01-31-2009 11:17 AM - edited 03-11-2019 07:44 AM
<p>Sorry for the newbie question but I'm just not sure what I need to do here. I have a PIX 515E running 8.04. I have an inside network 192.168.1.0/24 and a network on the DMX 192.168.100.0/30. the inside is security level 100; DMZ is 10 and the outside is 0. I can nat out to the world from the inside and the DMZ and my inside can access resources on the DMZ. What I'm having trouble with is DMZ TCP 80 traffic getting to the server on the DMZ. My web server cannot be accessed from the outside. If attach a copy of the config for review. I have an idea it has something to do with the implicit rules but not sure what. Thanks in advance.</p>
01-31-2009 12:04 PM
I am not sure this will work , but AFAIK it should.
Try adding the traffic to the webserver to NAT 0 .
Let me know if it worked!
01-31-2009 07:24 PM
Thanks, for your response. Can you explain? Can you detail from the cfg what you think looks wrong. Again, thanks
02-01-2009 05:50 AM
Can you post the output of sh logg as I am not sure about the translation you are doing there.
Sorry I did not see that static previously.
At a 1st look it should work with the config you have , but please do a sh logg when you try a telnet from outside to the webserver.
Thanks,
Vlad
01-31-2009 07:20 PM
02-01-2009 09:59 AM
You don't really need the global (dmz) statement, and you need an access-list for the dmz that will allow web traffic in from the outside - without one you have an implicit 'deny-all' rule on the dmz interface for anthing except traffic coming from the inside interface (traffic is always permited from a higher security interface to a lower security interface unless specifically excluded). Make another acl, say, acl_dmz, and allow the same traffic that you're allowing on your outside interface: acl_dmz extended permit tcp any host webserver eq 80 access-group acl_dmz in dmz
HTH, Paul
02-02-2009 01:59 AM
Thats why I asked the logging.
I was curious of the transaltion group for that DMZ.
Vlad
02-02-2009 04:56 AM
Hi,
Sorry to jump in the middle but I doubt the follow conf.
access-list acl_out extended permit tcp any host webserver eq www
access-group acl_out in interface outside
Instead of 'webserver' ,is it the outside IP address to be mentioned??? Becoz
names
name 192.168.100.2 webserver
It is a private IP address in the names list. More over We can specifically direct the traffic to port 80
static (dmz,outside) tcp interface 80 webserver 80 netmask 255.255.255.255
Regards
Jithesh
02-02-2009 05:05 AM
Jithesh,
you right!
The public ip should be mentioned there!
Regards,
Vlad
02-02-2009 12:24 PM
Shawn,
did you try what Jithesh says?
Allowing the public IP of the web server in the outside ACL?
Regards,
Vlad
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide