From: midas1108 on 24 Apr 2008 08:57

I'm trying to set up a DHCP pool on a new DMZ interface (DMZ2) for visiting laptop users to connect to the internet wirelessly. I had imagined this to be a fairly simple process; however, the hosts cannot access the internet. Here are the commands I entered:

-----------------------------------------------------------
interface Ethernet4
nameif DMZ2
security-level 50
ip address 10.253.250.250 255.255.0.0

nat (DMZ2) 1 0.0.0.0 0.0.0.0

dhcpd dns 207.179.70.27 207.179.71.27
dhcpd ping_timeout 750
dhcpd address 10.253.16.1-10.253.16.63 DMZ2
dhcpd enable DMZ2
-----------------------------------------------------------

The outside interface is the default security 0. My other DMZ interface (DMZ1) has no problems, but all of the hosts in that DMZ are 1-to-1 static maps.

The hosts in DMZ2 get IP addresses via DHCP just fine and can ping their gateway (10.253.250.250); however, they cannot ping any hosts on the internet nor access websites.

Any help is appreciated. Thanks.
From: Martin Bilgrav on 24 Apr 2008 14:27

<midas1108(a)gmail.com> wrote in message news:283d3ae6-3f20-4735-abd6-72c0e29e64cf(a)d1g2000hsg.googlegroups.com...
> I'm trying to set up a DHCP pool on a new DMZ interface (DMZ2) for
> visiting laptop users to connect to the internet wirelessly. I had
> imagined this to be a fairly simple process, however the hosts cannot
> access the internet. Here are the commands I entered:
>
> -----------------------------------------------------------
> interface Ethernet4
> nameif DMZ2
> security-level 50
> ip address 10.253.250.250 255.255.0.0
>
> nat (DMZ2) 1 0.0.0.0 0.0.0.0
>
> dhcpd dns 207.179.70.27 207.179.71.27
> dhcpd ping_timeout 750
> dhcpd address 10.253.16.1-10.253.16.63 DMZ2
> dhcpd enable DMZ2
> -----------------------------------------------------------
>
> The outside interface is the default security 0. My other DMZ
> interface (DMZ1) has no problems, but all of the hosts in that DMZ are
> 1-to-1 static maps.
>
> The hosts in DMZ2 get IP addresses via DHCP just fine and can ping
> their gateway (10.253.250.250), however cannot ping any hosts on the
> internet nor access websites.
>
> Any help is appreciated. Thanks.

What is the global that matches this:
nat (DMZ2) 1 0.0.0.0 0.0.0.0

You must have a global (DMZ1) 1 interface command if you want DMZ2 to access DMZ1.
Also you should have global (outside) 1 interface in order to access the internet via the outside interface.
Also verify that you have ACLs on ALL interfaces, and that the ACLs include ICMP.

HTH
Martin
From: midas1108 on 24 Apr 2008 15:29

> What is the global that match this:
> nat (DMZ2) 1 0.0.0.0 0.0.0.0
>
> you must have a global (DMZ1) 1 initerface command if you want DMZ2 to
> access DMZ1
> Also you should have global (outside) 1 interface inorder to access internet
> via outside interface
> Also verify that you have ACLs on ALL interfcaes, and that the ACL include
> ICMP.
>
> HTH
> Martin

===========================/

We have a global (outside) 1 interface command. This PIX is currently already in production, with the inside network being...well...our inside network and all its hosts, and DMZ1 being things like our web server, SMTP gateway, and the like.

I only want to create a new DMZ that can *only* access the internet. Hosts in this network will never under any circumstances communicate with either the inside or DMZ1 zones. My understanding is that I would not need an ACL on DMZ2, as they aren't necessary when going from a higher restriction (50) to a lower (0, which is the outside interface).

When I originally set this up, however, I did create an access-list called DMZ2 that only had icmp any any, icmp any any echo-reply and icmp any any time-exceeded, and applied it using "access-group dmz2 in interface DMZ2". This wasn't working either, so I have since removed that ACL.
From: Darren on 24 Apr 2008 16:52

midas1108(a)gmail.com wrote:
>> What is the global that match this:
>> nat (DMZ2) 1 0.0.0.0 0.0.0.0
>>
>> you must have a global (DMZ1) 1 initerface command if you want DMZ2 to
>> access DMZ1
>> Also you should have global (outside) 1 interface inorder to access internet
>> via outside interface
>> Also verify that you have ACLs on ALL interfcaes, and that the ACL include
>> ICMP.
>>
>> HTH
>> Martin
> ===========================/
>
> We have a global (outside) 1 interface command. This pix is currently
> already in production with the inside network being...well...our
> inside network and all its hosts, and DMZ1 being things like our web
> server, smtp gateway, and the like.
>
> I only want to create a new DMZ that can *only* access the internet.
> Hosts in this network will never under any circumstances communicate
> with either the inside or DMZ1 zones. My understanding is that I
> would not need an ACL on DMZ2 as they aren't necessary when going from
> a higher restriction (50) to a lower (0, which is the outside
> interface).
>
> When I originally set this up however, I did create an access-list
> called DMZ2 that only had ICMP any any, icmp any any echo-reply and
> icmp any any time-exceeded, and applied it using "access-group dmz2 in
> interface DMZ2". This wasn't working either so I have since removed
> that ACL.

Looks like you are using PIX 7+ from the syntax. Whilst I prefer the command line, why not try the ASDM and run the packet trace feature to simulate a packet travelling from the DMZ2 interface towards the Internet. It will show you where the flow breaks.

Regards
Darren
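As an added worked example, not posted by anyone in the thread and not the original poster's running configuration, here is what a complete PIX 7.x setup for a guest-only DMZ2 looks like when Martin's points (a matching global, explicit ACLs, ICMP handling) are applied, followed by the CLI form of the packet-tracer check Darren suggests. The interface addressing, DHCP pool and DNS servers are taken from the first post; the object-group and ACL names, the 198.51.100.10 test destination and the assumption that inside and DMZ1 are numbered from RFC 1918 space are mine. The egress ACL is the important part: an interface at security level 50 can, with no inbound ACL, initiate connections to any interface with a lower level (DMZ1's level is not stated in the thread), so "DMZ2 never talks to inside or DMZ1" has to be enforced explicitly rather than assumed from the level alone.

```cisco
! Added example: guest-only DMZ2 on a PIX 7.x. Not the original poster's config.
! Addressing, pool and DNS servers come from the thread; names and the RFC 1918
! assumption about inside/DMZ1 are assumptions made for this example.

interface Ethernet4
 nameif DMZ2
 security-level 50
 ip address 10.253.250.250 255.255.0.0
 no shutdown

! Private address space. Assumption: inside and DMZ1 hosts live in these ranges.
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

! Egress policy for guests: deny anything aimed at private space (logged), then
! allow everything else. Applied inbound on DMZ2, it governs what guests may
! initiate regardless of the security level of the destination interface.
access-list DMZ2_in extended deny ip any object-group RFC1918 log
access-list DMZ2_in extended permit ip any any
access-group DMZ2_in in interface DMZ2

! Pings to the interface address itself are controlled by "icmp", not by the ACL.
icmp permit 10.253.0.0 255.255.0.0 DMZ2

! Dynamic PAT for DMZ2 behind the outside interface address. The nat id (1) must
! have a matching global on the egress interface; there is deliberately no
! global (DMZ1) 1 here because guests are not meant to reach DMZ1 at all.
nat (DMZ2) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! DHCP for the guests, as in the original post, with a short lease.
dhcpd address 10.253.16.1-10.253.16.63 DMZ2
dhcpd dns 207.179.70.27 207.179.71.27
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable DMZ2

! Without ICMP inspection (or an outside ACL permitting echo-reply), echo replies
! from the internet are dropped on the way back even when NAT is correct, so a
! failed ping alone does not prove the NAT is broken. Inspecting ICMP makes the
! firewall treat echo/echo-reply as a stateful pair.
policy-map global_policy
 class inspection_default
  inspect icmp

! Verification from exec mode (packet-tracer is available from 7.2 onward).
! 198.51.100.10 is a documentation-range address chosen for this example.
! packet-tracer input DMZ2 tcp 10.253.16.10 40000 198.51.100.10 80
! packet-tracer input DMZ2 icmp 10.253.16.10 8 0 198.51.100.10
! packet-tracer input DMZ2 tcp 10.253.16.10 40000 10.1.1.1 80   (expect ACL drop)
! show xlate
```

Each packet-tracer run prints one phase per check (route lookup, ACL, NAT, inspection) and names the phase that drops the packet, which is exactly the "where the flow breaks" information Darren describes from ASDM. Testing with a TCP flow as well as ICMP separates a NAT or ACL fault from the ICMP-return problem noted above.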