Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

PIX 8.04 515E three interface DMZ newbie trouble config attached

Unanswered Question

<p>Sorry for the newbie question but I'm just not sure what I need to do here.&nbsp; I have a PIX 515E running 8.04.&nbsp; I have an inside network and a network on the DMX; the inside is security level 100; DMZ is 10 and the outside is 0.&nbsp; I can nat out to the world from the inside and the DMZ and my inside can access resources on the DMZ.&nbsp; What I'm having trouble with is DMZ TCP 80 traffic getting to the server on the DMZ.&nbsp; My web server cannot be accessed from the outside.&nbsp; If attach a copy of the config for review.&nbsp; I have an idea it has something to do with the implicit rules but not sure what. Thanks in advance.</p>

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
hunnetvl01 Sat, 01/31/2009 - 12:04
User Badges:

I am not sure this will work , but AFAIK it should.

Try adding the traffic to the webserver to NAT 0 .

Let me know if it worked!

hunnetvl01 Sun, 02/01/2009 - 05:50
User Badges:

Can you post the output of sh logg as I am not sure about the translation you are doing there.

Sorry I did not see that static previously.

At a 1st look it should work with the config you have , but please do a sh logg when you try a telnet from outside to the webserver.



pstebner10 Sun, 02/01/2009 - 09:59
User Badges:

You don't really need the global (dmz) statement, and you need an access-list for the dmz that will allow web traffic in from the outside - without one you have an implicit 'deny-all' rule on the dmz interface for anthing except traffic coming from the inside interface (traffic is always permited from a higher security interface to a lower security interface unless specifically excluded). Make another acl, say, acl_dmz, and allow the same traffic that you're allowing on your outside interface: acl_dmz extended permit tcp any host webserver eq 80 access-group acl_dmz in dmz

HTH, Paul

hunnetvl01 Mon, 02/02/2009 - 01:59
User Badges:

Thats why I asked the logging.

I was curious of the transaltion group for that DMZ.


Jithesh K Joy Mon, 02/02/2009 - 04:56
User Badges:


Sorry to jump in the middle but I doubt the follow conf.

access-list acl_out extended permit tcp any host webserver eq www

access-group acl_out in interface outside

Instead of 'webserver' ,is it the outside IP address to be mentioned??? Becoz


name webserver

It is a private IP address in the names list. More over We can specifically direct the traffic to port 80

static (dmz,outside) tcp interface 80 webserver 80 netmask



hunnetvl01 Mon, 02/02/2009 - 05:05
User Badges:


you right!

The public ip should be mentioned there!



hunnetvl01 Mon, 02/02/2009 - 12:24
User Badges:


did you try what Jithesh says?

Allowing the public IP of the web server in the outside ACL?




This Discussion