PIX 515e Simple LAN > DMZ issue

pattya94191
Level 1

Hey all,

So I've been trying to get my LAN talking to my DMZ. Sounds simple, but I've googled and googled, messed with it, and I can't get it to work. I'm sure it's some really obvious static line I'm missing, but would you mind helping me out? I basically want to allow all PCs on the LAN to be able to see the DMZ, then use an ACL to limit which computers can get to that IP.

So LAN can see DMZ, but DMZ can't see LAN.

Below is a copy of the running config.

Thanks in advance guys, really appreciate it.

Result of the command: "sh running-config"

: Saved
:
PIX Version 8.0(4)32
!
hostname sussex
domain-name home.local
enable password encrypted
passwd encrypted
names
name 192.168.0.10 Avoca description Main Link Avoca
name 192.168.0.86 Bilgola description Switch
name 192.168.0.20 Calculon description Cisco Home Lab Entry Point
name 192.168.0.110 Karen-PC description Mums PC
name 192.168.0.30 Ninetymile description Colour Laserjet Printer
name 192.168.0.140 TAN-R31NBL description LAN
name 192.168.0.141 TAN-R31NBW description WLAN
name 192.168.0.142 TAN-R51NBL description LAN
name 192.168.0.143 TAN-R51NBW description WLAN
name 192.168.0.144 TAN-S10NBL description LAN
name 192.168.0.145 TAN-S10NBW description WLAN
name 192.168.0.79 Windawoppa description WAP
name 192.168.0.11 Balmoral description NTP and DNS server VIRTUAL
name 192.168.0.89 Robot_Santa description CHL 3550 Switch
name 10.0.0.16 Whale-DMZ description Torrent Server
name 192.168.0.192 Living-MCPC description Sunroom MCPC
name 192.168.0.190 Lounge-MCPC description Loungeroom-MCPC
name 192.168.0.102 Malibu description Aleks Linux Desktop
name 192.168.0.100 Alek-PC description Aleks Main PC
name 10.1.1.12 Avalon description Main Link Avalon VIRTUAL
name 10.1.1.13 Palm description Cacti
name 192.168.0.103 Attic-Desktop description Attic-Desktop
!
interface Ethernet0
nameif outside
security-level 0
pppoe client vpdn group Home
ip address pppoe setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet2
description dmz
nameif dmz
security-level 30
ip address 10.1.1.1 255.255.255.0
!
banner exec You are now logged onto $(hostname).$(domain)
banner exec Please logout when you are done
banner login -------------------------------------------------------------------------------
banner login                        Welcome Home!
banner login -------------------------------------------------------------------------------
banner login    UNAUTHORISED ACCESS TO ANY SERVER ON THIS NETWORK IS STRICTLY PROHIBITED
banner login Loging in to any any server within this network without a user and
banner login password is considered cracking. If you gain access to this network
banner login without direct permission, you will be prosecuted to the full extent of the law.
banner login If you access further systems by tunneling through this connection, you are
banner login breaching the network and you will be punished to the full extent of the law
banner login By accessing this system, you are consenting to system monitoring for law
banner login enforcement purposes including your IP Address and login times.
banner login Any information (including data) is property of Alek and is
banner login protected under International Copyright.
banner login ------------------------------------------------------------------------------ -
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
retries 3
timeout 5
domain-name theatticnetwork.local
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp traceroute
object-group service RemoteAccess tcp
description RemoteAccess
port-object eq 3389
port-object eq pptp
port-object eq ssh
port-object eq telnet
port-object eq 10000
port-object eq 15013
object-group service mail tcp
description mail
port-object eq imap4
port-object eq pop2
port-object eq pop3
port-object eq smtp
object-group service data tcp
description data
port-object eq ftp
port-object eq ftp-data
port-object eq 1044
object-group network desktops
description Main Desktop PC's
network-object host Karen-PC
network-object host Alek-PC
network-object host Attic-Desktop
object-group network laptops
description Laptops
network-object host TAN-R31NBL
network-object host TAN-R31NBW
network-object host TAN-R51NBL
network-object host TAN-R51NBW
network-object host TAN-S10NBL
network-object host TAN-S10NBW
object-group network servers
description Servers
network-object host Avoca
network-object host Balmoral
network-object host 192.168.0.15
network-object host Whale
object-group network LinuxDesktops
description LinuxDesktops
network-object host Malibu
object-group network DM_INLINE_NETWORK_1
group-object desktops
group-object laptops
network-object host Avoca
group-object LinuxDesktops
object-group service DM_INLINE_SERVICE_2
service-object tcp eq 13646
service-object udp eq 13646
object-group network DM_INLINE_NETWORK_2
network-object 192.168.0.0 255.255.255.0
network-object host Malibu
object-group network Printers
description Printers
network-object host Ninetymile
object-group network WAPs
description Wireless Access Devices
network-object host Windawoppa
object-group network switches
description Network Switches
network-object host Bilgola
object-group network Media_Centers
network-object host Living-MCPC
network-object host 192.168.0.191
object-group network DM_INLINE_NETWORK_4
group-object desktops
group-object laptops
network-object host Avoca
group-object Media_Centers
group-object LinuxDesktops
object-group network LiveServers
description Servers in everyday use
network-object host Avoca
network-object host Balmoral
object-group network DM_INLINE_NETWORK_6
group-object desktops
group-object laptops
group-object LiveServers
group-object LinuxDesktops
object-group network DM_INLINE_NETWORK_7
group-object desktops
group-object laptops
object-group network DM_INLINE_NETWORK_8
group-object desktops
group-object laptops
object-group network DM_INLINE_NETWORK_9
group-object desktops
group-object laptops
object-group service MSN_TCP tcp
description MSN Messenger TCP
port-object range 1025 1035
port-object eq 1863
port-object range 5000 5010
port-object eq 5061
port-object eq 7001
object-group service MSN_UDP udp
description MSN Messenger UDP
port-object range 1025 1035
port-object range 5000 5010
port-object range 5004 5014
port-object eq 7001
port-object eq discard
object-group network DM_INLINE_NETWORK_10
network-object host TAN-R31NBL
network-object host Alek-PC
object-group service Torrent tcp
description Torrents
port-object eq 13646
port-object eq 13367
port-object eq 6969
port-object eq 35932
object-group service Torrent_UDP udp
description Torrent UDP
port-object eq 13646
port-object eq 13367
port-object eq 6969
port-object eq 35932
object-group network DM_INLINE_NETWORK_11
network-object host TAN-R31NBL
network-object host Alek-PC
object-group service DM_INLINE_SERVICE_4
service-object tcp eq 13367
service-object udp eq 13367
object-group network PlanetExpress
description Cisco Home Lab
network-object host Robot_Santa
object-group network DNSServers
description DNS Servers
network-object host Avoca
network-object host Balmoral
object-group network DMZServers
description DMZ Server
network-object host Whale-DMZ
network-object host Avalon
object-group service DM_INLINE_UDP_1 udp
port-object eq snmp
port-object eq snmptrap
object-group service DM_INLINE_TCP_2 tcp
group-object RemoteAccess
port-object eq 8000
port-object eq 8001
object-group network DM_INLINE_NETWORK_3
network-object host Avalon
network-object host Palm
object-group network DM_INLINE_NETWORK_5
network-object host Avalon
network-object host Palm
object-group network DM_INLINE_NETWORK_12
network-object host Avalon
network-object host Palm
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 any object-group DM_INLINE_TCP_1
access-list inside_access_in remark MSN Messenger
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_8 any object-group MSN_TCP
access-list inside_access_in remark MSN Messenger
access-list inside_access_in extended permit udp object-group DM_INLINE_NETWORK_9 any object-group MSN_UDP
access-list inside_access_in remark SSH, Telnet, RDC, Webmin, TCP/8000, TCP/8001
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 any object-group DM_INLINE_TCP_2
access-list inside_access_in remark Torrent Traffic
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 object-group Torrent any object-group Torrent
access-list inside_access_in extended permit udp object-group DM_INLINE_NETWORK_11 object-group Torrent_UDP any object-group Torrent_UDP
access-list inside_access_in remark FTP etc
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 any object-group data
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host Avoca any eq domain
access-list inside_access_in extended permit udp host Malibu any eq ntp inactive
access-list inside_access_in remark Ping & tracert
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_6 any
access-list inside_access_in extended permit udp host Malibu host 10.0.0.12 object-group DM_INLINE_UDP_1
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any any
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any inactive
access-list outside_access_in remark RDC
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in remark SSH
access-list outside_access_in extended permit tcp any any eq ssh
access-list dmz_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_3 any eq www
access-list dmz_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_5 any eq domain
access-list dmz_access_in extended permit ip object-group DM_INLINE_NETWORK_12 any
access-list outside2_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm notifications
logging mail errors
logging from-address sussex@home.local
logging recipient-address alek@home.local level errors
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (inside) 1 interface
global (dmz) 30 interface
nat (inside) 101 192.168.0.0 255.255.255.0
nat (dmz) 101 10.1.1.0 255.255.255.0
static (dmz,outside) tcp interface www Avalon www netmask 255.255.255.255
static (dmz,outside) tcp interface ssh Avalon ssh netmask 255.255.255.255
static (inside,outside) udp interface 13646 Alek-PC 13646 netmask 255.255.255.255
static (inside,outside) tcp interface 13367 TAN-R31NBL 13367 netmask 255.255.255.255
static (inside,outside) udp interface 13367 TAN-R31NBL 13367 netmask 255.255.255.255
static (inside,outside) tcp secondaryWANIP www Malibu www netmask 255.255.255.255
static (inside,outside) tcp secondaryWANIP ssh Malibu ssh netmask 255.255.255.255
static (dmz,outside) tcp SECONDARYWANIP ssh Palm ssh netmask 255.255.255.255
static (inside,outside) tcp SecondaryWANIP 3389 Alek-PC 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 13646 Alek-PC 13646 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Avoca 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
user-message "Welcome Home. Remember that you are connected to home. Please disconnect when you are done."
network-acl inside_access_in
network-acl outside_access_in
eou allow none
aaa authentication telnet console LOCAL
http server enable 81
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside Malibu community public
snmp-server location Study Rack
snmp-server contact Alek
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change
snmp-server enable traps remote-access session-threshold-exceeded
no sysopt connection permit-vpn
auth-prompt prompt Please authenticate:
auth-prompt accept Welcome Home
auth-prompt reject Whoopsies. You didnt climb the stairs!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local
telnet Alek-PC 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
management-access inside
vpdn group Home request dialout pppoe
vpdn group Home localname ispuser5364
vpdn group Home ppp authentication pap
vpdn username ispuser5364 password ********* store-local
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server Balmoral source inside prefer
group-policy DfltGrpPolicy attributes
banner value Welcome Home
wins-server value 192.168.0.10
dns-server value 192.168.0.10
default-domain value home.local
username alek password  encrypted privilege 15
username alek attributes
vpn-group-policy DfltGrpPolicy
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage enable
group-lock value DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (outside) LOCAL
dhcp-server Avoca
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
no tunnel-group-map enable peer-ip
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:93ec173171bcd401f07301db6bd20fd4
: end

Accepted Solution

Jennifer Halim
Cisco Employee

Here is the static statement that needs to be added for LAN access to DMZ:

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

If you are doing a ping test to check connectivity, you might want to add the following inspection as well for ICMP:

policy-map global_policy
  class inspection_default
    inspect icmp

Hope that helps.

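To see why the identity static above changes the outcome, here is an added Python checker (not part of the thread or of Cisco's tooling) that reads the global/nat/static lines from the posted config and reports which translation the PIX would apply to a given flow. The config excerpt is constructed from the post, and treating a rule-less flow as untranslated assumes nat-control is disabled (the 8.0 default).

```python
import ipaddress
import re

# Constructed excerpt of the NAT-related lines from the posted config (not the whole config).
PIX_CONFIG = """\
global (outside) 101 interface
global (inside) 1 interface
global (dmz) 30 interface
nat (inside) 101 192.168.0.0 255.255.255.0
nat (dmz) 101 10.1.1.0 255.255.255.0
static (dmz,outside) tcp interface www Avalon www netmask 255.255.255.255
"""
# The identity static from the accepted answer.
FIX = "static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0\n"

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) ")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\d[\d.]*) (\S+)")  # 'nat (if) 0 access-list' forms are skipped
# static (real_if,mapped_if) mapped_ip real_ip netmask mask; port statics have more tokens and are skipped
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")


def parse(config):
    """Collect global pools, dynamic nat rules and network statics from PIX 8.0 config text."""
    pools, nats, statics = set(), [], []
    for line in config.splitlines():
        line = line.strip()
        if m := GLOBAL_RE.match(line):
            pools.add((m.group(1), int(m.group(2))))
        elif m := NAT_RE.match(line):
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            nats.append((m.group(1), int(m.group(2)), net))
        elif m := STATIC_RE.match(line):
            real = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            statics.append((m.group(1), m.group(2), real))
    return pools, nats, statics


def translation_for(config, src_if, dst_if, src_ip):
    """Report which translation the PIX would use for src_ip leaving src_if towards dst_if."""
    pools, nats, statics = parse(config)
    ip = ipaddress.ip_address(src_ip)
    # 1. Static translations take precedence over dynamic nat/global pairs.
    for real_if, mapped_if, real_net in statics:
        if real_if == src_if and mapped_if == dst_if and ip in real_net:
            return f"static ({real_if},{mapped_if}) {real_net}"
    # 2. A 'nat (if) id' rule without an access-list applies to every egress interface,
    #    so a 'global (dst_if) id' pool must exist or the packet is dropped
    #    (syslog %PIX-3-305005 "No translation group found").
    for nat_if, nat_id, net in nats:
        if nat_if == src_if and ip in net:
            if nat_id == 0:
                return "identity nat (nat 0)"
            if (dst_if, nat_id) in pools:
                return f"dynamic nat id {nat_id} via global ({dst_if})"
            return f"DROP: nat ({nat_if}) {nat_id} matches but there is no global ({dst_if}) {nat_id}"
    # 3. No rule at all: forwarded untranslated (assumes nat-control disabled, the 8.0 default).
    return "no nat rule: untranslated"
```

Running `translation_for(PIX_CONFIG, "inside", "dmz", "192.168.0.100")` reports the drop, and the same call with `PIX_CONFIG + FIX` reports the identity static; the dmz-to-inside direction still drops, which matches the behaviour the poster wants.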
2 Replies

Exactly what I need! Thank you very very VERY much.

I knew it would be something really simple.

Thanks again, you're a legend.
