12-03-2004 02:40 PM - edited 02-20-2020 11:47 PM
Hello,
We are having some difficulties in moving the traffic in and out of a Cisco PIX 515 firewall. We are using it with two DMZs. The first DMZ (DMZ1) has a mail server in it (front-end mail server) that communicates with another mail server on the inside (back-end mail server). The second DMZ (DMZ2) has some users who are supposed to go through the firewall to the outside to use the Internet, and who must have access to the mail server in DMZ1. The inside users must be able to use the Internet and access DMZ1. Below is the important part of our configuration.
From what we did, we can access the Internet properly from the inside, the inside users can reach the mail server in DMZ1, and the mail server in DMZ1 can reach the inside. Our problem is that we can't browse the Internet from the mail server in DMZ1, though we set the DMZ1 interface IP address as the gateway on that server and the ISP's DNS IP address is properly set on the same machine. Also, we couldn't make the DMZ2 users browse the Internet, though we permitted the www protocol in the fromOut access-list. One last question: can we make the DMZ2 interface on the PIX a DHCP server and have it distribute IP addresses to the users on that subnet only? Thanks in advance for all the help offered.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
!
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security40
!
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
!
names
!
ip address outside X.Y.Z.163 255.255.255.248
ip address inside 192.168.0.9 255.255.255.0
ip address dmz1 192.168.10.1 255.255.255.0
ip address dmz2 192.168.20.1 255.255.255.0
!
access-list fromOut permit icmp any host X.Y.Z.162 source-quench
access-list fromOut permit icmp any host X.Y.Z.162 echo-reply
access-list fromOut permit icmp any host X.Y.Z.162 unreachable
access-list fromOut permit icmp any host X.Y.Z.162 time-exceeded
access-list fromOut permit tcp any host X.Y.Z.162 eq domain
access-list fromOut permit tcp any host X.Y.Z.162 eq telnet
access-list fromOut permit tcp any host X.Y.Z.162 eq smtp
access-list fromOut permit tcp any host X.Y.Z.162 eq www
!
access-list fromDMZ1 permit tcp host 192.168.10.2 192.168.0.0 255.255.255.0
access-list fromDMZ1 permit ip host 192.168.10.2 192.168.0.0 255.255.255.0
!
access-list fromDMZ2 permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
!
pager lines 24
!
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
!
global (outside) 1 X.Y.Z.164 netmask 255.255.255.248
global (outside) 2 X.Y.Z.165 netmask 255.255.255.248
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (dmz1) 1 192.168.10.2 255.255.255.255 0 0
nat (dmz2) 2 192.168.20.0 255.255.255.0 0 0
static (inside,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
static (dmz2,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
static (dmz1,outside) X.Y.Z.162 192.168.10.2 netmask 255.255.255.255 0 0
!
access-group fromOut in interface outside
access-group fromDMZ1 in interface dmz1
access-group fromDMZ2 in interface dmz2
route outside 0.0.0.0 0.0.0.0 X.Y.Z.161 1
12-03-2004 11:11 PM
Hi jamil,
There is a phrase on the URL that I sent you, that you can currently enable the DHCP option on the inside interface only. Just check this..
Raj
12-03-2004 11:09 PM
Hi Jamil,
One important thing to note here is the access-lists. Always remember that there is an implicit deny rule at the end of an access-list. The answers to your problems are:
1) mail server in DMZ 1 not able to browse:
Just make sure you have the following on the access-list fromDMZ1.
access-list fromDMZ1 permit tcp host 192.168.10.2 192.168.0.0 255.255.255.0
access-list fromDMZ1 permit ip host 192.168.10.2 192.168.0.0 255.255.255.0
access-list fromDMZ1 permit tcp host 192.168.10.2 any eq www
access-list fromDMZ1 permit tcp host 192.168.10.2 any eq https
access-list fromDMZ1 permit udp host 192.168.10.2 any eq domain
Add access-list entries to open whatever other ports you want from 192.168.10.2.
2) DMZ2 users not able to browse: please change it to the following:
access-list fromDMZ2 permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list fromDMZ2 permit tcp 192.168.20.0 255.255.255.0 any eq www
access-list fromDMZ2 permit udp 192.168.20.0 255.255.255.0 any eq domain
DHCP option:
Yes, you can configure it. Refer to the following URL:
Hope this helps.. all the best..
Raj
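To see why the implicit deny at the end of an access-list produces exactly the symptoms in the question (inside traffic works, but outbound web from the DMZ1 mail server and from DMZ2 is silently dropped), here is a small Python model of PIX 6.3-style access-list evaluation: netmask notation, first match wins, implicit deny when nothing matches. This is an added example, not code from this thread or from Cisco. The "corrected" fromDMZ1 list, the fromDMZ2 list with and without the 192.168.2.0 typo, the external address 198.51.100.10 and the DMZ2 client 192.168.20.5 are all constructed for the demonstration, and the nat/global/static translations that the PIX also applies are deliberately not modelled.

```python
import ipaddress

# Port keywords as PIX 6.3 spells them (only the ones this thread needs).
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "smtp": 25, "telnet": 23}


def _port(token):
    """Translate a PIX port keyword or a numeric port into an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _parse_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A NETMASK' (a real netmask, not a wildcard)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq PORT' qualifier."""
    if tokens and tokens[0] == "eq":
        return _port(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' lines into ordered entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        name, action, proto, rest = t[1], t[2], t[3], t[4:]
        src, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        entries.append({"name": name, "action": action, "proto": proto,
                        "src": src, "sport": sport, "dst": dst, "dport": dport})
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dport):
    """First matching entry decides; no match means the implicit deny at the end of the list.

    Returns (action, 1-based index of the matching entry), or ("deny", None) for the implicit deny.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, e in enumerate(entries, 1):
        if e["proto"] not in ("ip", proto):
            continue
        if src not in e["src"] or dst not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], i
    return "deny", None


# The fromDMZ1 list exactly as posted in the question.
ORIGINAL_FROMDMZ1 = """
access-list fromDMZ1 permit tcp host 192.168.10.2 192.168.0.0 255.255.255.0
access-list fromDMZ1 permit ip host 192.168.10.2 192.168.0.0 255.255.255.0
"""

# The same list with outbound web and DNS entries appended (constructed corrected form).
CORRECTED_FROMDMZ1 = ORIGINAL_FROMDMZ1 + """
access-list fromDMZ1 permit tcp host 192.168.10.2 any eq www
access-list fromDMZ1 permit tcp host 192.168.10.2 any eq https
access-list fromDMZ1 permit udp host 192.168.10.2 any eq domain
"""

# fromDMZ2 with the 192.168.2.0 typo, and with the real DMZ2 subnet 192.168.20.0 (constructed).
FROMDMZ2_TYPO = """
access-list fromDMZ2 permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list fromDMZ2 permit tcp 192.168.2.0 255.255.255.0 any eq www
"""
FROMDMZ2_FIXED = FROMDMZ2_TYPO.replace("192.168.2.0 ", "192.168.20.0 ")


if __name__ == "__main__":
    web = "198.51.100.10"  # constructed external web server address
    print(evaluate(parse_acl(ORIGINAL_FROMDMZ1), "tcp", "192.168.10.2", web, 80))   # ('deny', None)
    print(evaluate(parse_acl(CORRECTED_FROMDMZ1), "tcp", "192.168.10.2", web, 80))  # ('permit', 3)
    print(evaluate(parse_acl(FROMDMZ2_TYPO), "tcp", "192.168.20.5", web, 80))       # ('deny', None)
    print(evaluate(parse_acl(FROMDMZ2_FIXED), "tcp", "192.168.20.5", web, 80))      # ('permit', 2)
```

The model makes the two failure modes visible without touching a firewall: with the original fromDMZ1 list, a web request from the mail server reaches the end of the list and hits the implicit deny even though nothing in the outside-facing fromOut list blocks it, and a one-character subnet typo in fromDMZ2 (192.168.2.0 instead of 192.168.20.0) leaves the DMZ2 clients in the same position. Whenever an ACL change "does nothing", checking which entry (if any) a sample flow actually matches is the quickest way to find the gap.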