Pb conf pix 515

Aug 28th, 2006

Hi

I have a little problem with my PIX.

I have opened all the ports between DMZ and INSIDE, but the inside users cannot connect to the proxy (in the DMZ) and open internet pages.

Please help me.

My configuration is:


PIX Version 7.0(4)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password xxxx
names
name 192.168.38.201 SRV-DC1
name 192.168.38.205 SRV-ANTIVIRUS
name 192.168.38.203 SRV-MAIL
name 192.168.38.202 SRV-DC2
name 192.168.40.10 ISVW
!
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 192.168.2.50 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.39.251 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 30
 ip address 192.168.40.254 255.255.255.0
!
passwd xxx
ftp mode passive
access-list Outside_access_in extended permit tcp any any eq smtp
access-list Outside_access_in extended deny ip any any
access-list DMZ_access_in extended permit tcp any any eq domain
access-list DMZ_access_in extended permit udp any any eq domain
access-list DMZ_access_in extended permit tcp any any eq https
access-list DMZ_access_in extended permit tcp any any eq 8080
access-list DMZ_access_in extended permit tcp any any eq www
access-list DMZ_access_in extended permit tcp any any eq pptp
access-list DMZ_access_in extended permit tcp any any eq smtp
access-list DMZ_access_in extended permit tcp any eq smtp any eq smtp
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp any eq 8080 any
access-list inside_access_in extended permit tcp any any eq smtp
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq 8080
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu DMZ 1500
failover
monitor-interface Outside
monitor-interface inside
monitor-interface DMZ
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (Outside) 1 192.168.2.32-192.168.2.39 netmask 255.255.255.0
global (DMZ) 1 192.168.40.20-192.168.40.50 netmask 255.255.255.0
nat (inside) 1 192.168.38.0 255.255.255.0
nat (DMZ) 1 192.168.40.0 255.255.255.0
access-group Outside_access_in in interface Outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route inside 192.168.38.0 255.255.255.0 192.168.39.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password xxx encrypted privilege 15
http server enable
http 192.168.39.0 255.255.255.0 inside
http 192.168.38.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 DMZ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.39.252-192.168.39.254 inside
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
Cryptochecksum:xxx
: end


vijayasankar Mon, 08/28/2006 - 07:43

Hi,

From which IP segment in the inside network are you trying to access the proxy server?

There is no nat statement for the inside network 192.168.39.0/24.

You should also have this statement to include the inside network in the NAT translation:

nat (inside) 1 192.168.39.0 255.255.255.0

HTH

-VJ


m-haddad Mon, 08/28/2006 - 08:01

You have to PAT the inside subnet to the DMZ, otherwise they won't be able to connect to the proxy.

Therefore your NAT should look like this:

global (Outside) 1 192.168.2.32-192.168.2.39 netmask 255.255.255.0
global (DMZ) 2 192.168.40.20-192.168.40.50 netmask 255.255.255.0
nat (inside) 1 192.168.38.0 255.255.255.0
nat (Inside) 2 192.168.38.0 255.255.255.0

Let me know if this solves your problem, and please rate.
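Both replies above come down to the same check on the posted configuration: every source network sitting behind the high-security interface needs a nat statement on that interface, and every nat ID needs a global pool with the same ID on each lower-security interface the traffic can be translated towards. The script below is an added example, not code from the thread or from Cisco; it parses the classic pre-8.3 nat/global syntax the thread uses (interface names are lowercased on the assumption that PIX nameif lookups are case-insensitive, since the posts mix Outside and Inside) and reports both kinds of gap. The embedded config is an excerpt of the NAT-relevant lines from the original post, with the line the first reply proposes appended as a second variant.

```python
import ipaddress
import re

# Patterns for the PIX 7.x lines used in the thread (classic nat/global syntax;
# object NAT from 8.3 and later is not handled).
RE_IFACE = re.compile(r"^interface\s+\S+$")
RE_NAMEIF = re.compile(r"^nameif\s+(\S+)$")
RE_SEC = re.compile(r"^security-level\s+(\d+)$")
RE_IPADDR = re.compile(r"^ip address\s+(\S+)\s+(\S+)")
RE_ROUTE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+")
RE_NAT = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)$")
RE_GLOBAL = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(\S+)")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(config):
    """Return (sec_levels, behind, nats, globals) from PIX 7.x config text.

    sec_levels: iface -> security level
    behind:     iface -> networks reachable through that interface
                (connected subnet plus static routes pointing out of it)
    nats:       list of (iface, nat_id, network)
    globals:    set of (iface, nat_id)
    Interface names are lowercased (assumption: nameif lookup is case-insensitive).
    """
    sec, behind, nats, globs = {}, {}, [], set()
    cur = None  # nameif of the interface block currently being parsed
    for raw in config.splitlines():
        line = raw.strip()
        if RE_IFACE.match(line):
            cur = None
            continue
        if m := RE_NAMEIF.match(line):
            cur = m.group(1).lower()
            behind.setdefault(cur, set())
        elif (m := RE_SEC.match(line)) and cur:
            sec[cur] = int(m.group(1))
        elif (m := RE_IPADDR.match(line)) and cur:
            behind[cur].add(_net(*m.groups()))
        elif m := RE_ROUTE.match(line):
            net = _net(m.group(2), m.group(3))
            if net.prefixlen > 0:  # the default route says nothing about local networks
                behind.setdefault(m.group(1).lower(), set()).add(net)
        elif m := RE_NAT.match(line):
            nats.append((m.group(1).lower(), int(m.group(2)), _net(m.group(3), m.group(4))))
        elif m := RE_GLOBAL.match(line):
            globs.add((m.group(1).lower(), int(m.group(2))))
    return sec, behind, nats, globs


def nat_findings(config):
    """Report the two classic NAT gaps as a list of strings (empty = no gaps)."""
    sec, behind, nats, globs = parse_pix(config)
    findings = []
    # 1. A nat ID needs a global pool with the same ID on every lower-security
    #    interface, otherwise there is nothing to translate to in that direction.
    for iface, nat_id, net in nats:
        for lower, lvl in sec.items():
            if lvl < sec.get(iface, 0) and (lower, nat_id) not in globs:
                findings.append(f"nat ({iface}) {nat_id} {net} has no global ({lower}) {nat_id}")
    # 2. Every network behind a higher-security interface should be matched by
    #    some nat statement on that interface, or its hosts are never translated.
    for iface, nets in behind.items():
        if not any(lvl < sec.get(iface, 0) for lvl in sec.values()):
            continue  # lowest-security interface: nothing to translate towards
        for net in sorted(nets):
            if not any(i == iface and net.subnet_of(n) for i, _, n in nats):
                findings.append(f"{net} behind {iface} is not matched by any nat ({iface}) statement")
    return findings


# Excerpt of the NAT-relevant lines of the configuration posted in the thread.
ORIGINAL = """
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 192.168.2.50 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.39.251 255.255.255.0
interface Ethernet2
 nameif DMZ
 security-level 30
 ip address 192.168.40.254 255.255.255.0
global (Outside) 1 192.168.2.32-192.168.2.39 netmask 255.255.255.0
global (DMZ) 1 192.168.40.20-192.168.40.50 netmask 255.255.255.0
nat (inside) 1 192.168.38.0 255.255.255.0
nat (DMZ) 1 192.168.40.0 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route inside 192.168.38.0 255.255.255.0 192.168.39.254 1
"""

# Same excerpt plus the line the first reply proposes.
WITH_VJ_LINE = ORIGINAL + "nat (inside) 1 192.168.39.0 255.255.255.0\n"

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("with VJ's nat line", WITH_VJ_LINE)):
        print(f"{label}: {nat_findings(cfg) or 'no NAT gaps found'}")
```

On the posted excerpt the checker reports only that 192.168.39.0/24 (the inside interface's own subnet, which is also where its DHCP pool lives) is not matched by any nat (inside) statement; with the extra nat line it reports nothing. Because nat and global pair by ID per lower-security interface, a nat ID that only has a global on the DMZ is reported as having no pool towards Outside. Whether a missing nat entry actually drops traffic on PIX 7.0 depends on the nat-control setting: with nat-control enabled, untranslated traffic between interfaces is denied; with it disabled (the default on a fresh 7.x install) the packets pass untranslated, so confirm that setting before concluding NAT is the cause.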


hassanimagid Mon, 08/28/2006 - 08:20

Hi

Thank you for your answers, but it's not OK!

I have installed the software "Ethereal", and the problem is that the proxy couldn't answer the user:

xx --> 8080 (of DMZ proxy): ok
8080 --> xx (inside port): not ok!

Please help me, thanks!
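A single capture at the client only shows that the SYN went out and no SYN/ACK came back; it cannot say whether the proxy never answered or whether the firewall dropped the answer. Comparing captures taken on both sides of the PIX does. The script below is an added example, not from the thread: it takes packet summaries from two capture points (the PIX inside and DMZ interfaces), correlates each TCP flow across them and says where the handshake stops. The packet list is constructed for the example; the proxy address 192.168.40.10:8080 is ISVW from the posted config, while the client 192.168.39.10 and its translated address 192.168.40.21 from the global (DMZ) pool are assumptions. Flows are keyed on the server side plus the client's source port so that the NAT'ed client address does not break the match, which assumes a dynamic NAT pool that preserves the source port (PAT would not).

```python
from collections import defaultdict

# Verdict labels used by this example.
OK = "ok"
SYN_NOT_FORWARDED = "syn-not-forwarded"      # SYN seen on the client side only
SERVER_SILENT = "server-silent"              # SYN reached the server side, no SYN/ACK there
REPLY_NOT_FORWARDED = "reply-not-forwarded"  # SYN/ACK seen on the server side, never on the client side
NOT_SEEN = "not-seen-on-client-side"


def flow_key(src, sport, dst, dport, flags):
    """Identify a flow by (server, server port, client port).

    Keying on the server side lets the client address differ between the two
    captures (dynamic NAT pool on the firewall). Assumption: the pool keeps the
    client's source port; under PAT this key would have to come from the xlate table.
    """
    if flags == "S":
        return (dst, dport, sport)
    if flags == "SA":
        return (src, sport, dport)
    return None  # other packets are not needed to judge the handshake


def locate_break(packets, client_side, server_side):
    """Return {flow_key: verdict} from (iface, src, sport, dst, dport, flags) tuples."""
    seen = defaultdict(set)
    for iface, src, sport, dst, dport, flags in packets:
        key = flow_key(src, sport, dst, dport, flags)
        if key is not None:
            seen[key].add((iface.lower(), flags))
    verdicts = {}
    for key, steps in seen.items():
        syn_c = (client_side, "S") in steps
        syn_s = (server_side, "S") in steps
        sa_s = (server_side, "SA") in steps
        sa_c = (client_side, "SA") in steps
        if sa_c:
            verdicts[key] = OK
        elif sa_s:
            verdicts[key] = REPLY_NOT_FORWARDED   # the firewall ate the reply
        elif syn_s:
            verdicts[key] = SERVER_SILENT         # the proxy never answered
        elif syn_c:
            verdicts[key] = SYN_NOT_FORWARDED     # the firewall ate the request
        else:
            verdicts[key] = NOT_SEEN
    return verdicts


# Constructed packet summaries (not real capture data): one capture on the PIX
# 'inside' interface and one on 'DMZ', as you would export from Ethereal or a
# PIX 'show capture' listing.
PROXY = "192.168.40.10"
CLIENT = "192.168.39.10"       # assumed inside client
CLIENT_NAT = "192.168.40.21"   # assumed address from the global (DMZ) pool
SAMPLE = [
    # flow A: request goes through, the reply dies in the firewall on the way back
    ("inside", CLIENT, 40000, PROXY, 8080, "S"),
    ("DMZ", CLIENT_NAT, 40000, PROXY, 8080, "S"),
    ("DMZ", PROXY, 8080, CLIENT_NAT, 40000, "SA"),
    # flow B: healthy handshake seen on both sides
    ("inside", CLIENT, 40001, PROXY, 8080, "S"),
    ("DMZ", CLIENT_NAT, 40001, PROXY, 8080, "S"),
    ("DMZ", PROXY, 8080, CLIENT_NAT, 40001, "SA"),
    ("inside", PROXY, 8080, CLIENT, 40001, "SA"),
    # flow C: the SYN reaches the DMZ but the proxy never answers
    ("inside", CLIENT, 40002, PROXY, 8080, "S"),
    ("DMZ", CLIENT_NAT, 40002, PROXY, 8080, "S"),
]

if __name__ == "__main__":
    for key, verdict in sorted(locate_break(SAMPLE, "inside", "dmz").items()):
        print(key, verdict)
```

On the PIX itself the two capture points are set up with the capture command, one per interface, filtered by an access-list matching tcp any host 192.168.40.10 eq 8080, and read back with show capture. A "reply-not-forwarded" verdict points at the firewall (no connection or xlate entry for the return direction, or an asymmetric path), while "server-silent" points at the proxy host or its default gateway, so the two verdicts send you to different places to look next.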

m-haddad Mon, 08/28/2006 - 10:40

From where are the clients coming? 192.168.39.0 or 192.168.38.0?

m-haddad Mon, 08/28/2006 - 10:40

Also, did you clear xlate after you applied the config I sent?

Thanks,


hassanimagid Tue, 08/29/2006 - 02:32

Hi

The clients are coming from 192.168.39.0

and I cleared the xlate.

Please help me

a.kiprawih Tue, 08/29/2006 - 04:33
