Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Accessing www from computers on dmz

I just installed the third ethernet port for a dmz on our PIX 515 (6.2). That install went fine and I have put a web server on the dmz. I want to access the web from the dmz to get fixes but any system on the dmz will not access the web. I thought it is configured correctly with 'nat (dmz) 1 172.x.x.0 255.255.255.0 0 0'. The global (outside) command is set for all inside users to access the web, but the dmz cannot access the web. What am I missing?

Thanks for your help.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Accessing www from computers on dmz

Hi,

just to make sure:

- is the default gateway of the web server pointing to the ip address of the dmz interface of the firewall?

-is DNS correctly configured on the web server?

Kind Regards,

Tom

9 REPLIES

Re: Accessing www from computers on dmz

Hi,

could you check the following things:

- the line speed on the dmz interface, make sure the interface is not in shutdown mode (done with the 'interface' command).

- can you ping the dmz interface from the dmz servers?

- are the servers in the dmz in the 172.x.x.0 address range?

- is the 'global' command starting with: global (outside) 1 .....

Kind Regards,

Tom

Re: Accessing www from computers on dmz

I accomplished this by specyfying the default gateway on my servers as the private IP address of the DMZ interface

New Member

Re: Accessing www from computers on dmz

"interface ethernet2 "dmz" is up, line protocol is up"

Yes, I can ping the dmz interface from the web server on the dmz

the addresses are 172.31.253.250 for the server and 172.31.253.1 for the interface

global (outside) 1 208.xxx.xxx.200-208.xxx.xxx.204 netmask 255.255.255.240

global (outside) 1 208.xxx.xxx.205 netmask 255.255.255.240

global (dmz) 1 172.31.253.10-172.31.253.50 netmask 255.255.255.0

Here are your requests, thanks for looking at it.

Re: Accessing www from computers on dmz

Hi,

there should only be one 'global (outside) 1' command in place.

Could you try removing the first or the second 'global' command?

Kind Regards,

Tom

New Member

Re: Accessing www from computers on dmz

My understanding was that the second global (outside) command was for a pat translation for overflow. I removed the third one, but still no www.

Re: Accessing www from computers on dmz

Hi,

sorry, my mistake, the second line is indeed for pat.

Is it possible to post the config or part of it? (!!replace public addresses and passwords!!)

Kind Regards,

Tom

New Member

Re: Accessing www from computers on dmz

Here you go. I took out some pdm location and fixup statements and some others. If they are necessary, let me know and I'll paste them in.

Thanks for your time.

names

name 172.31.253.250 web

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 208.x.x.x 255.255.255.240

ip address inside 192.168.x.x 255.255.255.0

ip address dmz 172.31.x.x 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface dmz

ip audit info action alarm

ip audit attack action alarm

arp timeout 14400

global (outside) 1 208.x.x.x-208.x.x.x netmask 255.255.255.240

global (outside) 1 208.x.x.x netmask 255.255.255.240

global (dmz) 1 172.31.253.10-172.x.253.x netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 172.31.253.0 255.255.255.0 0 0

static (inside,outside) 208.x.x.x 192.168.x.x netmask 255.255.255.255 0 0

static (inside,outside) 208.x.x.x x.x.x.x netmask 255.255.255.255 0 0

static (dmz,outside) 208.x.x.x web netmask 255.255.255.255 0 0

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0

conduit permit tcp host 208.x.x.x eq smtp any

conduit permit tcp host 208.x.x.x eq pop3 any

conduit permit tcp host 208.x.x.x eq lotusnotes any

conduit permit tcp host 208.x.x.y eq www any

conduit permit tcp host 208.x.x.z eq www any

conduit permit tcp host 208.x.x.x eq www any

conduit permit icmp any any

conduit permit tcp host 192.168.x.x eq 3351 host web

conduit permit tcp host 192.168.x.x eq 1583 host web

route outside 0.0.0.0 0.0.0.0 208.x.x.x 1

route inside 192.168.0.0 255.255.0.0 192.168.1.1 1

route inside 200.0.0.0 255.0.0.0 192.168.1.1 1

Re: Accessing www from computers on dmz

Hi,

just to make sure:

- is the default gateway of the web server pointing to the ip address of the dmz interface of the firewall?

-is DNS correctly configured on the web server?

Kind Regards,

Tom

New Member

Re: Accessing www from computers on dmz

is the default gateway of the web server pointing to the ip address of the dmz interface of the firewall? - Yes

is DNS correctly configured on the web server?

No they were not. I had to call our Internet provider for the addresses. I plugged in the addresses and it worked.

Thanks for your direction and help, much appreciated.

Gary

117
Views
5
Helpful
9
Replies
CreatePlease to create content