08-07-2002 07:06 AM - edited 03-08-2019 11:51 PM
Hello....
I have a Pix 515 with a DMZ zone that contains our web server. The problem is that only sporadic sites can access the server via ping and tracert. About 75% of sites get to the web server. Also, on the web server I've tested accessing external sites and I can't get to most of them, but a couple of them I can. Very strange! Here are some config details (IP addresses are not real):
fixup protocol http 80
name 60.157.121.6 BEANS-IIS1
name 1.2.13.10 BEANS-IIS-INT
access-list INCOMING permit icmp any any echo-reply
access-list INCOMING permit tcp any host BP-EX1 eq smtp
access-list INCOMING permit esp any host vpn3005
access-list INCOMING permit udp any host vpn3005 eq isakmp
access-list INCOMING permit udp any host vpn3005 eq 10000
access-list INCOMING permit tcp any host BEANS-IIS1 eq www
access-list INCOMING permit icmp any any unreachable
access-list INCOMING permit icmp any any
access-list INCOMING deny tcp any any
access-list INCOMING deny ip any any
access-list INCOMINGWEBDMZ permit tcp any host BEANS-IIS1 eq www
access-list INCOMINGWEBDMZ permit icmp any any echo-reply
access-list INCOMINGWEBDMZ permit icmp any any unreachable
access-list INCOMINGWEBDMZ permit ip host BEANS-IIS1 host BP-BLM-DC1
access-list INCOMINGWEBDMZ permit ip host BEANS-IIS1 host BP-BLM-DC2
access-list INCOMINGWEBDMZ permit ip any any
access-list INCOMINGWEBDMZ deny tcp any any
ip address outside 60.157.121.3 255.255.255.248
ip address inside 1.2.3.3 255.255.255.0
ip address webdmz2 1.2.13.3 255.255.255.0
global (outside) 2 60.157.121.2
global (outside) 3 interface
global (webdmz2) 3 interface
static (inside,outside) BP-EX1 1.2.1.15 netmask 255.255.255.255 0 0
static (webdmz2,outside) BEANS-IIS1 BEANS-IIS-INT netmask 255.255.255.255 0 0
static (webdmz2,outside) BEANS-IIS-INT BEANS-IIS1 netmask 255.255.255.255 0 0
access-group INCOMING in interface outside
access-group INCOMINGWEBDMZ in interface webdmz2
route outside 0.0.0.0 0.0.0.0 60.157.121.3 1
Any help would be greatly appreciated! I'm at a standstill and nothing is showing up in the logs that is leading me to any more conclusions.
Thanks,
-Tim
08-07-2002 07:39 AM
I take that back... The Internal Web Server on that DMZ cannot get out to the Internet. It was going to cached web pages.... At least that gives me something more to go on. But I'll still take any other suggestions.
Thanks,
-Tim