traffic from DMZ to LAN on a Pix5063 with VLANs

Hi there,

I have a Cisco Pix 506e with 2 virtual interfaces added to the physical inside interface as per below:

interface ethernet0 10full
interface ethernet1 auto                        
interface ethernet1 vlan2 logical                                
interface ethernet1 vlan3 logical

nameif ethernet0 outside security0
nameif inside security100
nameif vlan2 LAN security100
nameif vlan3 DMZ security50

ip address outside x.x.x.x
ip address inside outside                                
ip address DMZ outside                
ip address LAN inside

The inside interface is connected to a trunking port on my "vlan switch" and 2 other ports on the switch are connected to my LAN and DMZ and are in the vlan2 and vlan3 as appropriate.

That address is basically unused (I wasn't sure if I could just put in or even assign no IP), it's the DMZ and LAN interfaces that are used.  

I have traffic coming in from the outside OK and both the DMZ and LAN can get to the internet OK, what I don't know how to do is to get traffic flowing between the DMZ and the LAN.

How do I do that? I'd like to open it right up for now so traffic can freely flow in both directions (from to and then once I'm all sorted I want to lock down access from the DMZ so it can only get to the servers and ports it needs to.



Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

\\-- first you need NAT. This can be same inside/dmz like such:
 static (LAN,DMZ) netmask

\\-- then you need to permit traffic from DMZ into LAN
 access-list dmz permit ip
 access-list dmz permit tcp host <mailhost> eq 25 any
 access-list dmz permit tcp host <webhost> eq 80 any
 access-list dmz permit udp any eq 53

 access-group dmz in interface DMZ

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Keith AlabasterEnterprise ArchitectCommented:
\\-- first you need NAT. This can be same inside/dmz like such:
 static (LAN,DMZ) netmask

lrmoore, do you have a link that explains this part or a quick summary? I've seen it used but never quite got my head around the purpose.
Actually, I made and error in the post.
It should be a network subnet nat:

 static (LAN,DMZ) netmask

For any PIX OS prior to 7.0 you must have a nat xlate for any traffic crossing interfaces higher to lower. static statement does the nat, but to the same IP.
You can also use access-lists and nat zero to bypass nat but it still goes through the nat process. For local interface access a static is much easier and more desireable. Nat zero wants traffic to originate from the interface it is applied (usually inside) where a static doesn't matter where traffic originates.
Defend Against the Q2 Top Security Threats

Were you aware that overall malware worldwide was down a surprising 42% from Q1'18? Every quarter, the WatchGuard Threat Lab releases an Internet Security Report that analyzes the top threat trends impacting companies worldwide. Learn more by viewing our on-demand webinar today!

Keith AlabasterEnterprise ArchitectCommented:
Thanks very much.
obstechAuthor Commented:
Thanks Irmoore, that's sorted it.


Keith AlabasterEnterprise ArchitectCommented:
Obstech, I think you have accepted my comment by mistake. If it is OK with you, I will edit the question and accept LRMoore's answer instead. Can you confirm this is OK for me to do please?
obstechAuthor Commented:
Sorry fellas, my mistake, meant to give points to Irmoore but obviously had a brain spasm.
Keith AlabasterEnterprise ArchitectCommented:
No problem, I have already made the change but thank you for confirming it.


It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.