Access to the PDM

I cannot access the PDM anymore. It was working until yesterday. I was repeatedly prompted for a password; I checked & reset the PIX clock to the correct GMT as per the troubleshooting guide (it had lost 8 hours). I still cannot bring up the pdm. Here's some of our configuration:

Cisco PIX Firewall Version 6.1(4)
Cisco PIX Device Manager Version 1.1(2)
Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 000c.85ba.a18b, irq 10
1: ethernet1: address is 000c.85ba.a18c, irq 11
2: ethernet2: address is 0002.b3ca.9e6a, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 3
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
ISAKMP peers: Unlimited
Serial Number: 807141699 (0x301c0143)
http server enabled

Thanks in advance.


ovieira
Level 1

Hi!

With that configuration you can't do anything with the PIX :))

Please give us more details (configuration).

Can you ping the PIX? In what interface are you? Don't you have any ACL applied to that interface? Is the PIX clock up to date?

Regards.

I can ping the real address of the pix, and access the web server inside the DMZ from an outside box using the static address for the DMZ, from the inside using the address assigned to the inside interface, and from one DMZ box to another. I can run a TTY session and log in to the PIX. The clock is using the correct time (4 hours greater than EST, which is right since we're still under daylight savings); I just can't launch a PDM session. Here's all of my configuration, copied & pasted from a write terminal command:

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxencrypted
passwd xxxxencrypted
hostname DWRpix
domain-name ehnr.state.nc.us
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name x.x.114.19 Lee
access-list into_outside permit tcp any host 149.168.114.99 eq www
access-list into_outside permit tcp any host 149.168.114.99 eq ftp
access-list into_outside permit tcp host 149.168.114.92 host 149.168.114.99 eq 10945
access-list into_outside permit tcp host Lee host 149.168.114.99 eq 10945
access-list into_outside permit tcp host 149.168.114.92 host 10.1.114.65 eq 10000
access-list into_outside permit tcp host 149.168.114.52 any eq 6101
access-list no_nat_inside permit ip x.x.x.0 255.255.255.0 10.1.114.0 255.255.255.0
access-list no_nat_dmz permit ip x.x.x.0 255.255.255.0 10.2.114.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.2 255.255.255.0
ip address inside 10.2.114.1 255.255.255.0
ip address dmz 10.1.114.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.2.114.90 255.255.255.255 inside
pdm location 10.2.114.91 255.255.255.255 inside
pdm location 10.2.114.92 255.255.255.255 inside
pdm location 10.2.114.93 255.255.255.255 inside
pdm location 10.2.114.94 255.255.255.255 inside
pdm location 10.2.114.95 255.255.255.255 inside
pdm location 10.1.114.60 255.255.255.255 dmz
pdm location x.x.x.96 255.255.255.224 outside
pdm location x.x.x.92 255.255.255.255 outside
pdm location Lee 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.114.100-149.168.114.198
global (outside) 1 x.x.114.199
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 10.2.114.0 255.255.255.0 0 0
nat (dmz) 0 access-list no_nat_dmz
static (dmz,outside) x.x.x.99 10.1.114.60 netmask 255.255.255.255 0 0
access-group into_outside in interface outside
route outside 0.0.0.0 0.0.0.0 149.168.114.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.2.114.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh x.x.x.92 255.255.255.255 outside
ssh x.x.x.96 255.255.255.224 outside
ssh x.x.x.0 255.255.255.0 outside
ssh 10.2.114.90 255.255.255.255 inside
ssh 10.2.114.91 255.255.255.255 inside
ssh 10.2.114.92 255.255.255.255 inside
ssh 10.2.114.93 255.255.255.255 inside
ssh 10.2.114.94 255.255.255.255 inside
ssh 10.2.114.95 255.255.255.255 inside
ssh timeout 5
dhcpd address 10.2.114.100-10.2.114.199 inside
dhcpd dns 149.168.11.11 192.101.21.1
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxx
: end
[OK]

I didn't want to include all of this info in a clear text message, but there it is. Do I need to install a newer version of PDM, or just tweak the acl for the inside interface?

thanks.

Hi Charles,

1st, is the config you posted above the actual config from the PIX? If so, you have left your network open to abuse. I hope that the above config is not the real config of your PIX.

2nd, what happens if you use a static (reserved) IP for your inside PDM access, i.e.

> http server enable

> http 255.255.255.255 inside

save with command: write memory

and open up IE on the inside client with the above IP address, using https://

Hope this helps and let me know how you get on - Thanks.

Still not working - I even issued a clear http, enable http, specified an internal static address with the netmask of all 255's, saved it to memory, and then tried to access the PDM, to no avail.

I had the same problem, one day it worked fine, the other day it didn't. Till I cleared the cache (temp files) in MS Internet Explorer, then it worked again.

Still, I don't know if it's a known problem.

Regards

Aad

Could you elaborate on how the network is open to abuse? What lines are incorrect, and how would you fix them?

Thanks,

Scott
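Both the original PDM-access question and Scott's question about which lines expose the network come down to reading the management-access statements in the posted PIX 6.x config. The script below is an added example written for this thread, not code from any of the posters or from Cisco. It parses the http, ssh and snmp-server community statements from a constructed, trimmed copy of the config (the 192.0.2.0/24 network stands in for the masked x.x.x.0 outside network), answers whether an HTTPS/PDM session from a given client on a given interface is permitted by the http statements, and flags two settings visible in the posted config that a reviewer would raise: the well-known default SNMP community string and management access permitted on the outside interface. The function names and the sample config are my own assumptions.

```python
import ipaddress
import re

# Constructed sample: a trimmed version of the PIX 6.1(4) config posted in the
# thread, embedded inline so this runs offline. 192.0.2.0/24 replaces the masked
# x.x.x.0 outside network from the post.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
pdm location 10.2.114.90 255.255.255.255 inside
http server enable
http 10.2.114.0 255.255.255.0 inside
snmp-server community public
telnet timeout 5
ssh 10.2.114.90 255.255.255.255 inside
ssh 192.0.2.0 255.255.255.0 outside
ssh timeout 5
"""

# "http <ip> <mask> <iface>" / "ssh <ip> <mask> <iface>"; the two-token forms
# ("http server enable", "ssh timeout 5") do not have three operands and fall through.
HTTP_RULE = re.compile(r"^http\s+(\S+)\s+(\S+)\s+(\S+)$")
SSH_RULE = re.compile(r"^ssh\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_config(text):
    """Collect the management-access statements from a PIX 6.x running config.

    Note that 'pdm location' lines are topology hints for the PDM GUI and grant
    no access; what admits an HTTPS/PDM client is 'http server enable' plus an
    'http <net> <mask> <iface>' statement covering the client.
    """
    cfg = {"http_server": False, "http": [], "ssh": [], "snmp_communities": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "http server enable":
            cfg["http_server"] = True
            continue
        if line.startswith("snmp-server community "):
            cfg["snmp_communities"].append(line.split()[2])
            continue
        for key, rule in (("http", HTTP_RULE), ("ssh", SSH_RULE)):
            m = rule.match(line)
            if not m:
                continue
            try:
                # ipaddress accepts a dotted netmask after the slash.
                net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            except ValueError:
                # Masked placeholders such as x.x.x.92 or a 'name' alias like Lee
                # cannot be evaluated; skip them rather than crash.
                continue
            cfg[key].append((net, m.group(3)))
    return cfg


def pdm_allowed(cfg, client_ip, interface):
    """True if an HTTPS/PDM session from client_ip arriving on interface is permitted."""
    if not cfg["http_server"]:
        return False
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net and iface == interface for net, iface in cfg["http"])


def audit(cfg):
    """Return plain-language findings a reviewer would raise about management access."""
    findings = []
    if "public" in cfg["snmp_communities"]:
        findings.append("snmp-server community 'public' is a well-known default community string")
    for net, iface in cfg["http"] + cfg["ssh"]:
        if iface == "outside":
            findings.append(f"management access (http/ssh) permitted from {net} on the outside interface")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for host in ("10.2.114.90", "10.2.114.200", "10.1.114.60"):
        print(host, "inside ->", pdm_allowed(cfg, host, "inside"))
    for f in audit(cfg):
        print("FINDING:", f)
```

Run against the thread's own config, the line http 10.2.114.0 255.255.255.0 inside already covers every 10.2.114.x workstation, so the http statement is not what blocks the 10.2.114.90-95 hosts; that is consistent with Aad's report that clearing the browser cache resolved the same symptom. The audit findings correspond to the snmp-server community public line and the ssh statements on the outside interface in the posted config; tightening them means a non-default community (or no SNMP at all) and restricting ssh to specific management hosts on the inside.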
