Cisco PIX DMZ to DMZ Access

I'm trying to setup my PIX to allow access from a lower security level DMZ to a higher security level DMZ.

I have created the ACL's, but so far have not had any luck.

Do I need a route statement or a static mapping between the DMZ's in order to get this to work?

Reply to
Network-Guy

In article , Network-Guy wrote: :I'm trying to setup my PIX to allow access from a lower security level :DMZ to a higher security level DMZ.

:I have created the ACL's, but so far have not had any luck.

:Do I need a route statement or a static mapping between the DMZ's in :order to get this to work?

The usual rules for "lower security to higher security" apply: acl on the lower security interface plus a static mapping between the two interfaces. The static mapping can be a "static" statement or it can be a nat (HIGHERSECURITYDMZ) 0 access-list ACLNAME (in which case proxy arp will be disabled.)

Reply to
Walter Roberson
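The two pieces Walter describes (an ACL inbound on the lower-security interface plus a static or nat 0 between the two DMZs), written out as an added example config in PIX 6.x syntax; it is not from the thread. The interface names dmz1/dmz2, security levels, addresses and ACL names are all assumed for illustration.

```cisco
! Constructed example: two DMZ interfaces, dmz1 is the higher-security one
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security30
ip address dmz1 10.1.1.1 255.255.255.0
ip address dmz2 10.2.2.1 255.255.255.0

! Piece 1 of 2: identity static from the higher-security DMZ to the lower one
! (real_ifc,mapped_ifc) mapped_ip real_ip -- the server keeps its own address
static (dmz1,dmz2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! Piece 2 of 2: ACL applied inbound on the LOWER-security interface.
! Permit only the one server and port that is needed; everything else
! from dmz2 toward the higher-security side stays denied.
access-list DMZ2_IN permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.10 eq 443
access-list DMZ2_IN deny ip any any
access-group DMZ2_IN in interface dmz2

! Alternative to the static above: NAT exemption (nat 0 with an ACL).
! As the thread notes, this also disables proxy ARP for the listed addresses,
! so only use it where dmz2 hosts route to the PIX rather than rely on ARP.
access-list NONAT_DMZ1 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (dmz1) 0 access-list NONAT_DMZ1
```

After applying either variant, `show xlate` should list the translation for the dmz1 server and `show access-list` should show hit counts climbing on the permit line when a dmz2 host connects; if the ACL hits rise but there is no xlate, the static or nat 0 piece is the one missing.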

how come NAT exemption disables proxy arp ?

Reply to
Martin Bilgrav

:how come NAT exemption disables proxy arp ?

It is defined that way.

The nat 0 access-list command disables NAT, specifically proxy ARPing, for the IP addresses specified by the ACL referenced by acl_id.

Reply to
Walter Roberson


That part must have slipped my attention .... thx

Reply to
Martin Bilgrav


Out of interest, I saw a config recently where the PIX Inside + DMZ statements read something like:

static (inside, DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

Objective being that clients on the internal LAN received the same IP address when accessing the DMZ. The inbound access-group statement was on the DMZ interface but the LAN clients couldn't reach their DMZ server (can't remember the IP address). I wondered if this had anything to do with the Proxy Arp comment that you made Walter.

Everything else looked ok.

Darren

Reply to
Darren Green

The above means do not use NAT, when going inside-to-DMZ

Nope, as this is for nat commands in conjunction with 0 and ACL

Reply to
Martin Bilgrav

Cisco phrases it as if NAT were still active in this case, but with each IP and port being mapped to itself. And for the nat 0 access-list case they phrase it as NAT being disabled. Cisco's phrasing could, I think, use some improvements in this matter.

Reply to
Walter Roberson
