Cisco Support Community
New Member

Help with DMZ

I'm currently using a PIX 515 and would like to set up a DMZ so I can put my PlayStation and mail/web servers in it. I have a fiber connection with only 1 public IP address.

What would be the best and easiest way to set up a DMZ and put my PS3 and other servers in the DMZ so that they will be open on all ports and I won't have to worry about games being blocked, etc., on the PS3?

4 REPLIES
Cisco Employee

Re: Help with DMZ

What we need to understand here is whether the web servers need to be accessed from the Internet, and on which ports.

Since you have only one IP, you will have to do port forwarding to these IPs, and to do that you must make sure that you do not have any servers on the inside that already have a port-forwarding rule.

Some clarity on the topology will help us understand better.

New Member

Re: Help with DMZ

Yes, to handle the port issues, I'm using Apache as a reverse proxy. In the PIX I'm adding a static route for the ports. I just wanted to set up the DMZ so I can put the PS3 and web servers in it. The PS3 is killing me, as I like to get on the PlayStation Network to kill time in between tasks, etc.

Cisco Employee

Re: Help with DMZ

So what kind of NAT do you have on your ASA, and where is this Apache server?

Could you please attach your config, masking the public IPs?

And what kind of access do you need for the PlayStations, and where is the connection going to be initiated from?

New Member

Re: Help with DMZ

ZELLA-PIX-01# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ** encrypted
passwd **  encrypted
hostname ZELLA-PIX-01
domain-name zellatech.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 66.186.*.* pix_outside
name 192.168.1.1 pix_inside
access-list ping_acl permit ip any any
access-list outbound permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq 3260
access-list outbound permit udp 192.168.1.0 255.255.255.0 any eq 3260
access-list outbound permit tcp any interface inside eq 3260
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq 995
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq 465
access-list outbound permit udp 192.168.1.0 255.255.255.0 any eq syslog
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq 1468
access-list outbound permit udp 192.168.1.0 255.255.255.0 any eq isakmp
access-list outbound permit udp 192.168.1.0 255.255.255.0 any eq 4500
access-list outbound permit udp 192.168.1.0 255.255.255.0 any eq 10000
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq 8000
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq 9000
access-list outside_access_in permit tcp any interface outside eq ftp
access-list ouside_access_in permit udp any any eq 3658
pager lines 24
logging on
logging timestamp
logging console debugging
logging monitor debugging
logging buffered warnings
logging trap errors
logging facility 6
logging host inside 192.168.1.10 17/1026
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside pix_outside 255.255.255.252
ip address inside pix_inside 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface ftp 192.168.1.250 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh 192.168.1.177 ssh netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3658 192.168.1.56 3658 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group outbound in interface inside
outbound  10 permit 0.0.0.0 0.0.0.0 0 ip
outbound  11 permit 0.0.0.0 0.0.0.0 80 tcp
outbound  11 permit 0.0.0.0 0.0.0.0 443 tcp
outbound  11 permit 0.0.0.0 0.0.0.0 8000 tcp
outbound  11 permit 0.0.0.0 0.0.0.0 9000 tcp
outbound  12 permit 0.0.0.0 0.0.0.0 62255 tcp
outbound  12 permit 0.0.0.0 0.0.0.0 62251 tcp
outbound  12 permit 0.0.0.0 0.0.0.0 3658 udp
route outside 0.0.0.0 0.0.0.0 66.186.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:86b3a0093619cbf84292f4ea2bd38190
: end
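The thread never gets to the DMZ itself, so here is an added example of what the configuration above would need on PIX 6.3 to use the unused third port (ethernet2, currently `intf2 security4` and shut down) as a DMZ behind the single public address. This is editor-written example config, not from the original poster or from Cisco; the DMZ subnet 192.168.2.0/24, the host addresses in it, and the choice of ports to publish are assumptions. With interface PAT on one public IP, each public port can be redirected to exactly one host and the ports the PIX uses itself stay with the PIX, so "open on all ports" for the PS3 is not achievable this way; you forward the specific ports you need. Also note that the posted config binds `outside_access_in` to the outside interface, but the UDP 3658 entry was written to `ouside_access_in` (typo), so that permit never took effect.

```cisco
: Added example config (not from the thread). PIX 6.3 syntax; lines beginning
: with ":" are comments. Assumed: DMZ is 192.168.2.0/24 on ethernet2, web server
: 192.168.2.10, mail server 192.168.2.11, PS3 192.168.2.20.
:
: 1. Bring up ethernet2 as "dmz" with a security level between inside (100)
:    and outside (0). Re-issuing the interface line without "shutdown" enables it.
interface ethernet2 100full
nameif ethernet2 dmz security50
ip address dmz 192.168.2.1 255.255.255.0
mtu dmz 1500
:
: 2. DMZ hosts reach the Internet through the PAT pool that already exists in
:    the posted config (global (outside) 1 interface).
nat (dmz) 1 192.168.2.0 255.255.255.0 0 0
:
: 3. Inside -> DMZ is higher-to-lower security and also needs a translation;
:    an identity static keeps inside addresses unchanged toward the DMZ.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
:
: 4. One public address: a given port can be redirected to one host only.
:    The posted static for udp/3658 to 192.168.1.56 must be removed before the
:    same port is mapped to a DMZ host (the ftp and ssh statics are left alone).
no static (inside,outside) udp interface 3658 192.168.1.56 3658 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface www 192.168.2.10 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface smtp 192.168.2.11 smtp netmask 255.255.255.255 0 0
static (dmz,outside) udp interface 3658 192.168.2.20 3658 netmask 255.255.255.255 0 0
:
: 5. Permit only the published ports inbound. These go in outside_access_in,
:    the ACL that is actually bound by "access-group ... in interface outside".
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit udp any interface outside eq 3658
access-group outside_access_in in interface outside
:
: 6. The point of a DMZ: a compromised DMZ host must not reach the inside LAN.
:    Deny DMZ -> inside, then allow everything else (i.e. DMZ -> Internet).
access-list dmz_access_in deny ip any 192.168.1.0 255.255.255.0
access-list dmz_access_in permit ip any any
access-group dmz_access_in in interface dmz
```

Because `outside_access_in` is a default-deny list bound to the outside interface, anything not listed (the ssh static, for example, which has a translation but no matching permit in the posted ACL) is still dropped until a permit line is added for it. Two things visible in the posted config are unrelated to the DMZ but worth fixing at the same time: `snmp-server community public` is the well-known default read community and should be changed or removed, and `logging console debugging` on a 515 will hurt performance under load.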
