03-06-2004 10:00 AM - edited 03-09-2019 06:39 AM
Hello,
We have a Cisco PIX 515 and we are deploying a mail server on its DMZ. Our inside users can access the internet freely from the inside; they can also access and ping the server in the DMZ. Outside users can access the server on the DMZ. The problem is that we cannot ping the outside or access the internet from the DMZ (we can ping inside users from the DMZ). Below is the configuration:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside A.B.C.66 255.255.255.248
ip address inside 128.100.14.101 255.255.0.0
ip address dmz 192.168.0.1 255.255.255.0
global (outside) 1 A.B.C.67 netmask 255.255.255.248
nat (inside) 1 128.100.14.100 255.255.255.255 0 0
nat (DMZ) 1 192.168.0.2 255.255.255.255 0 0
static (dmz,outside) A.B.C.68 192.168.0.2 netmask 255.255.255.255 0 0
access-list fromOut permit tcp any host A.B.C.68 eq smtp
access-list fromOut permit tcp any host A.B.C.68 eq pop3
access-list fromOut permit tcp any host A.B.C.68 eq http
access-group fromOut IN interface outside
static (inside,dmz) 128.100.0.0 128.100.0.0 netmask 255.255.0.0
access-list fromDMZ permit icmp 192.168.0.0 255.255.255.0 any
access-list fromDMZ permit tcp host 192.168.0.2 128.100.0.0 255.255.0.0
access-group fromDMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 A.B.C.65 1
I also tried to nat the server on the DMZ with a separate global like this:
global (outside) 2 A.B.C.69 netmask 255.255.255.248
nat (DMZ) 1 192.168.0.2 255.255.255.255 0 0
but also I couldn't ping the outside.
I added the "access-list fromDMZ permit icmp 192.168.0.0 255.255.255.0 any" because I know that an implicit "deny any any" is applied to the DMZ interface after my ACLs. Please advise me.
Thanks in advance.
03-06-2004 11:13 AM
Your DMZ access list:
access-list fromDMZ permit icmp 192.168.0.0 255.255.255.0 any
access-list fromDMZ permit tcp host 192.168.0.2 128.100.0.0 255.255.0.0
access-group fromDMZ in interface DMZ
allows your DMZ_server to "ping" any host and to access TCP services in the internal LAN. It does not allow the DMZ_server to access the outside world!!!
try: access-list fromDMZ permit ip host 192.168.0.2 any
03-07-2004 02:04 PM
Hi..
Thanks for the quick answer..
I tried using :
access-list fromDMZ permit ip 192.168.0.0 255.255.255.0 any
and it didn't work! I guess it is pretty much the same; if not, please let me know. But doesn't this line affect the ping process:
access-list fromDMZ permit icmp 192.168.0.0 255.255.255.0 any
When I remove it, I can still ping inside from the DMZ, and you are right: when I remove
access-list fromDMZ permit tcp host 192.168.0.2 128.100.0.0 255.255.0.0
and return the other fromDMZ ACL, I can also still ping the DMZ from inside. Am I using my nat (DMZ) correctly?
03-07-2004 06:02 PM
hi abuagel,
"I also tried to nat the server on the DMZ with a separate global like this :
global (outside) 2 A.B.C.69 netmask 255.255.255.248
nat (DMZ) 1 192.168.0.2 255.255.255.255 0 0
but also I couldn't ping the outside. "
- If you use nat (DMZ) 1, you should use global (outside) 1, not 2. If not, you can use nat (DMZ) 2 and global (outside) 2. Make sure it doesn't overlap with nat (inside) 1.
- You can use the command "show xlate" to see whether the translation is correct or not.
- Whenever changes are made to the translation table, you should also clear the translation to reset the table. Command: clear xlate.
- If your static translation is already correct, check your inbound and outbound access-lists. Make sure you allow icmp both from the dmz server and also to the dmz server.
If you want to troubleshoot address translation only, you can also disable the access-list and use the conduit command instead. Remember that access-list has higher precedence than conduit. So you must make sure that the access-list is disabled first before using the conduit. (You can remove the access-group temporarily.)
If your pinging works successfully, that means your translation is already correct and you can proceed looking at the access-list.
03-17-2004 02:45 AM
Hello all,
I am very grateful for all your help. The problem was solved by adding an access-list on the outside interface that permits all icmp traffic back into the DMZ. I forgot that. For the ping to work you have to open all of these:
access-list FromOut permit icmp any host A.B.C.68 echo-reply
access-list FromOut permit icmp any host A.B.C.68 source-quench
access-list FromOut permit icmp any host A.B.C.68 unreachable
access-list FromOut permit icmp any host A.B.C.68 time-exceeded
access-group FromOut in interface outside
This is it. Problem solved. Thank you everyone.
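Added example (not from the thread or from Cisco): a small Python model of PIX 6.x access-list evaluation (first match wins, implicit deny at the end) that runs an inbound echo-reply against the original fromOut list and against the fixed one, and also checks that the four permitted reply types do not admit an inbound echo request. The addresses are constructed stand-ins for the thread's A.B.C.68 and for an arbitrary Internet host.

```python
# Added example, not from the thread: a small model of PIX 6.x access-list
# evaluation (first match wins, implicit deny at the end) to show why outbound
# ping from the DMZ needs the ICMP reply types permitted on the outside interface.
# Addresses are constructed stand-ins for the thread's A.B.C.68 and "any" host.
import ipaddress

def _addr(tok, i):
    """Read 'any', 'host X' or 'X MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]'."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    qual = None                      # TCP port name or ICMP type name, if any
    if i < len(tok):
        qual = tok[i + 1] if tok[i] == "eq" else tok[i]
    return action, proto, src, dst, qual

def evaluate(acl_lines, proto, src, dst, qual=None):
    """Return True if the packet is permitted; no matching ACE means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, q in map(parse_ace, acl_lines):
        if p not in (proto, "ip") or s not in sn or d not in dn:
            continue
        if q is not None and q != qual:   # 'eq smtp' only matches smtp, etc.
            continue
        return action == "permit"
    return False                          # implicit deny

SERVER = "203.0.113.68"   # constructed stand-in for the thread's A.B.C.68
ORIGINAL = [f"access-list fromOut permit tcp any host {SERVER} eq {p}"
            for p in ("smtp", "pop3", "http")]
FIXED = ORIGINAL + [f"access-list fromOut permit icmp any host {SERVER} {t}"
                    for t in ("echo-reply", "source-quench", "unreachable", "time-exceeded")]

def icmp_allowed(acl, icmp_type, src="198.51.100.1"):
    """Does an ICMP packet of this type from an Internet host reach the server's public IP?"""
    return evaluate(acl, "icmp", src, SERVER, icmp_type)

if __name__ == "__main__":
    print("original, echo-reply:", icmp_allowed(ORIGINAL, "echo-reply"))  # False: ping fails
    print("fixed, echo-reply:   ", icmp_allowed(FIXED, "echo-reply"))     # True: ping works
    print("fixed, echo request: ", icmp_allowed(FIXED, "echo"))           # False: still blocked
```

The same evaluate() can be pointed at the fromDMZ list from the first post to confirm which outbound traffic it permits.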
03-19-2004 04:16 PM
Beware. If you open ICMP from the outside, you are opening a door to permit ping sweeps from hackers. In fact, opening any ICMP from the outside will allow ping sweeps or any other attack.