problem at nat in pix
sword1, Member Posts: 9
hi
First, review the syntax:
ip address outside 60.181.111.210 255.255.255.252
ip address inside 192.168.253.1 255.255.255.0
ip address dmz 60.181.111.193 255.255.255.240
nat (dmz) 0 60.181.111.192 255.255.255.240
nat (inside) 2 192.168.250.128 255.255.255.192
global (outside) 2 60.181.111.194
This is the running configuration, which allows the internal hosts to communicate from the inside to the outside interface. But my boss told me to enable access from inside to dmz as well, so I added the following commands:
nat (dmz) 0 60.181.111.192 255.255.255.240
nat (inside) 2 192.168.250.128 255.255.255.192
global (outside) 2 60.181.111.194
global (dmz) 2 60.181.111.195
The DMZ's public IPs stop browsing to the outside. Why?
And I also added the ping trace commands:
access-list icmp_acl permit icmp any any
access-group icmp_acl in interface dmz
Any idea? And if I am wrong, what is the appropriate approach for the command?
Thank you
Comments
Ahriakin, Member Posts: 1,799
Still working on my coffee, but straight off your Global (Outside) IP looks wrong: it's in your DMZ range and not the outside IP.
We responded to the Year 2000 issue with "Y2K" solutions... isn't this the kind of thinking that got us into trouble in the first place?

garv221, Member Posts: 1,914
Hmmmmmmmm. Early for me as well. Played Wii all night. Maybe this will help to get internet access from the DMZ:
nat (dmz) 0 0.0.0.0 0.0.0.0
global (outside) 0 60.181.111.192 255.255.255.240
To get access from "inside" to "dmz" you need an ACL on the DMZ allowing "inside" access to the DMZ. What are the local addresses?
I will take a look back later and think through it again.

crazy_jay, Member Posts: 7
You will have to do something like this:
If your inside subnets are, for example, 192.168.1.0/24 and your internal DMZ subnet is 10.10.10.0/24 then you need to do the following:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-list dmz extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group dmz in interface dmz
This should do it.

sword1, Member Posts: 9
inside ip 192.168.253.0/24
outside 60.181.111.210/30
dmz ip 60.181.111.192/28
Now, to answer in more detail: the existing commands were working great. The defined inside (private IP) and DMZ (public IP) users were accessing the internet successfully.
The enhancement I had to make was that the inside users should access the outside as well as the DMZ. For that I added the blue-lined command (previously discussed) to the existing commands. Actually, the following commands
nat (inside) 2 192.168.250.128 255.255.255.192
global (outside) 2 60.181.111.194
are allowing the inside users out to the outside world (PATting), and I thought that if I add
global (dmz) 2 60.181.111.195
it will allow the inside users to access the DMZ as well, because NAT is used to allow traffic from a high-security interface (inside) to a lower-security interface (dmz).
And an access list is used to allow traffic from a low-security interface to a high-security interface.
I think I have to add a NAT command with a new NAT "ID", that is:
nat (inside) 3 192.168.250.128 255.255.255.192
global (dmz) 3 60.181.111.195
What do you people say about this? Thank you
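A small configuration audit, added here as an example and not code from any poster in this thread or from Cisco, that parses the `ip address`, `nat` and `global` lines quoted above and checks the two things the thread turns on: whether a global address falls inside a different interface's connected subnet (Ahriakin's point that the outside global sits in the DMZ range), and whether every interface that carries nat IDs has a matching global on each lower-security interface it should reach (the question of whether a new `nat (inside) 3` / `global (dmz) 3` pair is needed). The security levels are an assumption, since the thread never states them, and the sample configuration is constructed from the lines posted above.

```python
import ipaddress
import re

# Constructed sample: the poster's lines from this thread, including the
# later-added "global (dmz) 2" statement.
SAMPLE_CONFIG = """\
ip address outside 60.181.111.210 255.255.255.252
ip address inside 192.168.253.1 255.255.255.0
ip address dmz 60.181.111.193 255.255.255.240
nat (dmz) 0 60.181.111.192 255.255.255.240
nat (inside) 2 192.168.250.128 255.255.255.192
global (outside) 2 60.181.111.194
global (dmz) 2 60.181.111.195
"""

# Assumed security levels; the thread never states them (PIX defaults are
# outside 0 and inside 100, dmz 50 is a common choice).
SECURITY_LEVELS = {"outside": 0, "dmz": 50, "inside": 100}

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)(?: netmask (\S+))?")


def parse_pix(text):
    """Collect interface subnets, nat rules and global pools from config text."""
    cfg = {"interfaces": {}, "nat": [], "global": []}
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["ip", "address"]:
            # "ip address <name> <ip> <mask>": ipaddress accepts dotted masks
            cfg["interfaces"][parts[2]] = ipaddress.ip_interface(f"{parts[3]}/{parts[4]}")
            continue
        m = NAT_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
            cfg["nat"].append({"if": m[1], "id": int(m[2]), "net": net})
            continue
        m = GLOBAL_RE.match(line)
        if m:
            # a pool is either a single address or "first-last"
            first, _, last = m[3].partition("-")
            cfg["global"].append({
                "if": m[1], "id": int(m[2]),
                "first": ipaddress.ip_address(first),
                "last": ipaddress.ip_address(last or first),
            })
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    ifaces = cfg["interfaces"]

    # Check 1: a global address that sits in a *different* interface's
    # connected subnet, so the same address is claimed on two interfaces.
    for g in cfg["global"]:
        for name, iface in ifaces.items():
            if name != g["if"] and (g["first"] in iface.network or g["last"] in iface.network):
                findings.append(
                    f"global ({g['if']}) {g['id']} {g['first']} lies in {name}'s subnet {iface.network}"
                )

    # Check 2: every interface that translates (nat id > 0) needs a global
    # carrying one of its IDs on each lower-security interface it should reach.
    pools = {(g["if"], g["id"]) for g in cfg["global"]}
    nat_ids = {}
    for n in cfg["nat"]:
        if n["id"] != 0:  # nat 0 is identity (no translation) and needs no pool
            nat_ids.setdefault(n["if"], set()).add(n["id"])
    for src, ids in nat_ids.items():
        for dst, level in SECURITY_LEVELS.items():
            if dst in ifaces and level < SECURITY_LEVELS.get(src, 0) \
                    and not any((dst, i) in pools for i in ids):
                findings.append(
                    f"{src} has nat IDs {sorted(ids)} but no matching global on {dst}"
                )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_pix(SAMPLE_CONFIG)):
        print(finding)
```

Run against the lines posted in this thread it reports only the outside global lying in the DMZ's /28; with the `global (dmz) 2` line removed it additionally reports that inside has no global on dmz, which is the gap the poster was trying to close. Adding `nat (inside) 3` with `global (dmz) 3` instead satisfies the second check as well, because the check looks for any of the interface's nat IDs on the lower-security side rather than one specific ID.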
crazy_jay, Member Posts: 7
Check out this link. It shows the standard configuration for a server to be accessed internally (inside interface) as well as from the outside.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml