dmz webserver configuration

Kurt111780

Hello,

I recently set up a web server and used the DMZ port on the Cisco PIX 515E.

I could not access it from the 192.168 network, so with help from Cisco I issued these commands:

static (dmz,inside) 68.217.84.114 172.18.0.10 netmask 255.255.255.255
global (dmz) 10 interface

Now I can access the server from the 192.168 network but I cannot access the 192.168 network from the server.

Do you know what I need to do to allow this? Also, is this defeating the purpose of having a DMZ?

Thanks,
Kurt


It's only easy when you know how.
 
That's what an ACL does: permit access from a less-secure network to a more-secure one.

What ACL is applied to the DMZ interface?

Also, what's "68.217.84.114"? I think your static NAT could be improved like this:

static (inside,dmz) 192.168.x.x 192.168.x.x netmask 255.255.x.x

This will effectively use "identity NAT" so the DMZ hosts will see the inside hosts as their actual address, not the DMZ interface address.

Then, providing your inside hosts can route to 172.18.0.0 via the PIX's inside interface, they should be able to access it. With an appropriate ACL on the DMZ interface, DMZ hosts can access internal hosts via their actual addresses.
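
An added example, not part of the thread or either poster's configuration: a Python check for the question of whether a DMZ-to-inside ACL defeats the purpose of the DMZ, flagging permit rules that open the inside network more widely than one host and one port. The ACL name dmz_in, the inside host addresses and the /16 for the "192.168 network" are assumptions; only the `any`, `host A` and `A MASK` address forms are parsed, and first-match rule order is not modelled.

```python
import ipaddress

# The thread's "192.168 network"; the /16 prefix length is an assumption.
INSIDE = ipaddress.ip_network("192.168.0.0/16")

# Constructed sample ACL for the dmz interface. Only 172.18.0.10 (the web
# server) comes from the thread; the ACL name and inside hosts are made up.
SAMPLE_ACL = """\
access-list dmz_in permit tcp host 172.18.0.10 host 192.168.1.20 eq 1433
access-list dmz_in permit ip host 172.18.0.10 192.168.0.0 255.255.0.0
access-list dmz_in permit tcp any host 192.168.1.20 eq 25
access-list dmz_in permit tcp host 172.18.0.10 host 192.168.1.21
"""

def take_addr(tokens):
    """Consume 'any', 'host A' or 'A MASK' from tokens; return an ip_network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)

def audit(acl_text, inside=INSIDE):
    """Return (line, reasons) for permits that expose the inside network broadly."""
    findings = []
    for line in acl_text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] != "permit":
            continue  # not an ACL entry, or a deny
        proto, rest = tokens[3], tokens[4:]
        src, dst = take_addr(rest), take_addr(rest)
        if not dst.overlaps(inside):
            continue  # rule cannot reach the inside network
        reasons = []
        if proto == "ip":
            reasons.append("all protocols")
        elif proto in ("tcp", "udp") and not rest:
            reasons.append("no port restriction")
        if src.prefixlen < 32:
            reasons.append("source is not a single DMZ host")
        if dst.prefixlen < 32:
            reasons.append("destination is not a single inside host")
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in audit(SAMPLE_ACL):
        print(f"{line}\n    -> {', '.join(reasons)}")
```
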
 