Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
516
Views
0
Helpful
4
Replies

pix 515 problem urgently

cychenyan
Level 1
Level 1

‎06-18-2003 05:17 PM - edited ‎02-20-2020 10:48 PM

hi,

I have a pix 515 with 3 interfaces, the outside interface and the DMZ interface are different subnets of one main net, which means that I have a legal net ( 200.200.200.0/26, the outside interface and the DMZ interface are 200.200.200.0/27 and 200.200.200.32/27, all the www and mail servers are located in the DMZ. One Router is outside of the PIX.

I have add the routes on the router to the DMZ net.

The problem is from the inside I can reach anywhere which I certainly use the nat, but from the DMZ I can not reach anywhere.

the configuration is below:

PIX Version 6.1(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security10

enable password xxxx encrypted

passwd xxxxx encrypted

hostname pixfirewall

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 101 permit icmp any any

access-list 101 permit tcp any host 200.200.200.1 eq domain

access-list 101 permit udp any host 200.200.200.1 eq domain

access-list 101 permit tcp any host 200.200.200.6 eq www

access-list 101 permit tcp any host 200.200.200.8 eq ftp

access-list 101 permit tcp any host 200.200.200.3 eq smtp

access-list 101 permit ip any any

access-list 102 permit ip any any

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside xxxx.xxx.xxx.59 255.255.255.224

ip address inside xxx.xxx.xx.230 255.255.255.0

ip address dmz 200.200.200.30 255.255.255.224

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 60

global (outside) 1 200.200.200.61

global (dmz) 1 200.200.200.15

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group 101 in interface outside

access-group 102 in interface dmz

route outside 0.0.0.0 0.0.0.0 200.200.200.62 1

route inside 192.168.10.0 255.255.255.0 192.168.30.1 1

route inside 192.168.20.0 255.255.255.0 192.168.30.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:xxxxxxx

: end

[OK]

0 Helpful
4 Replies 4

bdube
Level 2
Level 2

‎06-18-2003 05:34 PM

you need the following static & nat commands:

static (dmz,outside) 200.200.200.1 200.200.200.1 netmask 255.255.255.255

static (dmz,outside) 200.200.200.3 200.200.200.3 netmask 255.255.255.255

static (dmz,outside) 200.200.200.6 200.200.200.6 netmask 255.255.255.255

static (dmz,outside) 200.200.200.8 200.200.200.8 netmask 255.255.255.255

And for DMZ to go out:

nat (dmz) 1 0.0.0.0 0.0.0.0

Regards,

Ben

0 Helpful

aboelhouwers
Level 1
Level 1
In response to bdube

‎07-01-2003 06:58 AM

I agree with this solution but I don't understand access-list 101

access-list 101 permit icmp any any

access-list 101 permit tcp any host 200.200.200.1 eq domain

access-list 101 permit udp any host 200.200.200.1 eq domain

access-list 101 permit tcp any host 200.200.200.6 eq www

access-list 101 permit tcp any host 200.200.200.8 eq ftp

access-list 101 permit tcp any host 200.200.200.3 eq smtp

access-list 101 permit ip any any <-------------------------------------------------

I think the last statement should be: deny ip any any

Regards

Aad

0 Helpful

adallica
Level 1
Level 1
In response to aboelhouwers

‎08-07-2003 05:38 PM

THis is an implicit rule that happens automatically. You only need it if you want to log the deny alls, otherwise it won't get logged

0 Helpful

l.mourits
Level 5
Level 5
In response to aboelhouwers

‎08-11-2003 11:07 PM

I agree with Aad (good to see you here Aad *grin*)

The permit ip any any will drill a serious securityhole in your PIX. Your PIX is open to any traffic with this command (not implicit command like the other guy stated, cause the implicit rule depending on securitylevels is never seen in config)

If you do not want the servers on the dmz to be reachable from the outside, the nat (dmz) 1 0.0.0.0 0.0.0.0 will do

The static commands provides you with the ability to let the PIX proxy-ARP on the outside interface for these adresses (no further config needed)

Kind Regards,

Leo

K

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card