02-04-2003 02:35 PM - edited 03-09-2019 01:58 AM
People:
I would be eternally grateful if somebody can help me out of this problem!!... It's driving me crazy!!
I have a PIX 515E with three interfaces... inside, outside and dmz. Also I have NAT configured on the PIX. I have a T1 connection with another Cisco router that works fine... I need the PIX to allow access to the DMZ servers from outside and inside....
My problem is that right now.. I can access the servers on my DMZ from outside (the internet) but not from the inside (my internal users). I followed Cisco's configuration examples and I've been trying different configurations but with no success.... to clarify the problem... for example.. if one user on the inside with IP address 192.168.1.213 wants to access the server 200.200.200.36 on the DMZ, they cannot do it.. cannot ping.. or access any port... it is totally blocked...
I am attaching the configuration file with the external IP addresses changed, the rest is the actual configuration.
The only thing I have not tried is using conduit instead of access-list.. but it should be the same, no?
thanks a lot in advance... will send beer!!
Luis.
-----------------------------------------------------------------------
PIX01(config)# wr term
Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
hostname PIX01
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol skinny 2000
names
access-list 100 permit tcp any host 200.200.200.37 eq smtp
access-list 100 permit tcp any host 200.200.200.37 eq pop3
access-list 100 permit tcp any host 200.200.200.37 eq domain
access-list 100 permit udp any host 200.200.200.37 eq domain
access-list 100 permit tcp any host 200.200.200.35 eq www
access-list 100 permit tcp any host 200.200.200.35 eq 443
access-list 100 permit tcp any host 200.200.200.36 eq www
access-list 100 permit tcp any host 200.200.200.36 eq 443
access-list 100 permit icmp any any
access-list 100 permit tcp any host 200.200.200.35 eq ftp
access-list 100 permit tcp any host 200.200.200.36 eq ftp
access-list 100 permit tcp any host 200.200.200.36 eq 3389
access-list 100 permit tcp any host 200.200.200.35 eq 3389
access-list 100 permit tcp any host 200.200.200.36 eq domain
access-list 100 permit udp any host 200.200.200.36 eq domain
access-list 100 permit tcp any host 200.200.200.38 eq www
access-list 100 permit tcp any host 200.200.200.38 eq 443
access-list 100 permit tcp any host 200.200.200.38 eq 3389
access-list 100 permit tcp any host 200.200.200.37 eq www
access-list 100 permit tcp any host 200.200.200.38 eq 1547
access-list 100 permit tcp any host 200.200.200.39 eq 3389
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 200.200.200.34 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 200.200.200.45-200.200.200.61 netmask 255.255.255.224
global (outside) 1 200.200.200.62 netmask 255.255.255.224
global (dmz) 1 192.168.2.100-192.168.2.150 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 1 192.168.2.0 255.255.255.0 0 0
static (dmz,outside) 200.200.200.36 192.168.2.11 netmask 255.255.255.255 0 0
static (dmz,outside) 200.200.200.35 192.168.2.10 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.37 192.168.1.133 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.38 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.39 192.168.1.186 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 200.200.200.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd dns 207.155.183.72 206.173.119.72
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
: end
[OK]
PIX01(config)#
---------------------------------------------------------------------------------------------------
02-04-2003 02:53 PM
Have you tried removing the following statement?
global (dmz) 1 192.168.2.100-192.168.2.150 netmask 255.255.255.0
That tells me that anything coming from the inside interface is translated to that range, but you already have a static in place for that. I could be wrong, I do not use nat, I only use the static. So it has been a while since I configured nat and global. But if I remember correctly, you have a conflicting statement there.
Kevin
02-04-2003 03:13 PM
Kevin:
Thanks a lot for your help.. actually I tried with the global (dmz) and without... with the static (inside,dmz) and without... and mixing both.... still not working...
It looks like for some reason all packets from the internal network with destination on 200.200.200.x (the outside addresses) or 192.168.2.x (the dmz addresses) are dropped!!....
Ciao
Luis
02-05-2003 12:26 AM
Luis,
Don't you need an access-group to permit the traffic back from dmz to inside?
Simone
02-05-2003 01:21 AM
Sorry! cancel my previous reply, I didn't notice you don't have traffic originating from the dmz to the inside :-)
Simone
02-05-2003 10:15 AM
Simone:
Thank you.. actually it's working... but I can only access my servers on the DMZ using the DMZ IP addresses (in my case it is 192.168.2.x). It would be neat to access my servers with the public addresses (200.200.200.x) but I have to see how that can be done....
I am attaching the final configuration in case anybody finds it useful!...
Luis.
-------------------------------------------------
PIX01(config)# wr term
Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
hostname PIX01
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol skinny 2000
names
access-list 100 permit tcp any host 200.200.200.37 eq smtp
access-list 100 permit tcp any host 200.200.200.37 eq pop3
access-list 100 permit tcp any host 200.200.200.37 eq domain
access-list 100 permit udp any host 200.200.200.37 eq domain
access-list 100 permit tcp any host 200.200.200.35 eq www
access-list 100 permit tcp any host 200.200.200.35 eq 443
access-list 100 permit tcp any host 200.200.200.36 eq www
access-list 100 permit tcp any host 200.200.200.36 eq 443
access-list 100 permit icmp any any
access-list 100 permit tcp any host 200.200.200.35 eq ftp
access-list 100 permit tcp any host 200.200.200.36 eq ftp
access-list 100 permit tcp any host 200.200.200.36 eq 3389
access-list 100 permit tcp any host 200.200.200.35 eq 3389
access-list 100 permit tcp any host 200.200.200.36 eq domain
access-list 100 permit udp any host 200.200.200.36 eq domain
access-list 100 permit tcp any host 200.200.200.38 eq www
access-list 100 permit tcp any host 200.200.200.38 eq 443
access-list 100 permit tcp any host 200.200.200.38 eq 3389
access-list 100 permit tcp any host 200.200.200.37 eq www
access-list 100 permit tcp any host 200.200.200.38 eq 1547
access-list 100 permit tcp any host 200.200.200.39 eq 3389
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 200.200.200.34 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 200.200.200.45-200.200.200.61 netmask 255.255.255.224
global (outside) 1 200.200.200.62 netmask 255.255.255.224
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (dmz,outside) 200.200.200.36 192.168.2.11 netmask 255.255.255.255 0 0
static (dmz,outside) 200.200.200.35 192.168.2.10 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.37 192.168.1.133 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.38 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.39 192.168.1.186 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 200.200.200.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
: end
[OK]
PIX01(config)#
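The translation lookup behind Luis's last observation (DMZ servers reachable from inside by their 192.168.2.x addresses, but not by the 200.200.200.x public ones), as an added example that is not part of the thread: a simplified Python model of how PIX 6.x selects a translation for a new flow, with the rule tables transcribed from the final configuration above. It is a constructed approximation (route lookup by connected subnet then default route, statics consulted before nat/global), not the PIX implementation.

```python
import ipaddress

# Simplified model of PIX 6.x translation selection (added example, not PIX code).
# Tables below are transcribed from the thread's final "wr term" output.
INTERFACES = {  # connected subnets from the "ip address" lines
    "outside": ipaddress.ip_network("200.200.200.32/27"),
    "inside": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
}
DEFAULT_ROUTE_IF = "outside"  # route outside 0.0.0.0 0.0.0.0 200.200.200.33 1
# static (high_if,low_if) global local  ->  (high_if, low_if, global_net, local_net)
STATICS = [
    ("dmz", "outside", "200.200.200.36/32", "192.168.2.11/32"),
    ("dmz", "outside", "200.200.200.35/32", "192.168.2.10/32"),
    ("inside", "outside", "200.200.200.37/32", "192.168.1.133/32"),
    ("inside", "outside", "200.200.200.38/32", "192.168.1.2/32"),
    ("inside", "outside", "200.200.200.39/32", "192.168.1.186/32"),
    ("inside", "dmz", "192.168.1.0/24", "192.168.1.0/24"),  # identity static
]
NATS = {("inside", 1): "192.168.1.0/24"}                      # nat (inside) 1
GLOBALS = {("outside", 1): "200.200.200.45-200.200.200.62"}  # global (outside) 1

def egress_interface(dst: str) -> str:
    """Route lookup: a connected subnet wins, otherwise the default route."""
    d = ipaddress.ip_address(dst)
    return next((n for n, net in INTERFACES.items() if d in net), DEFAULT_ROUTE_IF)

def translate(src_if: str, src: str, dst: str) -> tuple:
    """Return (egress_if, translated_source) with static-before-nat precedence,
    or (egress_if, None) when no translation group covers the flow."""
    s, out_if = ipaddress.ip_address(src), egress_interface(dst)
    for high, low, glob, local in STATICS:           # 1. statics for this interface pair
        lnet = ipaddress.ip_network(local)
        if (high, low) == (src_if, out_if) and s in lnet:
            offset = int(s) - int(lnet.network_address)  # keep host offset within the net
            return out_if, str(ipaddress.ip_network(glob).network_address + offset)
    for (nif, nid), net in NATS.items():              # 2. nat/global sharing the same id
        if nif == src_if and s in ipaddress.ip_network(net) and (out_if, nid) in GLOBALS:
            return out_if, f"pool {GLOBALS[(out_if, nid)]}"
    return out_if, None

def static_applies(src_if: str, dst: str) -> bool:
    """True when dst is a static's global address AND the flow enters on that static's
    low-security interface; a static (dmz,outside) is consulted only for outside<->dmz."""
    d = ipaddress.ip_address(dst)
    return any(d in ipaddress.ip_network(glob) and src_if == low
               for _high, low, glob, _local in STATICS)

if __name__ == "__main__":
    print(translate("inside", "192.168.1.213", "192.168.2.11"))   # identity static, egress dmz
    print(translate("inside", "192.168.1.213", "200.200.200.36")) # egress outside via global pool
    print(static_applies("inside", "200.200.200.36"))             # False: public address not mapped here
```

Adding the first configuration's `global (dmz) 1 192.168.2.100-192.168.2.150` entry to GLOBALS shows the second inside-to-dmz path that Kevin pointed out; the identity static still wins because statics are checked first.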