Access inside network from DMZ

fid500 Member Posts: 71
I have been trying for a while now to access my inside LAN from the DMZ and have been having some issues. My setup is as follows:

(The diagram may look distorted. The 2950 switch is connected to the DMZ interface on the PIX.)

firewall (515)
2950 switch
1760 Router
3550 Switch

Inside Lan : /24
Pix DMZ int / 24
Router F0 int /24
Remote Lan : /24

I tried with both NAT exempt and static NAT, but that did not work. The only way I can get access to the inside LAN from the remote LAN is if I add an access list on the inside interface in the out direction permitting traffic from the remote LAN to inside, as shown below.

access-list inside_access_out extended permit ip RemoteLan INSIDE-network

My PIX config is as follows:

Result of the command: "show run"

interface Ethernet1
description Inside Network
nameif inside
security-level 100
ip address
ospf cost 10
interface Ethernet2
duplex full
nameif DMZ
security-level 50
ip address

object-group network INSIDE-LAN
network-object INSIDE-network

object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list inside_nat0_outbound extended permit ip INSIDE-network RemoteLan
access-list inside_access_in extended permit ip INSIDE-network any
access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_2 RemoteLan any
access-list inside_access_out extended permit ip RemoteLan INSIDE-network

global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101
nat (DMZ) 101 RemoteLan
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group DMZ_access_in in interface DMZ
route DMZ RemoteLan 1

Can someone please tell me what I am doing wrong?


  • Ahriakin SupremeNetworkOverlord Member Posts: 1,799
    It doesn't look like your diagram matches the described flow, I'll go with the description.

    What are your logs telling you?

    Depending on your software version see if you can run 'show asp drop frame' and 'show asp drop flow'. If you can then run 'clear asp drop flow/frame', try your connection and then run the show commands again. This should give you some pointers on which ASP process is killing it.

    I'd change your route to the Remotelan from the PIX int to the next hop as it's relying on proxy arp this way. It shouldn't be the cause of your issue but it's worth ruling out.

    Remove the outbound list and run a packet-tracer to check just where it's failing (since from what you've described it should work minus the outbound list).
    something like:
    packet-tracer input DMZ tcp (IP of DMZ host) 12345 (IP of INSIDE host) 80

    It should tell you just where it's falling down. Post the results here if you're not sure (and of course scrub if this is production).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
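    A small model of the two checks the PIX applies to the flow discussed above (the inbound ACL on the DMZ interface, or the security-level rule where no ACL is applied, then the outbound ACL on inside), added here as an example and not part of the thread or of any Cisco tool. The object, ACL and interface names are the ones posted; the subnets are constructed placeholders because the post scrubbed them, and NAT and routing (where packet-tracer would look next) are deliberately out of scope.

```python
import ipaddress

# Constructed placeholder prefixes; the thread scrubbed the real /24s.
NETS = {"INSIDE-network": ipaddress.ip_network("192.0.2.0/24"),
        "RemoteLan": ipaddress.ip_network("198.51.100.0/24")}
SEC_LEVEL = {"inside": 100, "DMZ": 50}  # security-levels from the posted config
PROTO_GROUPS = {"DM_INLINE_PROTOCOL_2": {"ip", "icmp"}}
# ACEs and access-groups as posted: action, protocol, source, destination
ACLS = {"inside_access_in": ["permit ip INSIDE-network any"],
        "DMZ_access_in": ["permit object-group DM_INLINE_PROTOCOL_2 RemoteLan any"],
        "inside_access_out": ["permit ip RemoteLan INSIDE-network"]}
ACCESS_GROUPS = {("inside", "in"): "inside_access_in",
                 ("DMZ", "in"): "DMZ_access_in",
                 ("inside", "out"): "inside_access_out"}

def _addr_ok(token, addr):
    return token == "any" or ipaddress.ip_address(addr) in NETS[token]

def _ace_matches(ace, proto, src, dst):
    """Return the ACE's action if it matches the flow, else None."""
    tok = ace.split()
    action = tok.pop(0)
    if tok[0] == "object-group":
        protos, tok = PROTO_GROUPS[tok[1]], tok[2:]
    else:
        protos = {tok.pop(0)}
    proto_ok = "ip" in protos or proto in protos  # 'ip' covers every protocol
    return action if proto_ok and _addr_ok(tok[0], src) and _addr_ok(tok[1], dst) else None

def acl_decision(iface, direction, proto, src, dst):
    """First matching ACE wins; an applied ACL ends in an implicit deny."""
    name = ACCESS_GROUPS.get((iface, direction))
    if name is None:
        return "no-acl"
    for ace in ACLS[name]:
        action = _ace_matches(ace, proto, src, dst)
        if action:
            return action
    return "deny"

def path_decision(in_iface, out_iface, proto, src, dst):
    """Ingress ACL (or, without one, the security-level rule), then egress ACL."""
    ingress = acl_decision(in_iface, "in", proto, src, dst)
    if ingress == "no-acl":  # no ACL: only higher-to-lower security traffic passes
        ingress = "permit" if SEC_LEVEL[in_iface] > SEC_LEVEL[out_iface] else "deny"
    if ingress != "permit":
        return "deny"
    egress = acl_decision(out_iface, "out", proto, src, dst)
    return "permit" if egress in ("permit", "no-acl") else "deny"
```

    With the posted ACLs, a RemoteLan host reaching an inside host through the DMZ interface is permitted at both checks, while a host on the DMZ segment itself (placeholder 203.0.113.0/24) is stopped by the implicit deny of DMZ_access_in, so a failure for the RemoteLan flow has to come from a later stage such as NAT or routing.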
  • fid500 Member Posts: 71

    Thanks for your reply. I will test your suggestions once I get home. And no, this is not a production environment, it's my home lab.
  • ilcram19-2 Banned Posts: 436
    fid500 wrote: »

    Thanks for your reply. I will test your suggestions once I get home. And no, this is not a production environment, it's my home lab.

    Let me ask you this: are you NATing in the 1760? Can the PIX get to the NATed IP, or the IP that you are using to NAT the remote network on the inside network? If so, add a route to the RemoteLan over the 1760 IP address.