• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 359
  • Last Modified:

traffic from DMZ to LAN on a Pix5063 with VLANs

Hi there,

I have a Cisco Pix 506e with 2 virtual interfaces added to the physical inside interface as per below:

interface ethernet0 10full
interface ethernet1 auto                        
interface ethernet1 vlan2 logical                                
interface ethernet1 vlan3 logical

nameif ethernet0 outside security0
nameif inside security100
nameif vlan2 LAN security100
nameif vlan3 DMZ security50

ip address outside x.x.x.x 255.255.255.252
ip address inside 192.168.100.254 255.255.255.055.128 outside                                
ip address DMZ 10.0.0.254 255.255.255.055.255.255.255 outside                
ip address LAN 192.168.1.254 255.255.255.00.0 255.255.255.255 inside

The inside interface is connected to a trunking port on my "vlan switch" and 2 other ports on the switch are connected to my LAN and DMZ and are in the vlan2 and vlan3 as appropriate.

That 192.168.100.254 address is basically unused (I wasn't sure if I could just put in 0.0.0.0 or even assign no IP), it's the DMZ and LAN interfaces that are used.  

I have traffic coming in from the outside OK and both the DMZ and LAN can get to the internet OK, what I don't know how to do is to get traffic flowing between the DMZ and the LAN.

How do I do that? I'd like to open it right up for now so traffic can freely flow in both directions (from 192.168.1.0/24 to 10.0.0.0/24) and then once I'm all sorted I want to lock down access from the DMZ so it can only get to the servers and ports it needs to.

Thanks,

Simon

0
obstech
Asked:
obstech
  • 4
  • 2
  • 2
1 Solution
 
lrmooreCommented:
\\-- first you need NAT. This can be same inside/dmz like such:
 static (LAN,DMZ) 192.168.1.254 192.168.1.254 netmask 255.255.255.0

\\-- then you need to permit traffic from DMZ into LAN
 access-list dmz permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
 access-list dmz permit tcp host <mailhost> eq 25 any
 access-list dmz permit tcp host <webhost> eq 80 any
 access-list dmz permit udp 10.0.0.0 255.255.255.0 any eq 53

 access-group dmz in interface DMZ

0
 
Keith AlabasterEnterprise ArchitectCommented:
\\-- first you need NAT. This can be same inside/dmz like such:
 static (LAN,DMZ) 192.168.1.254 192.168.1.254 netmask 255.255.255.0

lrmoore, do you have a link that explains this part or a quick summary? I've seen it used but never quite got my head around the purpose.
Thanks
keith
0
 
lrmooreCommented:
Actually, I made and error in the post.
It should be a network subnet nat:

 static (LAN,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

For any PIX OS prior to 7.0 you must have a nat xlate for any traffic crossing interfaces higher to lower. static statement does the nat, but to the same IP.
You can also use access-lists and nat zero to bypass nat but it still goes through the nat process. For local interface access a static is much easier and more desireable. Nat zero wants traffic to originate from the interface it is applied (usually inside) where a static doesn't matter where traffic originates.
0
KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

 
Keith AlabasterEnterprise ArchitectCommented:
Thanks very much.
Regards
keith
0
 
obstechAuthor Commented:
Thanks Irmoore, that's sorted it.

Cheers,

Simon
0
 
Keith AlabasterEnterprise ArchitectCommented:
Obstech, I think you have accepted my comment by mistake. If it is OK with you, I will edit the question and accept LRMoore's answer instead. Can you confirm this is OK for me to do please?
0
 
obstechAuthor Commented:
Sorry fellas, my mistake, meant to give points to Irmoore but obviously had a brain spasm.
0
 
Keith AlabasterEnterprise ArchitectCommented:
No problem, I have already made the change but thank you for confirming it.

Regards

Keith
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

  • 4
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now