06-17-2003 10:04 AM - edited 03-09-2019 03:42 AM
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
Users on the inside can go out on the internet and access servers on the dmz. Users on the dmz cannot go out on the internet. Outside users cannot access servers on the dmz.
Here is my configuration on the PIX515E. Can anyone see what's missing?
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
hostname tulepix
domain-name mycompany.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.7 nasdo
name 192.168.1.8 nasmedia
name 192.168.1.3 www
access-list acl_out permit tcp any host nnn.nnn.51.37 eq www
access-list acl_out permit tcp any host nnn.nnn.51.41 eq ftp
access-list acl_out permit tcp any host nnn.nnn.51.42 eq ftp
access-list acl_out permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside nnn.nnn.51.44 255.255.255.224
ip address inside 172.16.0.1 255.255.0.0
ip address dmz 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.0.10 255.255.255.255 inside
pdm location 172.16.0.10 255.255.255.255 dmz
pdm location www 255.255.255.255 dmz
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) nnn.nnn.51.41 nasdo 255.255.255.255
alias (inside) nnn.nnn.51.42 nasmedia 255.255.255.255
alias (inside) nnn.nnn.51.37 www 255.255.255.255
static (dmz,outside) nnn.nnn.51.37 www netmask 255.255.255.255 0 0
static (dmz,outside) nnn.nnn.51.41 nasdo netmask 255.255.255.255 0 0
static (dmz,outside) nnn.nnn.51.42 nasmedia netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 nnn.nnn.51.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.16.0.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 172.16.0.10 255.255.255.255 inside
telnet 172.16.0.10 255.255.255.255 dmz
telnet timeout 15
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxx
: end
[OK]
06-17-2003 10:54 AM
Hi Mark -
Pls. read the following document and see if it helps your situation:
http://www.cisco.com/warp/public/707/28.html
Thanks --
06-17-2003 11:09 AM
Configuration seems to be OK, except for the "access-list acl_out permit ip any any" line, which opens your firewall entirely.
1. It is Cisco so try "clear xlate" and reload :-).
2. Turn on logging "logging on", "logging buffered debugging" and try to find something interesting in "show logging".
06-17-2003 01:49 PM
I turned on logging, then went to an outside host and tried accessing the web server on the dmz: no access. Then tried going on the internet from the web server on the dmz: no access. Went to a computer on the inside and accessed the web server on the dmz okay. Showed the log and there is no mention of that outside computer or the server, but the inside computer is shown as accessing the server.
I removed the access-list permit ip any any. I only had it in to see if I could get anything through.
06-17-2003 11:22 AM
It looks fine to me. Try removing the ALIAS commands. Also create an outbound access-list for the DMZ.
access-list acl_dmz permit tcp any any
access-group acl_dmz in interface dmz
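As an added example (not from this thread or from Cisco), a small Python audit that mechanizes the two points raised in the replies above: flag a "permit ip any any" entry in an access-list bound to an interface, and flag interfaces that have no access-group bound at all (on PIX, flows from such an interface to any lower-security interface are implicitly permitted). The config excerpt is constructed from the lines posted in the thread; the parser handles only the three command types it needs.

```python
# Constructed excerpt of the PIX 6.3 config posted above (not the full dump).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list acl_out permit tcp any host nnn.nnn.51.37 eq www
access-list acl_out permit tcp any host nnn.nnn.51.41 eq ftp
access-list acl_out permit ip any any
access-group acl_out in interface outside
"""


def parse_pix(text):
    """Return (interfaces, acls, bindings) from PIX-style config lines.

    interfaces: nameif -> security level (int)
    acls:       acl name -> list of entry token lists (after the acl name)
    bindings:   interface name -> acl bound inbound with access-group
    """
    interfaces, acls, bindings = {}, {}, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "nameif" and len(parts) >= 4:
            # nameif <hw-if> <name> security<level>
            interfaces[parts[2]] = int(parts[3].replace("security", ""))
        elif parts[0] == "access-list" and len(parts) >= 3:
            acls.setdefault(parts[1], []).append(parts[2:])
        elif parts[0] == "access-group" and len(parts) >= 5 and parts[2] == "in":
            # access-group <acl> in interface <ifname>
            bindings[parts[4]] = parts[1]
    return interfaces, acls, bindings


def audit(text):
    """Return a list of human-readable findings for the config text."""
    interfaces, acls, bindings = parse_pix(text)
    findings = []
    for ifname, acl in bindings.items():
        for entry in acls.get(acl, []):
            if entry[:4] == ["permit", "ip", "any", "any"]:
                findings.append(f"{acl} on {ifname}: 'permit ip any any' allows all traffic")
    for ifname, level in interfaces.items():
        if ifname not in bindings:
            findings.append(f"{ifname} (security{level}): no access-group bound, "
                            "flows to lower-security interfaces are implicitly permitted")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```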
06-17-2003 01:52 PM
If I remove the alias commands then I can't get to the dmz servers from the inside.
Added the access-list/group to the dmz interface: still no luck.
06-18-2003 01:34 PM
Thanks for all your help. After some more troubleshooting with the Fluke I've determined that the dmz ethernet card is not working properly. For now I've shifted my servers to the inside interface and everything is working fine.
Mark