05-12-2006 06:29 AM - edited 02-20-2020 09:36 PM
Hi, I'm trying to set up an ACL that permits certain traffic from a host in the DMZ to hosts on the inside. It will be a timesheets application server that needs to talk to a SQL DB, and also needs to communicate with our DCs to authenticate a service account that exists in Active Dir. My PIX log keeps telling me
106023: Deny udp src DMZ:192.168.32.4/3648 dst inside:10.4.0.47/389 by access-group "dmz_access_in"
but I can't see the problem with my config
access-list dmz_access_in; 15 elements
access-list dmz_access_in line 1 remark access from dmz hosts to Internet
access-list dmz_access_in line 2 permit udp any any eq domain (hitcnt=57)
access-list dmz_access_in line 3 permit tcp 192.168.32.0 255.255.255.0 any eq www (hitcnt=0)
access-list dmz_access_in line 4 permit tcp 192.168.32.0 255.255.255.0 any eq https (hitcnt=0)
access-list dmz_access_in line 5 permit tcp 192.168.32.0 255.255.255.0 any eq smtp (hitcnt=0)
access-list dmz_access_in line 6 permit tcp 192.168.32.0 255.255.255.0 any eq pop3 (hitcnt=0)
access-list dmz_access_in line 8 permit tcp 192.168.32.0 255.255.255.0 host 208.206.232.55 eq ftp (hitcnt=0)
access-list dmz_access_in line 9 permit esp 192.168.32.0 255.255.255.0 any (hitcnt=0)
access-list dmz_access_in line 10 permit udp 192.168.32.0 255.255.255.0 any eq isakmp (hitcnt=0)
access-list dmz_access_in line 11 permit udp 192.168.32.0 255.255.255.0 any eq 4500 (hitcnt=0)
access-list dmz_access_in line 12 remark access from timesheets to DCs
access-list dmz_access_in line 13 permit udp host 192.168.32.4 host 192.168.32.46 eq 389 (hitcnt=0)
access-list dmz_access_in line 14 permit udp host 192.168.32.4 host 192.168.32.47 eq 389 (hitcnt=0)
access-list dmz_access_in line 15 permit udp host 192.168.32.4 host 192.168.32.46 eq 88 (hitcnt=0)
access-list dmz_access_in line 16 permit udp host 192.168.32.4 host 192.168.32.47 eq 88 (hitcnt=0)
access-list dmz_access_in line 17 permit icmp any any (hitcnt=4)
HummPIX-515# sh run | include static
static (inside,DMZ) 192.168.32.46 10.4.0.46 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.32.47 10.4.0.47 netmask 255.255.255.255 0 0
HummPIX-515#
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
ip address outside 10.1.10.11 255.255.255.0
ip address inside 10.4.0.2 255.255.255.0
ip address DMZ 192.168.32.1 255.255.255.0
Thank you,
Bill
05-12-2006 06:51 AM
Hello Bill
Your configuration seems ok.
But your server on the DMZ, 192.168.32.4, is trying to contact your inside server with its actual IP, 10.4.0.47.
The problem is that with these lines:
static (inside,DMZ) 192.168.32.46 10.4.0.46 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.32.47 10.4.0.47 netmask 255.255.255.255 0 0
you are translating your inside hosts' IPs from 10.4.0.46/47 to 192.168.32.46/47,
meaning your servers on the inside network will appear on the DMZ with different addresses,
namely 192.168.32.46/47.
There are 2 solutions:
First solution: modify your PIX config.
You can change your statics to
static (inside,DMZ) 10.4.0.46 10.4.0.46 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.4.0.47 10.4.0.47 netmask 255.255.255.255 0 0
and the ACL to
access-list dmz_access_in line 13 permit udp host 192.168.32.4 host 10.4.0.46 eq 389
access-list dmz_access_in line 14 permit udp host 192.168.32.4 host 10.4.0.47 eq 389
access-list dmz_access_in line 15 permit udp host 192.168.32.4 host 10.4.0.46 eq 88
access-list dmz_access_in line 16 permit udp host 192.168.32.4 host 10.4.0.47 eq 88
Second solution: modify the application at server 192.168.32.4.
You will have to reconfigure the application on the timesheets server to contact your inside servers with the translated addresses 192.168.32.46/47.
Hope this helps ... rate if it helps!
Regards
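The mechanism behind this answer, as an added model that is not part of the thread or of PIX software: an inbound ACL on the DMZ interface is matched against the destination as it appears on the DMZ side (the mapped address of the static), and only then does the static untranslate it to the real inside host. The addresses and ACL lines are the ones posted above; the parsing helpers and the "fixed" variants are constructed for this illustration.

```python
# Constructed model (added here, not PIX code) of how a DMZ-inbound ACL interacts
# with static (inside,DMZ) translations. A packet is matched against the ACL by
# the address it carries on the DMZ; the static then maps that to the real host.
ORIGINAL_STATICS = """
static (inside,DMZ) 192.168.32.46 10.4.0.46 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.32.47 10.4.0.47 netmask 255.255.255.255 0 0
"""
ORIGINAL_ACL = """
access-list dmz_access_in line 13 permit udp host 192.168.32.4 host 192.168.32.46 eq 389
access-list dmz_access_in line 14 permit udp host 192.168.32.4 host 192.168.32.47 eq 389
access-list dmz_access_in line 15 permit udp host 192.168.32.4 host 192.168.32.46 eq 88
access-list dmz_access_in line 16 permit udp host 192.168.32.4 host 192.168.32.47 eq 88
"""
# The answer's first solution: identity statics plus an ACL on the real addresses.
FIXED_STATICS = ORIGINAL_STATICS.replace("192.168.32.4", "10.4.0.4")
FIXED_ACL = ORIGINAL_ACL.replace("host 192.168.32.46", "host 10.4.0.46").replace(
    "host 192.168.32.47", "host 10.4.0.47")

def parse_acl(text):
    """Parse 'permit <proto> host SRC host DST eq PORT' lines into tuples."""
    rules = []
    for line in text.split("\n"):
        f = line.split()
        if f:  # fields: ... 4=permit 5=proto 7=src 9=dst 11=port
            rules.append((f[5], f[7], f[9], int(f[11])))
    return rules

def parse_statics(text):
    """Map 'static (inside,DMZ) MAPPED REAL ...' lines to {mapped: real}."""
    return {f[2]: f[3] for f in (l.split() for l in text.split("\n")) if f}

def evaluate(acl, statics, proto, src, dst, dport):
    """Return ('permit', real_dst) or ('deny', reason) for a DMZ-inbound packet."""
    for r_proto, r_src, r_dst, r_port in acl:
        if (r_proto, r_src, r_dst, r_port) == (proto, src, dst, dport):
            if dst not in statics:  # permitted, but nothing untranslates it
                return ("deny", "no static (inside,DMZ) for %s" % dst)
            return ("permit", statics[dst])
    # Mirrors the 106023 message from Bill's log.
    return ("deny", 'Deny %s src DMZ:%s dst inside:%s/%d by access-group "dmz_access_in"'
            % (proto, src, dst, dport))

if __name__ == "__main__":
    for label, st, acl in (("original", ORIGINAL_STATICS, ORIGINAL_ACL),
                           ("fixed", FIXED_STATICS, FIXED_ACL)):
        print(label, evaluate(parse_acl(acl), parse_statics(st),
                              "udp", "192.168.32.4", "10.4.0.47", 389))
```

Running it shows the original config denying LDAP to 10.4.0.47 while permitting it to the mapped 192.168.32.47 (the second solution), and the fixed config permitting the real address directly.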
05-12-2006 10:27 AM
awesome, it's working. Just needed a few finishing touches with DNS to the DCs, but everything is working. Thank you very much.