09-28-2005 06:03 AM - edited 02-21-2020 12:25 AM
Hello all. I would like to preface this post by saying I am very new to firewall configuration. I have a PIX 515E O/S version 7.0(2). I am trying to implement a most basic configuration in a test
environment. My goal is to have our webservers in the DMZ with access to them from the inside and outside interface.
From the inside network in our test environment I am able to access internet sites via ip address, but DNS is not working. Also, from the inside network I am unable to reach internet ip addresses of the
webservers in our current production DMZ. Could this be a subnetting issue? We own 12x.17x.24x.128-161. We use 12x.17x.24x.128-144 in our production environment. Our test environment uses
12x.17x.24x.145-161.
Secondly, I have configured a webserver in the test DMZ. At this point I have been unable to contact the lone DMZ webserver from either the inside or outside interface.
I know the current firewall configuration is wide open. It will be required to be more restrictive once in production. I have just been trying to communicate with anything at this point.
Any help is appreciated! I have pasted the config below. Thank you in advance.
~kris
: Saved
:
PIX Version 7.0(2)
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 12x.17x.24x.145 255.255.252.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 10.0.0.1 255.0.0.0
!
enable password xxxx
passwd xxxx
hostname pixfirewall
ftp mode passive
dns retries 2
dns timeout 2
dns domain-lookup outside
dns name-server xxx.xxx.xxx.xxx
access-list internet extended permit icmp any any
access-list internet extended permit icmp any any echo
access-list internet extended permit icmp any any echo-reply
access-list internet extended permit tcp any any eq www
access-list internet extended permit tcp any host 12x.17x.24x.146 eq www
access-list internet extended permit udp any any
pager lines 20
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
monitor-interface outside
monitor-interface inside
monitor-interface dmz
icmp permit any outside
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 10.0.0.2-10.0.0.10
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 12x.17x.24x.146 10.0.0.2 netmask 255.255.255.255
access-group internet in interface outside
access-group internet out interface outside
access-group internet in interface inside
access-group internet out interface inside
access-group internet in interface dmz
access-group internet out interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxxx
: end
10-02-2005 06:11 PM
where is your DNS server located?
remove all these
access-group internet in interface outside
access-group internet out interface outside
access-group internet in interface inside
access-group internet out interface inside
access-group internet in interface dmz
access-group internet out interface dmz
see if you are able to communicate from inside/outside via dns
for inside to dmz you want to use public ip addresses of the dmz? you can try this
static (dmz,inside) 12x.17x.24x.146 10.0.0.2 netmask 255.255.255.255
at this point you should be able to communicate from inside/outside and from inside to dmz
for outside to dmz you need
access-group internet in interface outside
10-03-2005 10:27 AM
Okay, a lot has changed from the first post. Current behavior is the inside host has internet access with DNS. The webserver does not have internet access and is currently not serving to any hosts on the public address (inside or outside), but it does serve to the inside host and itself on the local address (10.0.0.2).
Oh, and I moved the whole test environment up to 155+.
Here is the current config:
*****************************
: Saved
:
PIX Version 7.0(2)
names
!
interface Ethernet0
nameif outside
security-level 0
ip address x.y.z.155 255.255.252.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 10.0.0.1 255.255.255.0
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
ftp mode passive
dns retries 2
dns timeout 2
dns domain-lookup outside
dns name-server xxx.xxx.xxx.98
access-list internet extended permit icmp any any
access-list internet extended permit tcp any host x.y.z.156 eq www
access-list dmz extended permit ip any any
pager lines 20
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
monitor-interface outside
monitor-interface inside
monitor-interface dmz
icmp permit any outside
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,outside) x.y.z.156 10.0.0.2 netmask 255.255.255.255
access-group internet in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd dns xxx.xxx.xxx.98 xxx.xxx.xxx.66
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect http
!
service-policy global_policy global
Cryptochecksum:728f1ff24b802cc4239de1f52c6f79ad
: end
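The reply above makes two points that can be checked mechanically: a single ACL bound in both directions on every interface overrides the security-level model, and a host on inside can only reach the DMZ server by its public address if a static exists toward inside, not just toward outside. The script below is an added example, not code from the original posts or from Cisco. It parses only the statement types the posted configs use (nameif, security-level, extended access-list, access-group, static) and runs over constructed excerpts of the two posted configs, keeping the author's x.y.z placeholders. On the first config it flags the six in/out bindings, the `permit udp any any` rule and the missing `static (dmz,inside)`; on the second it flags the DMZ-to-anywhere `permit ip any any` and the same missing static, which matches the reported symptom that the webserver answers only on 10.0.0.2 from inside.

```python
"""Audit a Cisco PIX 7.x running-config for the access-group and static NAT
issues discussed in this thread. Added example, not from the original posts
or from Cisco; it understands only the statement types the posted configs use.
"""
from collections import defaultdict

# Constructed excerpt of the first posted config (wide-open bindings).
CONFIG_FIRST = """\
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet1
 nameif inside
 security-level 100
interface Ethernet2
 nameif dmz
 security-level 50
access-list internet extended permit icmp any any
access-list internet extended permit tcp any any eq www
access-list internet extended permit tcp any host 12x.17x.24x.146 eq www
access-list internet extended permit udp any any
static (dmz,outside) 12x.17x.24x.146 10.0.0.2 netmask 255.255.255.255
access-group internet in interface outside
access-group internet out interface outside
access-group internet in interface inside
access-group internet out interface inside
access-group internet in interface dmz
access-group internet out interface dmz
"""

# Constructed excerpt of the second posted config (after the reply's advice).
CONFIG_SECOND = """\
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet1
 nameif inside
 security-level 100
interface Ethernet2
 nameif dmz
 security-level 50
access-list internet extended permit icmp any any
access-list internet extended permit tcp any host x.y.z.156 eq www
access-list dmz extended permit ip any any
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,outside) x.y.z.156 10.0.0.2 netmask 255.255.255.255
access-group internet in interface outside
access-group dmz in interface dmz
"""


def _addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (text, rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_pix(text):
    """Return interface security levels, ACLs, access-group bindings and statics."""
    cfg = {"levels": {}, "acls": defaultdict(list), "bindings": [], "statics": []}
    ifname = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            ifname = None
        elif t[0] == "nameif":
            ifname = t[1]
        elif t[0] == "security-level" and ifname:
            cfg["levels"][ifname] = int(t[1])
        elif t[0] == "access-list" and len(t) > 5 and t[2] == "extended":
            # access-list NAME extended permit|deny PROTO SRC DST [eq PORT]
            src, rest = _addr(t[5:])
            dst, rest = _addr(rest)
            port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
            cfg["acls"][t[1]].append(
                {"action": t[3], "proto": t[4], "src": src, "dst": dst, "port": port})
        elif t[0] == "access-group":
            # access-group NAME in|out interface IFACE
            cfg["bindings"].append({"acl": t[1], "dir": t[2], "iface": t[4]})
        elif t[0] == "static":
            # static (REAL_IF,MAPPED_IF) MAPPED REAL netmask MASK
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["statics"].append({"real_if": real_if, "mapped_if": mapped_if,
                                   "mapped": t[2], "real": t[3], "mask": t[5]})
    return cfg


def audit(cfg):
    """Return a list of human-readable findings for the parsed config."""
    findings = []
    per_iface, bound_on = defaultdict(set), defaultdict(set)
    for b in cfg["bindings"]:
        if b["acl"] not in cfg["acls"]:
            findings.append(f"access-group references undefined ACL '{b['acl']}'")
        per_iface[b["iface"]].add(b["dir"])
        bound_on[b["acl"]].add(b["iface"])
    # 1. An ACL applied in and out on one interface: the security-level
    #    default (high may initiate to low, low may not) no longer decides anything.
    for iface, dirs in sorted(per_iface.items()):
        if {"in", "out"} <= dirs:
            findings.append(f"{iface}: ACL bound in both directions; security-level policy is overridden")
    # 2. Rules that allow a whole protocol from anywhere to anywhere.
    for name, aces in cfg["acls"].items():
        for ace in aces:
            if (ace["action"] == "permit" and ace["proto"] in ("ip", "udp", "tcp")
                    and ace["src"] == ace["dst"] == "any" and ace["port"] is None):
                where = ", ".join(sorted(bound_on[name])) or "not bound"
                findings.append(f"ACL '{name}' permits {ace['proto']} any any (applied on: {where})")
    # 3. A server published toward a lower-security interface only: hosts on a
    #    higher-security interface cannot reach its mapped (public) address.
    levels = cfg["levels"]
    published = defaultdict(set)
    for s in cfg["statics"]:
        if s["mapped"] != s["real"]:  # skip identity NAT
            published[(s["real_if"], s["mapped"], s["real"], s["mask"])].add(s["mapped_if"])
    for (real_if, mapped, real, mask), mapped_ifs in published.items():
        for iface, lvl in sorted(levels.items()):
            if iface != real_if and iface not in mapped_ifs and lvl > levels.get(real_if, lvl):
                findings.append(f"{mapped} (real {real} behind {real_if}) has no static toward {iface}; "
                                f"add 'static ({real_if},{iface}) {mapped} {real} netmask {mask}'")
    return findings


if __name__ == "__main__":
    for label, text in (("first config", CONFIG_FIRST), ("second config", CONFIG_SECOND)):
        print(f"== {label}")
        for f in audit(parse_pix(text)):
            print(" -", f)
```

The static check only compares interfaces by security level, so it reports the missing inside-facing translation without needing to know the addressing plan; on a production box the same script would also be the place to flag `nat (dmz) 1 0.0.0.0 0.0.0.0` style catch-alls, which the excerpts omit.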