DMZ can't access outside

abuaqel, Level 1

Hello,

We have a Cisco PIX 515 and we are deploying a mail server on its DMZ. Our inside users can access the internet freely from the inside; they can also access and ping the server in the DMZ. Outside users can access the server on the DMZ. The problem is that we cannot ping the outside or access the internet from the DMZ (we can ping inside users from the DMZ). Below is the configuration:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

ip address outside A.B.C.66 255.255.255.248

ip address inside 128.100.14.101 255.255.0.0

ip address dmz 192.168.0.1 255.255.255.0

global (outside) 1 A.B.C.67 netmask 255.255.255.248

nat (inside) 1 128.100.14.100 255.255.255.255 0 0

nat (DMZ) 1 192.168.0.2 255.255.255.255 0 0

static (dmz,outside) A.B.C.68 192.168.0.2 netmask 255.255.255.255 0 0

access-list fromOut permit tcp any host A.B.C.68 eq smtp

access-list fromOut permit tcp any host A.B.C.68 eq pop3

access-list fromOut permit tcp any host A.B.C.68 eq http

access-group fromOut IN interface outside

static (inside,dmz) 128.100.0.0 128.100.0.0 netmask 255.255.0.0

access-list fromDMZ permit icmp 192.168.0.0 255.255.255.0 any

access-list fromDMZ permit tcp host 192.168.0.2 128.100.0.0 255.255.0.0

access-group fromDMZ in interface DMZ

route outside 0.0.0.0 0.0.0.0 A.B.C.65 1

I also tried to nat the server on the DMZ with a separate global like this:

global (outside) 2 A.B.C.69 netmask 255.255.255.248

nat (DMZ) 1 192.168.0.2 255.255.255.255 0 0

but again I couldn't ping the outside.

I added the "access-list fromDMZ permit icmp 192.168.0.0 255.255.255.0 any" because I know that an implicit "deny any any" is applied to the DMZ interface after my ACLs. Please advise me.

Thanks in advance.

5 Replies

pavlosd, Level 2

Your DMZ access list:

access-list fromDMZ permit icmp 192.168.0.0 255.255.255.0 any

access-list fromDMZ permit tcp host 192.168.0.2 128.100.0.0 255.255.0.0

access-group fromDMZ in interface DMZ

allows your DMZ_server to "ping" any host and to access TCP services in the internal LAN. It does not allow the DMZ_server to access the outside world!!!

Try: access-list fromDMZ permit ip host 192.168.0.2 any

Hi..

Thanks for the quick answer..

I tried using :

access-list fromDMZ permit ip 192.168.0.0 255.255.255.0 any

and it didn't work! I guess it is pretty much the same; if not, please let me know. But doesn't this line affect the ping process:

access-list fromDMZ permit icmp 192.168.0.0 255.255.255.0 any

When I remove it I can still ping inside from the DMZ, and you are right: when I remove

access-list fromDMZ permit tcp host 192.168.0.2 128.100.0.0 255.255.0.0

and restore the other fromDMZ ACL I can also still ping the DMZ from inside. Am I using my nat (DMZ) correctly?

Hi abuaqel,

"I also tried to nat the server on the DMZ with a separate global like this :

global (outside) 2 A.B.C.69 netmask 255.255.255.248

nat (DMZ) 1 192.168.0.2 255.255.255.255 0 0

but also I couldn't ping the outside. "

- If you use nat (DMZ) 1, you should use global (outside) 1, not 2. Otherwise, you can use nat (DMZ) 2 and global (outside) 2. Make sure it doesn't overlap with nat (inside) 1.

- You can use the command "show xlate" to see whether the translation is correct or not.

- Whenever changes are made to the translation table, you should also clear the translation to reset the table. Command: clear xlate.

- If your static translation is already correct, check your inbound and outbound access-lists. Make sure you allow icmp both from the dmz server and also to the dmz server.

If you want to troubleshoot address translation only, you can also disable the access-list and use the conduit command instead. Remember that access-list has higher precedence than conduit, so you must make sure that the access-list is disabled first before using the conduit (you can remove the access-group temporarily).

If your ping works successfully, that means your translation is already correct and you can proceed to look at the access-list.

Hello all,

I am very grateful for all your help. The problem was solved by adding an access-list on the outside interface that permits all icmp traffic back in to the DMZ. I forgot that. For the ping to work you have to open all of these:

access-list FromOut permit icmp any host A.B.C.68 echo-reply

access-list FromOut permit icmp any host A.B.C.68 source-quench

access-list FromOut permit icmp any host A.B.C.68 unreachable

access-list FromOut permit icmp any host A.B.C.68 time-exceeded

access-group FromOut in interface outside

This is it. Problem solved. Thank you everyone.

Beware. If you open ICMP from the outside you are opening a door to permit ping sweeps from hackers. In fact, opening any ICMP from the outside will allow ping sweeps or any other attack.
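The three points the thread turns on (pavlosd's observation that the original fromDMZ list permits TCP only toward the inside, the original poster's finding that the echo-reply needs its own permit on the outside interface, and the last reply's concern about what an inbound ICMP permit exposes) can all be checked with a small first-match evaluator. The script below is an added example, not code from the thread or from Cisco; it models PIX ACL semantics as the thread describes them (first match wins, implicit deny at the end, no stateful ICMP inspection, so a returning echo-reply is evaluated as a fresh inbound packet on the outside interface against the translated address). The 203.0.113.x and 198.51.100.x addresses are constructed stand-ins for the thread's A.B.C.x block and for an outside host.

```python
"""Toy first-match evaluator for PIX-style access-lists (added example).

Assumptions: one ACL per interface, first match wins, an implicit
"deny ip any any" at the end, and no stateful ICMP inspection, which is the
behaviour the thread's working fix implies. 203.0.113.68 is a constructed
stand-in for the static A.B.C.68 address; 198.51.100.10 is a constructed
outside host.
"""
import ipaddress


def parse_addr(tokens):
    """Consume one PIX address spec: 'any', 'host X', or 'NETWORK MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]'."""
    entries = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, rest = parse_addr(t[4:])
        dst, rest = parse_addr(rest)
        port = icmp_type = None
        if proto == "icmp" and rest:
            icmp_type = rest[0]          # e.g. echo-reply; absent means any type
        elif rest and rest[0] == "eq":
            port = rest[1]               # e.g. smtp; absent means any port
        entries.append(dict(name=name, action=action, proto=proto,
                            src=src, dst=dst, port=port, icmp_type=icmp_type))
    return entries


def permitted(entries, proto, src, dst, port=None, icmp_type=None):
    """First matching entry decides; no match at all is the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if src not in e["src"] or dst not in e["dst"]:
            continue
        if e["port"] is not None and e["port"] != port:
            continue
        if e["icmp_type"] is not None and e["icmp_type"] != icmp_type:
            continue
        return e["action"] == "permit"
    return False


# The thread's lists, with constructed addresses in place of A.B.C.68.
ORIGINAL_FROM_DMZ = parse_acl([
    "access-list fromDMZ permit icmp 192.168.0.0 255.255.255.0 any",
    "access-list fromDMZ permit tcp host 192.168.0.2 128.100.0.0 255.255.0.0",
])
WIDENED_FROM_DMZ = parse_acl([          # what the poster tried next
    "access-list fromDMZ permit ip 192.168.0.0 255.255.255.0 any",
])
ORIGINAL_FROM_OUT = parse_acl([
    "access-list fromOut permit tcp any host 203.0.113.68 eq smtp",
    "access-list fromOut permit tcp any host 203.0.113.68 eq pop3",
    "access-list fromOut permit tcp any host 203.0.113.68 eq http",
])
FIXED_FROM_OUT = ORIGINAL_FROM_OUT + parse_acl([   # the entries that solved it
    "access-list FromOut permit icmp any host 203.0.113.68 echo-reply",
    "access-list FromOut permit icmp any host 203.0.113.68 source-quench",
    "access-list FromOut permit icmp any host 203.0.113.68 unreachable",
    "access-list FromOut permit icmp any host 203.0.113.68 time-exceeded",
])

DMZ_SERVER, DMZ_SERVER_STATIC = "192.168.0.2", "203.0.113.68"
INSIDE_HOST, OUTSIDE_HOST = "128.100.14.100", "198.51.100.10"


def ping_round_trip(from_dmz, from_out):
    """(echo-request leaves via dmz ACL, echo-reply re-enters via outside ACL).

    Without ICMP inspection the reply is a new inbound packet, addressed to
    the static (translated) address, so the outside ACL must permit it.
    """
    out_ok = permitted(from_dmz, "icmp", DMZ_SERVER, OUTSIDE_HOST, icmp_type="echo")
    back_ok = permitted(from_out, "icmp", OUTSIDE_HOST, DMZ_SERVER_STATIC,
                        icmp_type="echo-reply")
    return out_ok, back_ok


if __name__ == "__main__":
    print("DMZ -> outside http, original fromDMZ:",
          permitted(ORIGINAL_FROM_DMZ, "tcp", DMZ_SERVER, OUTSIDE_HOST, port="http"))
    print("ping, original lists:", ping_round_trip(ORIGINAL_FROM_DMZ, ORIGINAL_FROM_OUT))
    print("ping, widened fromDMZ only:", ping_round_trip(WIDENED_FROM_DMZ, ORIGINAL_FROM_OUT))
    print("ping, fixed fromOut:", ping_round_trip(ORIGINAL_FROM_DMZ, FIXED_FROM_OUT))
    print("inbound echo-request, fixed fromOut:",
          permitted(FIXED_FROM_OUT, "icmp", OUTSIDE_HOST, DMZ_SERVER_STATIC, icmp_type="echo"))
```

Run as-is it reproduces the thread: outbound TCP from the DMZ to the outside is dropped by the implicit deny while TCP to 128.100.0.0/16 passes; widening fromDMZ to "permit ip" still leaves the ping broken, because the reply is refused on the outside interface; the four type-specific entries fix the round trip. The last check shows why those entries are narrower than a blanket "permit icmp any": an inbound echo-request does not match echo-reply, unreachable, time-exceeded or source-quench, so listing types rather than the whole protocol is the mitigation for the sweep concern raised in the final reply.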