Firewall Wizards mailing list archives
RE: PIX with Public DMZ
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Tue, 6 Jul 2004 09:11:58 -0400
-----Original Message-----
All inside -> outside traffic is fine (all inside hosts are PAT'ed through .2), and there are static mappings on the outside interface for hosts that need to be accessible from the Internet (DNS, mail, FTP etc). Since the DMZ will have a routable address space, what commands do I need to use to allow the DMZ servers to access the outside world without being NAT'ed? Is it a nat 0 ACL, or nat outside?
Use nat 0 access-lists for both inside and outside from the DMZ (assuming you want hosts on the inside to be able to talk to the DMZ). You will also have to use the access-group assigned to the outside interface to allow Internet traffic to those hosts.
Also, in the near future, I'd like the DMZ interface on the PIX to accept incoming VPN connections, but that's something I'll worry about later.
So you want VPN connections to begin on the DMZ and tunnel to what I presume will be the inside network? Or did you mean you wanted to tunnel traffic from DMZ hosts to other systems on the Internet using VPN? The latter is commonplace, but I'm not totally sure why you'd want to do the former.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
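As an added example, not part of the thread, here is a PIX 6.x-style configuration fragment that implements the answer above: identity NAT (nat 0 with an access-list) so DMZ hosts keep their routable addresses toward both the inside and the outside, a second nat 0 entry so inside hosts reach the DMZ without being PAT'ed, and an access-group on the outside interface that admits only the published DMZ services. All interface names, networks and the DMZ host address are assumed placeholders (RFC 5737 ranges), and the lines beginning with `!` are explanatory notes rather than configuration.

```cisco
! Three interfaces; DMZ is less trusted than inside, more than outside
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 198.51.100.1 255.255.255.0

! Existing behaviour: inside hosts are PAT'ed through the outside .2 address
global (outside) 1 203.0.113.2
nat (inside) 1 10.0.0.0 255.255.255.0

! DMZ hosts have routable addresses: exempt them from translation in
! every direction (to inside and to outside) with a nat 0 access-list
access-list dmz_nonat permit ip 198.51.100.0 255.255.255.0 any
nat (dmz) 0 access-list dmz_nonat

! Inside -> DMZ should not be PAT'ed either; nat 0 takes precedence
! over the nat 1 entry above for traffic matching this list
access-list inside_nonat permit ip 10.0.0.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 0 access-list inside_nonat

! nat 0 only removes translation; it opens nothing. Internet traffic
! still has to be permitted explicitly on the outside interface.
! Everything not listed here is dropped by the implicit deny.
access-list outside_in permit tcp any host 198.51.100.10 eq www
access-list outside_in permit tcp any host 198.51.100.10 eq https
access-group outside_in in interface outside
```

Because nat 0 never widens access, the outside access-group remains the only control over what the Internet can initiate to the DMZ; keep it limited to the specific hosts and ports actually served, and check with `show xlate` that DMZ flows no longer create translation entries.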