DMZ to access inside

I was hoping someone could help me out. I have a web site that calls a web service to retrieve data. I want to put my "Website" in the DMZ and let outside traffic access it but have it call the "WebService" that would sit on the inside. I can see the DMZ from the inside no problem, config not shown below. Now getting the DMZ access inside is a different story. Some of my config below.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security30

ip address outside
ip address inside
ip address DMZ

global (outside) 1 interface
global (DMZ) 200
nat (inside) 0 access-list 102
nat (inside) 1 0 0
nat (DMZ) 1 0 0

access-list 102; 5 elements
access-list 102 line 1 permit ip
access-list 102 line 2 permit ip
access-list 102 line 3 permit ip host any
access-list 102 line 4 permit ip
access-list 102 line 5 permit ip

static (inside,outside) tcp interface smtp smtp netmask 0 0
static (inside,outside) 172.78..107.16 netmask 0 0
static (inside,outside) netmask 0 0
static (inside,DMZ) 172.78..107.0 netmask 0 0
access-group OWA-in in interface outside

access-list OWA-in; 4 elements
access-list OWA-in line 1 permit tcp any host eq https
access-list OWA-in line 2 permit tcp any host eq www
access-list OWA-in line 3 permit tcp any host eq ftp
access-list OWA-in line 4 permit tcp any host eq www

I started to config a site-to-site and a PPTP VPN. That's the 102 access-list. I also have OWA inside. I would also love to put this in the DMZ and allow it to communicate with my Exchange server on the inside. What can I do? Everything I have tried has not worked.


access-list DMZ_acl permit tcp host Website host WebService eq TCPPORT
access-group DMZ_acl in interface DMZ

Reply to
Walter Roberson
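
The rule from the reply above, written out with constructed values, as an added example that is not part of the original thread. The addresses, the port 8080 and the DNS line are assumptions for illustration; lines starting with "!" are annotations for the reader, not commands to enter.

```cisco
! Constructed values (assumptions, not from the thread):
!   Website     10.0.2.10     in the DMZ
!   WebService  10.0.1.20     on the inside, listening on tcp/8080
!   inside net  10.0.1.0/24

! Present only the WebService host to the DMZ, under its own address
! (identity static for one host rather than the whole inside network).
static (inside,DMZ) 10.0.1.20 10.0.1.20 netmask 255.255.255.255 0 0

! 1. The single flow allowed from the DMZ to the inside.
access-list DMZ_acl permit tcp host 10.0.2.10 host 10.0.1.20 eq 8080

! 2. Explicit deny for everything else toward the inside, so that
!    "show access-list DMZ_acl" shows a hit count for blocked attempts.
access-list DMZ_acl deny ip any 10.0.1.0 255.255.255.0

! 3. Once an ACL is bound to the DMZ interface, its implicit deny also
!    applies to DMZ-to-outside traffic that the security levels alone
!    used to allow. List what the web server still needs, here DNS.
access-list DMZ_acl permit udp host 10.0.2.10 any eq domain

access-group DMZ_acl in interface DMZ
```

Both pieces are needed for the DMZ to reach a higher-security interface: the static makes the inside host addressable from the DMZ, and the ACL decides which connections to it are permitted.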

Exchange 2000 really doesn't like NAT (or static to a different IP).

Exchange 2003 configured to use LDAP is supposedly much better about that (in theory), but I still saw some NAT/static related problems. I don't know enough about Exchange to know whether those problems would have been solvable by reconfiguring Exchange; they weren't solvable by reconfiguring the PIX.

Reply to
Walter Roberson