PIX 515e inside access to dmz

Unanswered Question
Apr 1st, 2004
I have an issue that I cannot seem to see. I am trying to allow inside users access to the DMZ, mainly for FTP and WWW. I know I am overlooking something simple. Thanks in advance.


Here is the portion of the config that I have:


interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

access-list dmz permit ip any any

pager lines 24

ip address outside xxx.xxx.xxx.xxx 255.255.255.240
ip address inside yyy.yyy.yyy.yyy 255.255.255.0
ip address dmz zzz.zzz.zzz.zzz 255.255.255.240
ip audit info action alarm
ip audit attack action alarm

global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

static (inside,dmz) yyy.yyy.yyy.yyy yyy.yyy.yyy.yyy netmask 255.0.0.0 0 0
static (dmz,outside) zzz.zzz.zzz.zzz zzz.zzz.zzz.zzz netmask 255.255.255.255 0 0
static (inside,dmz) zzz.zzz.zzz.zzz yyy.yyy.yyy.yyy netmask 255.255.255.255 0 0

access-group dmz in interface dmz

pmichaelson Thu, 04/01/2004 - 10:56

The error I seem to have is:

Deny TCP (no connection) from zzz.zzz.zzz.zzz/21 to yyy.yyy.yyy.yyy/44038 flags SYN ACK on interface dmz

pmichaelson Fri, 04/02/2004 - 06:30

Here is something odd. I can ping and trace to the DMZ with no problem. Does anyone have any insight on this?


Phil

pmichaelson Fri, 04/02/2004 - 07:43

I have added this:

access-list no_dmz_nat permit ip 207.250.100.144 255.255.255.240 10.0.0.0 255.0.0.0
nat (dmz) 0 access-list no_nat_dmz....

Still cannot access services on the DMZ... but I can ping.

pmichaelson Fri, 04/02/2004 - 08:05

The log shows this when trying to FTP:

Deny TCP (no connection) from 207.250.100.149/21 to 10.8.15.10/54278 flags SYN ACK on interface dmz

Looks like some kind of translation is missing, but I can't make heads or tails of it.... Anyone see the issue?
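As an added example, not from the thread or from Cisco, a small Python parser for the "Deny TCP (no connection)" log lines quoted above (the PIX 106015 message). It pulls out the fields and labels a SYN/ACK from a server port with no matching connection as a reply whose forward SYN never built a connection on that path; the server-port set and the third sample log line are constructed assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
# Message body of the PIX "Deny TCP (no connection)" syslog (%PIX-6-106015) as quoted in
# the thread. Host fields also accept the masked "zzz.zzz.zzz.zzz" form the poster used.
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\w.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\w.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<ifc>\S+)"
)
# Assumed set of server ports whose SYN/ACK marks a reply (21 is the FTP control port seen in the thread).
SERVER_PORTS = {21, 22, 25, 80, 443}

def parse_deny(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of a 'Deny TCP (no connection)' line, or None for any other line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return {"src": g["src"], "sport": int(g["sport"]), "dst": g["dst"],
            "dport": int(g["dport"]), "flags": g["flags"].split(), "ifc": g["ifc"]}

def classify(rec: Dict[str, object]) -> str:
    """Say what kind of connection-less TCP segment the PIX dropped."""
    flags = set(rec["flags"])
    if flags == {"SYN", "ACK"} and rec["sport"] in SERVER_PORTS:
        # A server's SYN/ACK reached the PIX but no connection entry exists for it: the client's
        # SYN either bypassed this path or was translated to a different address, so the reply
        # cannot be matched to the connection it belongs to.
        return "orphan-reply"
    if "SYN" not in flags:
        # Mid-stream segment (ACK/FIN/RST) without a connection: timed out or asymmetric path.
        return "stale-or-asymmetric"
    return "other"

def summarize(lines: List[str]) -> Counter:
    """Count dropped segments per (interface, sending host, classification) over a batch."""
    out: Counter = Counter()
    for line in lines:
        rec = parse_deny(line)
        if rec:
            out[(rec["ifc"], rec["src"], classify(rec))] += 1
    return out

# Constructed sample batch: the two lines quoted in the thread plus one unrelated message.
SAMPLE_LOG = [
    "Deny TCP (no connection) from zzz.zzz.zzz.zzz/21 to yyy.yyy.yyy.yyy/44038 flags SYN ACK on interface dmz",
    "Deny TCP (no connection) from 207.250.100.149/21 to 10.8.15.10/54278 flags SYN ACK on interface dmz",
    "Teardown TCP connection 12 for inside:10.8.15.10/40000 duration 0:00:05 bytes 0 (constructed)",
]
```

Running summarize(SAMPLE_LOG) reports both quoted lines as orphan replies from port 21 on the dmz interface, which is the pattern to look for when the forward connection and its return traffic are not using the same translation.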
