PIX 8.04 515E three interface DMZ newbie trouble config attached

Shawn1 · ‎01-31-2009

<p>Sorry for the newbie question but I'm just not sure what I need to do here.  I have a PIX 515E running 8.04.  I have an inside network 192.168.1.0/24 and a network on the DMX 192.168.100.0/30.  the inside is security level 100; DMZ is 10 and the outside is 0.  I can nat out to the world from the inside and the DMZ and my inside can access resources on the DMZ.  What I'm having trouble with is DMZ TCP 80 traffic getting to the server on the DMZ.  My web server cannot be accessed from the outside.  If attach a copy of the config for review.  I have an idea it has something to do with the implicit rules but not sure what. Thanks in advance.</p>

hunnetvl01 · ‎01-31-2009

I am not sure this will work , but AFAIK it should.

Try adding the traffic to the webserver to NAT 0 .

Let me know if it worked!

Shawn1 · ‎01-31-2009

Thanks, for your response. Can you explain? Can you detail from the cfg what you think looks wrong. Again, thanks

hunnetvl01 · ‎02-01-2009

Can you post the output of sh logg as I am not sure about the translation you are doing there.

Sorry I did not see that static previously.

At a 1st look it should work with the config you have , but please do a sh logg when you try a telnet from outside to the webserver.

Thanks,

Vlad

Shawn1 · ‎01-31-2009

Sorry, here is the config...

pstebner10 · ‎02-01-2009

You don't really need the global (dmz) statement, and you need an access-list for the dmz that will allow web traffic in from the outside - without one you have an implicit 'deny-all' rule on the dmz interface for anthing except traffic coming from the inside interface (traffic is always permited from a higher security interface to a lower security interface unless specifically excluded). Make another acl, say, acl_dmz, and allow the same traffic that you're allowing on your outside interface: acl_dmz extended permit tcp any host webserver eq 80 access-group acl_dmz in dmz

HTH, Paul

hunnetvl01 · ‎02-02-2009

Thats why I asked the logging.

I was curious of the transaltion group for that DMZ.

Vlad

Jithesh K Joy · ‎02-02-2009

Hi,

Sorry to jump in the middle but I doubt the follow conf.

access-list acl_out extended permit tcp any host webserver eq www

access-group acl_out in interface outside

Instead of 'webserver' ,is it the outside IP address to be mentioned??? Becoz

names

name 192.168.100.2 webserver

It is a private IP address in the names list. More over We can specifically direct the traffic to port 80

static (dmz,outside) tcp interface 80 webserver 80 netmask 255.255.255.255

Regards

Jithesh

hunnetvl01 · ‎02-02-2009

Jithesh,

you right!

The public ip should be mentioned there!

Regards,

Vlad

hunnetvl01 · ‎02-02-2009

Shawn,

did you try what Jithesh says?

Allowing the public IP of the web server in the outside ACL?

Regards,

Vlad