08-28-2003 04:19 AM - edited 02-20-2020 10:57 PM
I have a PIX 515 with a UR licence. Currently my mail and www servers are outside my PIX. I installed a DMZ interface and put both of them on the DMZ, but it is not working. I am following the standard method. Can you please check what could be the possible problem in the configuration (DNS IS ON THE ISP SIDE. COULD THIS BE THE PROBLEM?). I have opened all the ports but it is still not working. Configuration:
pixfirewall# sh ver
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)
Compiled on Fri 07-Jun-02 17:49 by morlee
pixfirewall up 7 mins 55 secs
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5
0: ethernet0: address is 000a.b79e.5449, irq 10
1: ethernet1: address is 000a.b79e.544a, irq 11
2: ethernet2: address is 0003.47ac.5c73, irq 5
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
Serial Number: 806342412 (0x300fcf0c)
Running Activation Key: 0xee400caf 0xd29872dd 0x03c643ab 0x43f86be7
Configuration last modified by enable_15 at 14:49:30.456 UTC Thu Aug 28 2003
pixfirewall# sh config
: Saved
: Written by enable_15 at 14:40:28.625 UTC Thu Aug 28 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxx encrypted
passwd xxxxxencrypted
hostname pixfirewall
domain-name http://www.sh.com.kw
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 102 (1) permit tcp any host x.x.81.26
access-list 102 (1) permit udp any host x.x.81.26
access-list 102 (1) permit ip any host x.x.81.26
access-list 102 (1) permit tcp any host x.x.81.27
access-list 102 (1) permit udp any host x.x.81.27
access-list 102 (1) permit ip any host x.x.81.27
access-list 102 (1) permit tcp any host x.x.81.26 eq smtp
access-list 102 (1) permit tcp any host x.x.81.26 eq pop3
access-list 102 (1) permit tcp any host x.x.81.26 eq domain
access-list 102 (1) permit tcp any host x.x.81.26 eq www
access-list 102 (1) permit tcp any host x.x.81.26 eq imap4
access-list 102 (1) permit udp any host x.x.81.26 eq 25
access-list 102 (1) permit udp any host x.x.81.26 eq 110
access-list 102 (1) permit udp any host x.x.81.26 eq 143
access-list 102 (1) permit udp any host x.x.81.27 eq 80
access-list 102 (1) permit udp any host x.x.81.27 eq 143
access-list 102 (1) permit tcp any host x.x.81.27 eq www
access-list 102 (1) permit tcp any host x.x.81.27 eq domain
access-list 102 (1) permit tcp any host x.x.81.27 eq imap4
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.81.2 255.255.255.240
ip address inside x.x.200.1 255.255.255.0
ip address dmz x.x.81.25 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm location x.x.200.48 255.255.255.255 inside
pdm location x.x.81.26 255.255.255.255 dmz
pdm location x.x.81.27 255.255.255.255 dmz
pdm history enable
arp timeout 14400
global (outside) 1 x.x.81.14 netmask 255.255.255.255
nat (inside) 1 200.200.200.0 255.255.255.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
static (inside,dmz) 200.200.200.0 200.200.200.0 netmask 255.255.255.0 0 0
static (dmz,outside) x.x.81.27 x.x.81.27 dns netmask 255.255.255.255 0 0
static (dmz,outside) x.x.81.26 168.187.81.26 dns netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 168.187.81.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 200.200.200.48 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 200.200.200.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxxx
pixfirewall#
08-28-2003 04:41 AM
Hi Abdul,
Please read this document and see if this helps:
Hope this helps - Jay
08-28-2003 05:05 AM
Abdul, also here are some great documents from a world renowned expert and mentor:
http://www.netcraftsmen.net/welcher/papers/pix01.html
http://www.netcraftsmen.net/welcher/papers/pix02.html
and try changing this: nat (dmz) 0 0.0.0.0 0.0.0.0 0 0 to this: nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
Thanks -
08-28-2003 05:07 AM
I am not able to ping any of your ip addresses, nor your default gateway. I also cannot telnet to any of your ports (smtp, etc) to test. Are you able to ping your default gateway - 168.187.81.1 from the pix?
Your dns settings with your isp look fine, and so does your pix config.
08-28-2003 11:02 PM
I can access the internet and these 2 servers from my inside network. And I can even ping my router from the DMZ servers also. But browsing doesn't work on the DMZ servers either. I will try to change the nat statements as you said.
thanks for your reply
08-30-2003 08:48 PM
I changed the nat statement but this did not work; the same problem is still occurring. What else could be the problem?
08-31-2003 05:44 AM
Hi, you mentioned that you can access your servers, the ones in the DMZ, but I can't figure out how you may have achieved that since you don't have a global statement applied to the DMZ. The nat (inside) 1 ... statement must match with a global (dmz) 1 statement.
First, make your dmz's servers accessible from inside. This will prove correct servers config.
Regards,
Ben
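The translation rule Ben is describing (a flow from a higher-security interface to a lower one needs a static, a nat 0, or a nat/global pair with matching id) can be checked mechanically. The following is an added example, not from this thread or from Cisco; the sample config is constructed from the lines posted above, with the same obfuscated addresses.

```python
import re
from itertools import permutations

# Constructed sample modelled on the PIX 6.2 config posted in this thread
# (addresses obfuscated as in the post); this is not the poster's live config.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
global (outside) 1 x.x.81.14 netmask 255.255.255.255
nat (inside) 1 200.200.200.0 255.255.255.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
static (inside,dmz) 200.200.200.0 200.200.200.0 netmask 255.255.255.0 0 0
static (dmz,outside) x.x.81.27 x.x.81.27 dns netmask 255.255.255.255 0 0
"""

def parse(config):
    """Collect security levels, nat ids and global ids per interface, and static pairs."""
    levels, nats, globals_, statics = {}, {}, {}, set()
    for line in config.splitlines():
        if m := re.match(r"nameif \S+ (\S+) security(\d+)", line):
            levels[m[1]] = int(m[2])
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            nats.setdefault(m[1], set()).add(int(m[2]))
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            globals_.setdefault(m[1], set()).add(int(m[2]))
        elif m := re.match(r"static \(([^,)]+),([^,)]+)\) ", line):
            statics.add((m[1], m[2]))
    return levels, nats, globals_, statics

def missing_translations(config):
    """Return (high, low) interface pairs that have no outbound translation rule.

    PIX 6.x rule: a flow from a higher- to a lower-security interface needs
    either static (high,low), nat (high) 0, or nat (high) N plus global (low) N.
    """
    levels, nats, globals_, statics = parse(config)
    missing = []
    for high, low in permutations(levels, 2):
        if levels[high] <= levels[low]:
            continue  # low-to-high flows are governed by ACLs/statics, not by this rule
        ids = nats.get(high, set())
        covered = ((high, low) in statics or 0 in ids
                   or bool(ids & globals_.get(low, set())))
        if not covered:
            missing.append((high, low))
    return sorted(missing)

if __name__ == "__main__":
    print(missing_translations(SAMPLE_CONFIG))  # [] for the sample above
```

With the static (inside,dmz) line removed, the check reports ('inside', 'dmz'), which is exactly the gap Ben points at.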
08-31-2003 12:30 PM
For that I configured the static command. The static command takes priority over the nat command, and I can also access the servers in the DMZ from my inside network.
ONE MORE STRANGE PROBLEM IS that I can't access the internet from the DMZ servers but I CAN PING MY ISP DNS AND I CAN ALSO PING ANOTHER NETWORK WHICH IS ALSO CONNECTED TO THE SAME ISP. So do you think this could be a problem on the ISP side?
Another possibility is that maybe the DMZ interface is faulty, but again, if it were, then from the DMZ I should not be able to ping anyone outside.
08-31-2003 06:27 PM
It's the first time I've heard that it's possible to give access from a higher security interface (inside) to a lower security interface (DMZ) using "static". What I know is that static permits the converse situation, lower to higher security interface.
If you are reaching servers within your DMZ, is it possible they are accessible through another path ?
Are you able to surf Web from inside ?
Ben
09-05-2003 01:36 PM
Dear haseeb,
Please do not use ping to test your connections. Ping uses ICMP, which is not statefully inspected and is handled differently than TCP and UDP traffic within the PIX Adaptive Security Algorithm (in fact, ICMP isn't handled by ASA at all).
So, whatever you are testing with ping (ICMP) does not necessarily represent what your PIX is doing with UDP and/or TCP traffic.
Just a tip, a little off topic, but in my humble opinion quite important to know.
Kind regards,
Leo