
Access inside network from DMZ

fid500 Member Posts: 71 ■■□□□□□□□□
I have been trying for a while now to access my inside LAN from the DMZ and have been having some issues. My setup is as follows:

(The diagram may look distorted. The 2950 switch is connected to the DMZ interface on the PIX.)

Lan_Inside
>firewall (515)
>DSL
|
|
|
2950 switch
|
|
|
1760 Router
|
|
|
3550 Switch
|
|
Remote_LAN


Inside Lan : 192.168.192.0 /24
Pix DMZ int 20.1.1.1 / 24
Router F0 int 20.1.1.2 /24
Remote Lan : 173.16.1.0 /24


I tried with both NAT exempt and static NAT, but that did not work. The only way I can get access to the inside LAN from the remote LAN is if I add an access list on the inside interface in the out direction permitting traffic from the remote LAN to inside, as shown below.


access-list inside_access_out extended permit ip RemoteLan 255.255.255.0 INSIDE-network 255.255.255.0

My PIX config is as follows:

Result of the command: "show run"

interface Ethernet1
description Inside Network
nameif inside
security-level 100
ip address 192.168.192.1 255.255.255.0
ospf cost 10
!
interface Ethernet2
duplex full
nameif DMZ
security-level 50
ip address 20.1.1.1 255.255.255.0
!

object-group network INSIDE-LAN
network-object INSIDE-network 255.255.255.0

object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list inside_nat0_outbound extended permit ip INSIDE-network 255.255.255.0 RemoteLan 255.255.255.0
access-list inside_access_in extended permit ip INSIDE-network 255.255.255.0 any
access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_2 RemoteLan 255.255.255.0 any
access-list inside_access_out extended permit ip RemoteLan 255.255.255.0 INSIDE-network 255.255.255.0


nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 RemoteLan 255.255.255.0
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group DMZ_access_in in interface DMZ
route DMZ RemoteLan 255.255.255.0 20.1.1.1 1

Can someone please tell me what I am doing wrong?

Comments

    Ahriakin Member Posts: 1,799 ■■■■■■■■□□
    It doesn't look like your diagram matches the described flow; I'll go with the description.

    What are your logs telling you?

    Depending on your software version see if you can run 'show asp drop frame' and 'show asp drop flow'. If you can then run 'clear asp drop flow/frame', try your connection and then run the show commands again. This should give you some pointers on which ASP process is killing it.

    I'd change your route to the Remotelan from the PIX int to the next hop as it's relying on proxy arp this way. It shouldn't be the cause of your issue but it's worth ruling out.

    Remove the outbound list and run a packet-tracer to check just where it's failing (since from what you've described it should work minus the outbound list).
    Something like:
    packet-tracer input DMZ tcp (IP of DMZ host) 12345 (IP of INSIDE host) 80

    It should tell you just where it's falling down. Post the results here if you're not sure (and of course scrub if this is production).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
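    As an added check (this script is not part of the thread and is not Ahriakin's or the original poster's code), here is a small Python tool that reads a PIX/ASA `show run` and flags static routes whose next hop is one of the firewall's own interface addresses, which is the proxy-ARP reliance described above. The embedded config is a trimmed copy of the one posted in this thread; the corrected route uses 20.1.1.2, the 1760's F0 address given in the first post, as the next hop.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the PIX config posted in this thread.
SAMPLE_CONFIG = """\
interface Ethernet1
 description Inside Network
 nameif inside
 security-level 100
 ip address 192.168.192.1 255.255.255.0
!
interface Ethernet2
 duplex full
 nameif DMZ
 security-level 50
 ip address 20.1.1.1 255.255.255.0
!
route DMZ RemoteLan 255.255.255.0 20.1.1.1 1
"""

# Same config with the route pointed at the 1760 (20.1.1.2, from the first post)
# instead of at the PIX's own DMZ address.
FIXED_CONFIG = SAMPLE_CONFIG.replace("20.1.1.1 1", "20.1.1.2 1")

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?")


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} from the 'interface' blocks of a running-config."""
    interfaces = {}
    nameif = None
    ip_if = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif, ip_if = None, None  # new block, forget the previous one
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()[:4]
            ip_if = ipaddress.IPv4Interface(f"{addr}/{mask}")
        if nameif and ip_if:
            interfaces[nameif] = ip_if
    return interfaces


def parse_routes(config):
    """Return the static 'route <if> <dest> <mask> <gateway> [metric]' lines as dicts."""
    routes = []
    for raw in config.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if m:
            iface, dest, mask, gateway, metric = m.groups()
            routes.append({"interface": iface, "dest": dest, "mask": mask,
                           "gateway": gateway, "metric": int(metric or 1)})
    return routes


def find_self_next_hop_routes(config):
    """Flag routes whose gateway is one of the firewall's own interface addresses.

    Such a route makes the firewall ARP directly for every destination host on that
    segment, so it only works if the downstream router proxy-ARPs for them.
    """
    local_ips = {str(i.ip): name for name, i in parse_interfaces(config).items()}
    findings = []
    for r in parse_routes(config):
        owner = local_ips.get(r["gateway"])
        if owner is not None:
            findings.append({
                "route": f"route {r['interface']} {r['dest']} {r['mask']} {r['gateway']} {r['metric']}",
                "local_interface": owner,
                "advice": f"point the next hop at the router on the {r['interface']} segment",
            })
    return findings


if __name__ == "__main__":
    for f in find_self_next_hop_routes(SAMPLE_CONFIG):
        print(f"{f['route']}  <- gateway is the firewall's own {f['local_interface']} address; {f['advice']}")
    print("corrected config findings:", find_self_next_hop_routes(FIXED_CONFIG))
```

    Running it against the posted config reports the single `route DMZ ...` line; against the corrected config it reports nothing. It is a configuration check only and says nothing about whether the route is otherwise reachable, which is what `packet-tracer` and the ASP drop counters are for.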
    fid500 Member Posts: 71 ■■□□□□□□□□
    Ahriakin

    Thanks for your reply. I will test your suggestions once I get home. And no, this is not a production environment. It's my home lab.
    ilcram19-2 Banned Posts: 436
    fid500 wrote: »
    Ahriakin

    Thanks for your reply. I will test your suggestions once I get home. And no, this is not a production environment. It's my home lab.

    Let me ask you this: are you NATting in the 1760? Can the PIX get to the NATted IP, or the IP that you are using to NAT the remote network on the inside network? If so, add a route to the RemoteLan over the 1760 IP address.