Solved

Can I allow traffic from an inside network host to a dmz host on my pix 515 using 6.3(5)?

Posted on 2006-11-10
5
252 Views
Last Modified: 2010-04-10
I have a server sitting on a dmz network, 192.168.10.2, which has a natted address and is available to the outside/internet.  However, I'd like to be able to get to it from my computer on the internal network, but I can't so far.  I need to open tcp port 3389 for terminal services access, and was going to add icmp while I was at it so I can ping the server.  Neither works, however - the dmz interface is security10, while the internal interface is security100, and the external interface to the internet is security100.  I used conduit statements like 'conduit permit tcp host 192.168.10.2 eq 3389 host (my ip address on the internal network), which didn't work, so I then tried 'conduit permit tcp host (my ip address on the internal network) eq 3389 192.168.10.2', which didn't work either.

Any suggestions how I can do this?  Thanks in advance!
0
Comment
Question by:atyar
  • 3
  • 2
5 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 17918468
All you need is a nat static
What is your Internal LAN subnet? example using 192.168.9.0 for internal:
 
static (inside,dmz) 192.168.9.0 192.168.9.0 netmask 255.255.255.0

Nat same same, inside to dmz
You should not need conduit for higher to lower inside to dmz
0
 
LVL 2

Author Comment

by:atyar
ID: 17929795
Ok that works, but I'm a little confused as to why.  Why create a nat statement that doesn't change the address for the other network?
0
 
LVL 2

Author Comment

by:atyar
ID: 17929810
b.t.w. typo above I just noticed - internet interface is security 0, not 100 :)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17933344
Because it is just the design of the PIX. It is designed as a firewall and not a router. It does not simply route packets between interfaces. There has to be NAT applied to all traffic between interfaces of different security levels and in this context we just nat the original to the same subnet
In PIX 7.x we can use a command "nat control" and "no nat control" to turn on/off this requirement.
0
 
LVL 2

Author Comment

by:atyar
ID: 17938577
Well, give a man a fish, and he eats for a day.  Teach a man to fish, and he eats for a lifetime.
Thanks for the tutelage..... :)
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
2 Subnets, 2 routes, failover routing ? 3 55
Manage ASA using outside IP 14 62
web server dns redirect 5 38
Vyos VLANs 14 31
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question