Re: PIX DMZ-1, DMZ-2, INSIDE OUTSIDE traffic

From: john matijevic (john.matijevic@gmail.com)
Date: Mon Aug 22 2005 - 17:49:26 GMT-3


Hello J.
Please post your config and reply to me offline. I will take a look at it.
Sincerely,
John

 On 8/22/05, Nawaz, Ajaz <Ajaz.Nawaz@bskyb.com> wrote:
>
> In addition to Scott's advice, always keep in your mind the security levels
> set for each interface. Apply the appropriate rules for getting from a
> higher security interface to a lower one, and the required configuration
> for getting from a lower sec intf to one with a higher set security level.
>
> Ajaz
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Scott Morris
> Sent: 22 August 2005 20:59
> To: buesink@fma.nl; ccielab@groupstudy.com
> Subject: RE: PIX DMZ-1, DMZ-2, INSIDE OUTSIDE traffic
>
> Your static and nat/global commands are both bound to interfaces.
>
> Static (inside,outside) determines the relationship
>
> Static (inside,dmz-1) would as well.
>
> Nat and global pools do the same thing.
>
> You may consider reviewing the online documentation regarding the address
> translation on the PIX. While it can get complicated with multiple
> interfaces, at its very basic level just think through the life of the
> packet and which way it's going. That will help!
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> buesink@fma.nl
> Sent: Monday, August 22, 2005 3:39 PM
> To: ccielab@groupstudy.com
> Subject: PIX DMZ-1, DMZ-2, INSIDE OUTSIDE traffic
>
> Hi there,
>
> I have a question.
> I have a pix firewall with:
>
> outside interface, dmz-1, dmz-2 and inside
>
> On the outside there is a .255 mask with real-world IP addressing, so no
> RFC 1918 addresses.
>
> On dmz-1 is private addressing 172.16.1.0, on dmz-2 is private addressing
> 172.18.1.0, and on inside is private addressing 172.19.1.0.
>
> From the dmz-1, dmz-2 and inside I can reach the internet on the outside,
> and have access between them (using the private addresses). That's no
> problem; I used global / nat and static commands.
>
> On the dmz-1 AND dmz-2 are webservers, which are reachable from the
> outside, with static NAT translations.
>
>
> My problem is the following:
>
> If I am on DMZ-2 and I want to access a webserver on DMZ-1 I am NOT able to
> do this with the outside address of that webserver, but I can access the
> webserver with its REAL address in the DMZ-1.
>
> I want to make it work so when I'm in dmz-2 I can use both the REAL and NAT
> address of the webserver in DMZ-1.
>
> The outside NAT address (set with the "static" command) is reachable. From
> the internet I can use the outside NAT address, but my problem is I can't
> use it from within the dmz-2.
>
>
> Does someone have an idea?
> Also I'm having a hard time debugging on the pix..
>
> I use logging monitor 7, but that gives A LOT of info that I don't want to
> see. Does someone know this problem?
>
> Regards and thanks,
>
> J.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

--
John Matijevic, CCIE #13254
U.S. Installation Group
Senior Network Engineer
954-969-7160 ext. 1147 (office)
305-321-6232 (cell)


This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:19 GMT-3