No access from DMZ to Inside on PIX 515

virtd1978 · ‎03-22-2005

Hello!

I have 3 i-faces on PIX515: Inside, DMZ and Outside. DMZ and Outside have public IP, Inside has private IP.

I want to have access between Outside<--->DMZ<--->Inside without any translation

(my mail-server located in DMZ and must be accessible from internet and intranet via piblic IP)

The part of my config:

...

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security90

hostname pix

names

access-list open permit ip any any

ip address outside IP.OF.OUTSIDE.IFACE 255.255.255.252

ip address inside 172.21.116.6 255.255.255.252

ip address dmz IP.OF.DMZ.IFACE 255.255.255.248

static (dmz,outside) DMZ.PUBLIC.NETWORK.IP DMZ.PUBLIC.NETWORK.IP netmask 255.255.255.248 0 0

static (inside,dmz) INSIDE.PRIVATE.NETWORK.IP INSIDE.PRIVATE.NETWORK.IP netmask 255.255.255.252 0 0

access-group open in interface inside

access-group open in interface dmz

routing interface outside

routing interface inside

routing interface dmz

route outside 0.0.0.0 0.0.0.0 IP.FROM.OUTSIDE.NETWORK 1

...

So I have access between Outside<--->DMZ and only DMZ<---Inside. Why I have not access from DMZ to Inside?

Please, help.

Thank you.

Dmitry

beat · ‎03-23-2005

Your netmask of the static (dmz,inside) is suspiciously small: 255.255.255.252

Are you sure you you only have 2 IP addresses?

virtd1978 · ‎03-24-2005

Yes, it's test network. There are PIX inside interface and notebook.

Thank you fo your help! But it was trouble with notebook. It works under WinXP with enabled IP security (firewall). I'm sorry. I'm stupid.