From: Nawaz, Ajaz (Ajaz.Nawaz@bskyb.com)
Date: Mon Aug 22 2005 - 17:20:05 GMT-3
In addition to Scott's advice, always keep in your mind the security levels
set for each interface. Apply the appropriate rules for getting from a
higher security interface to a lower one, and the required configuration for
getting from a lower sec intf to one with a higher set security level.
Ajaz
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Scott Morris
Sent: 22 August 2005 20:59
To: buesink@fma.nl; ccielab@groupstudy.com
Subject: RE: PIX DMZ-1, DMZ-2, INSIDE OUTSIDE traffic
Your static and nat/global commands are both bound to interfaces.
Static (inside,outside) determines the relationship
Static (inside,dmz-1) would as well.
Nat and global pools do the same thing.
You may consider reviewing the online documentation regarding the address
translation on the PIX. While it can get complicated with multiple
interfaces, at its very basic level just think through the life of the
packet and which way it's going. That will help!
Scott
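As an added illustration of the two points above, the interface-pair binding of static/nat/global that Scott describes and the higher-to-lower versus lower-to-higher rules Ajaz mentions (this is not configuration posted by anyone in the thread): it assumes PIX 6.x syntax, security levels 0/100/60/40 for outside/inside/dmz-1/dmz-2, a web server at 172.16.1.10 on dmz-1, and a constructed public address 203.0.113.10 from the documentation range.

```cisco
! Added example, not from the thread. Assumed security levels; the original
! poster's levels are not stated.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz-1 security60
nameif ethernet3 dmz-2 security40

! Higher -> lower (dmz-2 hosts out to the internet): nat/global handles it.
nat (dmz-2) 1 172.18.1.0 255.255.255.0
global (outside) 1 interface

! Lower -> higher (internet to the dmz-1 web server): a static plus an ACL
! on the lower interface. This static is bound to the (dmz-1,outside) pair
! only; a host on dmz-2 sending to 203.0.113.10 never matches it.
static (dmz-1,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! The same mapped address on the (dmz-1,dmz-2) pair. dmz-2 is the lower
! security interface here, so its inbound ACL must also permit the flow.
static (dmz-1,dmz-2) 203.0.113.10 172.16.1.10 netmask 255.255.255.255
access-list dmz2_in permit tcp 172.18.1.0 255.255.255.0 host 203.0.113.10 eq www
access-group dmz2_in in interface dmz-2

! Check: after a dmz-2 host connects to 203.0.113.10, "show xlate" should
! list a translation for 172.16.1.10 on the dmz-1/dmz-2 pair.
```

Whether the server's real 172.16.1.x address stays reachable from dmz-2 alongside the mapped one depends on the existing nat/static statements for that interface pair, which the thread does not show.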
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
buesink@fma.nl
Sent: Monday, August 22, 2005 3:39 PM
To: ccielab@groupstudy.com
Subject: PIX DMZ-1, DMZ-2, INSIDE OUTSIDE traffic
Hi there,
I have a question.
I have a PIX firewall with:
outside interface, dmz-1, dmz-2 and inside.
On the outside there is a .255 mask with real-world IP addressing, so no RFC
1918 addresses.
On dmz-1 is private addressing 172.16.1.0, on dmz-2 is private addressing
172.18.1.0, and on inside is private addressing 172.19.1.0.
From dmz-1, dmz-2 and inside I can get to the internet on the outside, and have
access between them (using the private addresses). That's no problem; I used
global / nat and static commands.
On dmz-1 AND dmz-2 are webservers, which are reachable from the outside
with static NAT translations.
My problem is the following:
If I am on DMZ-2 and I want to access a webserver on DMZ-1, I am NOT able to
do this with the outside address of that webserver, but I can access the
webserver with its REAL address in DMZ-1.
I want to make it work so that when I'm in dmz-2 I can use both the REAL and NAT
address of the webserver in DMZ-1.
The outside NAT address (set with the "static" command) is reachable. From the
internet I can use the outside NAT address, but my problem is I can't use it
from within dmz-2.
Does someone have an idea??
Also I'm having a hard time debugging on the PIX.
I use logging monitor 7, but that gives A LOT of info that I don't want to
see. Does someone know this problem?
Regards and thanks,
J.
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:19 GMT-3