I just installed the third ethernet port for a dmz on our PIX 515 (6.2). That install went fine and I have put a web server on the dmz. I want to access the web from the dmz to get fixes but any system on the dmz will not access the web. I thought it is configured correctly with 'nat (dmz) 1 172.x.x.0 255.255.255.0 0 0'. The global (outside) command is set for all inside users to access the web, but the dmz cannot access the web. What am I missing?
Thanks for your help.
could you check the following things:
- the line speed on the dmz interface, make sure the interface is not in shutdown mode (done with the 'interface' command).
- can you ping the dmz interface from the dmz servers?
- are the servers in the dmz in the 172.x.x.0 address range?
- is the 'global' command starting with: global (outside) 1 .....
"interface ethernet2 "dmz" is up, line protocol is up"
Yes, I can ping the dmz interface from the web server on the dmz.
The addresses are 172.31.253.250 for the server and 172.31.253.1 for the interface.
global (outside) 1 208.xxx.xxx.200-208.xxx.xxx.204 netmask 255.255.255.240
global (outside) 1 208.xxx.xxx.205 netmask 255.255.255.240
global (dmz) 1 172.31.253.10-172.31.253.50 netmask 255.255.255.0
Here are your requests, thanks for looking at it.
There should only be one 'global (outside) 1' command in place.
Could you try removing the first or the second 'global' command?
My understanding was that the second global (outside) command was for a PAT translation for overflow. I removed the third one, but still no www.
Sorry, my mistake, the second line is indeed for PAT.
Is it possible to post the config or part of it? (!!replace public addresses and passwords!!)
Here you go. I took out some pdm location and fixup statements and some others. If they are necessary, let me know and I'll paste them in.
Thanks for your time.
name 172.31.253.250 web
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 208.x.x.x 255.255.255.240
ip address inside 192.168.x.x 255.255.255.0
ip address dmz 172.31.x.x 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 208.x.x.x-208.x.x.x netmask 255.255.255.240
global (outside) 1 208.x.x.x netmask 255.255.255.240
global (dmz) 1 172.31.253.10-172.x.253.x netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 172.31.253.0 255.255.255.0 0 0
static (inside,outside) 208.x.x.x 192.168.x.x netmask 255.255.255.255 0 0
static (inside,outside) 208.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (dmz,outside) 208.x.x.x web netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
conduit permit tcp host 208.x.x.x eq smtp any
conduit permit tcp host 208.x.x.x eq pop3 any
conduit permit tcp host 208.x.x.x eq lotusnotes any
conduit permit tcp host 208.x.x.y eq www any
conduit permit tcp host 208.x.x.z eq www any
conduit permit tcp host 208.x.x.x eq www any
conduit permit icmp any any
conduit permit tcp host 192.168.x.x eq 3351 host web
conduit permit tcp host 192.168.x.x eq 1583 host web
route outside 0.0.0.0 0.0.0.0 208.x.x.x 1
route inside 192.168.0.0 255.255.0.0 192.168.1.1 1
route inside 184.108.40.206 255.0.0.0 192.168.1.1 1
is the default gateway of the web server pointing to the ip address of the dmz interface of the firewall? - Yes
is DNS correctly configured on the web server?
No, they were not. I had to call our Internet provider for the addresses. I plugged in the addresses and it worked.
Thanks for your direction and help, much appreciated.
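As an added example (not code from the thread), the following script walks the same checks the responder ran by hand: it parses the nat/global statements from a PIX 6.x config and reports whether a given DMZ host has a translation path out the outside interface, including the pool-plus-PAT-overflow layout discussed above. The config fragment is constructed from the thread with placeholder public addresses; the function name and output strings are this example's own.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed PIX 6.x config fragment modelled on the thread; public addresses are placeholders.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.1 255.255.255.240
ip address inside 192.168.1.254 255.255.255.0
ip address dmz 172.31.253.1 255.255.255.0
global (outside) 1 203.0.113.2-203.0.113.6 netmask 255.255.255.240
global (outside) 1 203.0.113.7 netmask 255.255.255.240
global (dmz) 1 172.31.253.10-172.31.253.50 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 172.31.253.0 255.255.255.0 0 0
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
# Only address/mask form is parsed; 'nat (x) 0 access-list ...' lines are ignored.
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")


def parse_translation(config):
    """Collect global pools as {(iface, id): [pool, ...]} and nat rules as (iface, id, network)."""
    pools, nats = {}, []
    for line in config.splitlines():
        if m := GLOBAL_RE.match(line):
            pools.setdefault((m[1], int(m[2])), []).append(m[3])
        elif m := NAT_RE.match(line):
            nats.append((m[1], int(m[2]), IPv4Network(f"{m[3]}/{m[4]}", strict=False)))
    return pools, nats


def outbound_findings(config, src_iface, host, egress="outside"):
    """Explain whether a host on src_iface gets a translation when leaving via egress."""
    pools, nats = parse_translation(config)
    host = IPv4Address(host)
    # PIX uses the first nat statement on the source interface whose network covers the host.
    match = next(((nid, net) for ifn, nid, net in nats if ifn == src_iface and host in net), None)
    if match is None:
        return [f"no 'nat ({src_iface})' statement covers {host}; traffic is dropped"]
    nid, net = match
    if nid == 0:
        return [f"{host} matches 'nat ({src_iface}) 0' and leaves {egress} untranslated"]
    egress_pools = pools.get((egress, nid), [])
    if not egress_pools:
        return [f"nat id {nid} on {src_iface} has no matching 'global ({egress}) {nid}' pool"]
    findings = [f"{host} (nat id {nid}, {net}) translates via global ({egress}): {', '.join(egress_pools)}"]
    # A range plus a single address under the same id is a dynamic pool with PAT overflow.
    if any("-" in p for p in egress_pools) and any("-" not in p for p in egress_pools):
        findings.append("dynamic NAT pool with PAT overflow address; translation config is consistent")
    return findings
```

When the findings report a consistent translation path, as they do for the thread's config, the remaining suspects lie outside the firewall's NAT configuration, such as the DNS servers configured on the DMZ host.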