problem at nat in pix
sword1
hi
First, review the syntax:
ip address outside 60.181.111.210 255.255.255.252
ip address inside 192.168.253.1 255.255.255.0
ip address dmz 60.181.111.193 255.255.255.240
nat (dmz) 0 60.181.111.192 255.255.255.240
nat (inside) 2 192.168.250.128 255.255.255.192
global (outside) 2 60.181.111.194
This is the running configuration, which allows the internal hosts to communicate from the inside to the outside interface. But my boss told me to enable access from inside to the DMZ as well, so I added the following commands:
nat (dmz) 0 60.181.111.192 255.255.255.240
nat (inside) 2 192.168.250.128 255.255.255.192
global (outside) 2 60.181.111.194
global (dmz) 2 60.181.111.195
The DMZ's public IPs stopped browsing to the outside. Why?
And I also added the ping trace commands:
access-list icmp_acl permit icmp any any
access-group icmp_acl in interface dmz
Any idea? And if I am wrong, what is the appropriate approach with the commands?
Comments
Ahriakin
Still working on my coffee, but straight off, your global (outside) IP looks wrong: it's in your DMZ range and not the outside IP.
garv221
Hmmmmmmmm. Early for me as well. Played Wii all night. Maybe this will help to get internet access from the DMZ:
nat (dmz) 0 0.0.0.0 0.0.0.0
global (outside) 0 60.181.111.192 255.255.255.240
To get access from "inside" to "dmz" you need an ACL on the DMZ allowing "inside" access to the DMZ. What are the local addresses?
I will take a look back later and think through it again.
crazy_jay
You will have to do something like this:
If your inside subnets are, for example, 192.168.1.0/24 and your internal DMZ subnet is 10.10.10.0/24, then you need to do the following:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-list dmz extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group dmz in interface dmz
This should do it.
sword1
inside IP 192.168.253.0/24
outside IP 60.181.111.210/30
DMZ IP 60.181.111.192/28
Now, answering in more detail: the existing commands were working great. The defined inside (private IP) and DMZ (public IP) users were accessing the internet successfully.
The enhancement I have to make is that the inside users should access the outside as well as the DMZ. For that I added the blue-lined command (previously talked about) to the existing commands; actually, the following commands
nat (inside) 2 192.168.250.128 255.255.255.192
global (outside) 2 60.181.111.194
are allowing the inside users to reach the outside world (PATing), and I thought that if I added
global (dmz) 2 60.181.111.195
it would allow the inside users to access the DMZ as well, because NAT is used to allow traffic from a higher-security interface (inside) to a lower-security interface (DMZ),
and an access list is used to allow traffic from a lower-security interface to a higher-security interface.
I think I have to add a NAT command with a new NAT "ID", that is:
nat (inside) 3 192.168.250.128 255.255.255.192
global (dmz) 3 60.181.111.195
What do you people say about this?
crazy_jay
Check out this link. It shows the standard configuration for a server to be accessed internally (from the inside interface) as well as from the outside.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml
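The thread turns on how a PIX pairs a `nat (if) ID` statement with a `global (if) ID` statement per egress interface, and what happens when a packet from a higher-security interface has no matching pair. The following Python model is an added illustration written for this thread, not Cisco code and not the poster's configuration: it assumes the usual security levels (inside 100, DMZ 50, outside 0), models only single-address PAT globals and identity statics, and uses a simplified match order (static first, then `nat` lines in configuration order). It replays the configurations posted above with constructed sample hosts, including crazy_jay's `static (inside,dmz)` alternative applied to the thread's own inside range.

```python
"""Toy model of PIX 6.x nat/global/static matching for a new connection
crossing from a higher- to a lower-security interface.  Added illustration
for the thread; not Cisco code.  Simplifications: statics are checked first,
then nat lines in config order; globals are single PAT addresses; lower-to-
higher traffic is only flagged as needing an access-list plus a static."""
import ipaddress

# Assumed security levels for the thread's three interfaces.
SECURITY = {"inside": 100, "dmz": 50, "outside": 0}


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


class PixNat:
    def __init__(self, lines=()):
        self.nat = []        # (src_if, nat_id, real network) in config order
        self.globals = {}    # (egress_if, nat_id) -> mapped PAT address
        self.statics = []    # (real_if, mapped_if, mapped_net, real_net)
        for line in lines:
            self.add(line)

    def add(self, line):
        """Parse one 'nat', 'global' or 'static' line in PIX 6.x syntax."""
        tok = line.split()
        ifs = tok[1].strip("()").split(",")
        if tok[0] == "nat":
            self.nat.append((ifs[0], int(tok[2]), _net(tok[3], tok[4])))
        elif tok[0] == "global":
            self.globals[(ifs[0], int(tok[2]))] = tok[3]   # single address only
        elif tok[0] == "static":
            # static (real_if,mapped_if) mapped_ip real_ip [netmask m]
            mask = tok[5] if len(tok) > 5 and tok[4] == "netmask" else "255.255.255.255"
            self.statics.append((ifs[0], ifs[1], _net(tok[2], mask), _net(tok[3], mask)))
        else:
            raise ValueError(f"unsupported line: {line}")

    def translate(self, src_if, dst_if, src_ip):
        """Return (action, mapped_source) for a new connection src_if -> dst_if."""
        ip = ipaddress.ip_address(src_ip)
        if SECURITY[src_if] <= SECURITY[dst_if]:
            # Lower-to-higher needs an access-list on src_if plus a static for
            # the destination; that path is outside this model.
            return ("acl-required", None)
        for real_if, mapped_if, mapped_net, real_net in self.statics:
            if real_if == src_if and mapped_if == dst_if and ip in real_net:
                offset = int(ip) - int(real_net.network_address)
                return ("static", str(mapped_net.network_address + offset))
        for nat_if, nat_id, real_net in self.nat:
            if nat_if != src_if or ip not in real_net:
                continue
            if nat_id == 0:
                return ("identity", src_ip)          # nat 0: no translation
            mapped = self.globals.get((dst_if, nat_id))
            if mapped is None:
                break   # nat matched, but no global with that ID on dst_if
            return ("pat", mapped)
        return ("drop", None)   # the PIX logs "No translation group found"


# The configuration as first posted in the thread (lines taken from it).
THREAD_CONFIG = [
    "nat (dmz) 0 60.181.111.192 255.255.255.240",
    "nat (inside) 2 192.168.250.128 255.255.255.192",
    "global (outside) 2 60.181.111.194",
]


def walk_through_thread():
    """Replay the thread's configurations with constructed sample hosts."""
    out = {}
    pix = PixNat(THREAD_CONFIG)
    out["before inside->outside"] = pix.translate("inside", "outside", "192.168.250.130")
    out["before inside->dmz"] = pix.translate("inside", "dmz", "192.168.250.130")
    out["before dmz->outside"] = pix.translate("dmz", "outside", "60.181.111.200")
    # An inside source outside every nat (inside) network gets no translation.
    out["before 253.x->outside"] = pix.translate("inside", "outside", "192.168.253.10")

    pix.add("global (dmz) 2 60.181.111.195")       # sword1's added line
    out["after inside->dmz"] = pix.translate("inside", "dmz", "192.168.250.130")
    out["after dmz->outside"] = pix.translate("dmz", "outside", "60.181.111.200")

    # crazy_jay's approach, applied to the thread's inside range (constructed).
    alt = PixNat(THREAD_CONFIG + [
        "static (inside,dmz) 192.168.250.128 192.168.250.128 netmask 255.255.255.192"])
    out["static inside->dmz"] = alt.translate("inside", "dmz", "192.168.250.130")
    return out


if __name__ == "__main__":
    for name, result in walk_through_thread().items():
        print(f"{name:26} {result}")
```

In the model, adding `global (dmz) 2` is what turns inside-to-DMZ traffic from "drop" into PAT to 60.181.111.195, while the DMZ hosts' own `nat (dmz) 0` identity rule toward the outside is untouched; the thread never settles why the DMZ hosts lost outside access, and this model does not claim to.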