Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
225
Views
0
Helpful
1
Replies

DMZ Zone Web Problems

timpotter
Level 1
Level 1

‎08-07-2002 07:06 AM - edited ‎03-08-2019 11:51 PM

Hello....

I have a Pix 515 with a DMZ zone that contains our web server. The problem is that only sporadic sites can access the server via ping and tracert. About 75% of sites get to the web server. Also, on the web server I've tested accessing external sites and I can't get to most of them, but a couple of them I can. Very strange! Here are some config details (IP addresses are not real):

fixup protocol http 80

name 60.157.121.6 BEANS-IIS1

name 1.2.13.10 BEANS-IIS-INT

access-list INCOMING permit icmp any any echo-reply

access-list INCOMING permit tcp any host BP-EX1 eq smtp

access-list INCOMING permit esp any host vpn3005

access-list INCOMING permit udp any host vpn3005 eq isakmp

access-list INCOMING permit udp any host vpn3005 eq 10000

access-list INCOMING permit tcp any host BEANS-IIS1 eq www

access-list INCOMING permit icmp any any unreachable

access-list INCOMING permit icmp any any

access-list INCOMING deny tcp any any

access-list INCOMING deny ip any any

access-list INCOMINGWEBDMZ permit tcp any host BEANS-IIS1 eq www

access-list INCOMINGWEBDMZ permit icmp any any echo-reply

access-list INCOMINGWEBDMZ permit icmp any any unreachable

access-list INCOMINGWEBDMZ permit ip host BEANS-IIS1 host BP-BLM-DC1

access-list INCOMINGWEBDMZ permit ip host BEANS-IIS1 host BP-BLM-DC2

access-list INCOMINGWEBDMZ permit ip any any

access-list INCOMINGWEBDMZ deny tcp any any

ip address outside 60.157.121.3 255.255.255.248

ip address inside 1.2.3.3 255.255.255.0

ip address webdmz2 1.2.13.3 255.255.255.0

global (outside) 2 60.157.121.2

global (outside) 3 interface

global (webdmz2) 3 interface

static (inside,outside) BP-EX1 1.2.1.15 netmask 255.255.255.255 0 0

static (webdmz2,outside) BEANS-IIS1 BEANS-IIS-INT netmask 255.255.255.255 0 0

static (webdmz2,outside) BEANS-IIS-INT BEANS-IIS1 netmask 255.255.255.255 0 0

access-group INCOMING in interface outside

access-group INCOMINGWEBDMZ in interface webdmz2

route outside 0.0.0.0 0.0.0.0 60.157.121.3 1

Any Help would be greatly appreciated! I'm at a standstill and nothing is showing up in the logs that is leading me to any more conclusions.

Thanks,

-Tim

Labels:
0 Helpful
1 Reply 1

timpotter
Level 1
Level 1

‎08-07-2002 07:39 AM

I take that back... The Internal Web Server on that DMZ can not get out to the Internet. It was going to cahced web pages.... At least that gives me something more to go on. But I'll still take any other suggestions.

Thanks,

-Tim

0 Helpful
Customers Also Viewed These Support Documents