08-28-2006 06:50 AM - edited 02-21-2020 01:08 AM
Hi
I have a little problem with my PIX.
I have opened all the ports between the DMZ and INSIDE, but the inside users cannot connect to the proxy (in the DMZ) and open internet pages.
Please help me
My configuration is :
PIX Version 7.0(4)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password xxxx
names
name 192.168.38.201 SRV-DC1
name 192.168.38.205 SRV-ANTIVIRUS
name 192.168.38.203 SRV-MAIL
name 192.168.38.202 SRV-DC2
name 192.168.40.10 ISVW
!
interface Ethernet0
nameif Outside
security-level 0
ip address 192.168.2.50 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.39.251 255.255.255.0
!
interface Ethernet2
nameif DMZ
security-level 30
ip address 192.168.40.254 255.255.255.0
!
passwd xxx
ftp mode passive
access-list Outside_access_in extended permit tcp any any eq smtp
access-list Outside_access_in extended deny ip any any
access-list DMZ_access_in extended permit tcp any any eq domain
access-list DMZ_access_in extended permit udp any any eq domain
access-list DMZ_access_in extended permit tcp any any eq https
access-list DMZ_access_in extended permit tcp any any eq 8080
access-list DMZ_access_in extended permit tcp any any eq www
access-list DMZ_access_in extended permit tcp any any eq pptp
access-list DMZ_access_in extended permit tcp any any eq smtp
access-list DMZ_access_in extended permit tcp any eq smtp any eq smtp
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp any eq 8080 any
access-list inside_access_in extended permit tcp any any eq smtp
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq 8080
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu DMZ 1500
failover
monitor-interface Outside
monitor-interface inside
monitor-interface DMZ
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (Outside) 1 192.168.2.32-192.168.2.39 netmask 255.255.255.0
global (DMZ) 1 192.168.40.20-192.168.40.50 netmask 255.255.255.0
nat (inside) 1 192.168.38.0 255.255.255.0
nat (DMZ) 1 192.168.40.0 255.255.255.0
access-group Outside_access_in in interface Outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route inside 192.168.38.0 255.255.255.0 192.168.39.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password xxx encrypted privilege 15
http server enable
http 192.168.39.0 255.255.255.0 inside
http 192.168.38.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 DMZ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.39.252-192.168.39.254 inside
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
!
service-policy global_policy global
Cryptochecksum:xxx
: end
08-28-2006 07:43 AM
Hi,
From which IP segment in the inside network are you trying to access the proxy server?
There are no NAT statements for the inside network 192.168.39.0/24.
You should have this statement as well, to include the inside network in the NAT translation:
nat (inside) 1 192.168.39.0 255.255.255.0
HTH
-VJ
08-28-2006 08:01 AM
You have to PAT the inside subnet to the DMZ otherwise they won't be able to connect to the proxy.
Therefore your NAT should look like this:
global (Outside) 1 192.168.2.32-192.168.2.39 netmask 255.255.255.0
global (DMZ) 2 192.168.40.20-192.168.40.50 netmask 255.255.255.0
nat (inside) 1 192.168.38.0 255.255.255.0
nat (Inside) 2 192.168.38.0 255.255.255.0
Let me know if this solves your problem, and please rate.
08-28-2006 08:20 AM
Hi
Thank you for your answers, but it's not OK!!
I have installed the software "Ethereal" and the problem is that the proxy couldn't answer the user.
xx-->8080(of DMZ proxy) ok
8080-->xx(inside port) not ok!
Please help me, thanks!!!
08-28-2006 10:40 AM
From where are the clients coming? 192.168.39.0 or 192.168.38.0?
08-28-2006 10:40 AM
Also, did you clear xlate after you applied the config I sent?
Thanks,
08-29-2006 02:32 AM
Hi
The clients are coming from 192.168.39.0,
and I cleared the xlate.
Please help me
08-29-2006 04:33 AM
Do a quick test, and see if this helps:
static (inside, DMZ) 192.168.38.0 192.168.38.0 netmask 255.255.255.0
static (inside, DMZ) 192.168.39.0 192.168.39.0 netmask 255.255.255.0
* Delete/add as required.
The above will allow inside & DMZ to talk to each other via their respective original IP addresses. Maintain the ACLs on the DMZ & inside interfaces.
Rgds,
AK
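The thread turns on how a PIX 7.x chooses a translation for a flow: VJ points out that 192.168.39.0/24 has no nat statement at all, the second reply pairs a nat id with a global pool on the DMZ interface, and AK's fix uses static identity NAT between inside and DMZ. The following is an added example, not Cisco code and not part of any post in the thread: a small Python model of that lookup, run over the nat/global lines from the original config and over the same lines with AK's two static entries appended. It assumes (these assumptions are not stated in the thread) that static translations are checked before nat/global pairs, that a nat (ifc) id entry only applies when a global (ifc) id exists on the egress interface, that the pool hands out its first free address and reuses an existing xlate for the same source, and that interface names are compared case-insensitively. Whether a flow that matches no rule is dropped or forwarded untranslated depends on nat-control, which the posted config does not show, so the model simply reports "no translation".

```python
"""Toy model of PIX 7.x translation selection (added example, not Cisco code).

Assumptions, not taken from the thread: statics are checked before nat/global
pairs; a nat <id> needs a global <id> on the egress interface; pools hand out
the first free address and an existing xlate is reused; interface names are
compared case-insensitively. Only the three command shapes used in the thread
are parsed (policy NAT / nat 0 access-list are not modelled).
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

STATIC_RE = re.compile(
    r"static \((?P<real_if>[^,]+),\s*(?P<mapped_if>[^)]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)")
NAT_RE = re.compile(
    r"nat \((?P<ifc>[^)]+)\)\s+(?P<id>\d+)\s+(?P<net>\S+)\s+(?P<mask>\S+)")
GLOBAL_RE = re.compile(
    r"global \((?P<ifc>[^)]+)\)\s+(?P<id>\d+)\s+(?P<lo>[\d.]+)(?:-(?P<hi>[\d.]+))?")


@dataclass
class NatTable:
    statics: list = field(default_factory=list)   # (real_if, mapped_if, real_net, mapped_net)
    nats: list = field(default_factory=list)      # (ifc, nat_id, network)
    pools: dict = field(default_factory=dict)     # (ifc, nat_id) -> [addresses]
    leased: dict = field(default_factory=dict)    # (ifc, nat_id) -> next free pool index
    xlates: dict = field(default_factory=dict)    # (src_if, src_ip, dst_if) -> mapped ip


def parse_nat_config(text: str) -> NatTable:
    """Build a NatTable from static/nat/global lines; other lines are ignored."""
    t = NatTable()
    for line in text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            mask = m["mask"]
            t.statics.append((m["real_if"].strip().lower(), m["mapped_if"].strip().lower(),
                              ipaddress.ip_network(f"{m['real']}/{mask}", strict=False),
                              ipaddress.ip_network(f"{m['mapped']}/{mask}", strict=False)))
        elif m := NAT_RE.match(line):
            if m["net"] == "access-list":
                continue  # policy NAT is outside this model
            t.nats.append((m["ifc"].lower(), int(m["id"]),
                           ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)))
        elif m := GLOBAL_RE.match(line):
            lo = ipaddress.ip_address(m["lo"])
            hi = ipaddress.ip_address(m["hi"] or m["lo"])
            t.pools[(m["ifc"].lower(), int(m["id"]))] = [
                ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]
    return t


def clear_xlate(t: NatTable) -> None:
    """Equivalent of 'clear xlate': forget dynamic leases so new rules can take effect."""
    t.xlates.clear()
    t.leased.clear()


def translate(t: NatTable, src_if: str, src_ip: str, dst_if: str) -> Optional[str]:
    """Return the address hosts on dst_if will see for src_ip, or None if no rule matches."""
    src_if, dst_if = src_if.lower(), dst_if.lower()
    ip = ipaddress.ip_address(src_ip)
    # 1. static translations win; identity statics map the address onto itself
    for real_if, mapped_if, real_net, mapped_net in t.statics:
        if real_if == src_if and mapped_if == dst_if and ip in real_net:
            return str(mapped_net.network_address + (int(ip) - int(real_net.network_address)))
    # 2. dynamic nat: reuse an existing xlate, else lease from the matching global pool
    key = (src_if, str(ip), dst_if)
    if key in t.xlates:
        return t.xlates[key]
    for ifc, nat_id, net in t.nats:
        if ifc == src_if and ip in net:
            pool = t.pools.get((dst_if, nat_id))
            if pool is None:
                continue  # this nat id has no global on the egress interface
            idx = t.leased.get((dst_if, nat_id), 0)
            if idx >= len(pool):
                return None  # pool exhausted (no PAT fallback configured in the model)
            t.leased[(dst_if, nat_id)] = idx + 1
            t.xlates[key] = str(pool[idx])
            return t.xlates[key]
    return None


# Constructed from the nat/global lines of the posted config, plus AK's two statics.
ORIGINAL = """\
global (Outside) 1 192.168.2.32-192.168.2.39 netmask 255.255.255.0
global (DMZ) 1 192.168.40.20-192.168.40.50 netmask 255.255.255.0
nat (inside) 1 192.168.38.0 255.255.255.0
nat (DMZ) 1 192.168.40.0 255.255.255.0
"""
FIXED = ORIGINAL + """\
static (inside, DMZ) 192.168.38.0 192.168.38.0 netmask 255.255.255.0
static (inside, DMZ) 192.168.39.0 192.168.39.0 netmask 255.255.255.0
"""


def demo() -> dict:
    """Inside clients (.38.x and .39.x) reaching the DMZ proxy, before and after the fix."""
    orig, fixed = parse_nat_config(ORIGINAL), parse_nat_config(FIXED)
    return {
        "orig_38": translate(orig, "inside", "192.168.38.10", "DMZ"),     # dynamic: 192.168.40.20
        "orig_39": translate(orig, "inside", "192.168.39.10", "DMZ"),     # None: no nat statement
        "fixed_38": translate(fixed, "inside", "192.168.38.10", "DMZ"),   # identity: 192.168.38.10
        "fixed_39": translate(fixed, "inside", "192.168.39.10", "DMZ"),   # identity: 192.168.39.10
        "fixed_out": translate(fixed, "inside", "192.168.39.10", "Outside"),  # still None
    }


if __name__ == "__main__":
    for name, mapped in demo().items():
        print(f"{name}: {mapped}")
```

The last entry is the caveat worth keeping in mind after the fix: the identity statics only cover inside-to-DMZ, so 192.168.39.0/24 still has no translation toward the Outside interface. That is consistent with the design in the thread (inside users reach the Internet through the DMZ proxy, and the proxy itself is covered by nat (DMZ) 1 with global (Outside) 1), but it means a .39 host will not reach the Internet directly. The clear_xlate helper mirrors the "did you clear xlate" question: a dynamic lease created under the old rules is reused until it is cleared, so a newly added rule may not appear to work until the xlate is gone.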
08-29-2006 05:11 AM
Hi,
Thank you very much, it's OK!!!!!!
08-29-2006 05:14 AM
Let me check whether Chinese is supported.