Cisco Support Community
New Member

PIX 8.04 515E three interface DMZ newbie trouble config attached

Sorry for the newbie question but I'm just not sure what I need to do here. I have a PIX 515E running 8.04. I have an inside network 192.168.1.0/24 and a network on the DMZ 192.168.100.0/30. The inside is security level 100; DMZ is 10 and the outside is 0. I can NAT out to the world from the inside and the DMZ, and my inside can access resources on the DMZ. What I'm having trouble with is DMZ TCP 80 traffic getting to the server on the DMZ. My web server cannot be accessed from the outside. I attach a copy of the config for review. I have an idea it has something to do with the implicit rules but not sure what. Thanks in advance.

9 REPLIES
New Member

Re: PIX 8.04 515E three interface DMZ newbie trouble config atta

I am not sure this will work, but AFAIK it should.

Try adding the traffic to the webserver to NAT 0.

Let me know if it worked!

New Member

Re: PIX 8.04 515E three interface DMZ newbie trouble config atta

Thanks for your response. Can you explain? Can you detail from the cfg what you think looks wrong? Again, thanks.

New Member

Re: PIX 8.04 515E three interface DMZ newbie trouble config atta

Can you post the output of sh logg as I am not sure about the translation you are doing there.

Sorry I did not see that static previously.

At a first look it should work with the config you have, but please do a sh logg when you try a telnet from outside to the webserver.

Thanks,

Vlad

New Member

Re: PIX 8.04 515E three interface DMZ newbie trouble config atta

Sorry, here is the config...

New Member

Re: PIX 8.04 515E three interface DMZ newbie trouble config atta

You don't really need the global (dmz) statement, and you need an access-list for the dmz that will allow web traffic in from the outside - without one you have an implicit 'deny-all' rule on the dmz interface for anything except traffic coming from the inside interface (traffic is always permitted from a higher security interface to a lower security interface unless specifically excluded). Make another acl, say, acl_dmz, and allow the same traffic that you're allowing on your outside interface:

access-list acl_dmz extended permit tcp any host webserver eq 80

access-group acl_dmz in interface dmz

HTH, Paul

New Member

Re: PIX 8.04 515E three interface DMZ newbie trouble config atta

That's why I asked for the logging.

I was curious about the translation group for that DMZ.

Vlad

New Member

Re: PIX 8.04 515E three interface DMZ newbie trouble config atta

Hi,

Sorry to jump in the middle, but I doubt the following conf.

access-list acl_out extended permit tcp any host webserver eq www

access-group acl_out in interface outside

Instead of 'webserver', is it the outside IP address that should be mentioned??? Because

names

name 192.168.100.2 webserver

It is a private IP address in the names list. Moreover, we can specifically direct the traffic to port 80:

static (dmz,outside) tcp interface 80 webserver 80 netmask 255.255.255.255

Regards

Jithesh

New Member

Re: PIX 8.04 515E three interface DMZ newbie trouble config atta

Jithesh,

you're right!

The public ip should be mentioned there!

Regards,

Vlad

New Member

Re: PIX 8.04 515E three interface DMZ newbie trouble config atta

Shawn,

Did you try what Jithesh says?

Allowing the public IP of the web server in the outside ACL?

Regards,

Vlad
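To tie the thread together, here is a complete PIX 8.0(4) (pre-8.3 NAT syntax) configuration that implements what Jithesh and Paul describe: a static PAT mapping only TCP/80 on the outside interface address to the DMZ web server, an outside ACL that references the mapped (public) address rather than the private name, and a least-privilege ACL on the dmz interface. This is an added example, not the original poster's attached config or Cisco sample code. Interface names, the 203.0.113.0/24 and 198.51.100.7 addresses (documentation ranges standing in for the real public IPs), and the ACL names are assumptions chosen to mirror the thread.

```cisco
! Added example; mirrors the thread's layout: inside 192.168.1.0/24 (level 100),
! dmz 192.168.100.0/30 (level 10), outside (level 0).
! 203.0.113.10 is an assumed public address for the outside interface.
names
name 192.168.100.2 webserver

interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet2
 nameif dmz
 security-level 10
 ip address 192.168.100.1 255.255.255.252

! Outbound PAT for inside and dmz hosts through the outside interface address.
! A separate global (dmz) is not needed for this scenario.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 192.168.100.0 255.255.255.252

! Static PAT: only TCP/80 on the outside address is translated to the web server;
! no other port on the server is exposed (Jithesh's line from the thread).
static (dmz,outside) tcp interface 80 webserver 80 netmask 255.255.255.255

! Inbound ACL on the outside interface. On pre-8.3 code the ACL matches the
! MAPPED (public) address, so it references the outside interface address,
! not the private host name 'webserver'. 'log' sends a syslog per hit.
access-list acl_out extended permit tcp any interface outside eq www log
access-group acl_out in interface outside

! Least-privilege egress for the DMZ: the web server may reach the Internet,
! but a compromised server may not open connections into the inside network.
access-list acl_dmz extended deny ip any 192.168.1.0 255.255.255.0 log
access-list acl_dmz extended permit ip any any
access-group acl_dmz in interface dmz

! Make 'sh logg' useful: buffer informational syslogs (ACL denies are 106023).
logging enable
logging buffered informational

! Verification from enable mode, with an assumed client 198.51.100.7:40000:
!   packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 80
!   show xlate
!   show logging | include 106023
```

packet-tracer walks the same ACL, NAT and route lookups a real packet would and reports the phase that drops it, which answers the "is it the ACL or the translation?" question Vlad was asking the logs for. show xlate should list the static PAT entry 203.0.113.10/80 to 192.168.100.2/80 whether or not a client has connected; if it is missing, the static line is the problem, not the ACL.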
