Cisco Support Community
New Member

PIX 515 with DMZ probs

I'm trying to setup an SSL VPN box within a DMZ using a PIX 515.

Basically I've setup the SSL box with a DMZ IP and NAT'd this to an external IP. I've put the following ACLs in:

access-list INCOMING permit tcp any object-group SSL_BOX object-group WEB_BROWSING_PORTS

access-list DMZ permit tcp host 172.17.1.100 object-group INTRANET_SERVERS eq www

access-list DMZ permit tcp host 172.17.1.100 object-group DOMAIN_CTRLRS object-group DC_PORTS

access-list DMZ permit tcp host 172.17.1.100 object-group CITRIX_SERVERS object-group CITRIX_PORTS

access-list DMZ deny ip any any

However, I can get to the SSL box externally, but it's not passing from there to the internal LAN.

I've done a show ACL DMZ, but the hit count on all entries is 0. Is there a way I can troubleshoot this to see where it's getting held up? I've tried viewing on a SYSLOG server with a DEBUG ACL but it's not helping much.

Any help much appreciated.

4 REPLIES
Hall of Fame Super Blue

Re: PIX 515 with DMZ probs

Hi

Quick check. Do you have static translations for the internal servers to the DMZ, e.g. if one of your DCs was 192.168.5.10:

static (inside,DMZ) 192.168.5.10 192.168.5.10 netmask 255.255.255.255

If so, could you post your config?

What version of PIX software are you running?

Jon

New Member

Re: PIX 515 with DMZ probs

Thanks Jon, PIX s/w is ver 6.3(4).

I was kind of thinking along the lines of what you were saying here. I have a:

static (outside,DMZ) 172.17.1.100 194.x.x.x netmask 255.255.255.255

but all the internal servers are on 10 addresses. I presume that I need some kind of translations for the Netilla box (172.17.1.100) to be able to see them internally?

Andrew

Hall of Fame Super Blue

Re: PIX 515 with DMZ probs

Andrew

What is the static (outside,DMZ) 172.17.1.100 194.x.x.x netmask 255.255.255.255 meant to do?

If you are presenting your Netilla box to the outside as 194.x.x.x, your statement should be

static (DMZ,outside) 194.x.x.x 172.17.1.100 netmask 255.255.255.255

As for your internal servers, yes, you need to present them to the DMZ, i.e.

static (inside,DMZ) "internal 10.x.x.x server address" "internal 10.x.x.x server address" netmask 255.255.255.255

HTH

Jon
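The following is an added configuration example, not Jon's or Andrew's config, showing how the two kinds of statics Jon describes fit together with the DMZ ACL on PIX 6.3. The interface names and security levels, the 10.0.0.0/24 server addresses and the object-group contents are assumptions for the example; 172.17.1.100 and 194.x.x.x are the addresses from the thread.

```cisco
! Added example (not from the thread): PIX 6.3 statics and ACLs for an SSL VPN
! host in the DMZ that must reach internal servers. The 10.0.0.x hosts,
! interface names and object-group contents are assumed for illustration.
!
! Interface security levels (assumed): outside 0, DMZ 50, inside 100
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
!
! 1. Present the DMZ host to the outside under its public address.
!    Syntax is: static (real_ifc,mapped_ifc) mapped_ip real_ip
static (DMZ,outside) 194.x.x.x 172.17.1.100 netmask 255.255.255.255
!
! 2. Present each internal server to the DMZ unchanged (identity static).
!    Without a translation, DMZ-to-inside packets are dropped before they
!    are matched against the DMZ ACL, which leaves its hit counts at 0.
static (inside,DMZ) 10.0.0.10 10.0.0.10 netmask 255.255.255.255
static (inside,DMZ) 10.0.0.20 10.0.0.20 netmask 255.255.255.255
!
! 3. Object groups (membership assumed for the example).
object-group network INTRANET_SERVERS
 network-object host 10.0.0.10
object-group network DOMAIN_CTRLRS
 network-object host 10.0.0.20
object-group service DC_PORTS tcp
 port-object eq ldap
 port-object eq 88
 port-object eq 445
object-group service WEB_BROWSING_PORTS tcp
 port-object eq www
 port-object eq https
!
! 4. Outside ACL: on PIX 6.3 the destination is the mapped (public) address,
!    not the DMZ address of the host.
access-list INCOMING permit tcp any host 194.x.x.x object-group WEB_BROWSING_PORTS
access-group INCOMING in interface outside
!
! 5. DMZ ACL: only the DMZ host, only the servers and ports it needs.
access-list DMZ permit tcp host 172.17.1.100 object-group INTRANET_SERVERS eq www
access-list DMZ permit tcp host 172.17.1.100 object-group DOMAIN_CTRLRS object-group DC_PORTS
access-list DMZ deny ip any any
access-group DMZ in interface DMZ
!
! 6. Checks to run from the PIX (syslog host address is a placeholder):
!    show xlate                    -> confirms the translations above exist
!    show access-list DMZ          -> hitcnt should now increment per line
!    logging on
!    logging trap debugging
!    logging host inside <syslog_ip>
!    A %PIX-3-305005 "No translation group found" message for DMZ->inside
!    traffic means the matching static (inside,DMZ) line is still missing.
```

Two things worth keeping in mind when reusing this: the outside ACL and the DMZ ACL are evaluated against different address views (mapped on the outside, real on the DMZ), so a destination that is correct in one is wrong in the other; and the DMZ ACL in the thread is TCP-only, so any UDP the DMZ host needs towards the domain controllers (DNS, Kerberos) will need its own permit lines, which the `deny ip any any` will otherwise catch.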

New Member

Re: PIX 515 with DMZ probs

Jon,

Typing error, did it from memory rather than cut and paste (it's been a heavy weekend!!) - will try what you said. That sounds like it should sort it.

Andrew
