PIX 515 DMZ problem

jamil.abuaqel — Fri, 21 Feb 2020 07:47:11 GMT

Hello,

We are having some difficulties in moving the traffic in and out of a Cisco PIx 515 firewall. We are using it with two DMZs. The first DMZ has a mail server in it (Front end mail server) that communicates with another mail server in the inside (Back end mail server), this is called DMZ1. The second DMZ (DMZ2) has some users who are supposed to go through the firewall to the outside and use the internet and must have access to the mail server in DMZ1. The inside users must be able to use the Internet and can access DMZ1. Below is the important part of our configuration.

From what we did, we can access the internet properly from the inside, the inside users can reach the the mail server in DMZ1 and the mail server in DMZ1 can reach the the inside. Our problem is that we can't browse the internet on the mail server in DMZ1 though we set DMZ1 interface ip address as the gateway on that server and the ISP's DNS ip address is propely set on the same machine. Also, we couldn't make DMZ2 users browse the internet, though we permitted the www protocol in the fromOut access-list. One last question, can we make the DMZ2 interface on the PIX a DHCP server and make it distribute ip addresses for the users on that subnet only?? Thanks for all the help offered in advance.

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz1 security50

nameif ethernet3 dmz2 security40

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

ip address outside X.Y.Z.163 255.255.255.248

ip address inside 192.168.0.9 255.255.255.0

ip address dmz1 192.168.10.1 255.255.255.0

ip address dmz2 192.168.20.1 255.255.255.0

access-list fromOut permit icmp any host X.Y.Z.162 source-quench

access-list fromOut permit icmp any host X.Y.Z.162 echo-reply

access-list fromOut permit icmp any host X.Y.Z.162 unreachable

access-list fromOut permit icmp any host X.Y.Z.162 time-exceeded

access-list fromOut permit tcp any host X.Y.Z.162 eq domain

access-list fromOut permit tcp any host X.Y.Z.162 eq telnet

access-list fromOut permit tcp any host X.Y.Z.162 eq smtp

access-list fromOut permit tcp any host X.Y.Z.162 eq www

access-list fromDMZ1 permit tcp host 192.168.10.2 192.168.0.0 255.255.255.0

access-list fromDMZ1 permit ip host 192.168.10.2 192.168.0.0 255.255.255.0

access-list fromDMZ2 permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

mtu dmz1 1500

mtu dmz2 1500

global (outside) 1 X.Y.Z.164 netmask 255.255.255.248

global (outside) 2 X.Y.Z.165 netmask 255.255.255.248

nat (inside) 1 192.168.0.0 255.255.255.0 0 0

nat (dmz1) 1 192.168.10.2 255.255.255.255 0 0

nat (dmz2) 2 192.168.20.0 255.255.255.0 0 0

static (inside,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0

static (dmz2,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0

static (dmz1,outside) X.Y.Z.162 192.168.10.2 netmask 255.255.255.255 0 0

access-group fromOut in interface outside

access-group fromDMZ1 in interface dmz1

access-group fromDMZ2 in interface dmz2

route outside 0.0.0.0 0.0.0.0 X.Y.Z.161 1

Re: PIX 515 DMZ problem

sachinraja — Sat, 04 Dec 2004 07:09:47 GMT

Hi Jamil,

One important thing to note here are the access-lists. Always remember that a implicit deny rule is there in an access-list at the end. the answers to your problems are:

1) mail server in DMZ 1 not able to browse:

Just make sure you have the following on the access-list fromDMZ1.

access-list fromDMZ1 permit tcp host 192.168.10.2 192.168.0.0 255.255.255.0

access-list fromDMZ1 permit ip host 192.168.10.2 192.168.0.0 255.255.255.0

access-list fromDMZ1 permit ip host 192.168.10.2 any eq http

access-list fromDMZ1 permit ip host 192.168.10.2 any eq https

access-list fromDMZ1 permit ip host 192.168.10.2 any eq dns

add the access-list to open whatever port you want from 192.168.10.2

2) DMZ2 users not able to browse:please change it to the following:

access-list fromDMZ2 permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list fromDMZ2 permit tcp 192.168.2.0 255.255.255.0 any eq http

access-list fromDMZ2 permit tcp 192.168.2.0 255.255.255.0 eq dns

DHCP option:

yes.. you can configure.. refer to the following URL:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008008cd12.html#wp1050373

Hope this helps.. all the best..

Raj

Re: PIX 515 DMZ problem

sachinraja — Sat, 04 Dec 2004 07:11:23 GMT

Hi jamil,

There is a phrase on the URL that i sent you , that you can currently enable dhcp option on the inside interface only. Just check this..

Raj

topic PIX 515 DMZ problem in Network Security

PIX 515 DMZ problem

Re: PIX 515 DMZ problem

Re: PIX 515 DMZ problem