PIX version 8.0(4) problem to configure DMZ

cbemobile
Level 1

Hi,

I have a PIX 515E firewall and have some issues with the configuration (I am a beginner).

Multiple clients are connected to a switch using VLANs, and the switch is connected to the PIX using a trunk.

The PIX is connected to the ISP router using the OUTSIDE interface.

For each VLAN I create a sub-interface on the PIX.

I have a DMZ1 with a specific server inside.

This server in DMZ1 must be accessed from the Internet and also from all the inside VLANs.

INSIDE VLANS -> INTERNET

INSIDE VLANS -> DMZ1

DMZ1 -> INTERNET

INTERNET -> DMZ1

With the configuration I did:

The Inside VLANs can access INTERNET

The DMZ1 can access INTERNET

I forward (NAT) all the traffic coming in on the outside interface to the DMZ1 server to permit access from the INTERNET to DMZ1. (I suppose there are other solutions.)

From the VLANs I cannot access the DMZ1 server.

I am not fluent with NAT, NO NAT and ACLs, and perhaps this is the origin of the problems.

I have attached the version information of my PIX and the running configuration.

I would appreciate your help.

Thanks

Accepted Solution

You need to use PAT, and not a static NAT of all ports, from outside to DMZ1.

For example, you can use the following to NAT 172.30.70.9 port TCP/80 to the outside interface:

static (DMZ1,OUTSIDE) tcp interface 172.30.70.9 80 netmask 255.255.255.255

You can also test your configuration by using packet-tracer and see if it is successful or, if it fails, where it fails:

packet-tracer input OUTSIDE tcp 4.2.2.2 12345 <Outside Int IP> 80

--

Please remember to select a correct answer and rate helpful posts


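The configuration below is an added example, not Marius's reply or the poster's attached running-config. It puts the accepted answer in context: the all-ports static the poster started with (shown commented out) beside the static PAT that replaces it, the outbound PAT, the identity static that lets the inside VLANs reach DMZ1 (the part the poster could not get working), the inbound ACL, and the packet-tracer checks. The outside address 192.168.220.200 and the DMZ server 172.30.70.9 come from the thread; the interface names, the 10.100.10.0/24 inside VLAN, the DMZ1 subnet and the security levels are assumptions. Syntax is pre-8.3 (PIX 8.0(4)), so ACLs reference the mapped address.

```cisco
! --- Interfaces (names, VLAN numbers and addresses are assumptions) ---
interface Ethernet0
 nameif OUTSIDE
 security-level 0
 ip address 192.168.220.200 255.255.255.0
!
interface Ethernet1.10
 vlan 10
 nameif INSIDE
 security-level 100
 ip address 10.100.10.1 255.255.255.0
!
interface Ethernet1.70
 vlan 70
 nameif DMZ1
 security-level 50
 ip address 172.30.70.1 255.255.255.0
!
! --- Weak setting: the original all-ports static ---
! Every TCP/UDP port of the OUTSIDE address, including the ones the PIX itself
! answers on (ASDM on 443, SSH on 22), is handed to the DMZ server.
!   static (DMZ1,OUTSIDE) interface 172.30.70.9 netmask 255.255.255.255
!
! --- Corrected: static PAT, one mapped port to one real port ---
static (DMZ1,OUTSIDE) tcp interface 443 172.30.70.9 443 netmask 255.255.255.255
!
! --- Outbound PAT: inside VLANs and DMZ1 to the Internet ---
nat (INSIDE) 1 0.0.0.0 0.0.0.0
nat (DMZ1) 1 0.0.0.0 0.0.0.0
global (OUTSIDE) 1 interface
!
! --- Inside VLAN -> DMZ1 ---
! "nat (INSIDE) 1" matches this flow too, but there is no "global" for pool 1
! on DMZ1, so the PIX has no translation to build and drops it. An identity
! static between the two interfaces gives it one; inside hosts keep their real
! address toward the DMZ. INSIDE (100) to DMZ1 (50) needs no ACL by default.
static (INSIDE,DMZ1) 10.100.10.0 10.100.10.0 netmask 255.255.255.0
!
! --- Inbound from the Internet: only the published port, to the public address ---
access-list OUTSIDE_IN extended permit tcp any host 192.168.220.200 eq 443
access-group OUTSIDE_IN in interface OUTSIDE
!
! --- Verification ---
! An Internet client to the published port, then an inside host to the DMZ
! server; both traces should finish with "Action: allow", and the NAT phase of
! the second one should show the identity static rather than a drop.
packet-tracer input OUTSIDE tcp 4.2.2.2 12345 192.168.220.200 443
packet-tracer input INSIDE tcp 10.100.10.50 40000 172.30.70.9 443
show xlate
```

The identity static is one of two ways to say "no NAT between INSIDE and DMZ1"; `nat (INSIDE) 0 access-list <acl>` with an ACL matching inside-to-DMZ1 traffic does the same job and is the form to prefer once several inside VLANs need the exemption.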

Hi Marius,

Thanks for your help.

I changed the NAT according to your example and it works (I have attached my new configuration file).

But I have an issue to submit for your analysis:

When I use HTTPS from outside ("https://192.168.220.200") I get the ASDM index.html page ("https://192.168.220.200/admin/public/index.html"). If I want to get, for example, the admin console of my web server (10.100.70.9) in DMZ1, I need to use "https://192.168.220.200/console/" and it works. But in normal use the outside client uses only "https://mywebserver" to get the public secure access banner. Is it possible to get the ASDM only using the management interface and one inside administrator VLAN, and to redirect all the HTTPS traffic from the outside to the web server in DMZ1?

Why an administrator VLAN: in the future I would like, if possible, to use a VPN client from outside to manage the firewall using remote access. But if it is too complex, my first goal is to get all HTTPS traffic to my web server.

Thanks for your help

Hi Marius,

I hope I have found the solution for the ASDM access.

I had a look at the command "http server" and I saw that it is possible to change the port allocated to the ASDM (443 is the default). So I changed it using the command:

"http server enable 10500"

I also added access to ASDM from outside:

"http 192.168.220.0 255.255.255.0 OUTSIDE"

And now when I use "https://192.168.220.200" I get the DMZ1 web server HTTPS login page.

When I was on an outside computer I used the ASDM launcher, adding the port to the address:

"Decive IP Address/ Name : 192.168.220.200:10500"

It seems to work according to my expectations.

What do you think about it?

Regards

Claude

This is a common practice when you have a server on the inside which has port TCP/443 NATed to it using the outside interface IP. When this is the case you need to do as you say: assign a different port to access the ASDM via the outside interface. If you do not, then traffic to the ASDM will not work on port 443.

--

Please remember to select a correct answer and rate helpful posts

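As an added example, not part of either participant's post, the management-plane side of the same change: the default ASDM settings that collide with a static PAT of TCP/443 (shown commented out), beside the corrected form that moves ASDM to another port and limits where it answers, which is what the poster asked for (ASDM only from a management/administrator VLAN). The port 10500 and the outside /24 are the poster's; the ADMIN interface name, the 10.100.99.0/24 admin VLAN and the 192.168.220.10 management host are assumptions.

```cisco
! --- Weak setting: ASDM on its default port, offered on the Internet-facing side ---
! ASDM listens on TCP/443 of every interface named in an "http" line. On OUTSIDE
! that port is already claimed by the static PAT to the DMZ server, so the
! static wins and ASDM is simply unreachable there; opening "http" to the whole
! outside /24 also offers the management UI to every host on that segment.
!   http server enable
!   http 192.168.220.0 255.255.255.0 OUTSIDE
!
! --- Corrected: ASDM off 443, reachable only from the administrator VLAN ---
http server enable 10500
!
! Only the admin VLAN may open the ASDM port (interface name and subnet assumed).
http 10.100.99.0 255.255.255.0 ADMIN
!
! Interface ACLs (access-group) govern traffic through the PIX, not traffic to
! the PIX itself; the "http" lines above are what decide who can reach ASDM.
! With no "http ... OUTSIDE" line, ASDM is not offered on the public address at
! all, which is the state to keep until remote management goes over the VPN.
! If outside access must stay for now, narrow it to one management host
! (address assumed) rather than the whole subnet:
!   http 192.168.220.10 255.255.255.255 OUTSIDE
!
! --- Verification ---
! "show run http" lists the port and the permitted sources; the trace confirms
! that TCP/443 on the public address is now owned by the static PAT.
show run http
packet-tracer input OUTSIDE tcp 4.2.2.2 12345 192.168.220.200 443
```

The ASDM launcher then connects to `<management-interface-address>:10500` from the admin VLAN, exactly as the poster did from outside with `192.168.220.200:10500`.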

Hi Marius,

I want to thank you for your precious help.

Regards
