DMZ to access inside

I was hoping someone could help me out. I have a web site that calls a web service to retrieve data. I want to put my "Website" in the DMZ and let outside traffic access it, but have it call the "WebService" that would sit on the inside. I can see the DMZ from the inside no problem (config not shown below). Now, getting the DMZ access inside is a different story. Some of my config is below.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security30

ip address outside 65.86.251.1 255.255.255.224
ip address inside 172.78.107.1 255.255.0.0
ip address DMZ 192.168.1.1 255.255.255.0

global (outside) 1 interface
global (DMZ) 200 192.168.1.100-192.168.1.110
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0

access-list 102; 5 elements
access-list 102 line 1 permit ip 172.78.107.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list 102 line 2 permit ip 172.78.107.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list 102 line 3 permit ip host 65.86.251.130 any
access-list 102 line 4 permit ip 172.78.107.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 line 5 permit ip 172.78.107.0 255.255.255.0 192.168.108.0 255.255.255.0

static (inside,outside) tcp interface smtp 172.78.107.15 smtp netmask 255.255.255.255 0 0
static (inside,outside) 65.86.251.135 172.78.107.16 netmask 255.255.255.255 0 0
static (inside,outside) 65.86.251.136 netmask 255.255.255.255 0 0
static (inside,DMZ) 172.78.107.0 192.168.107.0 netmask 255.255.255.0 0 0
access-group OWA-in in interface outside

access-list OWA-in; 4 elements
access-list OWA-in line 1 permit tcp any host 65.86.251.135 eq https
access-list OWA-in line 2 permit tcp any host 65.86.251.135 eq www
access-list OWA-in line 3 permit tcp any host 65.86.251.136 eq ftp
access-list OWA-in line 4 permit tcp any host 65.86.251.136 eq www

I started to configure a site-to-site and a PPTP VPN; that's the 102 access-list. I also have OWA inside. I would love to put this in the DMZ as well and allow it to communicate with my Exchange server on the inside. What can I do? Everything I have tried has not worked.

Lui

access-list DMZ_acl permit tcp host Website host WebService eq TCPPORT
access-group DMZ_acl in interface DMZ

Walter Roberson
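An added example, not part of this thread and not Cisco's code: a small Python first-match evaluator for PIX-style access-list lines, used to check what a single-host, single-port DMZ list of the shape suggested above actually lets through against the PIX implicit deny. The OWA-in lines are copied from the post; the Website address (192.168.1.50), the WebService address (172.78.107.20) and the service port 8080 are constructed placeholders standing in for Website, WebService and TCPPORT.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Port keywords as the PIX prints them in `show access-list` output.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21, "ldap": 389}


class Ace(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp" ("ip" matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None: any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one PIX address spec at tokens[i]: 'any', 'host A.B.C.D', or 'NET MASK'."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def _parse_port(token: str) -> int:
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port keyword: {token}")


def parse_acl(config_text: str, name: str) -> List[Ace]:
    """Collect the entries of access-list `name`, in order, from config or `show access-list` text."""
    aces: List[Ace] = []
    for raw in config_text.splitlines():
        tokens = raw.split()
        # Skips other lists and the 'access-list NAME; N elements' header (name carries a ';').
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[1] != name:
            continue
        if tokens[2] == "line":          # drop the 'line N' decoration of show output
            tokens = tokens[:2] + tokens[4:]
        if tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = _parse_port(tokens[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str, dport: int):
    """First matching entry decides; no match is the PIX implicit deny.
    Returns (verdict, index of the matching entry or None)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for idx, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None


# Constructed sample: OWA-in as posted, plus a DMZ_acl with placeholder host addresses and port.
SAMPLE_CONFIG = """
access-list OWA-in; 4 elements
access-list OWA-in line 1 permit tcp any host 65.86.251.135 eq https
access-list OWA-in line 2 permit tcp any host 65.86.251.135 eq www
access-list OWA-in line 3 permit tcp any host 65.86.251.136 eq ftp
access-list OWA-in line 4 permit tcp any host 65.86.251.136 eq www
access-list DMZ_acl permit tcp host 192.168.1.50 host 172.78.107.20 eq 8080
"""

OWA_ACL = parse_acl(SAMPLE_CONFIG, "OWA-in")
DMZ_ACL = parse_acl(SAMPLE_CONFIG, "DMZ_acl")

if __name__ == "__main__":
    flows = [
        ("DMZ_acl", DMZ_ACL, "tcp", "192.168.1.50", "172.78.107.20", 8080),   # the one intended flow
        ("DMZ_acl", DMZ_ACL, "tcp", "192.168.1.50", "172.78.107.20", 445),    # same hosts, other port
        ("DMZ_acl", DMZ_ACL, "tcp", "192.168.1.51", "172.78.107.20", 8080),   # another DMZ host
        ("OWA-in", OWA_ACL, "tcp", "203.0.113.9", "65.86.251.135", 443),
        ("OWA-in", OWA_ACL, "tcp", "203.0.113.9", "65.86.251.135", 25),
    ]
    for name, acl, proto, src, dst, port in flows:
        verdict, idx = evaluate(acl, proto, src, dst, port)
        where = f"line {idx + 1}" if idx is not None else "implicit deny"
        print(f"{name}: {proto} {src} -> {dst}:{port}  {verdict} ({where})")
```

Only the single host-to-host, single-port flow is permitted on the DMZ list; any other port or any other DMZ host falls through to the implicit deny, which is the point of writing the entry with two `host` keywords rather than a subnet or `any`.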

Exchange 2000 really doesn't like NAT (or static to a different IP).

Exchange 2003 configured to use LDAP is supposedly much better about that (in theory), but I still saw some NAT/static related problems. I don't know enough about Exchange to know whether those problems would have been solvable by reconfiguring Exchange; they weren't solvable by reconfiguring the PIX.

Walter Roberson
