Re: PIX inside, outside, 2 x DMZ's translate problem

From: john matijevic (john.matijevic@gmail.com)
Date: Tue Aug 23 2005 - 09:05:07 GMT-3


Hello,
I also see a problem with this statement:
static (dmz-2,dmz-1) 172.18.1.0 172.18.1.0 netmask 255.255.255.0
should be:
static (dmz-2,dmz-1) 172.16.1.0 172.18.1.0 netmask 255.255.255.0
Sincerely,
John

On 8/23/05, buesink@fma.nl wrote:
>
> Hi Guys,
>
> Now I also have the configs...
> Question :
>
> Why can't I reach SRV-1-WEB031 from the DMZ-2 on its OUTSIDE configured
> address (191.12.112.14)? From the outside I can
> reach the server by this address. I can reach the server from the DMZ-2 on
> its REAL address 172.16.1.31,
> but I want to reach it ALSO via the 191.12.112.14.
>
>
> Thanks
>
> global (outside) 1 interface
>
> nat (inside) 1 10.100.128.0 255.255.252.0
> nat (dmz-1) 1 172.16.1.0 255.255.255.0
> nat (dmz-2) 1 172.18.1.0 255.255.255.0
>
> static (inside,dmz-1) 10.100.128.0 10.100.128.0 netmask 255.255.252.0
> static (inside,dmz-2) 10.100.128.0 10.100.128.0 netmask 255.255.252.0
> static (dmz-1,outside) 191.12.112.14 SRV-1-WEB031 netmask 255.255.255.255
> static (dmz-2,outside) 191.12.112.36 SRV-2-PRT226 netmask 255.255.255.255
> static (dmz-2,vpnlan) 172.18.1.0 172.18.1.0 netmask 255.255.255.0
> static (dmz-2,outside) 191.12.112.38 SRV-2-DC221 netmask 255.255.255.255
> static (dmz-2,dmz-1) 172.18.1.0 172.18.1.0 netmask 255.255.255.0
>
>
> name 172.16.1.31 SRV-1-WEB031
> name 172.18.1.6 SRV-2-PRT226
> name 172.18.1.2 SRV-2-DC221
>
> nameif vlan2 inside security100
> nameif vlan17 dmz-1 security50
> nameif vlan20 outside security0
> nameif vlan12 dmz-2 security51
> nameif vlan19 vpnlan security10
>
>
> Every access-list on all interfaces is set to "permit any any" for testing
> I think it's a NAT issue
>
>
> Question:
>
> From the OUTSIDE I can reach the SRV-1-WEB031 with the outside address.
> From the DMZ-2 I can reach the SRV-1-WEB031 on its real internal address
> (172.16.1.31), but NOT on its
> OUTSIDE address (191.12.112.14). How can I do
> this?
>
>
> Many thanks!
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

--
John Matijevic, CCIE #13254
U.S. Installation Group
Senior Network Engineer
954-969-7160 ext. 1147 (office)
305-321-6232 (cell)


This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:20 GMT-3