DMZ cannot access internet

jangeja
Level 1

I am a little confused as to why my DMZ cannot access the internet. I know what is causing the problem (access-list) but do not know why. When I remove the dmz access-list from the dmz interface everything works, but when I apply the access-list the dmz cannot get out to the internet. I have attached the config below.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security40
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
names
access-list demosite permit icmp any any
access-list demosite permit tcp any host 63.123.X.X eq https
access-list demosite permit tcp any host 63.123.X.X eq www
access-list demosite permit tcp any host 63.123.X.X eq 563
access-list demosite permit tcp any host 63.123.X.X eq https
access-list demosite permit tcp any host 63.123.X.X eq www
access-list demosite permit tcp any host 63.123.X.X eq 563
access-list dmz permit icmp any any
ip address outside 63.123.X.X 255.255.X.X
ip address inside 10.100.0.246 255.255.255.0
ip address dmz1 172.30.254.254 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
global (outside) 1 63.123.X.X netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
static (dmz1,outside) tcp 63.123.X.X www 172.30.254.21 www netmask 255.255.255.255 0 0
static (dmz1,outside) tcp 63.123.X.X https 172.30.254.20 https netmask 255.255.255.255 0 0
static (dmz1,outside) tcp 63.123.X.X https 172.30.254.30 https netmask 255.255.255.255 0 0
static (dmz1,outside) tcp 63.123.X.X www 172.30.254.31 www netmask 255.255.255.255 0 0
static (inside,dmz1) 10.100.0.0 10.100.0.0 netmask 255.255.255.0 0 0
access-group demosite in interface outside
access-group dmz in interface dmz1
route outside 0.0.0.0 0.0.0.0 63.123.X.X
route inside 10.3.0.0 255.255.255.0 10.100.0.252 1
route inside 10.8.1.0 255.255.255.0 10.100.0.254 1

Thanks in advance

Joe

2 Replies

mostiguy
Level 6

You are only allowing icmp into the DMZ interface with the "dmz" ACL. You need to allow dmz hosts to talk to tcp port 80 for everyone to allow http traffic, for example. You probably want to allow dns requests outbound too.

jkanclirz
Level 1

Joe,

You are correct, it is your acl. It's important to know that the dmz acl is applied for DMZ-->out traffic. In this case you are only allowing ICMP and blocking everything else to go OUT of your DMZ (unless it's returning ACK traffic like your webserver to end-user).

When you remove your dmz acl, the default behavior of PIX will allow everything OUT from a higher security interface to a lower security interface. In your case dmz1=40 outside=0. Returning ACKs to dmz will be allowed back via outside ACL, unlike IOS ACL where 'establish' would be required or other techniques.

Solution: Add your dmz access-list with servers on dmz wanting to initiate traffic to outside.
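As an added example (not from this thread or from Cisco), here is a small Python model of the first-match, implicit-deny evaluation the replies describe, run against the poster's original "dmz" ACL and a corrected one that also lets the DMZ web server start outbound HTTP and DNS sessions. The server address 172.30.254.21 comes from the posted statics; the corrected rules and the destination addresses are constructed for the demo.

```python
# Added example: model of PIX 6.x interface-ACL evaluation (first match wins, then the
# implicit deny). Handles "any" and "host A.B.C.D" endpoints and an optional "eq PORT".
NAMED_PORTS = {"www": 80, "https": 443, "domain": 53}

# The poster's ACL: only ICMP is permitted, so every TCP/UDP flow the DMZ initiates is denied.
ORIGINAL_DMZ_ACL = """
access-list dmz permit icmp any any
"""

# Constructed correction per the replies: let the DMZ web server start HTTP and DNS outbound.
FIXED_DMZ_ACL = """
access-list dmz permit icmp any any
access-list dmz permit tcp host 172.30.254.21 any eq www
access-list dmz permit udp host 172.30.254.21 any eq domain
"""


def _endpoint(tok, i):
    """Return (endpoint, next_index) for 'any' or 'host A.B.C.D'."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError("unsupported endpoint: %s" % tok[i])


def parse_acl(text, name):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[:2] != ["access-list", name]:
            continue
        action, proto = tok[2], tok[3]
        src, i = _endpoint(tok, 4)
        dst, i = _endpoint(tok, i)
        dport = None
        if i + 1 < len(tok) and tok[i] == "eq":
            dport = NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1])
        rules.append((action, proto, src, dst, dport))
    return rules


def permitted(rules, proto, src, dst, dport=None):
    """First matching rule decides; no match means the implicit deny at the end applies."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto) or r_src not in ("any", src) or r_dst not in ("any", dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action == "permit"
    return False
```

Run `permitted(parse_acl(ORIGINAL_DMZ_ACL, "dmz"), "tcp", "172.30.254.21", "198.51.100.10", 80)` to see the original list deny the web server's outbound HTTP while the same flow passes under FIXED_DMZ_ACL.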