outside & DMZ.
>
> I have a server connected to the DMZ interface, the server can ping
> the DMZ interface Ok.
>
> I have a server on the inside interface that I would like to access
> the DMZ server.
>
> The inside server is on 192.168.1.x, the DMZ interface and DMZ server
> are on 192.168.2.x.
>
> I have added a 192.168.2.x IP to the inside server and added this
> route to my PIX:
>
> static (inside,DMZ0 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0.
>
> Is this right or am I missing something as the inside server cannot
> ping the DMZ server.
>
> Regards
> Paul.
>

Re: PIX DMZ Config help

on 06.11.2007 09:31:16 by Mak

mcaissie wrote:
> you need
>
> static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
>
> This way your inside subnet is translated for itself on the DMZ. In other
> words, it makes the inside subnet visible to your DMZ.


right, but you might also need a nonat access-list between the two lans:
nat (inside) 0 access-list no-nat

and a rule like:

access-list no-nat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


good explanation for all types of pix nats here:

http://tazforum.thetazzone.com/viewtopic.php?t=3616

M
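
The suggestions from the two replies above, collected into one PIX 6.x style configuration sketch with the checks to run afterwards. This is an added example, not part of any poster's message: the interface name DMZ and the ACL name no-nat come from the thread, the ACL name dmz-in is hypothetical, and lines starting with `!` are annotations for the reader rather than commands to enter.

```cisco
! Assumption: the extra 192.168.2.x address has been removed from the
! inside server, so it sends traffic for 192.168.2.0/24 to the PIX
! instead of treating that subnet as directly attached.
!
! Option A (mcaissie): identity static, the inside subnet appears as
! itself on the DMZ.
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
!
! Option B (Mak): NAT exemption between the two LANs.
access-list no-nat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list no-nat
!
! For the ping test only: PIX 6.x does not track ICMP statefully by
! default, so the echo-reply coming back from the lower-security DMZ
! interface is dropped unless an ACL permits it. Permit echo-reply
! only, not all ICMP and not all IP.
access-list dmz-in permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 echo-reply
access-group dmz-in in interface DMZ
!
! Once an ACL is bound to the DMZ interface, its implicit deny applies
! to everything else the DMZ server originates; add explicit permit
! lines for any other flows that server needs.
!
! After changing static or nat statements, flush stale translations,
! then confirm the rules and watch the hit counters while pinging.
clear xlate
show static
show xlate
show access-list dmz-in
```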

Re: PIX DMZ Config help

on 08.11.2007 08:29:29 by poal

You can try adding
static (inside,DMZ0 192.168.2.0 192.168.1.0 netmask 255.255.255.0 0 0)

Let's see whether that solves the problem or not.




On Nov 5, 11:07 pm, Bob wrote:
> Hi,
>
> Here is what I am trying to do.
>
> I have a PIX with 3 interfaces, inside, outside & DMZ.
>
> I have a server connected to the DMZ interface, the server can ping
> the DMZ interface Ok.
>
> I have a server on the inside interface that I would like to access
> the DMZ server.
> static (inside,DMZ0 192.168.2.0 192.168.1.0 netmask 255.255.255.0 0 0.


> The inside server is on 192.168.1.x, the DMZ interface and DMZ server
> are on 192.168.2.x.
>
> I have added a 192.168.2.x IP to the inside server and added this
> route to my PIX:
>
> static (inside,DMZ0 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0.
>
> Is this right or am I missing something as the inside server cannot
> ping the DMZ server.
>
> Regards
> Paul.