Re: PIX DMZ-1, DMZ-2, INSIDE OUTSIDE traffic

From: john matijevic (john.matijevic@gmail.com)
Date: Mon Aug 22 2005 - 18:56:40 GMT-3


Hi Scott,
There are many topics that could be interesting depending on what your
interest level is of the topic. Since this forum is dedicated to the routing
and switching exam, I try to minimize the threads and post what is related
to the topic. Just my .02 cents.
Sincerely,
John

On 8/22/05, Scott Morris <swm@emanon.com> wrote:
>
> If it's good enough to ask the question here do you not think that
> everyone would benefit from the discussion and answer?
>
> Just a thought...
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> john matijevic
> Sent: Monday, August 22, 2005 4:49 PM
> To: Nawaz, Ajaz
> Cc: Scott Morris; buesink@fma.nl; ccielab@groupstudy.com
> Subject: Re: PIX DMZ-1, DMZ-2, INSIDE OUTSIDE traffic
>
> Hello J.
> Please post your config and reply to me offline. I will take a look at it.
> Sincerely,
> John
>
> On 8/22/05, Nawaz, Ajaz <Ajaz.Nawaz@bskyb.com> wrote:
> >
> > In addition to Scott's advice, always keep in your mind the security
> > levels set for each interface. Apply the appropriate rules for getting
> > from a higher security interface to a lower one, and the required
> > configuration for getting from a lower sec intf to one with a higher
> > set security level.
> >
> > Ajaz
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of Scott Morris
> > Sent: 22 August 2005 20:59
> > To: buesink@fma.nl; ccielab@groupstudy.com
> > Subject: RE: PIX DMZ-1, DMZ-2, INSIDE OUTSIDE traffic
> >
> > Your static and nat/global commands are both bound to interfaces.
> >
> > Static (inside,outside) determines the relationship
> >
> > Static (inside,dmz-1) would as well.
> >
> > Nat and global pools do the same thing.
> >
> > You may consider reviewing the online documentation regarding the
> > address translation on the PIX. While it can get complicated with
> > multiple interfaces, at its very basic level just think through the
> > life of the packet and which way it's going. That will help!
> >
> > Scott
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of buesink@fma.nl
> > Sent: Monday, August 22, 2005 3:39 PM
> > To: ccielab@groupstudy.com
> > Subject: PIX DMZ-1, DMZ-2, INSIDE OUTSIDE traffic
> >
> > Hi there,
> >
> > I have a question
> > I have a pix firewall with:
> >
> > outside interface, dmz-1, dmz-2 and inside
> >
> > On the outside there is a .255 mask with real-world IP addressing, so
> > no RFC 1918 addresses.
> >
> > On dmz-1 is private addressing 172.16.1.0, on dmz-2 is private
> > addressing 172.18.1.0, on inside is private addressing 172.19.1.0.
> >
> > From the dmz-1 dmz-2 and inside I can internet to the outside, and
> > have access between them (using the private addresses). that's no
> > problem, I used global / nat and static commands.
> >
> > On the dmz-1 AND dmz-2 are webservers, which are reachable from the
> > outside, with static NAT translations.
> >
> >
> > My problem is the following:
> >
> > If I am on DMZ-2 and I want to access a webserver on DMZ-1 I am NOT
> > able to do this with the outside address of that webserver, but I can
> > access the webserver with its REAL address in the DMZ-1.
> >
> > I want to make it work so when I'm in dmz-2 I can use both the REAL
> > and NAT address from the webserver in DMZ-1.
> >
> > The outside NAT address (set with "static" command) is reachable. From
> > the internet I can use the outside NAT address, but my problem is I
> > can't use it from within the dmz-2.
> >
> >
> > Does someone have an idea??
> > Also I'm having a hard time debugging on the PIX..
> >
> > I use logging monitor 7, but that gives A LOT of info that I don't
> > want to see, does someone know this problem?
> >
> > Regards and thanks,
> >
> > J.
> >
> > ______________________________________________________________________
> > _ Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
>
>
> --
> John Matijevic, CCIE #13254
> U.S. Installation Group
> Senior Network Engineer
> 954-969-7160 ext. 1147 (office)
> 305-321-6232 (cell)
>
>
>

--
John Matijevic, CCIE #13254
U.S. Installation Group
Senior Network Engineer
954-969-7160 ext. 1147 (office)
305-321-6232 (cell)
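A configuration sketch for the situation J. describes, added here as an illustration and not taken from any message in the thread. It assumes PIX 6.3 classic `static`/`nat`/`global` syntax, that dmz-1 carries a higher security level than dmz-2, and constructed addresses: the DMZ-1 web server is 172.16.1.10 and its outside (mapped) address is 203.0.113.10 (a documentation-range address standing in for the real-world one). The interface names are the ones used in the thread; the ACL name is made up.

```text
! Existing (assumed) mapping that makes the DMZ-1 web server reachable
! from the Internet: real 172.16.1.10 appears as 203.0.113.10 on outside.
static (dmz-1,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255

! Why dmz-2 cannot use 203.0.113.10: a static is bound to an interface
! pair (Scott's point). The mapping above exists only between dmz-1 and
! outside, so a packet arriving on dmz-2 for 203.0.113.10 has no
! translation on the (dmz-1,dmz-2) pair and is routed toward outside.

! Fix: publish the same mapped address on the (dmz-1,dmz-2) pair, so
! that from dmz-2 the server is reachable by both its real address
! (through the existing nat/global or nat 0 between the DMZs) and by
! 203.0.113.10.
static (dmz-1,dmz-2) 203.0.113.10 172.16.1.10 netmask 255.255.255.255

! Because dmz-2 is assumed to be the lower-security side, traffic from
! dmz-2 toward dmz-1 must be explicitly permitted (Ajaz's point). On
! pre-8.3 PIX code the ACL on the ingress interface matches addresses
! as they appear on that interface, i.e. the mapped 203.0.113.10.
! Permit only the web port, not everything.
access-list dmz2_in permit tcp 172.18.1.0 255.255.255.0 host 203.0.113.10 eq www
access-list dmz2_in permit tcp 172.18.1.0 255.255.255.0 host 172.16.1.10 eq www
access-group dmz2_in in interface dmz-2

! Verification from the PIX CLI after a test connection from dmz-2:
!   show static   - both static lines above should be listed
!   show xlate    - a 172.16.1.10 <-> 203.0.113.10 entry should be present
!   show conn     - the TCP connection from 172.18.1.x to port 80

! Narrowing the logging noise J. mentions: run the terminal monitor at
! informational (6) instead of debugging (7), and silence individual
! chatty message IDs rather than lowering the level further. The ID
! below is a placeholder; take the real one from the PIX system log
! messages reference for the release in use.
logging monitor 6
no logging message <syslog-id>
```

The second `static` is the whole fix: translation rules on the PIX are per interface pair, so an address published toward `outside` is simply not known on the `(dmz-1,dmz-2)` pair until it is declared there. The ACL keeps the lower-to-higher path narrow (one destination host, one port), which is the least-privilege shape a DMZ-to-DMZ rule should have.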


This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:19 GMT-3