DMZ Problem - configs included 8 years 8 months ago #25408

I have a PIX 506E with a virtual interface assigned as the DMZ, VLAN50.

Behind the PIX are two 2950s with two VLANs: the management VLAN and VLAN50, which corresponds to the PIX.

I assigned a single port on the switch to VLAN50 and hooked up a machine. I configured a static IP address with a default gateway of the DMZ interface. I haven't been able to get to the internet, nor have I been able to see the machine on the DMZ from the inside network.

Here are the necessary parts of my config:
Switch 1 (VTP Client):

interface GigabitEthernet0/2
description VLANTESTPORT
switchport access vlan 50
switchport mode access
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
no ip route-cache

---Vlan50 isn't listed in the config even though it's listed in show vlan:

50 DMZ active Gi0/2

Is this because it's a client switch?
Switch 2 (VTP Server):

interface Vlan1
ip address 192.168.1.3 255.255.255.0
no ip route-cache
!
interface Vlan50
no ip address
no ip route-cache
shutdown

---Vlan50 IS listed in this config.
PIX Firewall:

---Logical vlan50 configured with security 50. This is configured based on Cisco's docs.

interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan50 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan50 DMZ security50

----Granting the DMZ subnet, 5.*, access to the inside interface subnet 1.*, then applying the ACL to the DMZ interface:

access-list dmz permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group dmz in interface DMZ

----More access-list entries for no NAT. This allows my 2.0 site-to-site network access without address translation. I added an ACL for the 5.0 network since I don't think it requires NAT:

access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

----Assigned DMZ interface an IP address:

ip address outside *.*.*.74 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip address DMZ 192.168.5.1 255.255.255.0

----Enabled NAT on the DMZ interface:

global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 192.168.5.0 255.255.255.0 0 0

What am I missing?

This is what I'm shooting for:

inside: 192.168.1.*
dmz: 192.168.5.*

I want to put a mail server in the DMZ, to which the outside and inside interfaces have access on ports 25 and 110.

Any help is appreciated.

Re: DMZ Problem - configs included 8 years 8 months ago #25590

ramasamy
Hi,

If you want to put a mail server in the DMZ and need to access it from inside to outside, a static NAT one-to-one mapping for the mail server needs to be applied.

You need to apply the rule on the inside and outside interfaces in the inbound direction for ports 25 and 110 for the server IP address.

You can apply a PAT on the DMZ interface for the traffic from the inside network to the DMZ instead of a NAT 0.
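The reply's layout written out as an added example in PIX 6.3 syntax; it is not the poster's or ramasamy's configuration. It assumes the mail server is 192.168.5.10, uses the placeholder *.*.*.75 for its public address in the poster's outside /29, and assumes the switch port facing PIX ethernet1 is an 802.1Q trunk; it also tightens the poster's DMZ rule, whose implicit deny blocks DMZ-to-internet traffic while permitting the whole DMZ to reach the inside.

```cisco
! Added example in PIX 6.3 syntax; not the poster's or the replier's own config.
! Assumed: mail server 192.168.5.10 in the DMZ; *.*.*.75 is a placeholder public
! address in the poster's outside /29 (only *.*.*.74 appears in the post).
! Also assumed: the switch port facing PIX ethernet1 is an 802.1Q trunk with
! native VLAN 1 and VLAN 50 allowed, since the logical vlan50 interface only
! receives tagged frames.

! One-to-one static NAT publishing the mail server on the outside interface.
static (DMZ,outside) *.*.*.75 192.168.5.10 netmask 255.255.255.255 0 0

! Inside -> DMZ: PAT inside hosts to the DMZ interface address, as the reply
! suggests, instead of the NoNAT entry for 192.168.5.0 (nat 0 would otherwise
! take precedence over the PAT, so that entry is removed).
global (DMZ) 1 interface
no access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

! Outside -> DMZ: only SMTP and POP3 to the published address. If an outside
! ACL already exists (e.g. for the site-to-site VPN), add these two entries to it.
access-list outside_in permit tcp any host *.*.*.75 eq smtp
access-list outside_in permit tcp any host *.*.*.75 eq pop3
access-group outside_in in interface outside

! Inside -> DMZ: inside users reach the server on 25/110 only; everything else
! toward the DMZ is denied, and inside -> outside stays open.
access-list inside_in permit tcp 192.168.1.0 255.255.255.0 host 192.168.5.10 eq smtp
access-list inside_in permit tcp 192.168.1.0 255.255.255.0 host 192.168.5.10 eq pop3
access-list inside_in deny ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside

! DMZ -> elsewhere: the poster's access-list dmz permits only DMZ -> inside, so
! its implicit deny blocks DMZ -> internet (the "no internet" symptom) while
! letting any DMZ host open connections to the inside network. Replace it so the
! server can deliver mail and resolve names outward but cannot reach inside.
no access-list dmz permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz deny ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz permit tcp host 192.168.5.10 any eq smtp
access-list dmz permit udp host 192.168.5.10 any eq domain
access-group dmz in interface DMZ
```

Verify the translations with show xlate and watch the DMZ ACL hit counts with show access-list dmz before and after a test connection from the DMZ host.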