12-29-2003 10:02 AM - edited 02-20-2020 11:10 PM
Hi guys, mind looking at my config and helping me figure out why any box in the DMZ cannot be accessed from the outside? They also have no access to the net. I looked at a couple of example configurations and I must be missing something every single time. What I am currently attempting to do is move 2 of my servers into the DMZ. Currently using a unix box with apache and qmail as my test machine.
Thanks
-Bob
--------------
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
hostname Guardian
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol http 80
names
access-list smtp permit tcp any host nnn.nnn.nnn.226 eq smtp
access-list smtp permit tcp any host nnn.nnn.nnn.226 eq pop3
access-list smtp permit tcp any host nnn.nnn.nnn.226 eq www
access-list smtp permit tcp any host nnn.nnn.nnn.228 eq www
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside nnn.nnn.nnn.226 255.255.255.224
ip address inside 192.168.4.1 255.255.255.0
ip address DMZ 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 2 interface
global (inside) 3 interface
global (DMZ) 4 nnn.nnn.nnn.228
nat (inside) 2 192.0.0.0 255.255.0.0 0 0
nat (DMZ) 4 192.168.5.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp 192.168.4.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.4.1 pop3 netmask 255.255.255.255 0 0
static (DMZ,outside) tcp nnn.nnn.nnn.228 www 192.168.5.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.4.2 www netmask 255.255.255.255 0 0
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 nnn.nnn.nnn.225 1
route inside 10.10.1.0 255.255.255.0 191.0.32.1 1
route inside 10.10.2.0 255.255.255.0 191.0.32.1 1
route inside 192.168.3.0 255.255.255.0 192.168.4.1 1
route inside 192.168.2.0 255.255.255.0 192.168.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
terminal width 80
12-29-2003 10:59 AM
static (DMZ,outside) tcp nnn.nnn.nnn.228 www 192.168.5.5 www netmask 255.255.255.255 0 0
That is the only static statement referencing the DMZ. Are you able to connect to that web server?
12-29-2003 12:58 PM
Nope, I am unable to connect to it from the outside. Right now I haven't added the static statement for smtp yet.
12-29-2003 01:13 PM
Have you done a clear xlate to wipe clean the translation slot table?
12-29-2003 03:24 PM
No sir, I haven't. I will try this once I get back into the office. I got the feeling that my static was working correctly, as when I would use telnet to port 80 it would just hang, not just die. My thinking was that the requests were getting through but the replies were not?
12-30-2003 06:39 AM
I have cleared the xlate and still have the same problem. IE just sits there stating that it's opening the page.
12-30-2003 06:53 AM
From looking at your config, you have an access list on the outside interface that allows only the following access:
tcp any host nnn.nnn.nnn.226 eq smtp
tcp any host nnn.nnn.nnn.226 eq pop3
tcp any host nnn.nnn.nnn.226 eq www
tcp any host nnn.nnn.nnn.228 eq www
but as you only have one static command referencing the DMZ interface:
static (DMZ,outside) tcp nnn.nnn.nnn.228 www 192.168.5.5 www netmask 255.255.255.255 0 0
only this one would be allowed.
Also, you have no fixup protocol http? You should use fixup protocol, I think.
sam
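As an added illustration of the point sam makes above (example code written for this thread, not from the posters or from Cisco): a small Python check that pairs each entry of the access list applied on the outside interface with the static that translates it, using the excerpt of Bob's posted config. It assumes PIX 6.2 syntax as shown on the page, with the `interface` keyword in a static standing for the outside interface address.

```python
import re

# Constructed excerpt of the PIX 6.2 config posted in the thread (nnn.nnn.nnn.x kept as written).
CONFIG = """
access-list smtp permit tcp any host nnn.nnn.nnn.226 eq smtp
access-list smtp permit tcp any host nnn.nnn.nnn.226 eq pop3
access-list smtp permit tcp any host nnn.nnn.nnn.226 eq www
access-list smtp permit tcp any host nnn.nnn.nnn.228 eq www
ip address outside nnn.nnn.nnn.226 255.255.255.224
static (inside,outside) tcp interface smtp 192.168.4.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.4.1 pop3 netmask 255.255.255.255 0 0
static (DMZ,outside) tcp nnn.nnn.nnn.228 www 192.168.5.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.4.2 www netmask 255.255.255.255 0 0
access-group smtp in interface outside
"""

ACE_RE = re.compile(r"^access-list (\S+) permit (\S+) any host (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) (\S+) (\S+) (\S+) netmask")

def audit(config):
    """Map each (host, port) permitted inbound on outside to the static translating it:
    (high-security interface, local ip, local port), or None if no static exists (PIX drops it)."""
    outside_ip, acl_name, aces, statics = None, None, [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"^ip address outside (\S+)", line):
            outside_ip = m.group(1)
        elif m := re.match(r"^access-group (\S+) in interface outside", line):
            acl_name = m.group(1)
        elif m := ACE_RE.match(line):
            aces.append(m.groups())
        elif m := STATIC_RE.match(line):
            high, low, proto, gip, gport, lip, lport = m.groups()
            if low == "outside":  # only statics published on the outside interface matter here
                statics[(proto, gip, gport)] = (high, lip, lport)
    result = {}
    for name, proto, host, port in aces:
        if name != acl_name:
            continue  # ACL not applied on outside, so it does not gate inbound traffic
        hit = statics.get((proto, host, port))
        if hit is None and host == outside_ip:
            hit = statics.get((proto, "interface", port))  # 'interface' keyword = outside address
        result[(host, port)] = hit
    return result

def reachable_via(config, iface):
    """ACEs whose static lands on the given interface, e.g. which permits actually reach the DMZ."""
    return sorted(k for k, v in audit(config).items() if v and v[0] == iface)
```

Run `audit(CONFIG)` to see every permitted host:port and where it is translated to; an entry that maps to None is permitted by the ACL but has no static, which is exactly the case when an ACE for the DMZ is added before its static.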
12-30-2003 10:48 AM
That is correct. The reason is that I'm trying to move services from the inside interface (first three access-list entries) to the DMZ (last access-list entry). Currently I am only allowing 80 into the DMZ, and that's all I'm concentrating on right now. As soon as I have http traffic running smoothly I should easily be able to allow smtp.
The fixup protocol is a personal preference from my readings. I may choose to enable it once again in the near future.
01-02-2004 03:02 AM
Have you tried to debug this, making sure that the traffic is leaving the DMZ interface of the pix and getting to the server?
The command is: debug pack dmz src any dst xxx.xxx.xxx.228 proto tcp dport 80 tx
Then you could debug from the server for the replies.
Command:
debug packet dmz src xxx.xxx.xxx.228 dst any proto tcp dport 80 tx
This will show you where the trouble is. Otherwise get a packet sniffer on that interface, because your config looks fine.
sam
01-06-2004 11:42 AM
I would check the default gateway on the web server. Make sure this is pointing to the DMZ interface. You may also want to remove the global statement and NAT for the DMZ as your statics should take care of that (depends on the rest of your setup). You probably will want to allow the WWW server to talk to some DNS server either internal or external.