Configuration difficulties with DMZ

Apr 2nd, 2007

Hello,


I'm testing a PIX with several configurations. I'm able to configure my PIX with inside and outside (no DMZ).

Now I've activated the DMZ, but I have a problem.

- I'm able to access everything from inside to outside
- I'm able to access everything from inside to DMZ (with 192.168.3.2)
- I'm able to access everything from DMZ to outside
- I'm able to access HTTP from outside to DMZ (with 192.168.1.241)
- I'm able to access port 1433 and VPN (PPTP+GRE) from outside to inside (with 192.168.1.242)

But I'm not able to access port 1433 from DMZ to inside.


Here is the config with just the "I'm able to" things. I don't know how I can access port 1433 from outside to my SQL Server on the inside.


Another thing: I can't use the IP of the outside interface (192.168.1.240) to access port 1433 and VPN. It's not really a problem, but I don't understand why.


And the last question: Is the Cisco VPN client free to download? I'm not able to use an L2TP/IPsec VPN connection with the MS VPN client.


Thanks in advance to all.


PS: please be patient, I'm not completely stupid (I hope :o), just a beginner and I have some difficulties with English.


****************************************************


: Saved
:
PIX Version 7.2(2)14
!
hostname pix
domain-name test.com
enable password xxx
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.240 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 10
 ip address 192.168.3.1 255.255.255.0
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
access-list outside_access_in extended permit tcp any host 192.168.1.241 eq www
access-list outside_access_in extended permit tcp host 192.168.1.222 host 192.168.1.242 eq 1433
access-list outside_access_in extended permit tcp host 192.168.1.222 host 192.168.1.242 eq pptp
access-list outside_access_in extended permit gre host 192.168.1.222 host 192.168.1.242
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm522-58.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 192.168.1.241 192.168.3.2 netmask 255.255.255.255
static (inside,outside) 192.168.1.242 192.168.2.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.222 255.255.255.255 outside
http 192.168.2.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.2-192.168.2.254 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end

Jon Marshall Mon, 04/02/2007 - 04:14

Hi


If you want to access an inside server from the DMZ, you are missing a static statement, i.e.


you have

"static (inside,outside) 192.168.1.242 192.168.2.2 netmask 255.255.255.255"


You need a static for the inside to the DMZ,


i.e. static (inside,DMZ) 192.168.1.242 192.168.1.242 netmask 255.255.255.255


You will also need an access-list to allow the traffic to come from the DMZ to your inside server.


HTH


Jon
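The two conditions Jon names (a static (high,low) translation for the inside server on the DMZ side, plus an access-list applied to the DMZ interface) can be checked mechanically before the change goes on the box. The script below is an added example, not code from the thread or from Cisco: it parses the relevant lines of the poster's config (embedded as sample input), then reports, for a given flow, which of the two pieces is missing under the pre-8.3 PIX/ASA rules (nat-control, interface ACLs naming the mapped address, first-match ACEs with an implicit deny). The "fixed" config is an assumed rendering of Jon's advice: the mapped address 192.168.1.242 as in his post, the real address 192.168.2.2 taken from the existing static, the interface name `dmz` as configured, an ACL name `dmz_access_in` that is invented here, and a trailing `permit ip any any` because applying an access-group to the DMZ interface would otherwise also cut off the DMZ-to-outside traffic that currently works. Dynamic nat/global pairs for high-to-low traffic are not modelled.

```python
"""Reachability check for a lower- to higher-security flow on a pre-8.3 PIX/ASA.

Hypothetical checker (not Cisco code): it models the static (high,low) needed
under nat-control, the inbound ACL on the ingress interface, and the fact that
applying an ACL replaces an interface's implicit permit with an implicit deny.
"""
import ipaddress
import re

# Sample input: the poster's config, trimmed to the lines this checker reads.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet1
 nameif inside
 security-level 100
interface Ethernet2
 nameif dmz
 security-level 10
access-list outside_access_in extended permit tcp any host 192.168.1.241 eq www
access-list outside_access_in extended permit tcp host 192.168.1.222 host 192.168.1.242 eq 1433
access-list outside_access_in extended permit tcp host 192.168.1.222 host 192.168.1.242 eq pptp
access-list outside_access_in extended permit gre host 192.168.1.222 host 192.168.1.242
nat-control
static (dmz,outside) 192.168.1.241 192.168.3.2 netmask 255.255.255.255
static (inside,outside) 192.168.1.242 192.168.2.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

# Assumed rendering of Jon's fix: static on the dmz side for the inside server,
# an ACL (name dmz_access_in is invented) permitting only 1433 to it, a deny for
# anything else to it, and a catch-all so dmz-to-outside keeps working.
FIXED_CONFIG = SAMPLE_CONFIG + """\
static (inside,dmz) 192.168.1.242 192.168.2.2 netmask 255.255.255.255
access-list dmz_access_in extended permit tcp host 192.168.3.2 host 192.168.1.242 eq 1433
access-list dmz_access_in extended deny ip any host 192.168.1.242
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "pptp": 1723, "ssh": 22}


def _addr(t, i):
    """Consume one address spec (any | host A | A MASK); return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_ace(t):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]' tokens."""
    i = next(k for k, tok in enumerate(t) if tok in ("permit", "deny"))
    action, proto = t[i], t[i + 1]
    src, i = _addr(t, i + 2)
    dst, i = _addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":  # destination port only; source-port ACEs not handled
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def parse_config(text):
    """Collect security levels, nat-control, statics, ACLs and access-groups."""
    cfg = {"levels": {}, "statics": [], "acls": {}, "groups": {}, "nat_control": False}
    current_if = None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] in ("!", ":"):
            continue
        if t[0] == "nameif":
            current_if = t[1]
        elif t[0] == "security-level" and current_if:
            cfg["levels"][current_if] = int(t[1])
        elif t[0] == "nat-control":
            cfg["nat_control"] = True
        elif t[0] == "static":
            hi, lo, mapped, real = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", raw.strip()).groups()
            cfg["statics"].append({"high": hi, "low": lo, "mapped": mapped, "real": real})
        elif t[0] == "access-list" and any(tok in ("permit", "deny") for tok in t):
            cfg["acls"].setdefault(t[1], []).append(parse_ace(t))
        elif t[0] == "access-group":  # access-group NAME in interface IF
            cfg["groups"][t[4]] = t[1]
    return cfg


def evaluate_acl(aces, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation; falling off the end is the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        if a["proto"] in (proto, "ip") and src in a["src"] and dst in a["dst"] \
                and a["port"] in (None, dst_port):
            return a["action"]
    return "deny"


def check_flow(cfg, src_if, dst_if, src_ip, dst_real_ip, dst_port, proto="tcp"):
    """Say whether src_if -> dst_if traffic to real address dst_real_ip:dst_port can pass."""
    problems = []
    low_to_high = cfg["levels"][src_if] < cfg["levels"][dst_if]
    mapped_ip = dst_real_ip
    # 1. Under nat-control a higher-security host is reachable from a lower-security
    #    interface only through a static (high,low) translating its real address.
    if low_to_high and cfg["nat_control"]:
        hits = [s for s in cfg["statics"]
                if s["high"] == dst_if and s["low"] == src_if and s["real"] == dst_real_ip]
        mapped_ip = hits[0]["mapped"] if hits else None
        if not hits:
            problems.append(f"no 'static ({dst_if},{src_if})' translates {dst_real_ip} for {src_if}")
    # 2. Without an access-group, low-to-high is implicitly denied and high-to-low
    #    implicitly permitted; with one, the ACL (naming the mapped address on
    #    pre-8.3 code) decides for everything entering that interface.
    acl_name = cfg["groups"].get(src_if)
    if acl_name is None:
        if low_to_high:
            problems.append(f"no access-group applied inbound on {src_if}")
    elif mapped_ip is not None:
        verdict = evaluate_acl(cfg["acls"].get(acl_name, []), proto, src_ip, mapped_ip, dst_port)
        if verdict != "permit":
            problems.append(f"ACL {acl_name} on {src_if} denies {proto}/{dst_port} to {mapped_ip}")
    return {"allowed": not problems, "mapped_ip": mapped_ip, "problems": problems}


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("with the fix", FIXED_CONFIG)):
        r = check_flow(parse_config(text), "dmz", "inside", "192.168.3.2", "192.168.2.2", 1433)
        print(f"{label}: dmz -> inside 1433: {'ok' if r['allowed'] else r['problems']}")
```

Run as-is, the first line reports both missing pieces for the posted config (no static, no access-group on dmz) and the second reports the flow as allowed. Removing the final `permit ip any any` from the DMZ ACL and checking a dmz-to-outside flow shows the side effect of adding an access-group to an interface that previously relied on the implicit permit.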


tagadapouette Tue, 04/03/2007 - 00:40

Hello,


I've tried something like your example and that works.


Thank you.


JLE
