Cannot access my server on the DMZ

admin_2
Level 3

People:

I would be eternally grateful if somebody can help me out of this problem!!... It's driving me crazy!!

I have a PIX 515E with three interfaces... inside, outside and dmz. Also I have NAT configured on the PIX. I have a T1 connection with another Cisco router that works fine... I need the PIX to allow access to the DMZ servers from outside and inside....

My problem is that right now.. I can access the servers on my DMZ from outside (the internet) but not from the inside (my internal users). I followed Cisco's configuration examples and I've been trying different configurations but with no success.... to clarify the problem...for example.. if one user on the inside with IP address 192.168.1.213 wants to access the server 200.200.200.36 on the DMZ, they cannot do it.. cannot ping.. or access any port... it is totally blocked...

I am attaching the configuration file with the external IP addresses changed, the rest is the actual configuration.

the only thing I have not tried is using conduit instead of access-list.. but it should be the same, ha?

thanks a lot in advance... will send beer!!

Luis.

-----------------------------------------------------------------------

PIX01(config)# wr term
Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
hostname PIX01
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol skinny 2000
names
access-list 100 permit tcp any host 200.200.200.37 eq smtp
access-list 100 permit tcp any host 200.200.200.37 eq pop3
access-list 100 permit tcp any host 200.200.200.37 eq domain
access-list 100 permit udp any host 200.200.200.37 eq domain
access-list 100 permit tcp any host 200.200.200.35 eq www
access-list 100 permit tcp any host 200.200.200.35 eq 443
access-list 100 permit tcp any host 200.200.200.36 eq www
access-list 100 permit tcp any host 200.200.200.36 eq 443
access-list 100 permit icmp any any
access-list 100 permit tcp any host 200.200.200.35 eq ftp
access-list 100 permit tcp any host 200.200.200.36 eq ftp
access-list 100 permit tcp any host 200.200.200.36 eq 3389
access-list 100 permit tcp any host 200.200.200.35 eq 3389
access-list 100 permit tcp any host 200.200.200.36 eq domain
access-list 100 permit udp any host 200.200.200.36 eq domain
access-list 100 permit tcp any host 200.200.200.38 eq www
access-list 100 permit tcp any host 200.200.200.38 eq 443
access-list 100 permit tcp any host 200.200.200.38 eq 3389
access-list 100 permit tcp any host 200.200.200.37 eq www
access-list 100 permit tcp any host 200.200.200.38 eq 1547
access-list 100 permit tcp any host 200.200.200.39 eq 3389
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 200.200.200.34 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 200.200.200.45-200.200.200.61 netmask 255.255.255.224
global (outside) 1 200.200.200.62 netmask 255.255.255.224
global (dmz) 1 192.168.2.100-192.168.2.150 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 1 192.168.2.0 255.255.255.0 0 0
static (dmz,outside) 200.200.200.36 192.168.2.11 netmask 255.255.255.255 0 0
static (dmz,outside) 200.200.200.35 192.168.2.10 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.37 192.168.1.133 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.38 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.39 192.168.1.186 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 200.200.200.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd dns 207.155.183.72 206.173.119.72
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
: end
[OK]
PIX01(config)#

---------------------------------------------------------------------------------------------------

5 Replies

kevin-reynolds
Level 1

Have you tried removing the following statement?

global (dmz) 1 192.168.2.100-192.168.2.150 netmask 255.255.255.0

That tells me that anything coming from the inside interface is translated to that range but you already have a static in place for that. I could be wrong, I do not use nat, I only use the static. So it has been a while since I configured nat and global. But if I remember correctly, you have a conflicting statement there.

Kevin

Kevin:

thanks a lot for your help.. actually I tried with the global (dmz) and without... with the static (inside,dmz) and without... and mixing both.... still not working...

looks like for some reason all packets from the internal network with destination on 200.200.200.x (the outside addresses) or 192.168.2.x (the dmz addresses) are dropped!!....

Ciao

Luis

Luis,

Don't you need an access-group to permit the traffic back from dmz to inside?

Simone

Sorry! cancel my previous reply, I didn't notice you don't have traffic originating from the dmz to the inside :-)

Simone


Simone:

thank you.. actually it's working... but I can only access my servers on the DMZ using the DMZ IP addresses (in my case 192.168.2.x). It would be neat to access my servers with the public addresses (200.200.200.x) but I have to see how that can be done....

I am attaching the final configuration in case anybody finds it useful!...

Luis.

-------------------------------------------------

PIX01(config)# wr term
Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
hostname PIX01
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol skinny 2000
names
access-list 100 permit tcp any host 200.200.200.37 eq smtp
access-list 100 permit tcp any host 200.200.200.37 eq pop3
access-list 100 permit tcp any host 200.200.200.37 eq domain
access-list 100 permit udp any host 200.200.200.37 eq domain
access-list 100 permit tcp any host 200.200.200.35 eq www
access-list 100 permit tcp any host 200.200.200.35 eq 443
access-list 100 permit tcp any host 200.200.200.36 eq www
access-list 100 permit tcp any host 200.200.200.36 eq 443
access-list 100 permit icmp any any
access-list 100 permit tcp any host 200.200.200.35 eq ftp
access-list 100 permit tcp any host 200.200.200.36 eq ftp
access-list 100 permit tcp any host 200.200.200.36 eq 3389
access-list 100 permit tcp any host 200.200.200.35 eq 3389
access-list 100 permit tcp any host 200.200.200.36 eq domain
access-list 100 permit udp any host 200.200.200.36 eq domain
access-list 100 permit tcp any host 200.200.200.38 eq www
access-list 100 permit tcp any host 200.200.200.38 eq 443
access-list 100 permit tcp any host 200.200.200.38 eq 3389
access-list 100 permit tcp any host 200.200.200.37 eq www
access-list 100 permit tcp any host 200.200.200.38 eq 1547
access-list 100 permit tcp any host 200.200.200.39 eq 3389
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 200.200.200.34 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 200.200.200.45-200.200.200.61 netmask 255.255.255.224
global (outside) 1 200.200.200.62 netmask 255.255.255.224
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (dmz,outside) 200.200.200.36 192.168.2.11 netmask 255.255.255.255 0 0
static (dmz,outside) 200.200.200.35 192.168.2.10 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.37 192.168.1.133 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.38 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.39 192.168.1.186 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 200.200.200.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
: end
[OK]
PIX01(config)#
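As an added example (not part of this thread and not Cisco code), here is a small Python model of the two PIX 6.x rules the thread turns on: the egress interface is chosen from the untranslated destination, and a flow from a higher-security interface to a lower one needs an xlate for that interface pair, from a static or from a nat id with a global pool on the egress side. It is run over the NAT-related lines of the configuration posted above and shows why a packet from 192.168.1.213 to 200.200.200.36 leaves via outside rather than dmz, why 192.168.2.11 works through the static (inside,dmz), and what happens when that static and the global (dmz) are both removed; the interface lookup and verdict strings are this model's own simplification, not PIX output.

```python
import ipaddress

# Constructed sample: the NAT-related lines of the first configuration posted in this thread.
ORIGINAL = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
ip address outside 200.200.200.34 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
global (outside) 1 200.200.200.45-200.200.200.61 netmask 255.255.255.224
global (dmz) 1 192.168.2.100-192.168.2.150 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (dmz,outside) 200.200.200.36 192.168.2.11 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(text):
    ifaces, statics, nats, globs = {}, [], [], set()
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "nameif":                 # nameif ethX <name> security<N>
            ifaces.setdefault(t[2], {})["sec"] = int(t[3][len("security"):])
        elif t[:2] == ["ip", "address"]:     # ip address <name> <addr> <mask>
            ifaces.setdefault(t[2], {})["net"] = net(t[3], t[4])
        elif t[0] == "static":               # static (high,low) <mapped> <real> netmask <m>
            hi, lo = t[1].strip("()").split(",")
            statics.append((hi, lo, net(t[3], t[5])))
        elif t[0] == "nat":                  # nat (<name>) <id> <real> <mask>
            nats.append((t[1].strip("()"), t[2], net(t[3], t[4])))
        elif t[0] == "global":               # global (<name>) <id> <pool>
            globs.add((t[1].strip("()"), t[2]))
    return ifaces, statics, nats, globs

def without(text, *prefixes):                # the config minus lines starting with a prefix
    return "\n".join(l for l in text.splitlines() if not l.startswith(prefixes))

def trace(text, src_if, src, dst):
    # Returns (egress interface, verdict) for a packet entering src_if from src to dst.
    ifaces, statics, nats, globs = parse(text)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Routing looks at the untranslated destination: a connected subnet wins, else the default route.
    out_if = next((i for i, v in ifaces.items() if dst in v["net"]), "outside")
    if ifaces[src_if]["sec"] <= ifaces[out_if]["sec"]:
        return out_if, "lower to higher security: needs a static for dst plus an access-list"
    # Higher to lower: the source needs an xlate on this pair, a static (preferred) or nat+global.
    if any(h == src_if and l == out_if and src in n for h, l, n in statics):
        return out_if, "forwarded via static"
    if any(i == src_if and src in n and (out_if, nid) in globs for i, nid, n in nats):
        return out_if, "forwarded via nat/global"
    return out_if, f"dropped: no translation for {src} from {src_if} to {out_if}"
```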
