New Member

Configuration assistance, PIX 515e

Hello all. I would like to preface this post by saying I am very new to firewall configuration. I have a PIX 515E, O/S version 7.0(2). I am trying to implement a most basic configuration in a test environment. My goal is to have our webservers in the DMZ with access to them from the inside and outside interface.

From the inside network in our test environment I am able to access internet sites via IP address, but DNS is not working. Also, from the inside network I am unable to reach the internet IP addresses of the webservers in our current production DMZ. Could this be a subnetting issue? We own 12x.17x.24x.128-161. We use 12x.17x.24x.128-144 in our production environment. Our test environment uses 12x.17x.24x.145-161.

Secondly I have configured a webserver in the test DMZ. At this point I have been unable to contact the lone DMZ webserver from either the inside or outside interface.

I know the current firewall configuration is wide open. It will be required to be more restrictive once in production. I have just been trying to communicate with anything at this point.

Any help is appreciated! I have pasted the config below. Thank you in advance.

~kris

: Saved
:
PIX Version 7.0(2)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 12x.17x.24x.145 255.255.252.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.0.0.1 255.0.0.0
!
enable password xxxx
passwd xxxx
hostname pixfirewall
ftp mode passive
dns retries 2
dns timeout 2
dns domain-lookup outside
dns name-server xxx.xxx.xxx.xxx
access-list internet extended permit icmp any any
access-list internet extended permit icmp any any echo
access-list internet extended permit icmp any any echo-reply
access-list internet extended permit tcp any any eq www
access-list internet extended permit tcp any host 12x.17x.24x.146 eq www
access-list internet extended permit udp any any
pager lines 20
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
monitor-interface outside
monitor-interface inside
monitor-interface dmz
icmp permit any outside
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 10.0.0.2-10.0.0.10
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 12x.17x.24x.146 10.0.0.2 netmask 255.255.255.255
access-group internet in interface outside
access-group internet out interface outside
access-group internet in interface inside
access-group internet out interface inside
access-group internet in interface dmz
access-group internet out interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxxx
: end

2 REPLIES
Cisco Employee

Re: Configuration assistance, PIX 515e

Where is your DNS server located?

Remove all these:

access-group internet in interface outside
access-group internet out interface outside
access-group internet in interface inside
access-group internet out interface inside
access-group internet in interface dmz
access-group internet out interface dmz

See if you are able to communicate from inside/outside via DNS.

For inside to DMZ, you want to use the public IP addresses of the DMZ? You can try this:

static (dmz,inside) 12x.17x.24x.146 10.0.0.2 netmask 255.255.255.255

At this point you should be able to communicate from inside/outside and from inside to DMZ.

For outside to DMZ you need:

access-group internet in interface outside

New Member

Re: Configuration assistance, PIX 515e

Okay, a lot has changed from the first post. Current behavior is the inside host has internet access with DNS. The webserver does not have internet access and is currently not serving to any hosts on the public address (inside or outside), but it does serve to the inside host and itself on the local address (10.0.0.2).

Oh, and I moved the whole test environment up to 155+.

Here is the current config:

*****************************

: Saved
:
PIX Version 7.0(2)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address x.y.z.155 255.255.252.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.0.0.1 255.255.255.0
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
ftp mode passive
dns retries 2
dns timeout 2
dns domain-lookup outside
dns name-server xxx.xxx.xxx.98
access-list internet extended permit icmp any any
access-list internet extended permit tcp any host x.y.z.156 eq www
access-list dmz extended permit ip any any
pager lines 20
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
monitor-interface outside
monitor-interface inside
monitor-interface dmz
icmp permit any outside
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,outside) x.y.z.156 10.0.0.2 netmask 255.255.255.255
access-group internet in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd dns xxx.xxx.xxx.98 xxx.xxx.xxx.66
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect http
!
service-policy global_policy global
Cryptochecksum:728f1ff24b802cc4239de1f52c6f79ad
: end
