From: Scott Morris (swm@emanon.com)
Date: Mon Aug 22 2005 - 18:44:47 GMT-3
If it's good enough to ask the question here do you not think that everyone
would benefit from the discussion and answer?
Just a thought...
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of john matijevic
Sent: Monday, August 22, 2005 4:49 PM
To: Nawaz, Ajaz
Cc: Scott Morris; buesink@fma.nl; ccielab@groupstudy.com
Subject: Re: PIX DMZ-1, DMZ-2, INSIDE OUTSIDE traffic
Hello J.
Please post your config and reply to me offline. I will take a look at it.
Sincerely,
John
On 8/22/05, Nawaz, Ajaz <Ajaz.Nawaz@bskyb.com> wrote:
>
> In addition to Scott's advice, always keep in your mind the security
> levels set for each interface. Apply the appropriate rules for getting
> from a higher security interface to a lower one, and the required
> configuration for getting from a lower sec intf to one with a higher
> set security level.
>
> Ajaz
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Scott Morris
> Sent: 22 August 2005 20:59
> To: buesink@fma.nl; ccielab@groupstudy.com
> Subject: RE: PIX DMZ-1, DMZ-2, INSIDE OUTSIDE traffic
>
> Your static and nat/global commands are both bound to interfaces.
>
> Static (inside,outside) determines the relationship
>
> Static (inside,dmz-1) would as well.
>
> Nat and global pools do the same thing.
>
> You may consider reviewing the online documentation regarding the
> address translation on the PIX. While it can get complicated with
> multiple interfaces, at its very basic level just think through the
> life of the packet and which way it's going. That will help!
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of buesink@fma.nl
> Sent: Monday, August 22, 2005 3:39 PM
> To: ccielab@groupstudy.com
> Subject: PIX DMZ-1, DMZ-2, INSIDE OUTSIDE traffic
>
> Hi there,
>
> I have a question
> I have a pix firewall with:
>
> outside interface, dmz-1, dmz-2 and inside
>
> on the outside there is a .255 mask with real-world IP addressing, so
> no RFC 1918 addresses.
>
> on dmz-1 is private addressing 172.16.1.0, on
> dmz-2 is private addressing 172.18.1.0, on inside
> is private addressing 172.19.1.0
>
> From the dmz-1, dmz-2 and inside I can internet to the outside, and
> have access between them (using the private addresses). That's no
> problem, I used global / nat and static commands.
>
> On the dmz-1 AND dmz-2 are webservers, which are reachable from the
> outside, with static NAT translations.
>
>
> My problem is the following:
>
> If I am on DMZ-2 and I want to access a webserver on DMZ-1 I am NOT
> able to do this with the outside address of that webserver, but I can
> access the webserver with its REAL address in the DMZ-1.
>
> I want to make it work so when I'm in dmz-2 I can use both the REAL
> and NAT address from the webserver in DMZ-1.
>
> The outside NAT address (set with "static" command) is reachable. From
> the internet I can use the outside NAT address, but my problem is I
> can't use it from within the dmz-2.
>
>
> Does someone have an idea??
> Also I'm having a hard time debugging on the pix..
>
> I use logging monitor 7, but that gives A LOT of info that I don't
> want to see, does someone know this problem?
>
> Regards and thanks,
>
> J.
>
> ______________________________________________________________________
> _ Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
-- John Matijevic, CCIE #13254 U.S. Installation Group Senior Network Engineer 954-969-7160 ext. 1147 (office) 305-321-6232 (cell)
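The DMZ-2 to DMZ-1 case in the quoted question, worked through as an added PIX 6.x configuration sketch; this is not config from any of the posters. Interface names dmz1/dmz2, the security levels, the public address 203.0.113.10 (documentation range) and the server's real address 172.16.1.10 are all assumed for illustration.

```cisco
! Added illustration, not from the thread. Assumptions:
!   dmz1 security50 hosts the web server 172.16.1.10
!   dmz2 security40 holds the clients (172.18.1.0/24), i.e. LOWER than dmz1
!   203.0.113.10 stands in for the server's real-world outside address
nameif ethernet1 dmz1 security50
nameif ethernet2 dmz2 security40

! The mapping the poster already has: Internet clients reach the server
! on its public address through the outside interface.
static (dmz1,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! Scott's point: a static is bound to an interface PAIR. Reusing the same
! public address on the (dmz1,dmz2) pair lets a dmz2 host connect to
! 203.0.113.10 and have the PIX translate it to 172.16.1.10 on dmz1, with
! no hairpin through the outside interface (which PIX 6.x will not do).
static (dmz1,dmz2) 203.0.113.10 172.16.1.10 netmask 255.255.255.255

! Ajaz's point: dmz2 is the lower security interface here, so the flow
! needs an ACL applied inbound on dmz2. On PIX 6.x the ACL is matched
! against the MAPPED destination (203.0.113.10), not the real 172.16.1.10.
! Keep it to the web port; a "permit ip" here would open the whole server.
access-list dmz2_in permit tcp 172.18.1.0 255.255.255.0 host 203.0.113.10 eq www
access-group dmz2_in in interface dmz2

! If dmz2 were instead HIGHER than dmz1, the static alone suffices, given
! the nat/global rules that already let dmz2 reach dmz1's real addresses.

! Verification after one test connection from a dmz2 host:
show xlate | include 203.0.113.10
show conn | include 172.16.1.10
```

The two `show` lines confirm the new translation slot and the resulting connection; an xlate that appears only for the (dmz1,outside) pair means the dmz2 request is still being routed toward the outside interface.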
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:19 GMT-3