08-17-2007 07:17 AM - edited 03-11-2019 03:59 AM
I'm trying to setup an SSL VPN box within a DMZ using a PIX 515.
Basically I've setup the SSL box with a DMZ IP and NAT'd this to an external IP. I've put the following ACLs in:
access-list INCOMING permit tcp any object-group SSL_BOX object-group WEB_BROWSING_PORTS
access-list DMZ permit tcp host 172.17.1.100 object-group INTRANET_SERVERS eq www
access-list DMZ permit tcp host 172.17.1.100 object-group DOMAIN_CTRLRS object-group DC_PORTS
access-list DMZ permit tcp host 172.17.1.100 object-group CITRIX_SERVERS object-group CITRIX_PORTS
access-list DMZ deny ip any any
However, I can get to the SSL box externally, but it's not passing from there to the internal LAN.
I've done a show ACL DMZ, but the hit count on all entries is 0. Is there a way I can troubleshoot this to see where it's getting held up? I've tried viewing on a SYSLOG server with a DEBUG ACL but it's not helping much.
Any help much appreciated.
08-17-2007 08:10 AM
Hi
Quick check. Do you have static translations for the internal servers to the DMZ, e.g. if one of your DCs was 192.168.5.10:
static (inside,DMZ) 192.168.5.10 192.168.5.10 netmask 255.255.255.255
If so, could you post the config?
What version of PIX software are you running?
Jon
08-20-2007 01:02 AM
Thanks Jon, PIX s/w is ver 6.3(4)
I was kind of thinking along the lines of what you were saying here. I have a:
static (outside,DMZ) 172.17.1.100 194.x.x.x netmask 255.255.255.255
but all the internal servers are on 10 addresses. I presume that I need some kind of translations for the Netilla box (172.17.1.100) to be able to see them internally?
Andrew
08-20-2007 01:56 AM
Andrew
What is the static (outside,DMZ) 172.17.1.100 194.x.x.x netmask 255.255.255.255 meant to do?
If you are presenting your Netilla box to the outside as 194.x.x.x, your statement should be
static (DMZ,outside) 194.x.x.x 172.17.1.100 netmask 255.255.255.255
As for your internal servers, yes, you need to present them to the DMZ, i.e.
static (inside,DMZ) "internal 10.x.x.x server address" "internal 10.x.x.x server address" netmask 255.255.255.255
HTH
Jon
08-20-2007 03:39 AM
Jon,
Typing error; did it from memory rather than cut and paste (it's been a heavy wkd!!). Will try what you said. That sounds like it should sort it.
Andrew
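An added illustration, not from the thread or from Cisco: a small Python checker for PIX 6.3 `static` lines that flags the reversed real/mapped ordering Jon points out and lists internal servers that still have no static (inside,DMZ) translation (the reason the DMZ ACL counters stay at 0). Function names and all addresses are constructed for the example, with 198.51.100.10 standing in for the thread's 194.x.x.x public address.

```python
import ipaddress
import re

# PIX 6.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)$"
)

def parse_static(line):
    """Split one static line into its interfaces and addresses."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static line: {line!r}")
    s = m.groupdict()
    s["mapped"] = ipaddress.ip_address(s["mapped"])
    s["real"] = ipaddress.ip_address(s["real"])
    return s

def static_problems(line, real_hosts):
    """real_hosts maps an address to the interface it actually lives on.
    Returns [] when the static agrees with that, otherwise a list of reasons."""
    s = parse_static(line)
    problems = []
    if s["real_ifc"] == s["mapped_ifc"]:
        problems.append("real and mapped interfaces are the same")
    # A real host written in the mapped slot on its own interface: the line is reversed.
    if real_hosts.get(s["mapped"]) == s["mapped_ifc"]:
        problems.append(f"{s['mapped']} is the real host on {s['mapped_ifc']} but is "
                        "written as the mapped address; interfaces and addresses are reversed")
    if s["real"] in real_hosts and real_hosts[s["real"]] != s["real_ifc"]:
        problems.append(f"{s['real']} lives on {real_hosts[s['real']]}, not {s['real_ifc']}")
    return problems

def unreachable_from_dmz(statics, internal_servers):
    """Internal servers with no static (inside,DMZ) translation. Without one the PIX
    never builds an xlate for DMZ -> inside traffic, so the DMZ ACL entries show 0 hits."""
    presented = {str(s["mapped"]) for s in map(parse_static, statics)
                 if (s["real_ifc"], s["mapped_ifc"]) == ("inside", "DMZ")}
    return sorted(ip for ip in internal_servers if ip not in presented)

# Constructed sample: the SSL box on the DMZ and two internal servers.
REAL_HOSTS = {ipaddress.ip_address("172.17.1.100"): "DMZ",
              ipaddress.ip_address("10.1.1.10"): "inside",
              ipaddress.ip_address("10.1.1.20"): "inside"}
WRONG_STATIC = "static (outside,DMZ) 172.17.1.100 198.51.100.10 netmask 255.255.255.255"
RIGHT_STATIC = "static (DMZ,outside) 198.51.100.10 172.17.1.100 netmask 255.255.255.255"
DC_STATIC = "static (inside,DMZ) 10.1.1.10 10.1.1.10 netmask 255.255.255.255"

if __name__ == "__main__":
    print(static_problems(WRONG_STATIC, REAL_HOSTS))
    print(unreachable_from_dmz([RIGHT_STATIC, DC_STATIC], ["10.1.1.10", "10.1.1.20"]))
```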