Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations wOOdy-Soft on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

dmz setup help please

Status
Not open for further replies.
djjazzyjeff

djjazzyjeff

MIS
Jul 18, 2001
40
US
Hi all, I have a Pix 515UR that I am trying to setup a dmz on. I want to connect a wireless access point (Cisco 350) to the dmz to allow access out to the internet only. I intend to put a dhcp server on the dmz to dole out addresses to wireless clients. My problem is this; wireless clients need name resolution services and I can't point them to external dns servers such as my T1 connected isp, AT&T. It doesn't work, I guess their dns servers are locked down to accept resolution requests only from my router's external interface IP address. As an alternative, I'd like to poke through the Pix to point dmz connected clients to my internal dns servers but allow no other connectivity to internal hosts. Can anyone help out here? Thx in advance......Jeff
 
Sort by date Sort by votes
Assuming:

ip address dmz 192.168.1.0 255.255.255.0
ip address inside 192.168.0.0 255.255.255.0

I would try this:

access-list dmz_in permit udp 192.168.1.0 255.255.255.0 host 192.168.0.1
access-group dmz_in in interface dmz

Where 192.168.0.1 is your inside dns server.

The only problem with this is (from my experience) once you bind an access-list to an interface using the access-group command, what is permitted in the access-list will be the only traffic that passes through that interface.

If the above access-list doesn't work, you may need a static command.
 
Upvote 0 Downvote
HI.

For DMZ to INSIDE traffic, you'll need both STATIC and ACCESS-LIST. Something like this:

ip address inside 10.1.1.254 255.255.255.0
ip address dmz 10.2.2.254 255.255.255.0
static (inside,dmz) 10.2.2.5 10.1.1.5
access-list dmz_in permit udp any host 10.2.2.5 eq 53
access-list dmz_in deny ip any 10.0.0.0 255.0.0.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz

However, it would be much better (for security, performance and simplicity) to setup an additional DNS server on the DMZ network.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
960
intel233
intel233
tklamb
  • Locked
  • Question
ACL help
Replies
0
Views
210
tklamb
tklamb
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
305
PauS0n
PauS0n
TheFireman2
  • Locked
  • Question
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall
Replies
1
Views
324
hairlessupportmonkey
hairlessupportmonkey

Part and Inventory Search

Sponsor

Back
Top