PIX Lan-to-DMZ connectivity

Hi there,

We have a PIX 506E and have recently set up a DMZ. Currently machines in the DMZ and the LAN can both access the internet. I have entered a NAT 0 command and access-list to enable communication from a machine on the LAN to a machine on the DMZ, but I thought that because the DMZ have a lower security, any machines on an interface with higher security should, by default, have access to interfaces of lower security. Is this the case?

I don't want to go through entering individual access-list commends for each machine that would need to access the DMZ if there is an easier way of doing it.

Thanks for your help,


Reply to
Loading thread data ...

Yes, but in order for that access to work, the PIX needs to know what address translation to use when going from the inside to the DMZ. That's accomplished by using a 'static' command, or by using a 'nat 0 access-list', or by using a nat/global pair.

Also, keep in mind that UDP is effectively two unidirectional connections, one from the inside to the DMZ and the other from the DMZ to the inside. If the inside host initiated a UDP connection towards the DMZ, then by default (if there is no access-group applied to the inside interface) the flow would be permitted and replies from the DMZ to the inside would be permitted until the UDP flow timed out according to the PIX 'timeout' parameters. But UDP does not have "connections" so the PIX cannot tell whether silence on the UDP flow is because the flow is finished or because the two ends just don't have anything to say right then. If the flow goes idle for a while and the PIX times it out, and then the DMZ host tries to send something back to the inside, it will not be permitted: the PIX will see those packets as if they were a new flow from the DMZ to the inside that should be blocked by default.

Reply to
Walter Roberson

That makes sense. Many thanks for your advice; I now have it working using the nat/global config you suggested.

Thanks again,


Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.