Can't access webserver from my inside network
cogito 2003-05-01, 6:20 pm
I have a DMZ with a www server that resides in it. Users in my internal network can not access the website on the server. Here is what is configured:
outside: 200.200.200.200
DMZ: 10.10.10.1/24
webserver internal: 10.10.10.10/24
real webserver ip address: 200.200.200.201
webserver internal address: 172.18.134.2/24
This is what I have:
1. static (dmz,outside) 200.200.200.201 10.10.10.10 netmask 255.255.255.255
2. conduit permit tcp host 200.200.200.201 eq www any
nat (inside) 1 0.0.0.0 0.0.0.0
Do I need a global (dmz) statement?
thanks
mosam 2003-05-01, 10:47 pm
As a rule, for any lower security interface to access a higher security interface, you need a static. And for a higher security interface to access a lower security interface, you need to nat. If you take this as a golden rule in PIX, you can do almost any kind of translation...
So, in order for internal users to access the DMZ, they will need to be natted to the DMZ as well. And you will need to either assign them an address range for that, or just use PAT with a single IP address (or even the DMZ interface for that).
cogito 2003-05-01, 11:36 pm
I'm using the following:
nat (inside) 1 0.0.0.0 0.0.0.0
Do you think I should add additional global and nat commands?
global (dmz) 1 10.10.10.0-10.10.10.20
nat (dmz) 1 10.10.10.0 255.255.255.0
mosam 2003-05-02, 12:39 am
Try this,
! This will nat all inside network
nat (inside) 1 0.0.0.0 0.0.0.0
! to a global outside address
global (outside) 1 interface
! and a global DMZ address
global (dmz) 1 interface
The only thing left is to nat DMZ to outside.. make it a different nat process,
! This will nat all dmz network
nat (dmz) 2 0 0
! to a global outside address
global (outside) 2 interface
"interface" may not work in some PIX image versions; if it doesn't work, try replacing it with an IP address of the same DMZ network (in case of DMZ), or an outside IP (in case of outside natting).
cogito 2003-05-02, 12:15 pm
Thanks mosam!
This should work to access the webserver from internal... yes or no?
This is only part of the config:
# Nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
# ip address
ip address outside 64.x.x.x 255.255.255.128
ip address inside 172.16.34.1 255.255.255.0
ip address DMZ 10.10.10.1 255.255.255.0
# Global
global (outside) 1 64.x.x.31-64.x.x.126 netmask 255.255.255.128
global (dmz) 1 10.10.10.0-10.10.10.20
(or I can make it 64.x.x.30)
# Nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 2 0.0.0.0 0.0.0.0
# Static
static (DMZ,outside) 64.x.x.29 10.10.10.10 netmask 255.255.255.255
# conduit
conduit permit tcp host 64.x.x.29 eq www any
Looking at the previous post it looks like I need to add
global (outside) 2 64.x.x.3 netmask 255.255.255.128
Yes, this should work, just replace
global (dmz) 1 10.10.10.0-10.10.10.20
with
global (dmz) 1 10.10.10.2-10.10.10.20
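The rule mosam states (higher to lower security needs nat plus a matching global; lower to higher needs a static) can be checked mechanically against a PIX 6.x fragment. The script below is an added example written for this thread, not anything posted by cogito or mosam and not PIX software: it parses the nameif, nat, global and static lines of a configuration assembled from the values in this thread (the 64.x.x.x addresses are kept as the masked placeholders cogito used), then reports, for each flow the poster wants, whether the required translation pieces are present or which command is missing. The intended flow list is an assumption of the example.

```python
"""Check a PIX 6.x fragment against the static-vs-nat/global rule from this thread."""
import re
from collections import defaultdict

# Constructed sample: cogito's posted fragment (with mosam's narrowed DMZ pool),
# before the extra "global (outside) 2" line cogito noticed was missing.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 64.x.x.x 255.255.255.128
ip address inside 172.16.34.1 255.255.255.0
ip address DMZ 10.10.10.1 255.255.255.0
global (outside) 1 64.x.x.31-64.x.x.126 netmask 255.255.255.128
global (dmz) 1 10.10.10.2-10.10.10.20
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 2 0.0.0.0 0.0.0.0
static (DMZ,outside) 64.x.x.29 10.10.10.10 netmask 255.255.255.255
conduit permit tcp host 64.x.x.29 eq www any
"""

# Assumed intended flows: inside users to the DMZ web server and the Internet,
# the DMZ server out to the Internet, and Internet clients in to the web server.
INTENDED_FLOWS = [("inside", "dmz"), ("inside", "outside"),
                  ("dmz", "outside"), ("outside", "dmz")]


def parse_pix(config):
    """Extract security levels, nat ids, global pools and statics from a fragment."""
    levels = {}                   # interface name -> security level
    nat_ids = defaultdict(set)    # source interface -> {nat id}
    globals_ = defaultdict(set)   # nat id -> {interfaces that carry a global pool}
    statics = set()               # (higher-security interface, lower-security interface)
    for raw in config.splitlines():
        line = raw.strip().lower()   # PIX interface names are case-insensitive ("DMZ" == "dmz")
        if m := re.match(r"nameif\s+\S+\s+(\S+)\s+security(\d+)$", line):
            levels[m[1]] = int(m[2])
        elif m := re.match(r"nat\s+\((\S+)\)\s+(\d+)\b", line):
            nat_ids[m[1]].add(int(m[2]))
        elif m := re.match(r"global\s+\((\S+)\)\s+(\d+)\b", line):
            globals_[int(m[2])].add(m[1])
        elif m := re.match(r"static\s+\((\S+),(\S+)\)", line):
            statics.add((m[1], m[2]))
    return levels, nat_ids, globals_, statics


def check_flows(config, flows=INTENDED_FLOWS):
    """Apply the rule per flow; return {(src, dst): 'ok' or the missing command}."""
    levels, nat_ids, globals_, statics = parse_pix(config)
    result = {}
    for src, dst in flows:
        if levels[src] > levels[dst]:
            # Higher to lower: src needs a nat whose id has a global on dst.
            # nat id 0 is the PIX "no translation" case and needs no global.
            ids = nat_ids.get(src, set())
            if not ids:
                result[(src, dst)] = f"missing nat ({src}) <id> <net> <mask>"
            elif 0 in ids or any(dst in globals_[i] for i in ids):
                result[(src, dst)] = "ok"
            else:
                result[(src, dst)] = f"missing global ({dst}) {min(ids)} <address or pool>"
        else:
            # Lower to higher: nothing on dst is reachable without a static (dst,src).
            if (dst, src) in statics:
                result[(src, dst)] = "ok"
            else:
                result[(src, dst)] = f"missing static ({dst},{src}) <mapped> <real>"
    return result


if __name__ == "__main__":
    for (src, dst), verdict in check_flows(PIX_CONFIG).items():
        print(f"{src:>7} -> {dst:<7} {verdict}")
    # Adding the line cogito identified clears the only finding.
    fixed = PIX_CONFIG + "global (outside) 2 64.x.x.3 netmask 255.255.255.128\n"
    print(check_flows(fixed))
```

Run as-is, the script reports inside->dmz, inside->outside and outside->dmz as ok and flags dmz->outside with "missing global (outside) 2", which is exactly the gap cogito spotted at the end of the post above; appending that global makes every flow pass. The check only covers translation plumbing, so a conduit or access-list still has to permit the traffic from the lower-security side.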
cogito 2003-05-02, 9:11 pm
ok..