topic Pb conf pix 515 in Network Security

Pb conf pix 515

hassanimagid — Fri, 21 Feb 2020 09:08:11 GMT

I have a little pb with my pix.*

I have open the all port between DMZ and INSIDE but the inside users could not connect to the proxy(in DMZ) and open an internet pages.

Please help me

My configuration is :

PIX Version 7.0(4)

hostname pixfirewall

domain-name default.domain.invalid

enable password xxxx

names

name 192.168.38.201 SRV-DC1

name 192.168.38.205 SRV-ANTIVIRUS

name 192.168.38.203 SRV-MAIL

name 192.168.38.202 SRV-DC2

name 192.168.40.10 ISVW

interface Ethernet0

nameif Outside

security-level 0

ip address 192.168.2.50 255.255.255.0

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.39.251 255.255.255.0

interface Ethernet2

nameif DMZ

security-level 30

ip address 192.168.40.254 255.255.255.0

passwd xxx

ftp mode passive

access-list Outside_access_in extended permit tcp any any eq smtp

access-list Outside_access_in extended deny ip any any

access-list DMZ_access_in extended permit tcp any any eq domain

access-list DMZ_access_in extended permit udp any any eq domain

access-list DMZ_access_in extended permit tcp any any eq https

access-list DMZ_access_in extended permit tcp any any eq 8080

access-list DMZ_access_in extended permit tcp any any eq www

access-list DMZ_access_in extended permit tcp any any eq pptp

access-list DMZ_access_in extended permit tcp any any eq smtp

access-list DMZ_access_in extended permit tcp any eq smtp any eq smtp

access-list DMZ_access_in extended permit ip any any

access-list DMZ_access_in extended permit tcp any eq 8080 any

access-list inside_access_in extended permit tcp any any eq smtp

access-list inside_access_in extended permit tcp any any eq www

access-list inside_access_in extended permit tcp any any eq https

access-list inside_access_in extended permit tcp any any eq 8080

access-list inside_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu inside 1500

mtu DMZ 1500

failover

monitor-interface Outside

monitor-interface inside

monitor-interface DMZ

asdm image flash:/asdm

no asdm history enable

arp timeout 14400

global (Outside) 1 192.168.2.32-192.168.2.39 netmask 255.255.255.0

global (DMZ) 1 192.168.40.20-192.168.40.50 netmask 255.255.255.0

nat (inside) 1 192.168.38.0 255.255.255.0

nat (DMZ) 1 192.168.40.0 255.255.255.0

access-group Outside_access_in in interface Outside

access-group inside_access_in in interface inside

access-group DMZ_access_in in interface DMZ

route Outside 0.0.0.0 0.0.0.0 192.168.2.1 1

route inside 192.168.38.0 255.255.255.0 192.168.39.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username admin password xxx encrypted privilege 15

http server enable

http 192.168.39.0 255.255.255.0 inside

http 192.168.38.0 255.255.255.0 inside

http 192.168.40.0 255.255.255.0 DMZ

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 192.168.0.0 255.255.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.39.252-192.168.39.254 inside

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable inside

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect http

service-policy global_policy global

Cryptochecksum:xxx

: end

Re: Pb conf pix 515

vijayasankar — Mon, 28 Aug 2006 14:43:33 GMT

Hi,

From which ip segment in the inside network you are trying to access the proxy server.

There is no nat statements for the inside network 192.168.39.0 /24.

You should have this statement also to include the inside network in the nat translation.

nat (inside) 1 192.168.39.0 255.255.255.0

HTH

-VJ

Re: Pb conf pix 515

m-haddad — Mon, 28 Aug 2006 15:01:41 GMT

You have to PAT the inside subnet to the DMZ otherwise they won't be able to connect to the proxy.

Therefore your NAT should look like this

global (Outside) 1 192.168.2.32-192.168.2.39 netmask 255.255.255.0

global (DMZ) 2 192.168.40.20-192.168.40.50 netmask 255.255.255.0

nat (inside) 1 192.168.38.0 255.255.255.0

nat (Inside) 2 192.168.38.0 255.255.255.0

Let me know if this solves your problem and rate please,

Re: Pb conf pix 515

hassanimagid — Mon, 28 Aug 2006 15:20:25 GMT

Thank you for your answers but it's not ok!!

I have installed the soft "ethereal" and the pb is that the proxy couldn't answer to the user.

xx-->8080(of DMZ proxy) ok

8080-->xx(inside port) not ok!

please help me thanks!!!

Re: Pb conf pix 515

m-haddad — Mon, 28 Aug 2006 17:40:05 GMT

From where are the clients are comming? 192.168.39.0 or 192.168.38?

Re: Pb conf pix 515

m-haddad — Mon, 28 Aug 2006 17:40:47 GMT

Also did you clear xlate after I sent you applied the config I sent?

THanks,

Re: Pb conf pix 515

hassanimagid — Tue, 29 Aug 2006 09:32:47 GMT

The client are comming from 192.168.39.0

and I clear the xlate

Please help me

Re: Pb conf pix 515

a.kiprawih — Tue, 29 Aug 2006 11:33:46 GMT

Do a quick test, and see can help:

static (inside, DMZ) 192.168.38.0 192.168.38.0 netmask 255.255.255.0

static (inside, DMZ) 192.168.39.0 192.168.39.0 netmask 255.255.255.0

* delete/add as required.

The above will allow inside & DMZ to talk to each other via respective@original IP Address. Maintain ACL on the DMZ & inside interface.

Rgds,

Re: Pb conf pix 515

hassanimagid — Tue, 29 Aug 2006 12:11:23 GMT

Hi,

Thank you very much its OK!!!!!!

Re: Pb conf pix 515

martin0627 — Tue, 29 Aug 2006 12:14:56 GMT

看一下能支持中文吗