I am new to the PIX firewall and am having a few problems configuring it.
I have a PIX515 configured with 4 DMZs I want to be able to let www traffic from the outside interface to one server in a DMZ, for this I have used the following command.
static (dmz110,outside) tcp interface www 192.168.110.2 www netmask 255.255.255.255 0 0
I have configured two PCs one with a web server running on it and connected them to the
relevant ports with crossover cables. Each PC points to the PIX interface as its default gateway.
When I try to connect to the PC running the web server all I get is the page can not be displayed.
Once I have got this working I would like to allow traffic from the DMZ with the webserver
in to access other DMZs. This would be controlled using access-lists but I am unsure how I
can get the traffic to flow from one DMZ to the other. I have a play with static addresses but I am getting confused.
I have included the full firewall config incase something else is causing the problems.
Thanks in advance for your help.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz106 security70
nameif ethernet3 dmz107 security60
nameif ethernet4 dmz108 security50
nameif ethernet5 dmz110 security80
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 107 permit icmp any any echo
access-list 107 permit icmp any any echo-reply
access-list 107 permit icmp any any source-quench
access-list 107 permit icmp any any unreachable
access-list 107 permit icmp any any time-exceeded
access-list dmz-in permit ip any 10.10.60.0 255.255.255.0
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz106 1500
mtu dmz107 1500
mtu dmz108 1500
mtu dmz110 1500
ip address outside 192.168.200.1 255.255.255.0
ip address inside 10.10.60.135 255.255.0.0
ip address dmz106 192.168.106.1 255.255.255.0
ip address dmz107 192.168.107.1 255.255.255.0
ip address dmz108 192.168.108.1 255.255.255.0
ip address dmz110 192.168.110.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz106
no failover ip address dmz107
no failover ip address dmz108
no failover ip address dmz110
pdm location 10.10.60.134 255.255.255.255 inside
pdm location 192.168.110.2 255.255.255.255 dmz110
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 10.0.0.0 255.0.0.0 0 0
nat (dmz106) 1 192.168.106.0 255.255.255.0 0 0
nat (dmz107) 1 192.168.107.0 255.255.255.0 0 0
nat (dmz110) 1 192.168.110.0 255.255.255.0 0 0
static (dmz110,outside) tcp interface www 192.168.110.2 www netmask 255.255.255.255 0 0
static (inside,dmz108) 10.10.60.0 10.10.60.0 netmask 255.255.255.0 0 0
access-group 107 in interface dmz107
access-group dmz-in in interface dmz108
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.60.134 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
