Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
347
Views
0
Helpful
5
Replies

pix 515e build a DMZ for www server NAT to the web server on the DMZ interface

Go to solution
cgarlick1972
Level 1
Level 1

‎01-07-2017 08:15 AM - edited ‎03-12-2019 01:45 AM

I want to build a DMZ with www access, trace route suceds but I still can not access the web server

Outside IP 24.49.x.x

Inside 10.0.x.x

DMZ 192.168.1.100

DMZ interface 192.168.1.1

I only have 1 IP for the outside interface so I have to translate to the web server (DMZ_HOST)

Here is my current config:

PIX Version 8.0(4)28
!
hostname AvatarPix1
domain-name AvatarDomain.local
enable password <Omitted> encrypted
passwd <Omitted>encrypted
names
name 24.49.x.x Outside
name 10.0.0.1 Inside
name 192.168.1.100 DMZ_HOST
name 192.168.1.1 DMZ
!
interface Ethernet0
 speed 100
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address Outside 255.255.255.0
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address Inside 255.255.255.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address DMZ 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name AvatarDomain.local
object-group service TCP-WWW tcp
 port-object eq 691
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq 135
 port-object eq 445
 port-object eq ftp
object-group service WWW_Ports tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq pop3
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any host DMZ_HOST object-group WWW_Ports
access-list DMZ_access_in extended permit icmp host DMZ_HOST any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 DMZ_HOST 255.255.255.255
static (DMZ,OUTSIDE) DMZ_HOST DMZ_HOST netmask 255.255.255.255
access-group outside_access_in in interface OUTSIDE
access-group DMZ_access_in in interface DMZ
route OUTSIDE 0.0.0.0 0.0.0.0 24.49.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd ping_timeout 750
!
dhcpd address 10.0.0.10-10.0.0.50 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
  inspect http
  inspect pptp
!
service-policy global_policy global

Can anyone see what my problem is?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎01-07-2017 08:51 AM

You nat for the DMZ-host is wrong as it translates the private IP to itself. Remove the following line:

static (DMZ,OUTSIDE) DMZ_HOST DMZ_HOST netmask 255.255.255.255

And add a new one:

static (DMZ,OUTSIDE) tcp interface 80 DMZ_HOST 80 netmask 255.255.255.255

In addition to that, your ACL is wrong. With the old software that your firewall runs you have to use the translated IP in the ACL:

no access-list outside_access_in extended permit tcp any host DMZ_HOST object-group WWW_Ports
access-list outside_access_in extended permit tcp any host 24.49.x.x object-group WWW_Ports

And if you enable ICMP-inspection, you can remove the ACE that allows echo-reply statelessly:

no access-list outside_access_in extended permit icmp any any echo-reply
policy-map global_policy
 class inspection_default
  inspect icmp

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Karsten Iwen
VIP
VIP

‎01-07-2017 08:51 AM

You nat for the DMZ-host is wrong as it translates the private IP to itself. Remove the following line:

static (DMZ,OUTSIDE) DMZ_HOST DMZ_HOST netmask 255.255.255.255

And add a new one:

static (DMZ,OUTSIDE) tcp interface 80 DMZ_HOST 80 netmask 255.255.255.255

In addition to that, your ACL is wrong. With the old software that your firewall runs you have to use the translated IP in the ACL:

no access-list outside_access_in extended permit tcp any host DMZ_HOST object-group WWW_Ports
access-list outside_access_in extended permit tcp any host 24.49.x.x object-group WWW_Ports

And if you enable ICMP-inspection, you can remove the ACE that allows echo-reply statelessly:

no access-list outside_access_in extended permit icmp any any echo-reply
policy-map global_policy
 class inspection_default
  inspect icmp

0 Helpful

Go to solution
cgarlick1972
Level 1
Level 1
In response to Karsten Iwen

‎01-07-2017 10:08 AM

Still getting error:

TCP access denied by ACL from 10.0.0.10/55479 to inside:Outside/80

If I try to reach it from an outside network it does nothing and doesn't even show an error

0 Helpful

Go to solution
cgarlick1972
Level 1
Level 1
In response to cgarlick1972

‎01-07-2017 10:20 AM

I think I fixed it, seems the object-group wasn't working.

This statement fixed it but I would have never found it without your help! Many thanks!

access-list outside_access_in extended permit tcp any 24.49.x.x 255.255.255.0 eq www

0 Helpful

Go to solution
cgarlick1972
Level 1
Level 1
In response to cgarlick1972

‎01-07-2017 02:00 PM

I can access my webserver from outside but not from the inside network.

What will allow this?

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to cgarlick1972

‎01-07-2017 02:33 PM

You also need a NAT-rule from inside to DMZ. This is one way to do it. It exempts this traffic from NAT:

access-list NO-NAT permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card