Re: Ports needed for ISA 2004 (DMZ)?



Short of you posting a copy of your PIX config, it would be hard for anyone to
help you troubleshoot this issue. Use the following config snippet as an
EXAMPLE ONLY.

Phillip is right: you need to reverse-NAT anything that applies to the ACL
on the PIX unless you tell the PIX not to NAT traffic for a specific IP or IP
chunk.

Quick example: Internal = 10.1.1.0 DMZ = 10.1.2.0
*****************
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10

! Inbound rule from the Internet to the DMZ web server. On PIX 6.x an ACL
! on the outside interface matches the translated (public) address, so name
! the static's public IP here, and use the "host" keyword for a single host.
access-list dmz_rule permit tcp any host PubIP.address.x.x eq https

! Outbound PAT for inside and DMZ hosts. A "nat" with id 1 only takes effect
! together with a matching "global (outside) 1".
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (dmz) 1 10.1.2.0 255.255.255.0 0 0
global (outside) 1 interface

! Reverse (static) NAT: public address -> real DMZ web server address
static (dmz,outside) PubIP.address.x.x dmzwebip.x.x.x netmask 255.255.255.255 0 0

! Apply the inbound rule on the interface the traffic arrives on (outside)
access-group dmz_rule in interface outside






"Phillip Windell" wrote:

> I can't help with PIX
>
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
> "Magoo" <magoo-nospam@xxxxxxxxxxx> wrote in message
> news:ONyNQ3NVFHA.3412@xxxxxxxxxxxxxxxxxxxxxxx
> > Sorry I didn't understand what entries I would need to put in the firewall
> > to cover the reverse NAT scenario you mentioned ? Can you elaborate on
> that
> > ?
> >
> >
> >
> > "Phillip Windell" <@.> wrote in message
> > news:ORcAANKVFHA.3868@xxxxxxxxxxxxxxxxxxxxxxx
> > >
> > > "Magoo" <magoo-nospam@xxxxxxxxxxx> wrote in message
> > > news:O8O4AKKVFHA.3544@xxxxxxxxxxxxxxxxxxxxxxx
> > > > I have two ISA 2004 Enterprise boxes configured as NLB integrated
> (DMZ).
> > > > In my external DNS servers, I specify the virtual IP address =
> 10.1.1.1
> > =
> > > > webmail.mycompany.com
> > > >
> > > > ISA 2004->OWA was working prior to a network maintenance. Now it
> doesn't
> > > > work anymore.
> > > >
> > > > In the PIX firewall I have an entry that looks like:
> > > > permit tcp any host 10.1.1.1 eq www
> > > >
> > > > permit tcp any host 10.1.1.1 eq 443
> > >
> > > You still have to reverse-NAT it (aka Static NAT). Those rules only tell
> > it
> > > that the traffic is allowed,...they don't tell it how to make the
> traffic
> > > "happen".
> > >
> > > --
> > >
> > > Phillip Windell [MCP, MVP, CCNA]
> > > www.wandtv.com
> > >
> > >
> >
> >
>
>
>