06-14-2004 11:30 AM - edited 03-09-2019 07:44 AM
I have a pix 515e with three interfaces and I do realize that I have statements for icmp but it is only for debugging.
All inside users are fine browsing outside world.
I can ping dmz webserver from inside to dmz and from outside to dmz.
I can browse website in dmz from outside.
Webserver in dmz can ping and browse outside.
I cannot browse website from inside or ping the public address.
It seems to be an interface traversal problem, I think.
and here are some "show" commands
1. show access-group
access-group 101 in interface outside
access-group 301 in interface inside
access-group 201 in interface dmz
2. show access-list
access-list 101 permit tcp any host 206.x.x.175 eq www (hitcnt=12)
access-list 201 permit icmp any any (hitcnt=232625)
access-list 201 permit icmp any 10.0.0.0 255.255.255.0 (hitcnt=0)
access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq www (hitcnt=0)
access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq domain (hitcnt=0)
access-list 201 permit udp 10.0.15.0 255.255.255.0 any eq domain (hitcnt=1)
access-list 201 permit tcp any host 10.0.15.175 eq www (hitcnt=0)
access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq www
3. show xlate
Global 206.x.x.175 Local 10.0.15.175
4. show global
global (outside) 1 206.x.x.132-206.x.x.135 netmask 255.255.x.x
global (outside) 1 206.x.x.131
global (dmz) 1 10.0.15.2-10.0.15.8
5. show nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 10.0.15.0 255.255.255.0 0 0
6. show static
static (dmz,outside) 206.x.x.175 10.0.15.175 netmask 255.255.255.255 0 0
This is an abbreviated config:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password encrypted
passwd encrypted
hostname pix1
domain-name your.com
fixup protocol domain 53
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
no fixup protocol ils 389
no fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
names
access-list 101 permit icmp any any
access-list 101 permit tcp any host 206.x.x.175 eq www
access-list 201 permit icmp any any
access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq www
access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq domain
access-list 201 permit udp 10.0.15.0 255.255.255.0 any eq domain
access-list 201 permit tcp any host 10.0.15.175 eq www
access-list 201 permit icmp any 10.0.0.0 255.255.255.0
access-list 301 permit icmp any any
access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq https
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 206.x.x.130 255.255.x.x
ip address inside 10.0.0.6 255.255.255.0
ip address dmz 10.0.15.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
arp timeout 14400
global (outside) 1 206.x.x.132-206.x.x.135 netmask 255.255.x.x
global (outside) 1 206.x.x.131
global (dmz) 1 10.0.15.2-10.0.15.8
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 10.0.15.0 255.255.255.0 0 0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
static (dmz,outside) 206.x.x.175 10.0.15.175 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 301 in interface inside
access-group 201 in interface dmz
rip outside default version 1
rip inside default version 2
route outside 0.0.0.0 0.0.0.0 206.x.x.129
route inside 10.0.1.0 255.255.255.0 10.0.0.224 2
06-14-2004 07:19 PM
Hey lmbaity -
I am sorry - I thought I had replied to your last post. Thanks for the show commands - they are really helpful.
So here's the order I will check things and my thoughts:
1 - Interface config check
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
good
2 - Interface enabled check
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
good
3 - Interface ip config check
ip address outside 206.x.x.130 255.255.x.x
ip address inside 10.0.0.6 255.255.255.0
ip address dmz 10.0.15.1 255.255.255.0
good
4 - Translations for Inside to Outside
global (outside) 1 206.x.x.132-206.x.x.135 netmask 255.255.x.x
global (outside) 1 206.x.x.131
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
NAT with PAT - good
First 4 connections to outside will be translated to 132,133,134 and then 135. The 5th+ connections will be translated to 131.
5 - Translations from Inside to DMZ check
global (dmz) 1 10.0.15.2-10.0.15.8
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
and
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
This may be the problem
You have both dynamic NAT and static NAT configured for translations of addresses for traffic from the inside to the dmz. You may want to use one or the other.
Even though I think this could be tweaked, I don't think it is the issue, so let's keep looking.
6 - Translations from the Dmz to the Outside check
global (outside) 1 206.x.x.132-206.x.x.135 netmask 255.255.x.x
global (outside) 1 206.x.x.131
nat (dmz) 1 10.0.15.0 255.255.255.0 0 0
good - same comments as in 4
7 - Translations for traffic from Outside to DMZ
static (dmz,outside) 206.x.x.175 10.0.15.175 netmask 255.255.255.255 0 0
good
8 - Access Lists applied to any interface check
access-group 101 in interface outside
access-group 301 in interface inside
access-group 201 in interface dmz
ok
9 - Let's check the ACLs for any issues
access-list 101 permit icmp any any
access-list 101 permit tcp any host 206.x.x.175 eq www
good - WWW traffic inbound
access-list 101 permit tcp any host 206.x.x.175 eq www (hitcnt=12)
getting hits on it, too
access-list 201 permit icmp any any
access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq www
access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq domain
access-list 201 permit udp 10.0.15.0 255.255.255.0 any eq domain
the above statements permit your DMZ servers to get to any website and resolve DNS
access-list 201 permit tcp any host 10.0.15.175 eq www
access-list 201 permit icmp any 10.0.0.0 255.255.255.0
I don't think these 2 statements are needed - but should not be impacting things right now
access-list 301 permit icmp any any
access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq https
this looks good, if you are using internal DNS. Notice you have no hits probably because no DNS resolution can occur because the ACL blocks it. Tell us more about how you are doing DNS for internal hosts.
10 - Let's wrap this up by checking routing
route outside 0.0.0.0 0.0.0.0 206.x.x.129
route inside 10.0.1.0 255.255.255.0 10.0.0.224 2
looks good
Take a look at #9 and tell us more about your DNS.
thanks
peter
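The ACL step (#9 in the reply) can be replayed mechanically. The script below is an added example, not code from the thread or from Cisco: it parses `show access-group` and `show access-list` output in the format quoted in the question, evaluates a candidate flow against the ACL bound inbound on its ingress interface with PIX first-match semantics and the implicit deny at the end, and lists entries whose `hitcnt` is zero. The sample output is constructed from the thread, with 203.0.113.0/24 standing in for the poster's masked 206.x.x range and 10.0.0.50 / 198.51.100.7 as constructed inside and Internet hosts; the `hitcnt=0` values on access-list 301 are constructed to match the reply's "no hits" observation.

```python
"""Replay a PIX 6.x ACL check from 'show access-group' / 'show access-list' text."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}

# Constructed sample modelled on the thread's show output.
# 203.0.113.0/24 (TEST-NET-3) stands in for the poster's masked 206.x.x.0 range.
SAMPLE_SHOW_OUTPUT = """\
access-group 101 in interface outside
access-group 301 in interface inside
access-group 201 in interface dmz
access-list 101 permit icmp any any
access-list 101 permit tcp any host 203.0.113.175 eq www (hitcnt=12)
access-list 201 permit icmp any any (hitcnt=232625)
access-list 201 permit icmp any 10.0.0.0 255.255.255.0 (hitcnt=0)
access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq www (hitcnt=0)
access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq domain (hitcnt=0)
access-list 201 permit udp 10.0.15.0 255.255.255.0 any eq domain (hitcnt=1)
access-list 201 permit tcp any host 10.0.15.175 eq www (hitcnt=0)
access-list 301 permit icmp any any
access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq www (hitcnt=0)
access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq https (hitcnt=0)
"""


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    hitcnt: Optional[int]
    text: str


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # PIX access-lists use a normal subnet mask, not an IOS wildcard mask
    return ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse one access-list line; the trailing '(hitcnt=N)' is optional."""
    hit = None
    m = re.search(r"\(hitcnt=(\d+)\)\s*$", line)
    if m:
        hit = int(m.group(1))
        line = line[: m.start()].rstrip()
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        return None
    acl, action, proto = tokens[1], tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i + 1 < len(tokens) and tokens[i] == "eq":
        dport = PORT_NAMES.get(tokens[i + 1])
        if dport is None:
            dport = int(tokens[i + 1])
    return Ace(acl, action, proto, src, dst, dport, hit, line)


def parse_show_output(text):
    """Return (interface -> acl name, acl name -> ordered list of Ace)."""
    bindings, aces = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access-group"):
            t = line.split()  # access-group <acl> in interface <ifname>
            bindings[t[4]] = t[1]
        elif line.startswith("access-list"):
            ace = parse_ace(line)
            if ace:
                aces.setdefault(ace.acl, []).append(ace)
    return bindings, aces


def evaluate(text, ingress, proto, src, dst, dport=None):
    """First-match evaluation of the ACL bound inbound on `ingress`; implicit deny if nothing matches."""
    bindings, aces = parse_show_output(text)
    acl = bindings.get(ingress)
    if acl is None:
        # No ACL bound: PIX falls back to security-level rules, which are not modelled here.
        return ("no-acl", None)
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces.get(acl, []):
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return (ace.action, ace.text)
    return ("deny", f"implicit deny at end of access-list {acl}")


def zero_hit_aces(text):
    """Entries that show hitcnt=0, the ones the reply suggests looking at."""
    _, aces = parse_show_output(text)
    return [a.text for entries in aces.values() for a in entries if a.hitcnt == 0]


if __name__ == "__main__":
    # The flow from the question: inside host to the DMZ server's public address on tcp/80
    print(evaluate(SAMPLE_SHOW_OUTPUT, "inside", "tcp", "10.0.0.50", "203.0.113.175", 80))
    # Inside host trying to resolve DNS on the Internet (constructed resolver address)
    print(evaluate(SAMPLE_SHOW_OUTPUT, "inside", "udp", "10.0.0.50", "198.51.100.7", 53))
    for entry in zero_hit_aces(SAMPLE_SHOW_OUTPUT):
        print("no hits:", entry)
```

Run against the sample, the inside ACL (301) permits the tcp/80 flow from the question, so the ACL step alone does not explain the failure, while an inside host's UDP/53 query to an external resolver falls through to the implicit deny, which is the "ACL blocks it" point the reply makes about DNS.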