Firewall Wizards mailing list archives

RE: PIX with Public DMZ


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Tue, 6 Jul 2004 09:11:58 -0400


-----Original Message-----
All inside -> outside traffic is fine (all inside hosts are PAT'ed through .2), and there are static mappings on the outside interface for hosts that need to be accessible from the Internet (DNS, mail, FTP, etc.).

Since the DMZ will have a routable address space, what commands do I need to use to allow the DMZ servers to access the outside world without being NAT'ed?  Is it a nat 0 ACL, or nat outside?

Use nat 0 access-lists for both inside and outside from the DMZ
(assuming you want hosts on the inside to be able to talk to the DMZ).
You will also have to use the access-group assigned to the outside
interface to allow Internet traffic to those hosts.


Also, in the near future, I'd like the DMZ interface on the PIX to accept incoming VPN connections, but that's something I'll worry about later.

So you want VPN connections to begin on the DMZ and tunnel to what I
presume will be the inside network?  Or did you mean you wanted to
tunnel traffic from DMZ hosts to other systems on the Internet using
VPN?  The latter is commonplace, but I'm not totally sure why you'd want
to do the former.

PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
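The following PIX 6.x configuration fragment is an added illustration of the nat 0 access-list approach described in the reply above; it is not part of the thread. The interface names (inside, dmz, outside), the address ranges (10.1.0.0/16 for the inside, 203.0.113.0/24 for the routable DMZ), the host addresses and the access-list names are all assumed for the example.

```cisco
! Assumed addressing (constructed for this example):
!   inside  = 10.1.0.0/16, PAT'ed to the outside interface address
!   dmz     = 203.0.113.0/24, routable, must leave the PIX untranslated

! 1. Exempt DMZ hosts from NAT on their way to the Internet. With an
!    access-list, nat 0 also covers the return direction, so no static
!    entries are needed for the DMZ hosts.
access-list dmz_nonat permit ip 203.0.113.0 255.255.255.0 any
nat (dmz) 0 access-list dmz_nonat

! 2. Exempt inside hosts from PAT only when they talk to the DMZ; all
!    other inside traffic still matches the existing nat (inside) 1 rule
!    and is PAT'ed as before.
access-list inside_nonat permit ip 10.1.0.0 255.255.0.0 203.0.113.0 255.255.255.0
nat (inside) 0 access-list inside_nonat

! 3. Permit only the published services from the Internet to DMZ hosts.
!    The PIX allows one access-group per interface, so these entries go
!    into whatever access-list is already bound to the outside interface.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-group outside_in in interface outside
```

Two points worth checking after applying something like this: the nat 0 exemption is evaluated before the ordinary nat/global rules, so a too-broad inside_nonat (for example `permit ip 10.1.0.0 255.255.0.0 any`) would silently stop inside hosts from being PAT'ed to the Internet; and because the dmz interface has a lower security level than inside, DMZ hosts still cannot open connections to the inside unless an access-group on the dmz interface permits it, which is the behaviour you want to keep for hosts exposed to the Internet.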