PIX 515 with DMZ probs

andymh
Level 1

I'm trying to set up an SSL VPN box within a DMZ using a PIX 515.

Basically I've set up the SSL box with a DMZ IP and NAT'd this to an external IP. I've put the following ACLs in:

access-list INCOMING permit tcp any object-group SSL_BOX object-group WEB_BROWSING_PORTS

access-list DMZ permit tcp host 172.17.1.100 object-group INTRANET_SERVERS eq www

access-list DMZ permit tcp host 172.17.1.100 object-group DOMAIN_CTRLRS object-group DC_PORTS

access-list DMZ permit tcp host 172.17.1.100 object-group CITRIX_SERVERS object-group CITRIX_PORTS

access-list DMZ deny ip any any

However, I can get to the SSL box externally, but it's not passing from there to the internal LAN.

I've done a show ACL DMZ, but the hit count on all entries is 0. Is there a way I can troubleshoot this to see where it's getting held up? I've tried viewing on a SYSLOG server with a DEBUG ACL, but it's not helping much.

Any help much appreciated.

4 Replies

Jon Marshall
Hall of Fame

Hi

Quick check. Do you have static translations for the internal servers to the DMZ? E.g., if one of your DCs was 192.168.5.10:

static (inside,DMZ) 192.168.5.10 192.168.5.10 netmask 255.255.255.255

If so, could you post the config?

What version of PIX software are you running?

Jon

Thanks Jon, PIX software is version 6.3(4).

I was kind of thinking along the lines of what you were saying here. I have a:

static (outside,DMZ) 172.17.1.100 194.x.x.x netmask 255.255.255.255

but all the internal servers are on 10 addresses. I presume that I need some kind of translation for the Netilla box (172.17.1.100) to be able to see them internally?

Andrew

Andrew

What is the static (outside,DMZ) 172.17.1.100 194.x.x.x netmask 255.255.255.255 meant to do?

If you are presenting your Netilla box to the outside as 194.x.x.x, your statement should be:

static (DMZ,outside) 194.x.x.x 172.17.1.100 netmask 255.255.255.255

As for your internal servers, yes, you need to present them to the DMZ, i.e.:

static (inside,DMZ) "internal 10.x.x.x server address" "internal 10.x.x.x server address" netmask 255.255.255.255

HTH

Jon
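Pulling the two replies above together into one fragment: this is an added PIX 6.3-style configuration example, not the poster's actual config or anything from the Netilla vendor. It keeps the object-group names and the 172.17.1.100 and 194.x.x.x addresses from the thread (194.x.x.x is left as the placeholder the thread uses), and the 10.1.1.x server addresses, the members of each object group and the port numbers are assumed for illustration only. The point it shows is the direction of the two statics: (DMZ,outside) to present the SSL box outward, and identity statics (inside,DMZ) so that the DMZ can reach the internal servers, after which the DMZ access list can be evaluated and start counting hits.

```cisco
! Assumed object-group contents, for illustration only.
! SSL_BOX is the address the outside world sees, so it holds the mapped 194.x.x.x address.
object-group network SSL_BOX
 network-object host 194.x.x.x
object-group service WEB_BROWSING_PORTS tcp
 port-object eq www
 port-object eq https
object-group network INTRANET_SERVERS
 network-object host 10.1.1.20
object-group network DOMAIN_CTRLRS
 network-object host 10.1.1.10
object-group service DC_PORTS tcp
 port-object eq 88
 port-object eq 389
 port-object eq 445
object-group network CITRIX_SERVERS
 network-object host 10.1.1.30
object-group service CITRIX_PORTS tcp
 port-object eq 1494

! Present the Netilla box (DMZ, 172.17.1.100) to the outside as 194.x.x.x.
! Syntax is static (real_ifc,mapped_ifc) mapped_ip real_ip, which is why
! the thread's (outside,DMZ) version was the wrong way round.
static (DMZ,outside) 194.x.x.x 172.17.1.100 netmask 255.255.255.255

! Identity statics: present each internal server to the DMZ under its own
! address (no translation), so the DMZ can initiate connections to it.
static (inside,DMZ) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
static (inside,DMZ) 10.1.1.20 10.1.1.20 netmask 255.255.255.255
static (inside,DMZ) 10.1.1.30 10.1.1.30 netmask 255.255.255.255

! Outside -> DMZ: only the SSL box, only the browsing ports.
access-list INCOMING permit tcp any object-group SSL_BOX object-group WEB_BROWSING_PORTS
access-list INCOMING deny ip any any

! DMZ -> inside: only the SSL box, only to the named servers and ports.
! Everything else from the DMZ (including a compromised SSL box) is dropped.
access-list DMZ permit tcp host 172.17.1.100 object-group INTRANET_SERVERS eq www
access-list DMZ permit tcp host 172.17.1.100 object-group DOMAIN_CTRLRS object-group DC_PORTS
access-list DMZ permit tcp host 172.17.1.100 object-group CITRIX_SERVERS object-group CITRIX_PORTS
access-list DMZ deny ip any any

! Without these bindings the access lists exist but are never consulted.
access-group INCOMING in interface outside
access-group DMZ in interface DMZ
```

Two checks worth running after applying this. `show xlate` (or `show static`) should list the identity entries for the internal servers; if the syslog server shows %PIX-3-305005 "No translation group found" for traffic from 172.17.1.100 to a 10.x.x.x address, the static for that server is still missing and the packet is being dropped before the DMZ access list is evaluated, which is consistent with hit counts staying at 0. Once the statics are in place, `show access-list DMZ` should show the counters moving on the permit lines for the traffic that works, and the final `deny ip any any` counter (with logging) will show what the SSL box is trying to reach that you have not allowed. One caveat on the DMZ lines above, which follow the thread in permitting TCP only: domain controller traffic such as DNS, Kerberos and LDAP can also use UDP, so if authentication from the SSL box fails while the TCP lines are counting hits, look at the denied UDP entries before widening anything else.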

Jon,

Typing error, I did it from memory rather than cut and paste (it's been a heavy weekend!!). Will try what you said. That sounds like it should sort it.

Andrew
