03-25-2003 03:25 PM - edited 03-09-2019 02:39 AM
I am using a PIX 506 6.1(1) with one DMZ IF. This is our first DMZ and I need some help with accessing the web server within the DMZ. We are using a 172.16.0.0 subnet for the DMZ and a 192.168.40.0 subnet internally. The public subnet address is 12.19.xxx.xx. I have added the following commands for the web server on the PIX:
static (dmz,outside) 12.19.xxx.xx 172.16.0.21 netmask 255.255.255.255 0 0
global (dmz) 1 172.16.0.100-172.16.0.110
nat (dmz) 1 172.16.0.0 255.255.255.0
I need to access the webserver in the DMZ from the 192.168.40.0 subnet.
What am I missing? Thanks
03-26-2003 05:44 AM
Hi,
I suspect that you don't have a 506, as that device only has 2 Ethernet interfaces!
But, I think you will need to add a nat (inside) 1 0.0.0.0 0.0.0.0 statement in order to catch the outgoing traffic from the inside.
Regards
John
03-26-2003 05:52 AM
My mistake, it is a 520 not a 506.
03-26-2003 05:57 AM
Thanks for your reply. I already have the statement
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
03-26-2003 06:22 AM
That should be fine then.
All you need to get from the inside network to the DMZ should be a global on the DMZ and a NAT on the inside.
If you post most of your config I'll take a look for you.
John
03-26-2003 06:30 AM
Thanks John, here is the relevant part of my config:
ip address outside 12.19.xxx.xx 255.255.255.240
ip address inside 192.168.40.3 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 12.19.xxx.xx-12.19.xxx.xx netmask 255.255.255.240
global (outside) 1 12.19.xxx.xx netmask 255.255.255.240
global (dmz) 1 172.16.0.100-172.16.0.110
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (dmz) 1 172.16.0.0 255.255.255.0 0 0
static (inside,outside) 12.19.xxx.ww 192.168.13.59 netmask 255.255.255.255 0 0
static (inside,outside) 12.19.xxx.yy 192.168.40.31 netmask 255.255.255.255 0 0
static (dmz,outside) 12.19.xxx.zz 172.16.0.21 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 12.19.xxx.aa 1
route inside 192.168.0.0 255.255.0.0 192.168.40.1 1
timeout xlate 1:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 s0
timeout uauth 0:00:00 absolute uauth 0:40:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.40.19 secret timeout 15
aaa authentication exclude tcp/0 inside 192.168.40.19 255.255.255.255 0.0.0.0 0S
aaa authentication exclude tcp/0 inside 192.168.40.26 255.255.255.255 0.0.0.0 0S
aaa authentication exclude tcp/0 inside 192.168.40.29 255.255.255.255 0.0.0.0 0S
aaa authentication exclude tcp/0 inside 192.168.40.30 255.255.255.255 0.0.0.0 0S
aaa authentication exclude tcp/0 inside 192.168.40.31 255.255.255.255 0.0.0.0 0S
aaa authentication exclude tcp/0 inside 192.168.13.59 255.255.255.255 0.0.0.0 0S
aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 RADIUS
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
sysopt connection permit-ipsec
no sysopt route dnat
03-26-2003 07:58 AM
Obviously this is not the full config, but can you confirm that the access lists are OK and are not blocking what you are trying to do?
The NAT and Global statements look fine, the only thing I can see is that you have no netmask defined for your Global (DMZ) statement.
So, to confirm, from your 192.168.40.0 you are trying to access host 172.16.0.21, what sort of error do you see?
If you carry out a show xlate at this time what do you see?
One last thing: I assume that the host you are trying this from is not excluded by your AAA config?
Regards
John
03-26-2003 08:11 AM
John, here are the access lists. We also use this PIX for connections to PIXes at remote sites using IPsec.
access-list acl_in permit icmp any any
access-list acl_in permit ip any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 12.19.224.xx eq smtp
access-list acl_out permit tcp any host 12.19.224.yy eq smtp
access-list acl_out permit tcp any host 12.19.224.zz eq ftp-data
access-list acl_out permit tcp any host 12.19.224.xx eq www
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 200.171.173.178
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 64.219.15.121
access-list nonat permit ip 192.168.31.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list nonat permit ip 192.168.31.0 255.255.255.0 host 64.219.15.121
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 148.233.144.17
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 148.235.11.101
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.7.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 66.136.190.89
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 64.22.205.74
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list acl_dmz permit icmp any any
access-list 120 permit ip 192.168.40.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list 120 permit ip 192.168.40.0 255.255.255.0 host 148.233.144.17
access-list 115 permit ip 192.168.40.0 255.255.255.0 host 64.219.15.121
access-list 115 permit ip 192.168.31.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list 115 permit ip 192.168.31.0 255.255.255.0 host 64.219.15.121
access-list 115 permit ip 192.168.40.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list 125 permit ip 192.168.40.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list 125 permit ip 192.168.40.0 255.255.255.0 host 148.235.11.101
access-list 122 permit ip 192.168.40.0 255.255.255.0 10.0.7.0 255.255.255.0
access-list 122 permit ip 192.168.40.0 255.255.255.0 host 66.136.190.89
access-list 121 permit ip 192.168.40.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list 121 permit ip 192.168.40.0 255.255.255.0 host 64.22.205.74
access-list 105 permit ip 192.168.40.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 105 permit ip 192.168.40.0 255.255.255.0 host 200.171.173.178
access-list 110 permit ip 192.168.40.0 255.255.255.0 10.0.0.0 255.255.255.0
03-26-2003 08:45 AM
I suspect then that you will need to amend the acl_dmz ACL to allow the return traffic from your web server.
03-26-2003 11:27 AM
Is this access-list doing anything?
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 200.171.173.178
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 64.219.15.121
access-list nonat permit ip 192.168.31.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list nonat permit ip 192.168.31.0 255.255.255.0 host 64.219.15.121
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 148.233.144.17
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 148.235.11.101
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.7.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 66.136.190.89
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 host 64.22.205.74
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.0.0 255.255.255.0
I believe this is the problem.
You should use something like this;
access-list nonat permit ip 192.168.40.0 255.255.255.0 172.16.0.0 255.255.255.0
That should take care of your inside reaching your DMZ.
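The accepted answer works because the PIX evaluates translation rules in a fixed order for each new flow: the nat 0 access-list (NAT exemption) is checked first, then static entries, and only then the nat/global pools. Until the nonat line was added, inside-to-DMZ traffic fell through to the dynamic global (dmz) pool that John had already flagged as having no netmask; with the line added, the flow is exempted from translation and needs no pool at all. The following Python script is an added example (not code from this thread or from Cisco) that replays that lookup against a constructed excerpt of the posted configuration. The inside and DMZ addresses are the ones posted; the masked 12.19.xxx.* public addresses are replaced with 192.0.2.* (RFC 5737 documentation space), and the sample source and destination hosts (192.168.40.50, 10.0.1.9, 203.0.113.9, 172.16.0.50, 192.168.40.10) are made up for the demonstration.

```python
import ipaddress

# Added example, not Cisco code: replays the PIX 6.x NAT lookup order (nat 0
# access-list, then static, then nat/global). Constructed excerpt of the posted
# config; the masked 12.19.xxx.* addresses are replaced with 192.0.2.* (RFC 5737).
SAMPLE_CONFIG = """\
ip address outside 192.0.2.2 255.255.255.240
ip address inside 192.168.40.3 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
global (outside) 1 192.0.2.3-192.0.2.6 netmask 255.255.255.240
global (dmz) 1 172.16.0.100-172.16.0.110
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (dmz) 1 172.16.0.0 255.255.255.0 0 0
static (dmz,outside) 192.0.2.7 172.16.0.21 netmask 255.255.255.255 0 0
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 192.168.40.0 255.255.255.0 10.0.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route inside 192.168.0.0 255.255.0.0 192.168.40.1 1
"""
# The line the accepted answer adds.
FIX_LINE = "access-list nonat permit ip 192.168.40.0 255.255.255.0 172.16.0.0 255.255.255.0\n"

def _net(ip, mask):
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)

def _acl_addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return _net(t[i], t[i + 1]), i + 2

def parse_config(text):
    cfg = {"ifaces": {}, "globals": {}, "nat": {}, "nat0": {}, "statics": [], "acls": {}, "routes": []}
    for t in filter(None, (line.split() for line in text.splitlines())):
        if t[:2] == ["ip", "address"]:               # ip address <if> <ip> <mask>
            cfg["ifaces"][t[2]] = _net(t[3], t[4])
        elif t[0] == "global":                       # global (<if>) <id> <pool> [netmask <m>]
            mask = t[t.index("netmask") + 1] if "netmask" in t else None
            cfg["globals"].setdefault((t[1].strip("()"), int(t[2])), []).append((t[3], mask))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"][t[1].strip("()")] = t[4]     # NAT exemption ACL for this interface
        elif t[0] == "nat":                          # nat (<if>) <id> <ip> <mask> ...
            cfg["nat"].setdefault(t[1].strip("()"), []).append((int(t[2]), _net(t[3], t[4])))
        elif t[0] == "static":                       # static (<real_if>,<mapped_if>) <mapped> <real> netmask <m>
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["statics"].append((real_if, mapped_if, ipaddress.IPv4Address(t[2]), _net(t[3], t[5])))
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _acl_addr(t, 4)
            dst, _ = _acl_addr(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "route":                        # route <if> <net> <mask> <gw> <metric>
            cfg["routes"].append((t[1], _net(t[2], t[3])))
    return cfg

def egress_interface(cfg, dst):
    """Longest-prefix match over connected subnets and static routes."""
    best = None
    for name, net in list(cfg["ifaces"].items()) + cfg["routes"]:
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None

def resolve(cfg, src_if, src, dst):
    """Return (egress_if, kind, detail) for a flow from src (on src_if) to dst."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    out_if = egress_interface(cfg, dst)
    acl = cfg["nat0"].get(src_if)                    # 1. nat 0 access-list: identity, no pool needed
    if any(src in s and dst in d for s, d in cfg["acls"].get(acl, [])):
        return (out_if, "identity", f"nat 0 access-list {acl}")
    for real_if, mapped_if, mapped, real in cfg["statics"]:   # 2. static
        if real_if == src_if and mapped_if == out_if and src in real:
            return (out_if, "static", f"{src} -> {mapped}")
    for nat_id, net in cfg["nat"].get(src_if, []):   # 3. nat/global: needs a pool on the egress interface
        if src in net:
            pools = cfg["globals"].get((out_if, nat_id))
            if not pools:                            # the PIX drops this: no translation group
                return (out_if, "no-global", f"nat id {nat_id} has no global on {out_if}")
            pool, mask = pools[0]
            return (out_if, "dynamic", f"global ({out_if}) {nat_id} {pool}" + ("" if mask else " (no netmask)"))
    return (out_if, "no-nat", f"no nat on {src_if} covers {src}")

def diagnose_thread():
    """The flows discussed in the thread, before and after the accepted fix."""
    before = parse_config(SAMPLE_CONFIG)
    after = parse_config(SAMPLE_CONFIG + FIX_LINE)
    return {
        "before": resolve(before, "inside", "192.168.40.50", "172.16.0.21"),
        "after": resolve(after, "inside", "192.168.40.50", "172.16.0.21"),
        "vpn_peer": resolve(after, "inside", "192.168.40.50", "10.0.1.9"),
        "internet": resolve(after, "inside", "192.168.40.50", "203.0.113.9"),
        "dmz_out": resolve(after, "dmz", "172.16.0.21", "203.0.113.9"),
        "dmz_to_inside": resolve(after, "dmz", "172.16.0.50", "192.168.40.10"),
    }
```

Calling diagnose_thread() reports the inside-to-web-server flow as "dynamic" through the netmask-less global (dmz) pool before the fix and as "identity" via nat 0 access-list nonat after it; the VPN destinations already in nonat resolve the same way, ordinary Internet traffic still uses the global (outside) pool, the web server's outbound traffic hits its static, and a DMZ host trying to reach the inside network gets "no-global" because there is no pool or static for that direction, which is exactly the flow the PIX drops. Two caveats: the script only answers which translation rule fires and does not model the access-group ACLs, AAA or proxy-ARP behaviour, so the acl_dmz list (which permits only icmp any any) still decides what the DMZ can initiate; and every nonat entry means inside hosts cross to that destination with their real addresses, so the list should contain only the destinations that genuinely have to bypass translation.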
03-26-2003 12:09 PM
Thanks, that took care of it.