Title: RE: PIX 515 question

Hi,

First thing that you need to check is your security levels. I am most definitely assuming that your internal is a greater value than the DMZ. This can be checked by typing "sh nameif". Traffic is allowed by default from a higher value to a lower (Eg. 100 --> 25) with the proper configuration .... which comes next.

To enable you to connect from a higher security zone to a lower one you make use of 2 commands, namely "nat" and "global". Let's say for instance that your DMZ zone is 192.168.1.0/24. You should have the following in your config:

1)      nat (dmz) 1 0.0.0.0 0.0.0.0 - Note: (dmz) is the name of your interface for that zone
2)      global (dmz) 1 192.168.1.221-192.168.1.253
3)      global (dmz) 1 192.168.1.220

1)      This NATs all connections to the dmz
2)      This is what is assigned as the NAT address when connecting to that zone
3)      If all addresses are used up it will use this IP for PAT

If you are only doing some minor admin, you don't need command 2.

Make sure that you don't have any access-lists applied to your dmz interface .... (of course it can be done) but once a single access-list is applied, the default policy is to deny all traffic other than what is specifically allowed, so you will specifically have to allow the protocols that you are using.

Another thing to check is that you are actually connecting to the right IP address .... this makes a difference if you use non-routable IPs in your dmz. Let's say that you connect to www.test.com; doing an nslookup might reveal the legal IP (Eg. 193.76.90.21) .... that's not going to work. To get around that, add an entry to your local hosts file or put the non-routable IP in your internal DNS server. (Eg. 192.168.1.23 www.test.com)

Hope this helped .... let me know if you need any further help.

Cheers
Mark
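A small config lint, added here as an illustration and not part of Mark's reply or of any Cisco tool: it reads a constructed PIX 6.x-style fragment (nameif, nat, global and access-group lines), confirms the source interface has the higher security level, looks for a nat id on the source interface with a matching global pool on the destination interface, and flags an inbound access-list on the source interface. Function names and the sample configs are my own assumptions.

```python
import re

# Constructed sample in PIX 6.x syntax: nat is defined on the interface the
# traffic originates from, global on the interface the traffic exits through.
GOOD_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
global (dmz) 1 192.168.1.221-192.168.1.253 netmask 255.255.255.0
global (dmz) 1 192.168.1.220 netmask 255.255.255.0
"""
# Same box without any global pool on the dmz interface (constructed).
BAD_CONFIG = "\n".join(l for l in GOOD_CONFIG.splitlines() if "(dmz)" not in l)

def parse_pix(config):
    """Collect security levels, nat/global ids and applied access-groups."""
    levels, nats, globals_, acls = {}, set(), set(), {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"nameif\s+\S+\s+(\S+)\s+sec(?:urity)?(\d+)$", line):
            levels[m.group(1)] = int(m.group(2))
        elif m := re.match(r"nat\s+\((\S+)\)\s+(\d+)\b", line):
            nats.add((m.group(1), int(m.group(2))))
        elif m := re.match(r"global\s+\((\S+)\)\s+(\d+)\b", line):
            globals_.add((m.group(1), int(m.group(2))))
        elif m := re.match(r"access-group\s+(\S+)\s+in\s+interface\s+(\S+)$", line):
            acls[m.group(2)] = m.group(1)  # inbound ACL on that interface
    return levels, nats, globals_, acls

def check_path(config, src, dst):
    """Return the problems that would stop src -> dst connections ([] = OK)."""
    levels, nats, globals_, acls = parse_pix(config)
    if src not in levels or dst not in levels:
        return [f"no nameif entry for {src!r} or {dst!r}"]
    problems = []
    if levels[src] <= levels[dst]:
        problems.append(f"{src} (security{levels[src]}) is not higher than "
                        f"{dst} (security{levels[dst]})")
    src_ids = {i for ifc, i in nats if ifc == src}
    dst_ids = {i for ifc, i in globals_ if ifc == dst}
    # nat id 0 is identity NAT and needs no global pool on the far side
    if 0 not in src_ids and not src_ids & dst_ids:
        problems.append(f"no nat ({src}) id has a matching global ({dst}) pool")
    if src in acls:
        # an access-group filters traffic entering the PIX on src; only explicit permits pass
        problems.append(f"access-list {acls[src]} is applied to {src}")
    return problems
```

check_path(GOOD_CONFIG, "inside", "dmz") returns an empty list, while the BAD_CONFIG variant reports the missing global pool on the dmz.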


-----Original Message-----
From: Frédéric Médery [mailto:[EMAIL PROTECTED]]
Sent: 15 November 2001 01:01
To: [EMAIL PROTECTED]
Subject: PIX 515 question


The network

DMZ-----PIX-----LAN
         |
         |
      INTERNET

We have an IIS web server inside the DMZ. I'm trying to access the web
site (in the DMZ) from a station inside the LAN. We cannot access the
web site.
A guy told me that it was not possible (a NAT problem?) with the PIX (or
other?) firewall.
I know that I can open port 80 from the LAN to the DMZ instead of trying
to go to the internet to get to the DMZ web server, but I'd like to
understand why it's not possible.

If You have some information it would be great !

Frederic

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
