Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 258
  • Last Modified:

Can I allow traffic from an inside network host to a dmz host on my pix 515 using 6.3(5)?

I have a server sitting on a dmz network, 192.168.10.2, which has a natted address and is available to the outside/internet.  However, I'd like to be able to get to it from my computer on the internal network, but I can't so far.  I need to open tcp port 3389 for terminal services access, and was going to add icmp while I was at it so I can ping the server.  Neither works, however - the dmz interface is security10, while the internal interface is security100, and the external interface to the internet is security100.  I used conduit statements like 'conduit permit tcp host 192.168.10.2 eq 3389 host (my ip address on the internal network), which didn't work, so I then tried 'conduit permit tcp host (my ip address on the internal network) eq 3389 192.168.10.2', which didn't work either.

Any suggestions how I can do this?  Thanks in advance!
0
atyar
Asked:
atyar
  • 3
  • 2
1 Solution
 
lrmooreCommented:
All you need is a nat static
What is your Internal LAN subnet? example using 192.168.9.0 for internal:
 
static (inside,dmz) 192.168.9.0 192.168.9.0 netmask 255.255.255.0

Nat same same, inside to dmz
You should not need conduit for higher to lower inside to dmz
0
 
atyarAuthor Commented:
Ok that works, but I'm a little confused as to why.  Why create a nat statement that doesn't change the address for the other network?
0
 
atyarAuthor Commented:
b.t.w. typo above I just noticed - internet interface is security 0, not 100 :)
0
 
lrmooreCommented:
Because it is just the design of the PIX. It is designed as a firewall and not a router. It does not simply route packets between interfaces. There has to be NAT applied to all traffic between interfaces of different security levels and in this context we just nat the original to the same subnet
In PIX 7.x we can use a command "nat control" and "no nat control" to turn on/off this requirement.
0
 
atyarAuthor Commented:
Well, give a man a fish, and he eats for a day.  Teach a man to fish, and he eats for a lifetime.
Thanks for the tutelage..... :)
0

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now