Solved

DMZ hosts to internet & inside require two NIC's, or can this be done by NAT?  250 POINTS

Posted on 2006-04-27
Last Modified: 2010-04-11
I have a network with one PIX with an outside interface, a DMZ interface which the internet can access with public addresses, let's just say 195.XXX, and an inside 10.XXX network.

I want the DMZ hosts to be able to contact hosts on my inside network as well as the internet. How can this be done?

Is the only way to do this by having two lots of NICs on the hosts, one with public addresses 195.XXX that route to the internet and one with, let's say, 172.16.X.X for my DMZ hosts so they can go inside, or can my DMZ hosts get to the inside without having to NAT their 195.XXX addresses?

If this can be done by NAT and route, could someone show example NAT and route statements?
Thanks in advance.
Question by:lowfell
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16553102
You can do this with a simple NAT and access-list. Here's an example:

!! interface addresses must be host addresses, not the network address
ip address outside 1.1.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz1 192.168.5.1 255.255.255.0

!! allows hosts on the inside and dmz1 interfaces to go out to the internet using PAT on the outside interface address

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz1) 1 0.0.0.0 0.0.0.0

!! identity static (translate the inside network to itself) so dmz1 hosts can reach
!! inside addresses directly; the access-list then permits the lower-security
!! dmz1 interface to initiate traffic towards the inside

static (inside,dmz1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-list dmz1_acl permit ip any any
access-group dmz1_acl in interface dmz1


The static above can be done on a per-IP basis instead of the entire inside network, depending on your requirements. Likewise, you can be as restrictive on the access-list as you need to be (e.g. only allowing certain traffic to the inside network).



 

Author Comment

by:lowfell
ID: 16555771
Sorry, I may be confusing you. My DMZ hosts accept INBOUND only, WWW FROM THE INTERNET. These DMZ hosts have 200.XXX public addresses.

I believe the 200.XXX DMZ hosts NAT to 192.168.0.X addresses (although they are only accepting inbound connections).

I want these 200.XXX (192.168.0.X) DMZ hosts to connect to my inside hosts on port 80.

The inside address range is 172.16.XX.

How do I do this?
 
LVL 9

Accepted Solution

by: stressedout2004 (earned 1000 total points)
ID: 16558129
OK, so the DMZ host already accepts a connection from the internet on port 80 and you want the DMZ hosts to connect to the inside hosts. Since the inside hosts are residing on an interface with a higher security level, you will need to add a static and an access rule.

e.g.

static (inside, dmz) 172.16.x.x 172.16.x.x netmask 255.255.x.x

access-list 101 permit tcp 192.168.0.x 255.255.x.x 172.16.x.x 255.255.x.x eq 80
access-list 101 deny ip 192.168.0.x 255.255.x.x 172.16.x.x 255.255.x.x
access-list 101 permit ip any any

access-group 101 in interface dmz

The commands above will allow hosts on the DMZ to communicate with the inside hosts on port 80.
Just replace them with the actual IPs and interface name.
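An added example, not from the thread, that models the first-match evaluation of the accepted answer's access-list 101 in Python; the concrete networks 192.168.0.0/24 and 172.16.0.0/16 are assumptions standing in for the x's. It shows why the `deny ip` line must sit before the final `permit ip any any`: reorder them and the deny becomes dead.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed concrete values for the x's in the accepted answer (constructed
# for this example, not the asker's real addressing).
DMZ_NET = ipaddress.ip_network("192.168.0.0/24")
INSIDE_NET = ipaddress.ip_network("172.16.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, source, destination, optional eq port."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; otherwise "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # "eq <port>" on the destination; None = any port

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return src in self.src and dst in self.dst


# access-list 101 from the accepted answer, in the order it was written.
ACL_101 = [
    Ace("permit", "tcp", DMZ_NET, INSIDE_NET, 80),
    Ace("deny", "ip", DMZ_NET, INSIDE_NET),
    Ace("permit", "ip", ANY, ANY),
]


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins, as on the PIX; no match is an implicit deny."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


if __name__ == "__main__":
    # DMZ web host opening port 80 to an inside host is permitted, port 22 is not,
    # and DMZ traffic bound for the internet still falls through to permit ip any any.
    print(evaluate(ACL_101, "tcp", "192.168.0.10", "172.16.1.20", 80))   # permit
    print(evaluate(ACL_101, "tcp", "192.168.0.10", "172.16.1.20", 22))   # deny
    print(evaluate(ACL_101, "tcp", "192.168.0.10", "198.51.100.7", 443))  # permit
```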
 

Author Comment

by:lowfell
ID: 16593830
Many thanks, this is much appreciated.