DMZ Problem - configs included
16 years 8 months ago #25408
by FiercePowahs
DMZ Problem - configs included was created by FiercePowahs
I have a PIX 506E with a Virtual interface assigned as the DMZ, VLAN50.
Behind the PIX are two 2950s with two VLANs, the management VLAN and VLAN50, which corresponds to the PIX.
I assigned a single port on the switch to VLAN50 and hooked up a machine. Configured a static IP address with a default gateway of the DMZ interface. I haven't been able to get the internet, nor have I been able to see the machine on the DMZ from the inside network.
here are the necessary parts of my config:
Switch 1 (VTP Client):
interface GigabitEthernet0/2
description VLANTESTPORT
switchport access vlan 50
switchport mode access
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
no ip route-cache
---Vlan50 isn't listed in the config even though it's listed in show vlan:
50 DMZ active Gi0/2
Is this because it's a client switch?
Switch 2 (VTP Server):
interface Vlan1
ip address 192.168.1.3 255.255.255.0
no ip route-cache
!
interface Vlan50
no ip address
no ip route-cache
shutdown
---Vlan50 IS listed in this config.
PIX Firewall:
---logical vlan50 configured with security 50. This is configured based on Cisco's docs.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan50 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan50 DMZ security50
----granting the dmz subnet, 5.* to access the inside interface subnet 1.*, then applying the ACL to the DMZ interface:
access-list dmz permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group dmz in interface DMZ
----more access list for no NAT. this allows my 2.0 site-to-site network access without address translation. I added an ACL for the 5.0 network since I don't think it requires NAT:
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
----Assigned DMZ interface an IP address:
ip address outside *.*.*.74 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip address DMZ 192.168.5.1 255.255.255.0
----Enabled NAT on the DMZ interface:
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 192.168.5.0 255.255.255.0 0 0
what am I missing?
This is what I'm shooting for:
inside: 192.168.1.*
dmz: 192.168.5.*
I want to put a mail server in the DMZ which the outside and inside interfaces have access to on ports 25 and 110.
any help is appreciated.
16 years 7 months ago #25590
by ramasamy
Replied by ramasamy on topic Re: DMZ Problem - configs included
Hi,
If you want to put a mail server in the DMZ and need to access it from inside to outside, a static NAT one-to-one mapping for the mail server needs to be applied.
You need to apply the rule on the inside and outside interfaces in the inbound direction for ports 25 and 110 for the server IP address.
You can apply a PAT on the DMZ interface for the traffic from the inside network to the DMZ instead of a NAT 0.
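The static NAT and port-specific rules ramasamy describes, written out as an added example in PIX 6.x syntax. This is not configuration from either poster: the mail server address 192.168.5.10 and the published address *.*.*.75 (a free address in the PIX's /29 outside block) are placeholders chosen for illustration, and lines starting with ':' are comments. It also narrows the thread's `access-list dmz permit ip 192.168.5.0 ... 192.168.1.0 ...` entry, which as posted lets any DMZ host reach any inside host on any protocol and so removes the isolation the DMZ is meant to provide.

```text
: --- publish the DMZ mail server on a public address (one-to-one static) ---
static (DMZ,outside) *.*.*.75 192.168.5.10 netmask 255.255.255.255 0 0

: --- outside -> DMZ: only SMTP and POP3 to the published address ---
access-list outside_in permit tcp any host *.*.*.75 eq smtp
access-list outside_in permit tcp any host *.*.*.75 eq pop3
access-group outside_in in interface outside

: --- inside -> DMZ: PAT inside hosts to the DMZ interface address ---
: (the existing "nat (inside) 1 0.0.0.0 0.0.0.0 0 0" supplies the inside side;
:  if you keep this, drop the 192.168.5.0 line from the NoNAT list so nat 0
:  does not take precedence for that traffic)
global (DMZ) 1 interface

: --- DMZ -> inside/outside: replace the any-protocol permit ---
no access-list dmz permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz deny ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz permit tcp host 192.168.5.10 any eq smtp
access-list dmz permit udp host 192.168.5.10 any eq domain
access-group dmz in interface DMZ
```

Inside hosts reach the server at 192.168.5.10 directly (the static applies only between DMZ and outside); outside clients use *.*.*.75. Replies to inside-initiated connections return through the PIX's state table, so the DMZ list only needs the outbound services the server itself initiates (SMTP delivery and DNS here). One check not visible in the posted excerpts: the PIX's `ethernet1` carries the inside network untagged and VLAN50 tagged, so the 2950 port facing the PIX must be an 802.1Q trunk that allows VLAN 50 (`switchport mode trunk` plus `switchport trunk allowed vlan 1,50` on a 2950); an access port there would explain why the DMZ host cannot reach the firewall at all.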