dmz configuration- not working

Jan 10th, 2006
I have a PIX firewall with a 3-interface configuration without NAT or PAT. I put my web server on the DMZ. However, I can't ping or talk to my web server from either the inside or the outside. I need some assistance as to why it's not working.



turnbull Tue, 01/10/2006 - 18:35
Hi,


Try the revised config attached.


You will not be able to ping from outside as it is using port redirection, but you should be able to ping from inside as well as browse and telnet from outside.


Cheers,


Paul



npagadua69 Thu, 01/12/2006 - 16:23
Paul - I have one more request to make. I also want to open ports 554 & 1755 on this server on the DMZ. I want to be able to get to my server from the public side.


Here are the statements I had, and they do not work:


access-list acl_out permit tcp any host 68.16.128.2 eq 554

access-list acl_out permit tcp any host 68.16.128.2 eq 1755


Please help.

ashishpanda Thu, 01/12/2006 - 16:54
Hi,

Just add these two lines to the configuration. It should work.


static (dmz,outside) tcp interface 554 172.16.128.5 554 netmask 255.255.255.255

static (dmz,outside) tcp interface 1755 172.16.128.5 1755 netmask 255.255.255.255


Ashish

npagadua69 Fri, 01/13/2006 - 14:35
Thanks, I will let you know if it works. I am still new at this and just trying to find my way around it.


One more question: I would also like to allow Remote Admin from the inside to the DMZ, which means I want to be able to remote desktop into this machine from the inside to the DMZ.


Thanks

ashishpanda Sat, 01/14/2006 - 05:56
Hi,

As in the configuration you have already bypassed NAT between inside and dmz, no extra configuration is required. You will be able to log in to your server through remote admin.


ashish


jackko Sat, 01/14/2006 - 06:31
Just an add-on.

PIX by default permits traffic from a higher security level to a lower security level, provided proper nat/global/static is configured.


The inside interface default security level is 100;

the outside interface default security level is 0;

the dmz interface security level is any number in between.

So, traffic originated from inside and destined for dmz/outside will be permitted by default by the PIX.
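The rule jackko describes, together with the static plus access-list pair from ashishpanda's reply, can be written down as a small policy model. The script below is an added illustration, not configuration or code from this thread or from Cisco; it models only the two rules discussed here (higher-to-lower is permitted once a translation exists; lower-to-higher needs a matching static and an access-list permit applied inbound on the ingress interface) and ignores everything else a real PIX evaluates. The dmz security level of 50 is an assumption (the thread only says it lies between 0 and 100), and it assumes the outside interface address that the `interface` keyword in the static resolves to is the 68.16.128.2 named in the access-list, because an access-list entry that names a different address than the static's mapped address is the mismatch a practitioner would check first.

```python
"""Toy model of the PIX default interface policy discussed in the thread.

Added example, not from the original thread or from Cisco. It encodes two
rules only:
  1. higher security level -> lower: permitted by default once a
     translation (nat 0 / nat+global / static) exists between the interfaces;
  2. lower -> higher: permitted only when a static maps the destination and
     an access-list applied inbound on the ingress interface permits it.
"""
from dataclasses import dataclass, field

# inside/outside defaults are from the thread; the dmz value is assumed.
SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass(frozen=True)
class Static:
    """static (real_if,mapped_if) tcp <mapped_ip> <mapped_port> <real_ip> <real_port>"""
    real_if: str
    mapped_if: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


@dataclass(frozen=True)
class AclEntry:
    """access-list <name> permit tcp any host <dst_ip> eq <dst_port>"""
    name: str
    dst_ip: str
    dst_port: int


@dataclass
class PixPolicy:
    statics: list = field(default_factory=list)
    acl_entries: list = field(default_factory=list)
    # interface -> access-list name applied with 'access-group <name> in interface <if>'
    access_groups: dict = field(default_factory=dict)
    # interface pairs for which NAT is bypassed ('nat 0' / nat exemption)
    nat_exempt: set = field(default_factory=set)

    def permits(self, src_if, dst_if, dst_ip, dst_port):
        """Return (allowed, reason) for a TCP flow entering on src_if."""
        src_lvl, dst_lvl = SECURITY_LEVELS[src_if], SECURITY_LEVELS[dst_if]
        pair = frozenset((src_if, dst_if))
        if src_lvl > dst_lvl:
            # Rule 1: higher -> lower needs only a translation to exist.
            translated = pair in self.nat_exempt or any(
                frozenset((s.real_if, s.mapped_if)) == pair for s in self.statics)
            if translated:
                return True, f"{src_if}->{dst_if}: higher to lower security, translation present"
            return False, f"{src_if}->{dst_if}: no nat/global/static between interfaces"
        # Rule 2: lower -> higher needs a static for exactly this mapped ip:port ...
        static_ok = any(s.mapped_if == src_if and s.real_if == dst_if
                        and s.mapped_ip == dst_ip and s.mapped_port == dst_port
                        for s in self.statics)
        # ... and an access-list permit for the mapped address, applied on src_if.
        acl_name = self.access_groups.get(src_if)
        acl_ok = any(e.name == acl_name and e.dst_ip == dst_ip and e.dst_port == dst_port
                     for e in self.acl_entries)
        if static_ok and acl_ok:
            return True, f"{src_if}->{dst_if}: static and access-list both match"
        missing = []
        if not static_ok:
            missing.append("static for this mapped ip:port")
        if not acl_ok:
            missing.append(f"access-list permit applied inbound on {src_if}")
        return False, f"{src_if}->{dst_if}: missing " + " and ".join(missing)


def thread_policy():
    """The situation described in the thread, under the assumptions in the lead-in."""
    outside_ip = "68.16.128.2"   # assumed to be what 'interface' resolves to
    server = "172.16.128.5"
    return PixPolicy(
        statics=[Static("dmz", "outside", outside_ip, 554, server, 554),
                 Static("dmz", "outside", outside_ip, 1755, server, 1755)],
        acl_entries=[AclEntry("acl_out", outside_ip, 554),
                     AclEntry("acl_out", outside_ip, 1755)],
        access_groups={"outside": "acl_out"},
        nat_exempt={frozenset(("inside", "dmz"))},
    )


if __name__ == "__main__":
    p = thread_policy()
    for flow in [("outside", "dmz", "68.16.128.2", 554),
                 ("outside", "dmz", "68.16.128.2", 80),
                 ("inside", "dmz", "172.16.128.5", 3389),
                 ("outside", "inside", "68.16.128.2", 3389)]:
        print(flow, "->", p.permits(*flow))
```

Running it shows why the two halves are both needed: dropping either static line or either access-list line from `thread_policy()` flips the outside-to-dmz result to denied with the reason naming the missing piece, while the inside-to-dmz remote desktop flow stays permitted on the strength of the NAT bypass alone, exactly as ashishpanda says.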
