PIX DMZ access problem

Unanswered Question
Jan 2nd, 2008

I have a subnet 172.28.85.x on my pix dmz interface.

The below-mentioned subnets are on my inside interface.

172.28.64.x

172.28.78.x

172.28.32.x

172.28.92.x

I want my inside to access the dmz and the dmz to access inside at the same time.

High to low and low to high any side can initiate the connection.

my inside: 100 security level

my dmz: 90 security level

From low to high, access can be enabled by doing a static and an ACL on the dmz interface.

access-list edn_acl extended permit ip any any

static (inside,edn) 172.28.64.4 172.28.64.4 netmask 255.255.255.255

static (inside,edn) 172.28.64.6 172.28.64.6 netmask 255.255.255.255

static (inside,edn) 172.28.64.5 172.28.64.5 netmask 255.255.255.255

static (inside,edn) 172.28.64.102 172.28.64.102 netmask 255.255.255.255

static (inside,edn) 172.28.32.23 172.28.32.23 netmask 255.255.255.255

static (inside,edn) 172.28.78.0 172.28.78.0 netmask 255.255.255.255

Inside Interface configuration

nat (inside) 3 172.28.32.0 255.255.255.0

nat (inside) 4 172.28.33.0 255.255.255.0

nat (inside) 5 172.28.80.0 255.255.255.0

nat (inside) 1 172.28.90.0 255.255.255.0

nat (inside) 2 172.28.92.0 255.255.255.0

global (edn) 3 172.28.95.11 netmask 255.255.255.0

global (edn) 4 172.28.95.12 netmask 255.255.255.255

global (edn) 5 172.28.95.13 netmask 255.255.255.0

global (edn) 2 172.28.95.10 netmask 255.255.255.255

But I'm not able to communicate either way, unless I allow my inside subnets in the inside ACL that is applied on the inside interface.

access-list inside_acl extended permit ip host 172.28.80.11 any

access-list inside_acl extended permit ip host 172.28.80.10 any

access-list inside_acl extended permit ip 172.28.93.0 255.255.255.0 any

access-list inside_acl extended permit ip host 172.28.32.23 any

access-list inside_acl extended permit ip host 172.28.32.11 any

access-list inside_acl extended permit ip host 172.28.32.25 any

access-list inside_acl extended permit ip host 172.28.32.14 any

access-list inside_acl extended permit ip host 172.28.32.10 any

access-list inside_acl extended permit ip host 172.28.32.24 any

access-list inside_acl extended permit ip host 172.28.64.6 any

access-list inside_acl extended permit ip host 172.28.64.4 any

access-list inside_acl extended permit ip host 172.28.64.5 any

access-list inside_acl extended permit ip host 172.28.64.102 any

access-list inside_acl extended permit ip host 172.28.32.13 any

access-list inside_acl extended permit ip 172.28.78.0 255.255.255.0 172.28.85.0 255.255.255.0

Why is it behaving like this? Why do I have to allow the inside subnet on the inside access list for communication?

Can u please tell me what is wrong with my configuration?

High to low nat and global.

Low to high access-list plus static.

This is general practice.

I'm totally unable to understand this.

Waiting for reply.

rajbhatt Wed, 01/02/2008 - 02:27

Hi,

When u r using static it is bidirectional.

So u can replace the nat and global statements; u wud need static, inside and dmz access lists with access groups only.

When u add an inside access list there is an implicit deny.

So if u do not explicitly permit, there is no communication.

If u r not using an access list on the inside then it should work with nat and global only.

Raj
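
To make the rule Raj states concrete, here is a small Python model of the three behaviours the reply describes (no access-group means high-to-low initiation is allowed by default; a bound access-group brings its implicit deny; a static works in both directions while nat/global only works outbound). It is an added illustration written for this page, not code from either poster or from Cisco, and not a real PIX. It assumes identity statics (mapped address equal to real address, as in the thread's config), that every connection needs a translation, and that a static is preferred over nat/global when both cover a host. The interface names, security levels and addresses are the thread's; the test flows are constructed.

```python
"""Toy model of the PIX interface-policy rules stated in this thread.

Constructed illustration, not the thread's or Cisco's code. It encodes only:
  * no access-group on an interface: a connection may start from a higher
    security level to a lower one; lower-to-higher needs an ACL permit
  * an access-group bound to an interface: its implicit deny applies to every
    connection entering that interface, even high-to-low
  * a static is usable in both directions; nat/global only from the real side
Assumes identity statics (mapped == real) and that a translation is required.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")


def net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=False)


@dataclass
class Interface:
    security: int
    acl: list[tuple[Net, Net]] | None = None   # (src, dst) permits; None = no access-group


@dataclass
class Pix:
    ifaces: dict[str, Interface]
    statics: list[tuple[str, str, Net]] = field(default_factory=list)  # (real_if, mapped_if, net)
    dynamic: list[tuple[str, str, Net]] = field(default_factory=list)  # nat/global pairs

    def _translation(self, src_if: str, dst_if: str, src: str, dst: str) -> tuple[bool, str]:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # statics are checked first: they take preference over nat/global
        for real_if, mapped_if, real_net in self.statics:
            if real_if == src_if and mapped_if == dst_if and s in real_net:
                return True, f"static ({real_if},{mapped_if}) {real_net} outbound"
            if real_if == dst_if and mapped_if == src_if and d in real_net:
                return True, f"static ({real_if},{mapped_if}) {real_net} inbound"
        # nat/global only creates translations for connections leaving the real side
        for real_if, mapped_if, real_net in self.dynamic:
            if real_if == src_if and mapped_if == dst_if and s in real_net:
                return True, f"nat/global {real_net} -> {mapped_if}"
        return False, "no translation"

    def check(self, src_if: str, src: str, dst_if: str, dst: str) -> tuple[bool, str]:
        """(allowed, reason) for a connection initiated from src_if towards dst_if."""
        inbound = self.ifaces[src_if]
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if inbound.acl is None:
            if inbound.security <= self.ifaces[dst_if].security:
                return False, f"no ACL on {src_if}: low-to-high needs an access-list permit"
            acl_reason = f"no ACL on {src_if}: high-to-low permitted by default"
        else:
            hit = next((f"permit {a} {b}" for a, b in inbound.acl if s in a and d in b), None)
            if hit is None:
                return False, f"{src_if} ACL implicit deny"
            acl_reason = f"{src_if} ACL {hit}"
        ok, xlate = self._translation(src_if, dst_if, src, dst)
        return ok, f"{acl_reason}; {xlate}"


def thread_config() -> Pix:
    """inside (100) and dmz 'edn' (90), identity statics, nat (inside) 2 / global (edn) 2."""
    pix = Pix(ifaces={"inside": Interface(100), "edn": Interface(90, acl=[(ANY, ANY)])})
    for host in ("172.28.64.4", "172.28.64.6", "172.28.64.5", "172.28.64.102", "172.28.32.23"):
        pix.statics.append(("inside", "edn", net(host + "/32")))
    pix.dynamic.append(("inside", "edn", net("172.28.92.0/24")))
    return pix


def walkthrough() -> dict[str, bool]:
    pix = thread_config()
    r = {}
    # 1. no access-group on inside: high-to-low works through nat/global alone
    r["inside->dmz, no inside ACL"] = pix.check("inside", "172.28.92.10", "edn", "172.28.85.5")[0]
    # 2. dmz reaches a static'd inside host: low-to-high via static + edn_acl permit
    r["dmz->static host"] = pix.check("edn", "172.28.85.5", "inside", "172.28.64.4")[0]
    # 3. dmz cannot initiate to the dynamically NATed subnet: nat/global is one-way
    r["dmz->dynamic-NAT subnet"] = pix.check("edn", "172.28.85.5", "inside", "172.28.92.10")[0]
    # 4. bind an inside_acl listing only static hosts: implicit deny now blocks 172.28.92.0/24
    pix.ifaces["inside"].acl = [(net("172.28.64.4/32"), ANY)]
    r["inside->dmz, inside ACL without subnet"] = pix.check("inside", "172.28.92.10", "edn", "172.28.85.5")[0]
    # 5. the poster's workaround: permit the inside subnet in inside_acl
    pix.ifaces["inside"].acl.append((net("172.28.92.0/24"), ANY))
    r["inside->dmz, inside ACL with subnet"] = pix.check("inside", "172.28.92.10", "edn", "172.28.85.5")[0]
    return r


if __name__ == "__main__":
    for name, allowed in walkthrough().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
```

Step 4 is the poster's situation: once `inside_acl` is bound, the default high-to-low permission is gone and each inside source must be listed, which is exactly why the entries in the question were needed.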

wasiimcisco Wed, 01/02/2008 - 03:34

Thanks for the immediate reply,

I can't remove anything, because it is a live environment and critical servers are up and running.

So now can I say high to low NAT and global is enough for both-side communication?

From low to high, static will work bidirectionally. Only the lower security interface has a permit ACL entry.

I have put a remark in my access-list; now I am not able to see the hitcount on my ACL.

Can u tell me how I can see the hitcount on the ACL as I could see before putting a remark in my ACL?

I have NATed my inside subnet 172.28.92.0 while accessing the dmz into 172.28.95.10:

nat (inside) 2 172.28.92.0 255.255.255.0

global (edn) 2 172.28.95.10 netmask 255.255.255.255

While I access my dmz I can't see the translation in SHOW XLATE.

Also the SHOW CONN command is not working.

Can you please tell me how I can see the translation that is occurring while accessing the dmz from inside?

And the hitcount on the ACL after adding a remark in the ACL.

rajbhatt Wed, 01/02/2008 - 04:13

Hi,

Please try this :

sh xl | i 172.28.92.x

and sh conn | in 172.28.92.x

If u r going from high to low and u have a static, then that takes preference over nat and global.

Plz check for access lists hits that should give u an idea.

In 7.0 version it may work with and without xlates but u should see conn .

Raj

wasiimcisco Wed, 01/02/2008 - 05:58

Hi,

If from inside to dmz I'm going via static:

static (inside,edn) 172.28.92.0 172.28.92.0 netmask 255.255.255.0

not with nat:

nat (inside) 2 172.28.92.0 255.255.255.0

global (edn) 2 172.28.95.10 netmask 255.255.255.255

Interestingly, I have another firewall in the dmz which only permits 172.28.95.x as source.

If I'm going there via static, how come the 2nd firewall is letting me in even though I am not translating myself into 172.28.95.x?

Please tell me how to see the hitcount in the access-list after adding a remark statement.

Normally I can see the hitcount in the access-list, but now I have modified my ACL by adding some notes (remarks) in it, and now it is not showing me the hitcount.

wasiimcisco Fri, 01/04/2008 - 07:08

I have made an access-list:

access-list edn_acl line 20 remark RA_ACL extended permit ip 172.28.37.0 255.255.255.0 172.28.64.0 255.255.255.0

Now I can't see the hitcount on this ACL, though this ACL is working fine.

Can you tell me how to see the hitcount on an access-list that has a remark statement?

access-list edn_acl line 1 extended permit ip host 192.168.249.133 any (hitcnt=6)

This type of ACL is showing the hitcnt but not the above-mentioned ACL.

Please tell me how to check hitcnt.
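
The hitcount question comes up for anyone auditing firewall rules, so here is a small parser for `show access-list` output, added to this thread as an example (not code from the posters or from Cisco). It assumes the line layout shown in the thread, `access-list <name> line <n> extended <ace> (hitcnt=<count>)`, optionally followed by a hex id, and the convention that a `remark` entry is a comment: it matches no packets and therefore carries no hitcnt, so the parser reports remarks separately from matching entries. The sample output is constructed from the thread's addresses; the hex ids are made up.

```python
"""Parse PIX/ASA `show access-list` output and report per-entry hit counts.

Added example, not from the thread or Cisco. Assumed line layout:
  access-list <name> line <n> extended <ace> (hitcnt=<count>) [0x<id>]
  access-list <name> line <n> remark <free text>
Remarks are comments and carry no counter; header lines are skipped.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<kind>remark|extended) "
    r"(?P<body>.*?)(?: \(hitcnt=(?P<hits>\d+)\))?(?: 0x[0-9a-fA-F]+)?\s*$"
)


@dataclass
class Entry:
    acl: str
    line: int
    kind: str          # "extended" or "remark"
    body: str
    hits: int | None   # None for remarks (no counter exists for a comment)


def parse_show_access_list(text: str) -> list[Entry]:
    entries: list[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:   # e.g. "access-list edn_acl; 3 elements"
            continue
        hits = m.group("hits")
        entries.append(Entry(m.group("acl"), int(m.group("line")), m.group("kind"),
                             m.group("body"), int(hits) if hits is not None else None))
    return entries


def summarize(entries: list[Entry]) -> dict[str, dict]:
    """Per ACL: total hits, remark lines, and extended entries with zero hits (review candidates)."""
    out: dict[str, dict] = {}
    for e in entries:
        s = out.setdefault(e.acl, {"hits": 0, "remarks": [], "unused": []})
        if e.kind == "remark":
            s["remarks"].append((e.line, e.body))
        else:
            s["hits"] += e.hits or 0
            if e.hits == 0:
                s["unused"].append((e.line, e.body))
    return out


# Constructed sample: line 1 mirrors the thread's quoted line, line 20 the
# remark the poster added, line 21 a matching ACE that has seen no traffic.
SAMPLE = """\
access-list edn_acl; 3 elements
access-list edn_acl line 1 extended permit ip host 192.168.249.133 any (hitcnt=6) 0x1a2b3c4d
access-list edn_acl line 20 remark RA_ACL extended permit ip 172.28.37.0 255.255.255.0 172.28.64.0 255.255.255.0
access-list edn_acl line 21 extended permit ip 172.28.37.0 255.255.255.0 172.28.64.0 255.255.255.0 (hitcnt=0) 0x5e6f7a8b
"""


def hit_report(text: str = SAMPLE) -> dict[str, dict]:
    return summarize(parse_show_access_list(text))


if __name__ == "__main__":
    for e in parse_show_access_list(SAMPLE):
        counter = "comment, no counter" if e.hits is None else f"hitcnt={e.hits}"
        print(f"{e.acl} line {e.line:>3} {e.kind:8} {counter}")
    print(hit_report())
```

Running it on a saved `show access-list` capture gives a quick list of entries that have never matched, which is the usual starting point for pruning stale rules.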
