https://community.cisco.com/t5/network-security/pix-dmz-configuration-problem/m-p/201642#M590256 <HTML><HEAD></HEAD><BODY><P>Hi Kay Keong,</P><P></P><P>Your config look good. You can capture packets in DMZ to examine incoming &amp; outgoing packets, you should be able to identify where is the problem. If not, you need to go deeper by using debug/syslog feature on PIX to see if it has something wrong.</P><P></P><P>Regards</P><P></P><P>Ben</P><P></P></BODY></HTML> Mon, 01 Sep 2003 11:40:13 GMT bdube 2003-09-01T11:40:13Z https://community.cisco.com/t5/network-security/pix-dmz-configuration-problem/m-p/201641#M590253 <P>Hi,</P><P>I do have some trouble to get my dmz settings working. I have a reverse proxy, located in the dmz, which is supposed to redirect all http traffice to a certain domain to web server that is in the inside network. The PIX does NAT all connections originating for inside and dmz (perimeter):</P><P></P><P>global (outside) 1 interface</P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0</P><P>nat (perimeter) 1 0.0.0.0 0.0.0.0 0 0</P><P></P><P>First of all I created a static to outside for my reverse proxy:</P><P></P><P>static (perimeter,outside) x.x.x.x 192.168.109.52 netmask 255.255.255.255 0 0 </P><P></P><P>Then I permitted access to the reverse proxy:</P><P></P><P>access-list 100 permit tcp any host x.x.x.x eq www</P><P></P><P>And bound the access-list to the outside interface:</P><P></P><P>access-group 100 in interface outside</P><P></P><P>So far so good, everything&#146;s working at this point. But as soon as I add an access-list for using the web server in the inside network, it interrupts my connection flow. </P><P></P><P>Excemption to nat from inside to dmz:</P><P></P><P>static (inside,perimeter) 192.168.108.0 192.168.108.0 netmask 255.255.255.0 0 0 </P><P>static (inside,perimeter) 192.168.107.0 192.168.107.0 netmask 255.255.255.0 0 0</P><P></P><P>Permit access to the inside web server:</P><P></P><P>access-list 200 permit tcp host 192.168.109.52 host 192.168.108.34 eq 7777 </P><P></P><P>Now what happens is (or at least I assume it): A host connections to the IP x.x.x.x for a http request. The PIX passes the request to the reverse proxy using the acl 100. The reverse proxy picks up the request and processes it respectively forwards it to the internal web server. The answer is sent back to the reverse proxy and then it tries to transmit the response back to the requester. Actually this should work based on the inferface definition of the security level: inside 100, perimeter 50, outside 0. But the responses does not get through to the outside anymore. I guess it must be somewhere between the reverse proxy and the PIX since the network connections (a) is hold between reverse proxy and requester and a new connection (b) is hold by reverse proxy and inside web server.</P><P></P><P>Does anyone have a clue on how to solve this problem?</P><P></P><P>Thanks in advance.</P><P>Kai Keong Ng</P><P></P> Fri, 21 Feb 2020 06:57:48 GMT https://community.cisco.com/t5/network-security/pix-dmz-configuration-problem/m-p/201641#M590253 kk.ng 2020-02-21T06:57:48Z https://community.cisco.com/t5/network-security/pix-dmz-configuration-problem/m-p/201642#M590256 <HTML><HEAD></HEAD><BODY><P>Hi Kay Keong,</P><P></P><P>Your config look good. You can capture packets in DMZ to examine incoming &amp; outgoing packets, you should be able to identify where is the problem. If not, you need to go deeper by using debug/syslog feature on PIX to see if it has something wrong.</P><P></P><P>Regards</P><P></P><P>Ben</P><P></P></BODY></HTML> Mon, 01 Sep 2003 11:40:13 GMT https://community.cisco.com/t5/network-security/pix-dmz-configuration-problem/m-p/201642#M590256 bdube 2003-09-01T11:40:13Z