OT: PIX DMZ-1, DMZ-2, INSIDE OUTSIDE traffic

From: Nawaz, Ajaz (Ajaz.Nawaz@bskyb.com)
Date: Mon Aug 22 2005 - 19:04:36 GMT-3


If anything - one would have expected to see this query sent to the security
forum. I agree rsgs is not necessarily the correct place to submit this
post. As such, I have modified the subject header with *OT*

 

Ajaz

 

 

  _____

From: john matijevic [mailto:john.matijevic@gmail.com]
Sent: 22 August 2005 22:57
To: swm@emanon.com
Cc: Nawaz, Ajaz; buesink@fma.nl; ccielab@groupstudy.com
Subject: Re: PIX DMZ-1, DMZ-2, INSIDE OUTSIDE traffic

 

Hi Scott,

There are many topics that could be interesting depending on what your
interest level is of the topic. Since this forum is dedicated to the routing
and switching exam, I try to minimize the threads and post what is related
to the topic. Just my .02 cents.

Sincerely,

John

 

On 8/22/05, Scott Morris <swm@emanon.com> wrote:

If it's good enough to ask the question here do you not think that everyone
would benefit from the discussion and answer?

Just a thought...

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of john matijevic
Sent: Monday, August 22, 2005 4:49 PM
To: Nawaz, Ajaz
Cc: Scott Morris; buesink@fma.nl; ccielab@groupstudy.com
Subject: Re: PIX DMZ-1, DMZ-2, INSIDE OUTSIDE traffic

Hello J.
Please post your config and reply to me offline. I will take a look at it.
Sincerely,
John

On 8/22/05, Nawaz, Ajaz <Ajaz.Nawaz@bskyb.com> wrote:
>
> In addition to Scott's advice, always keep in your mind the security
> levels set for each interface. Apply the appropriate rules for getting
> from a higher security interface to a lower one, and the required
> configuration for getting from a lower sec intf to one with a higher
> set security level.
>
> Ajaz
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Scott Morris
> Sent: 22 August 2005 20:59
> To: buesink@fma.nl; ccielab@groupstudy.com
> Subject: RE: PIX DMZ-1, DMZ-2, INSIDE OUTSIDE traffic
>
> Your static and nat/global commands are both bound to interfaces.
>
> Static (inside,outside) determines the relationship
>
> Static (inside,dmz-1) would as well.
>
> Nat and global pools do the same thing.
>
> You may consider reviewing the online documentation regarding the
> address translation on the PIX. While it can get complicated with
> multiple interfaces, at its very basic level just think through the
> life of the packet and which way it's going. That will help!
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of buesink@fma.nl
> Sent: Monday, August 22, 2005 3:39 PM
> To: ccielab@groupstudy.com
> Subject: PIX DMZ-1, DMZ-2, INSIDE OUTSIDE traffic
>
> Hi there,
>
> I have a question
> I have a pix firewall with:
>
> outside interface, dmz-1, dmz-2 and inside
>
> on the outside there is a .255 mask with real-world ip addressing, so
> no rfc 1918 addresses.
>
> on dmz-1 is private addressing 172.16.1.0, on dmz-2 is private
> addressing 172.18.1.0, on inside is private addressing 172.19.1.0
>
> From the dmz-1 dmz-2 and inside I can internet to the outside, and
> have access between them (using the private addresses). that's no
> problem, I used global / nat and static commands.
>
> On the dmz-1 AND dmz-2 are webservers, which are reachable from the
> outside, with static NAT translations.
>
>
> My problem is the following:
>
> If I am on DMZ-2 and I want to access a webserver on DMZ-1 I am NOT
> able to do this with the outside address of that webserver, but I can
> access the webserver with its REAL address in the DMZ-1.
>
> I want to make it work so when I'm in dmz-2 I can use both the REAL
> and NAT address from the webserver in DMZ-1.
>
> The outside NAT address (set with "static" command) is reachable. From
> the internet I can use the outside nat address, but my problem is I
> can't use it from within the dmz-2.
>
>
> Does someone have an idea??
> Also I'm having a hard time to debug on the pix..
>
> I use logging monitor 7, but that gives A LOT of info that I don't
> want to see, does someone know this problem?
>
> Regards and thanks,
>
> J.
>
> ______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

--
John Matijevic, CCIE #13254
U.S. Installation Group
Senior Network Engineer
954-969-7160 ext. 1147 (office)
305-321-6232 (cell)
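A worked configuration for the scenario J. describes, added here as an illustration and not taken from anyone in the thread. It assumes PIX 6.x syntax, a constructed public address 203.0.113.10 for the DMZ-1 web server (real address 172.16.1.10), and security levels that the original post never states; it shows why a static bound to (dmz-1,outside) is invisible to traffic arriving on dmz-2, and what a second static on the (dmz-1,dmz-2) pair does about it.

```text
! Assumed (not stated in the thread): security levels of the interfaces.
nameif ethernet0 outside security0
nameif ethernet1 dmz-1 security50
nameif ethernet2 dmz-2 security40
nameif ethernet3 inside security100

! Existing translation: the DMZ-1 web server as seen from the outside.
! It is bound to the (dmz-1,outside) interface pair only, so a packet
! that arrives on dmz-2 destined for 203.0.113.10 never matches it.
! (203.0.113.10 / 172.16.1.10 are constructed example addresses.)
static (dmz-1,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255

! Added translation: the same mapped address on the (dmz-1,dmz-2) pair,
! so DMZ-2 hosts can reach the server by its public address as well as
! by its real 172.16.1.10 address.
static (dmz-1,dmz-2) 203.0.113.10 172.16.1.10 netmask 255.255.255.255

! Under the assumed levels dmz-2 (40) is lower than dmz-1 (50), so the
! access-list applied inbound on dmz-2 must permit the MAPPED address;
! on PIX 6.x ACLs are written against translated addresses. Append this
! line to the list already applied on dmz-2 rather than replacing it.
access-list dmz2_in permit tcp 172.18.1.0 255.255.255.0 host 203.0.113.10 eq www
access-group dmz2_in in interface dmz-2

! Verify: after a connection attempt from dmz-2, the new translation
! should appear in "show xlate" for the dmz-1/dmz-2 pair.
```

If dmz-2 were instead configured with a higher security level than dmz-1, the static alone would suffice and the ACL line would be unnecessary.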


This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:19 GMT-3