[fw-wiz] Transparent DMZ
I am trying to use a Cisco 2621 router as a firewall. It should have
an outside, inside and DMZ, and the DMZ should be able to use public IPs
on the machines behind it. If anyone is familiar with SonicWALLs, just
like a SonicWALL transparent DMZ.

Currently what I have done is made my 3 interfaces, set IPs on the
outside and inside, then bridged the outside and DMZ interfaces with IRB
bridging. The inside interface works fine; however, the DMZ does not
seem to be able to pass traffic (at one point in time while I was
configuring this it did work, I just can't pinpoint when).
38.102.248.179 is my DMZ host, and it cannot get out to the internet
or receive connections.

thank you

!
bridge irb
!
!
!
interface FastEthernet0/0
description outside
ip address 38.102.248.178 255.255.255.248
ip access-group outside_access_in in
ip nat outside
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet0/1
description inside/dmz
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.10
description inside
encapsulation dot1Q 10
ip address 172.21.16.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1.11
description dmz
encapsulation dot1Q 11
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
no ip address
!
ip nat inside source list nat interface FastEthernet0/0 overload
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 38.102.248.177
!
ip access-list standard nat
permit 172.21.16.0 0.0.0.255
!
ip access-list extended outside_access_in
permit tcp any any established
permit icmp any any
permit tcp any host 38.102.248.179
permit tcp any host 38.102.248.178 eq www
permit tcp any host 38.102.248.178 eq 4125
permit tcp any host 38.102.248.178 eq 5900
permit tcp any host 38.102.248.178 eq 443
permit tcp any host 38.102.248.178 eq 444
permit tcp 208.65.144.0 0.0.7.255 host 38.102.248.178 eq smtp
permit tcp 208.81.64.0 0.0.3.255 host 38.102.248.178 eq smtp
permit udp any eq domain any
permit tcp any eq domain any
!
!

--
-Lawrence
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
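The usual IOS shape for a transparent DMZ with IRB, as an added example rather than anything from the original post: the outside port and the DMZ subinterface are layer-2 members of one bridge group, and the router's own public address, the inbound ACL and `ip nat outside` all live on the BVI, which is the routed hop for that group. The posted configuration keeps the IP address and NAT on FastEthernet0/0 while also bridging it, leaves BVI1 without an address, and has no `bridge 1 protocol ieee` / `bridge 1 route ip` lines. This example reuses the poster's addresses, VLAN ids and ACL names; the comments are the only additions, and it assumes an IOS release on which IRB is supported for this platform.

```cisco
! Added example, not the poster's running configuration.
! Assumes the same addressing, VLAN ids and ACL names as the posted config.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface FastEthernet0/0
 description outside (layer-2 member of bridge-group 1, no IP here)
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0/1
 description inside/dmz trunk
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.10
 description inside (routed, private addressing, NATed on the way out)
 encapsulation dot1Q 10
 ip address 172.21.16.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.11
 description dmz (bridged with outside so DMZ hosts keep public IPs)
 encapsulation dot1Q 11
 bridge-group 1
 bridge-group 1 spanning-disabled
!
! The routed side of the bridge group: public address, inbound filter and
! NAT outside all move here from FastEthernet0/0.
interface BVI1
 ip address 38.102.248.178 255.255.255.248
 ip access-group outside_access_in in
 ip nat outside
!
! Overload on the BVI, since the physical outside port no longer has an address.
ip nat inside source list nat interface BVI1 overload
ip route 0.0.0.0 0.0.0.0 38.102.248.177
!
ip access-list standard nat
 permit 172.21.16.0 0.0.0.255
!
! outside_access_in is unchanged from the posted config and is applied on BVI1.
```

After applying it, `show bridge 1` should list both FastEthernet0/0 and FastEthernet0/1.11 as forwarding members with the DMZ host's MAC learned on the DMZ side, `show interfaces bvi1` should be up with the public address, and `show ip nat translations` should show inside hosts translating to 38.102.248.178. One caveat worth checking before trusting the ACL to protect the DMZ host: an IP access-group on the BVI is evaluated for packets that are routed through BVI1, while frames that are simply bridged between FastEthernet0/0 and the DMZ VLAN are switched at layer 2, so compare the hit counters in `show ip access-lists outside_access_in` against traffic to 38.102.248.179 to confirm which path that traffic actually takes, and filter the DMZ host elsewhere if the counters stay at zero.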