PIX 515 W/VPN and Web access

Unanswered Question

Help me please as I have run into a wall and can't figure this out. I have a PIX 515-BUN-UR running ver 6.2 of the PIX Firewall IOS with a 4-port serial card and the 3DES accelerator board. I have the VPN up and running successfully but now need to add a web server on the DMZ-1 interface.


The PIX is located directly after the Telco Border Router and has been assigned the address range of 1.2.3.224/29. Router interface is 1.2.3.225, PIX is 1.2.3.230. NAT is set to 1.2.3.226 and PAT is set to 1.2.3.227. I want the WEB service on 1.2.3.228. 1.2.3.229 is used for the IDS box between the Firewall and the Border Router.



I have added the following lines to the Firewall Config to set up the http access, but am unable to get into the web server:


access-list VPN permit ip ODH 255.255.0.0 192.168.127.0 255.255.255.0
access-list WEB permit tcp any host 1.2.3.228 eq www
access-group WEB in interface outside

ip address outside 1.2.3.230 255.255.255.248
ip address inside 192.168.128.5 255.255.255.0
ip address DMZ-1 192.168.136.1 255.255.255.0

global (outside) 1 1.1.2.226
global (outside) 1 1.2.3.227
global (DMZ-1) 1 WebServer netmask 255.255.255.0
nat (inside) 0 access-list VPN
nat (inside) 1 ODH 255.255.0.0 0 64
nat (DMZ-1) 1 0.0.0.0 0.0.0.0 0 10
static (DMZ-1,outside) 1.2.3.228 WebServer netmask 255.255.255.255 0 10
route outside 0.0.0.0 0.0.0.0 1.2.3.225 1
route inside 192.168.127.0 255.255.255.0 192.168.128.2 1
route inside OSHQ 255.255.128.0 192.168.128.2 1


If it makes any difference, I am also unable to ping the host on the DMZ-1 interface from the PIX console. The Web Host can be pinged from a switch console; however, the PIX interface cannot.


Can anyone please point me in the right direction?


Thanks in advance.




gfullage (Cisco Employee) Thu, 11/27/2003 - 15:44

Remove this:


global (DMZ-1) 1 WebServer netmask 255.255.255.0


What you're saying here is that any packets coming from the inside interface going to the DMZ will be translated to the web server's address, not good. Basically you've told the PIX that it owns the web servers address, so it will answer ARP queries for it, etc, etc.


If you have users going from inside to DMZ then do something like the following:


global (DMZ-1) 1 192.168.136.50 netmask 255.255.255.0
nat (inside) 1 ODH 255.255.0.0 0 64


where 192.168.136.50 is any UNUSED IP address on the DMZ. The static that you have should take care of the outside -> DMZ translation and let everything in.
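
The DMZ web-server section of the posted config with the reply's fix applied, assembled here as an added example (it is not configuration from the original post or from Cisco) together with the PIX 6.2 commands a practitioner would use to confirm the change. It assumes WebServer is a `name` alias for the host's real DMZ-1 address (the alias is used but never defined in the thread), that 192.168.136.50 is unused on DMZ-1 as the reply requires, and that the first outside global is 1.2.3.226 as the post's prose states.

```text
! Added example, not the poster's or Cisco's configuration.
! Assumptions: "WebServer" is a name alias for the real DMZ-1 host address;
! 192.168.136.50 is an unused address on DMZ-1.
!
! --- before (from the post): the PIX claims the web server's own address,
!     so it answers ARP for it and inside->DMZ traffic is translated to it ---
! global (DMZ-1) 1 WebServer netmask 255.255.255.0
!
! --- after: inside -> DMZ-1 traffic is PATed to a spare DMZ address instead ---
global (outside) 1 1.2.3.226
global (outside) 1 1.2.3.227
global (DMZ-1) 1 192.168.136.50 netmask 255.255.255.0
nat (inside) 1 ODH 255.255.0.0 0 64
nat (DMZ-1) 1 0.0.0.0 0.0.0.0 0 10
!
! outside -> DMZ-1: one-to-one static for the web server, then an ACL that
! permits only TCP/80 to the public (translated) address, which is what
! PIX 6.x access-lists match on for inbound traffic
static (DMZ-1,outside) 1.2.3.228 WebServer netmask 255.255.255.255 0 10
access-list WEB permit tcp any host 1.2.3.228 eq www
access-group WEB in interface outside
!
! translations built under the old global stay in the xlate table until
! they are cleared, so flush them after changing nat/global
clear xlate
!
! checks from the PIX console (outputs not shown here):
!   show arp                         - the web server's DMZ address should now
!                                      resolve to the host's MAC, not be owned by the PIX
!   ping DMZ-1 <web server address>  - PIX -> DMZ host reachability, which the
!                                      poster reports failing today
!   show xlate                       - expect the static mapping 1.2.3.228 <-> WebServer
!   show conn                        - inbound TCP/80 connections appear here when
!                                      an outside client reaches the site
```

The order matters: remove the bad `global (DMZ-1)` line first, then `clear xlate`; until the stale translations are cleared the PIX can keep using the web server's address for inside-to-DMZ traffic and the ARP conflict the reply describes persists.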
