obstech
asked on
traffic from DMZ to LAN on a Pix 506e with VLANs
Hi there,
I have a Cisco Pix 506e with 2 virtual interfaces added to the physical inside interface as per below:
interface ethernet0 10full
interface ethernet1 auto
interface ethernet1 vlan2 logical
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif inside security100
nameif vlan2 LAN security100
nameif vlan3 DMZ security50
ip address outside x.x.x.x 255.255.255.252
ip address inside 192.168.100.254 255.255.255.055.128 outside
ip address DMZ 10.0.0.254 255.255.255.055.255.255.25 5 outside
ip address LAN 192.168.1.254 255.255.255.00.0 255.255.255.255 inside
The inside interface is connected to a trunking port on my "vlan switch" and 2 other ports on the switch are connected to my LAN and DMZ and are in the vlan2 and vlan3 as appropriate.
That 192.168.100.254 address is basically unused (I wasn't sure if I could just put in 0.0.0.0 or even assign no IP), it's the DMZ and LAN interfaces that are used.
I have traffic coming in from the outside OK and both the DMZ and LAN can get to the internet OK, what I don't know how to do is to get traffic flowing between the DMZ and the LAN.
How do I do that? I'd like to open it right up for now so traffic can freely flow in both directions (from 192.168.1.0/24 to 10.0.0.0/24) and then once I'm all sorted I want to lock down access from the DMZ so it can only get to the servers and ports it needs to.
Thanks,
Simon
ASKER CERTIFIED SOLUTION
Actually, I made an error in the post.
It should be a network subnet nat:
static (LAN,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
For any PIX OS prior to 7.0 you must have a nat xlate for any traffic crossing interfaces higher to lower. static statement does the nat, but to the same IP.
You can also use access-lists and nat zero to bypass nat, but it still goes through the nat process. For local interface access a static is much easier and more desirable. Nat zero wants traffic to originate from the interface it is applied to (usually inside), whereas with a static it doesn't matter where traffic originates.
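Added example, not part of the original thread: the static from the answer above combined with a DMZ inbound access list, first wide open and then locked down as the asker intends. It assumes PIX 6.x syntax; the ACL name dmz_in, the server 192.168.1.10 and TCP port 1433 are constructed for illustration.

```cisco
: Identity static from the thread: LAN hosts keep their own addresses on the DMZ side.
static (LAN,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

: Stage 1 (wide open while testing): DMZ may reach the whole LAN.
: Once an ACL is bound to DMZ, its implicit deny also covers Internet-bound
: traffic, so the second entry keeps the DMZ hosts' outbound access working.
access-list dmz_in permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_in permit ip 10.0.0.0 255.255.255.0 any
access-group dmz_in in interface DMZ

: Stage 2 (locked down): replace the stage 1 entries with these.
: Order matters: specific permit first, then deny the rest of the LAN,
: then allow everything else (the Internet).
no access-list dmz_in
access-list dmz_in permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.10 eq 1433
access-list dmz_in deny ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_in permit ip 10.0.0.0 255.255.255.0 any
access-group dmz_in in interface DMZ
```

LAN-to-DMZ traffic runs from the higher security level to the lower one, so it needs only the translation; the ACL governs connections initiated from the DMZ. Run clear xlate after changing a static so existing translations are rebuilt.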
Thanks very much.
Regards
keith
ASKER
Thanks Irmoore, that's sorted it.
Cheers,
Simon
Obstech, I think you have accepted my comment by mistake. If it is OK with you, I will edit the question and accept LRMoore's answer instead. Can you confirm this is OK for me to do please?
ASKER
Sorry fellas, my mistake, meant to give points to Irmoore but obviously had a brain spasm.
No problem, I have already made the change but thank you for confirming it.
Regards
Keith
static (LAN,DMZ) 192.168.1.254 192.168.1.254 netmask 255.255.255.0
lrmoore, do you have a link that explains this part or a quick summary? I've seen it used but never quite got my head around the purpose.
Thanks
keith