Problems with inside accessing dmz hosts with public IP

lmbaity
Level 1

I have a PIX 515e with three interfaces, and I do realize that I have statements for icmp, but they are only for debugging.

All inside users are fine browsing the outside world.

I can ping the dmz webserver from inside to dmz and from outside to dmz.

I can browse the website in the dmz from outside.

The webserver in the dmz can ping and browse outside.

I cannot browse the website from inside or ping the public address.

It seems to be an interface traversal problem, I think, and here are some "show" commands:

1. show access-group

access-group 101 in interface outside

access-group 301 in interface inside

access-group 201 in interface dmz

2. show access-list

access-list 101 permit tcp any host 206.x.x.175 eq www (hitcnt=12)

access-list 201 permit icmp any any (hitcnt=232625)

access-list 201 permit icmp any 10.0.0.0 255.255.255.0 (hitcnt=0)

access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq www (hitcnt=0)

access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq domain (hitcnt=0)

access-list 201 permit udp 10.0.15.0 255.255.255.0 any eq domain (hitcnt=1)

access-list 201 permit tcp any host 10.0.15.175 eq www (hitcnt=0)

access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq www

3. show xlate

Global 206.x.x.175 Local 10.0.15.175

4. show global

global (outside) 1 206.x.x.132-206.x.x.135 netmask 255.255.x.x

global (outside) 1 206.x.x.131

global (dmz) 1 10.0.15.2-10.0.15.8

5. show nat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 10.0.15.0 255.255.255.0 0 0

6. show static

static (dmz,outside) 206.x.x.175 10.0.15.175 netmask 255.255.255.255 0 0

This is the abbreviated config:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password encrypted

passwd encrypted

hostname pix1

domain-name your.com

fixup protocol domain 53

fixup protocol ftp 21

no fixup protocol h323 h225 1720

no fixup protocol h323 ras 1718-1719

fixup protocol http 80

no fixup protocol ils 389

no fixup protocol rsh 514

fixup protocol rtsp 554

no fixup protocol sip 5060

names

access-list 101 permit icmp any any

access-list 101 permit tcp any host 206.x.x.175 eq www

access-list 201 permit icmp any any

access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq www

access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq domain

access-list 201 permit udp 10.0.15.0 255.255.255.0 any eq domain

access-list 201 permit tcp any host 10.0.15.175 eq www

access-list 201 permit icmp any 10.0.0.0 255.255.255.0

access-list 301 permit icmp any any

access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq www

access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq https

pager lines 24

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 206.x.x.130 255.255.x.x

ip address inside 10.0.0.6 255.255.255.0

ip address dmz 10.0.15.1 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip verify reverse-path interface dmz

arp timeout 14400

global (outside) 1 206.x.x.132-206.x.x.135 netmask 255.255.x.x

global (outside) 1 206.x.x.131

global (dmz) 1 10.0.15.2-10.0.15.8

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 10.0.15.0 255.255.255.0 0 0

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0

static (dmz,outside) 206.x.x.175 10.0.15.175 netmask 255.255.255.255 0 0

access-group 101 in interface outside

access-group 301 in interface inside

access-group 201 in interface dmz

rip outside default version 1

rip inside default version 2

route outside 0.0.0.0 0.0.0.0 206.x.x.129

route inside 10.0.1.0 255.255.255.0 10.0.0.224 2


pcomeaux
Cisco Employee

Hey lmbaity -

I am sorry - I thought I had replied to your last post. Thanks for the show commands - they are really helpful.

So here's the order I will check things and my thoughts:

1 - Interface config check

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

good

2 - Interface enabled check

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

good

3 - Interface ip config check

ip address outside 206.x.x.130 255.255.x.x

ip address inside 10.0.0.6 255.255.255.0

ip address dmz 10.0.15.1 255.255.255.0

good

4 - Translations for Inside to Outside

global (outside) 1 206.x.x.132-206.x.x.135 netmask 255.255.x.x

global (outside) 1 206.x.x.131

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

NAT with PAT - good

The first 4 connections to the outside will be translated to 132, 133, 134 and then 135. The 5th+ connections will be translated to 131.

5 - Translations from Inside to DMZ check

global (dmz) 1 10.0.15.2-10.0.15.8

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

and

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0

This may be the problem

You have both dynamic NAT and static NAT configured for translations of addresses for traffic from the inside to the dmz. You may want to use one or the other.

Even though I think this could be tweaked, I don't think it is the issue, so let's keep looking.

6 - Translations from the DMZ to the Outside check

global (outside) 1 206.x.x.132-206.x.x.135 netmask 255.255.x.x

global (outside) 1 206.x.x.131

nat (dmz) 1 10.0.15.0 255.255.255.0 0 0

good - same comments as in 4

7 - Translations for traffic from Outside to DMZ

static (dmz,outside) 206.x.x.175 10.0.15.175 netmask 255.255.255.255 0 0

good

8 - Access Lists applied to any interface check

access-group 101 in interface outside

access-group 301 in interface inside

access-group 201 in interface dmz

ok

9 - Let's check the ACLs for any issues

access-list 101 permit icmp any any

access-list 101 permit tcp any host 206.x.x.175 eq www

good - WWW traffic inbound

access-list 101 permit tcp any host 206.x.x.175 eq www (hitcnt=12)

getting hits on it, too

access-list 201 permit icmp any any

access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq www

access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq domain

access-list 201 permit udp 10.0.15.0 255.255.255.0 any eq domain

the above statements permit your DMZ servers to get to any website and resolve DNS

access-list 201 permit tcp any host 10.0.15.175 eq www

access-list 201 permit icmp any 10.0.0.0 255.255.255.0

I don't think these 2 statements are needed - but should not be impacting things right now

access-list 301 permit icmp any any

access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq www

access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq https

this looks good, if you are using internal DNS. Notice you have no hits probably because no DNS resolution can occur because the ACL blocks it. Tell us more about how you are doing DNS for internal hosts.

10 - Let's wrap this up by checking routing

route outside 0.0.0.0 0.0.0.0 206.x.x.129

route inside 10.0.1.0 255.255.255.0 10.0.0.224 2

looks good

Take a look at #9 and tell us more about your DNS.

thanks

peter
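An added check, not part of either post: this Python script parses a constructed copy of the static/global/nat lines quoted in the thread (same masked addresses) and reports which translation kinds exist across each interface pair, and whether a destination address has a static on the interface a packet arrives on. Run against the posted lines it shows that 206.x.x.175 is mapped only on the (dmz,outside) pair, so a packet arriving on inside for that address finds no translation there, and that inside-to-dmz carries both a static and a dynamic rule, as point 5 of the reply notes.

```python
import re
from collections import defaultdict

# Constructed from the translation lines quoted in the thread above, not the full config.
PIX_TRANSLATIONS = """\
global (outside) 1 206.x.x.132-206.x.x.135 netmask 255.255.x.x
global (outside) 1 206.x.x.131
global (dmz) 1 10.0.15.2-10.0.15.8
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 10.0.15.0 255.255.255.0 0 0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
static (dmz,outside) 206.x.x.175 10.0.15.175 netmask 255.255.255.255 0 0
"""
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) ")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ")

def parse_translations(text):
    """Split PIX 6.x static/global/nat lines into statics plus nat-id sets per interface."""
    statics, globals_, nats = [], defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        if m := STATIC_RE.match(line):           # static (real_if,mapped_if) mapped real
            real_if, mapped_if, mapped, real, _mask = m.groups()
            statics.append((real_if, mapped_if, mapped, real))
        elif m := GLOBAL_RE.match(line):         # global (mapped_if) nat-id ...
            globals_[m.group(1)].add(int(m.group(2)))
        elif m := NAT_RE.match(line):            # nat (real_if) nat-id ...
            nats[m.group(1)].add(int(m.group(2)))
    return statics, globals_, nats

def translation_kinds(statics, globals_, nats):
    """Which rule kinds (static, dynamic) translate across each (real_if, mapped_if) pair."""
    kinds = defaultdict(set)
    for real_if, mapped_if, _mapped, _real in statics:
        kinds[(real_if, mapped_if)].add("static")
    for real_if, ids in nats.items():            # a nat-id pairs with every global sharing it
        for mapped_if, gids in globals_.items():
            if real_if != mapped_if and ids & gids:
                kinds[(real_if, mapped_if)].add("dynamic")
    return dict(kinds)

def destination_static(statics, ingress_if, dst):
    """Static whose mapped side faces ingress_if and matches dst, i.e. what un-NATs the packet."""
    for real_if, mapped_if, mapped, real in statics:
        if mapped_if == ingress_if and mapped == dst:
            return (real_if, real)
    return None      # no translation of dst on that interface: the mapped address is unknown there
```

Calling destination_static(statics, "inside", "206.x.x.175") returns None while the same lookup from "outside" returns ("dmz", "10.0.15.175"), which is the gap between the working outside-to-dmz path and the failing inside path.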