10-22-2004 07:39 AM - edited 02-20-2020 11:42 PM
I'm trying to set up a DMZ on my PIX 515E running 6.2(2) for a webserver.
I have the DMZ interface set up. My workstations on the inside interface
are able to access the webserver, but not from the outside interface.
What am I doing wrong?
For config purposes, let's use the following:
outside network: 209.178.184.193 255.255.255.240
inside network: 10.10.0.0 255.255.0.0
dmz network: 201.201.201.0 255.255.255.0
webserver: 201.201.201.3 255.255.255.0
I have the following commands:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 209.178.184.194 255.255.255.240
ip address inside 10.10.10.2 255.255.0.0
ip address dmz 201.201.201.1 255.255.255.0
access-list acl_outside permit tcp any host 209.178.184.203 eq www
global (outside) 1 209.178.184.196
static (dmz,outside) 209.178.184.203 201.201.201.3 netmask 255.255.255.255 0 0
route dmz 201.201.201.2 255.255.255.255 201.201.201.1 1
10-22-2004 09:25 AM
Replace this ACL:
access-list acl_outside permit tcp any host 209.178.184.203 eq www
w/ this ACL
access-list acl_outside permit tcp any host 201.201.201.3 eq www
10-22-2004 11:40 AM
Your access-list with the outside address is correct, not the dmz address. You say that the inside can access the webserver but not from the outside. Are you trying to access the webserver from the inside workstations using its outside address? If so, then that will not work, by design.
10-22-2004 12:00 PM
Oops! I mistakenly inverted the IPs in the static command. Sorry for that. Yes, you have to code the outside ACL based on the published IP address. Any syslog would help.
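The thread settles on one rule for PIX 6.x: an ACL applied on the outside interface must permit traffic to the published (global) address in the static, not to the server's real DMZ address. The script below is an added example, not something any poster wrote, that checks a PIX-style config against that rule. It parses `static (real_if,mapped_if) mapped real ...` and `access-list NAME permit PROTO SRC host DST ...` lines with regular expressions I wrote for this purpose (they cover only the forms used in the thread), and flags an outside ACL entry whose destination is a real address that a static publishes under a different address, or an address no static publishes at all. The sample configuration is a constructed copy of the poster's lines.

```python
"""Check that outside-facing PIX 6.x ACL entries name the published (static)
address rather than the real DMZ address.  Added example, not from the thread."""
import re
from typing import Dict, List

# Constructed sample: the relevant lines from the original post.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet2 dmz security50
access-list acl_outside permit tcp any host 209.178.184.203 eq www
global (outside) 1 209.178.184.196
static (dmz,outside) 209.178.184.203 201.201.201.3 netmask 255.255.255.255 0 0
"""

# static (real_if,mapped_if) <mapped> <real> ...   (only this host form is handled)
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
)
# access-list NAME permit PROTO SRC host DST [eq PORT]; SRC is any | host A | NET MASK
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit (?P<proto>\w+) "
    r"(?P<src>any|host \S+|\S+ \S+) host (?P<dst>\d+\.\d+\.\d+\.\d+)"
)


def parse_statics(config: str) -> Dict[str, str]:
    """Return {published (mapped) address: real address} for every static line."""
    mapped_to_real: Dict[str, str] = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            mapped_to_real[m["mapped"]] = m["real"]
    return mapped_to_real


def check_outside_acl(config: str, acl_name: str) -> List[str]:
    """Return one finding per ACL entry in acl_name whose destination host is
    not a published address.  An empty list means every entry is consistent
    with the statics."""
    statics = parse_statics(config)
    real_to_mapped = {real: mapped for mapped, real in statics.items()}
    findings: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if not m or m["name"] != acl_name:
            continue
        dst = m["dst"]
        if dst in statics:
            continue  # destination is the published address: correct for PIX 6.x
        if dst in real_to_mapped:
            findings.append(
                f"{line!r}: destination {dst} is the real DMZ address; "
                f"the outside ACL must name the published address {real_to_mapped[dst]}"
            )
        else:
            findings.append(
                f"{line!r}: no static publishes {dst}; check the static for this host"
            )
    return findings


if __name__ == "__main__":
    # The poster's ACL (published address) passes ...
    print(check_outside_acl(SAMPLE_CONFIG, "acl_outside"))
    # ... while the first reply's suggestion (real DMZ address) is flagged.
    wrong = SAMPLE_CONFIG.replace("host 209.178.184.203", "host 201.201.201.3")
    for finding in check_outside_acl(wrong, "acl_outside"):
        print(finding)
```

Run against the poster's lines the check returns no findings; swap in the first reply's ACL (destination 201.201.201.3) and it reports that the entry must use 209.178.184.203, which is the correction the later replies make.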