Solved

Can I allow traffic from an inside network host to a dmz host on my pix 515 using 6.3(5)?

Posted on 2006-11-10
5
255 Views
Last Modified: 2010-04-10
I have a server sitting on a dmz network, 192.168.10.2, which has a natted address and is available to the outside/internet.  However, I'd like to be able to get to it from my computer on the internal network, but I can't so far.  I need to open tcp port 3389 for terminal services access, and was going to add icmp while I was at it so I can ping the server.  Neither works, however - the dmz interface is security10, while the internal interface is security100, and the external interface to the internet is security100.  I used conduit statements like 'conduit permit tcp host 192.168.10.2 eq 3389 host (my ip address on the internal network), which didn't work, so I then tried 'conduit permit tcp host (my ip address on the internal network) eq 3389 192.168.10.2', which didn't work either.

Any suggestions how I can do this?  Thanks in advance!
0
Comment
Question by:atyar
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 17918468
All you need is a nat static
What is your Internal LAN subnet? example using 192.168.9.0 for internal:
 
static (inside,dmz) 192.168.9.0 192.168.9.0 netmask 255.255.255.0

Nat same same, inside to dmz
You should not need conduit for higher to lower inside to dmz
0
 
LVL 2

Author Comment

by:atyar
ID: 17929795
Ok that works, but I'm a little confused as to why.  Why create a nat statement that doesn't change the address for the other network?
0
 
LVL 2

Author Comment

by:atyar
ID: 17929810
b.t.w. typo above I just noticed - internet interface is security 0, not 100 :)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17933344
Because it is just the design of the PIX. It is designed as a firewall and not a router. It does not simply route packets between interfaces. There has to be NAT applied to all traffic between interfaces of different security levels and in this context we just nat the original to the same subnet
In PIX 7.x we can use a command "nat control" and "no nat control" to turn on/off this requirement.
0
 
LVL 2

Author Comment

by:atyar
ID: 17938577
Well, give a man a fish, and he eats for a day.  Teach a man to fish, and he eats for a lifetime.
Thanks for the tutelage..... :)
0

Featured Post

Are You Using the Best Web Development Editor?

The worlds of web hosting and web development are constantly evolving. Every year we see design trends change, coding standards adapt and new frameworks/CMS created. With such a quick pace of change it’s easy to get lost trying to keep up.

See if your editor made the list.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Suggested Courses
Course of the Month10 days, 23 hours left to enroll

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question