DMZ hosts to internet & inside require two NICs, or can this be done by NAT? (250 points)

Posted on 2006-04-27
Last Modified: 2010-04-09
I have a network with one PIX with an outside interface, a DMZ interface which the internet can access with public addresses, let's just say 195.XXX, and an inside 10.XXX network.

I want the DMZ hosts to be able to contact hosts on my inside network as well as the internet. How can this be done?

Is the only way to do this by having two lots of NICs on the hosts, one with public addresses 195.XXX that route to the internet & one with, let's say, 172.16.X.X for my DMZ hosts so they can go inside, or can my DMZ hosts get to the inside without having to NAT their 195.XXX addresses?

If this can be done by NAT & route, could someone show example nat & route statements?
Thanks in advance
Question by:lowfell
Expert Comment

by:nodisco
ID: 16551589
Hi there

Simplest way to do it is to create a static NAT translation - no route statements are necessary

conf t
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

If inside and dmz hosts can both access the internet then you probably have something in your config like:
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 [ip address/range/interface]

The static NAT translation will not affect this.
Also, if you want to restrict DMZ hosts to just certain hosts/ports etc. on the inside, then you can apply an access-list for same:

access-list fromdmz permit tcp any any eq www
access-list fromdmz permit tcp any host 10.1.1.1 eq https
access-list fromdmz deny ip any any
access-group fromdmz in interface dmz

Hope this helps

Author Comment

by:lowfell
ID: 16555765
Sorry, I may be confusing you. My DMZ hosts accept INBOUND WWW only FROM THE INTERNET. These DMZ hosts have 200.XXX public addresses.

I believe the 200.XXX DMZ hosts NAT to 192.168.0.X addresses (although they are only accepting inbound connections).

I want these 200.XXX (192.168.0.X) DMZ hosts to connect to my inside hosts on port 80.

The inside address range is 172.16.XX.

How do I do this?
Accepted Solution

by: nodisco (earned 1000 total points)
ID: 16556125
If you post your sanitized PIX config it will be easier to explain this, but if you cannot...

I am assuming the following:
Internal range - 172.16.x.x
DMZ range - 192.168.0.x
DMZ hosts are natted to public ip and then allow www traffic in
For this - you should see something like this in your config:
static (dmz,outside) 200.x.x.x 192.168.0.x netmask 255.255.255.255
access-list [aclname] permit tcp any host 200.x.x.x eq www
access-group [aclname] in interface outside
#######################################
To allow the DMZ hosts to connect to your inside hosts on port 80:
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
access-list fromdmz permit tcp any host 172.16.0.x eq 80
access-list fromdmz deny ip any any
access-group fromdmz in interface dmz

In this example, you are permitting only port 80 access from "any" machine in the DMZ to the host 172.16.0.x in the inside network. The deny ACL is not necessary, but I like to add one of these in so you can see hits on the ACL if other traffic is attempting a connection.

Hope this helps

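An added check, not code from the thread, that applies the accepted answer's two requirements to a candidate DMZ-to-inside flow: a static (inside,dmz) that covers the inside destination, then the dmz access-group, evaluated first match wins with an implicit deny. The sample config is constructed and puts the inside range 172.16.0.0/16 in the static; a static whose real range is the DMZ's own 192.168.0.0/24 would leave the 172.16.x.x hosts untranslated on the dmz side, and the PIX would drop the connection no matter what the ACL says.

```python
import ipaddress
import re

PORT_NAMES = {"www": 80, "http": 80, "https": 443}
# Constructed sample mirroring the accepted answer, with the real inside range in the static.
SAMPLE_CONFIG = """
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
access-list fromdmz permit tcp any host 172.16.0.5 eq 80
access-list fromdmz deny ip any any
access-group fromdmz in interface dmz
"""

def parse_pix(text):
    """Collect statics, access-lists and access-groups from PIX 6.x config text."""
    statics, acls, groups = [], {}, {}
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"static \((\w+),\s*(\w+)\) (\S+) (\S+) netmask (\S+)", line)
        if m:  # static (real_if,mapped_if) mapped_ip real_ip netmask mask
            real_if, mapped_if, _mapped, real, mask = m.groups()
            statics.append((real_if, mapped_if, ipaddress.IPv4Network(f"{real}/{mask}", strict=False)))
        m = re.match(r"access-list (\S+) (permit|deny) (\w+) (.+)", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4).split()))
        m = re.match(r"access-group (\S+) in interface (\w+)", line)
        if m:
            groups[m.group(2)] = m.group(1)
    return statics, acls, groups

def _match_addr(tokens, ip):
    """Consume one ACL address spec (any | host X | net mask) and test ip against it."""
    if tokens[0] == "any":
        return True, tokens[1:]
    if tokens[0] == "host":
        return ip == ipaddress.IPv4Address(tokens[1]), tokens[2:]
    return ip in ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def dmz_to_inside_allowed(config, src, dst, dport, proto="tcp"):
    """A DMZ->inside flow needs a static (inside,dmz) covering dst AND a permit in the dmz ACL."""
    statics, acls, groups = parse_pix(config)
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if not any(r == "inside" and m == "dmz" and dst in net for r, m, net in statics):
        return False  # no translation for dst on the dmz side: the PIX drops the packet
    for action, acl_proto, rest in acls.get(groups.get("dmz", ""), []):
        s_ok, rest = _match_addr(rest, src)
        d_ok, rest = _match_addr(rest, dst)
        p_ok = not rest or (rest[0] == "eq" and int(PORT_NAMES.get(rest[1], rest[1])) == dport)
        if acl_proto in (proto, "ip") and s_ok and d_ok and p_ok:
            return action == "permit"  # first matching line wins
    return False  # implicit deny at the end of the ACL
```

The model is deliberately narrow: it ignores nat 0, policy NAT, source-port matching and the lower-security direction, which the PIX permits without an ACL.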
Author Comment

by:lowfell
ID: 16593834
Many thanks, this is much appreciated