PIX Firewall Problem

wasiimcisco
Level 1

I have two servers, one located on the PIX inside and one in the DMZ. I wanted to configure them so that they can communicate with routers and switches located outside of the PIX firewall.

My inside server is working fine, able to go to the Internet and able to communicate with all devices located on the outside of the PIX firewall. Below mentioned is the configuration of the inside server.

access-list outside_acl extended permit ip x.223.188.0 255.255.255.0 host 172.28.32.50

access-list outside_acl extended permit ip host x.219.212.217 host 172.28.32.50

access-list nonat extended permit ip host 172.28.32.50 host x.219.212.217

access-list nonat extended permit ip host 172.28.32.50 x.223.188.0 255.255.255.0

access-list inside_acl extended permit ip host 172.28.32.50 any

But my DMZ server is not working, though I did the same configuration as for the inside server. The DMZ server is not able to communicate with the outside network.

access-list outside_acl extended permit ip x.223.188.0 255.255.255.0 host 172.28.92.72

access-list outside_acl extended permit ip host x.219.212.217 host 172.28.92.72

access-list nonat extended permit ip host 172.28.92.72 host x.219.212.217

access-list nonat extended permit ip host 172.28.92.72 x.223.188.0 255.255.255.0

access-list dmz_acl extended permit ip host 172.28.92.72 any

If I create a static entry for the DMZ SNMP server,

static (edn,outside) 172.28.92.72 172.28.92.72 netmask 255.255.255.255

it starts communicating with outside devices but the Internet stops working on that server. The same configuration works with the inside server but not with the DMZ server.

nat (inside) 0 access-list nonat

nat (inside) 3 172.28.32.0 255.255.255.0

nat (dmz) 3 172.28.92.0 255.255.255.0

global (outside) 3 interface

Accepted Solution

michelcaissie
Level 1

Your static entry is bypassing your nat (dmz) 3 entry. You can do NAT exemption instead, like you do on your inside.

1- Remove the static entry (followed by clear xlate)

2- Add nat (dmz) 0 access-list nonat

I suggest using two different nonat ACLs, one for each interface.

Ex: nonat_inside

nonat_dmz
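As an added worked example (not configuration from the original post or from the accepted answer), here is the per-interface NAT exemption the answer recommends, written out with the hosts, subnets and ACL names from the question. It assumes the DMZ interface is named dmz (the question's static used the name edn) and that the x. prefix is the poster's masked first octet; the interface ACLs are kept unchanged, and the static entry is removed and xlates cleared first, as the answer says.

```cisco
! Added example: NAT exemption with one nonat ACL per interface
! Assumption: DMZ interface name is "dmz"; "x." is the masked first octet from the post
! Remove the static that was bypassing the dynamic translation, then clear existing xlates
no static (edn,outside) 172.28.92.72 172.28.92.72 netmask 255.255.255.255
clear xlate

! Inside server: traffic to the two outside management networks is exempted from NAT
access-list nonat_inside extended permit ip host 172.28.32.50 host x.219.212.217
access-list nonat_inside extended permit ip host 172.28.32.50 x.223.188.0 255.255.255.0

! DMZ server: the same exemptions for the same outside destinations
access-list nonat_dmz extended permit ip host 172.28.92.72 host x.219.212.217
access-list nonat_dmz extended permit ip host 172.28.92.72 x.223.188.0 255.255.255.0

! nat 0 with an ACL is NAT exemption: it matches only the listed destinations,
! so all other traffic (the Internet) still falls through to the dynamic entries below
nat (inside) 0 access-list nonat_inside
nat (dmz) 0 access-list nonat_dmz

! Dynamic PAT to the outside interface address for everything else from both segments
nat (inside) 3 172.28.32.0 255.255.255.0
nat (dmz) 3 172.28.92.0 255.255.255.0
global (outside) 3 interface

! Interface ACLs from the question stay as they are
access-list outside_acl extended permit ip x.223.188.0 255.255.255.0 host 172.28.32.50
access-list outside_acl extended permit ip host x.219.212.217 host 172.28.32.50
access-list outside_acl extended permit ip x.223.188.0 255.255.255.0 host 172.28.92.72
access-list outside_acl extended permit ip host x.219.212.217 host 172.28.92.72
access-list inside_acl extended permit ip host 172.28.32.50 any
access-list dmz_acl extended permit ip host 172.28.92.72 any
```

The split keeps the exemption for each segment scoped to that segment's own host, so a later edit to one ACL cannot accidentally exempt or un-exempt the other server. Because exempted traffic leaves with its private 172.28.x.x source address, the outside management networks still need a route back to 172.28.92.0/24, exactly as they already have for the inside server's 172.28.32.0/24.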


It is rocking. It is working. Thanks for the help, you are excellent. Now please help me out in concentrator configuration. I will be very helpful to you.

I have a 3020 VPN Concentrator. Everything is running fine. Now management wants to add a second VPN 3020 Concentrator. Of course I will configure VRRP, and three global IP addresses are required for it: two for the concentrators and one for the VRRP IP. Now I want to know how the configuration will replicate. After configuring VRRP, my current concentrator will become master. If I configure a new VPN connection, will I configure it on the master concentrator, or am I supposed to configure both master and slave? Kindly guide me and help me out.

Will the slave also connect to the Internet router, or will its public interface connect with the master concentrator only? How will the private interface be configured, and how will routing occur? Right now the concentrator's public interface is connected with the Internet router and the private interface is connected with the LAN switch. How will I plug the second (slave) concentrator into the network?

How will the network topology be? Please help me out as you did with the firewall problem.