04-02-2007 03:35 AM - edited 03-11-2019 02:54 AM
Hello,
I test a pix with several configurations. I'm able to configure my Pix with inside and outside (no dmz).
Now I activate dmz, but I have a problem.
-I'm able to access everything from inside to outside
-I'm able to access everything from inside to dmz (with 192.168.3.2)
-I'm able to access everything from dmz to outside
-I'm able to access in http from outside to dmz (with 192.168.1.241)
-I'm able to access port 1433 and vpn (pptp+gre) from outside to inside (with 192.168.1.242)
But I'm not able to access port 1433 from dmz to inside.
Here is the config with just the "I'm able to" things. I don't know how I can access port 1433 from outside to my SQL Server in inside.
Another thing: I can't use the IP of the outside interface (192.168.1.240) to access port 1433 and vpn. It's not really a problem, but I don't understand why.
And the last question: is the Cisco VPN client free to download? I'm not able to use an l2tp/ipsec vpn connection with the MS vpn client.
Thanks in advance to all.
PS: please be patient, I'm not completely stupid (I hope :o), just a beginner and I have some difficulties with English.
****************************************************
: Saved
:
PIX Version 7.2(2)14
!
hostname pix
domain-name test.com
enable password xxx
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.240 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 10
 ip address 192.168.3.1 255.255.255.0
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
access-list outside_access_in extended permit tcp any host 192.168.1.241 eq www
access-list outside_access_in extended permit tcp host 192.168.1.222 host 192.168.1.242 eq 1433
access-list outside_access_in extended permit tcp host 192.168.1.222 host 192.168.1.242 eq pptp
access-list outside_access_in extended permit gre host 192.168.1.222 host 192.168.1.242
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm522-58.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 192.168.1.241 192.168.3.2 netmask 255.255.255.255
static (inside,outside) 192.168.1.242 192.168.2.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.222 255.255.255.255 outside
http 192.168.2.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.2-192.168.2.254 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
04-02-2007 04:14 AM
Hi
If you want to access an inside server from the DMZ you are missing a static statement, i.e.
you have
"static (inside,outside) 192.168.1.242 192.168.2.2 netmask 255.255.255.255"
You need a static for the inside to the DMZ,
i.e. static (inside,DMZ) 192.168.1.242 192.168.1.242 netmask 255.255.255.255
You will also need an access-list to allow the traffic to come from the DMZ to your inside server.
HTH
Jon
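A worked version of that answer for the posted config (added example, not Jon's or the OP's own lines), assuming the SQL Server is the inside host 192.168.2.2 from the existing static and that the DMZ web host 192.168.3.2 is the only client that needs port 1433:

```cisco
! Identity static: present the SQL server's real inside address unchanged on
! the dmz interface. With nat-control on, this is the translation the PIX
! requires before a lower-security (dmz) host may reach a higher-security
! (inside) host.
static (inside,dmz) 192.168.2.2 192.168.2.2 netmask 255.255.255.255
!
! Inbound policy on the dmz interface. Once an access-group is applied, only
! what is listed is permitted, so the DMZ's existing Internet access must be
! re-allowed explicitly; the inside network stays blocked except for the one
! SQL flow from the one DMZ host that needs it.
access-list dmz_access_in extended permit tcp host 192.168.3.2 host 192.168.2.2 eq 1433
access-list dmz_access_in extended deny ip any 192.168.2.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz
!
! Existing translation entries are not rebuilt until cleared.
clear xlate
```

Check it with "show xlate" (the 192.168.2.2 static should be listed on dmz) and "show access-list dmz_access_in" (the hit count on the 1433 line should climb when the DMZ host connects).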
04-03-2007 12:40 AM
Hello,
I've tried something like your example and that works.
Thank you.
JLE