Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

DMZ not able to Browse Internet or Ping Inside !!!

Hi, I have A pix 515UR with Version 6.20 and working on a simple setup.

Router

to

Pix to DMZ

to

Inside

Inside Netowrk can Ping the DMZ on ip 192.168.4.2

Inside Network can Browse Internet.

DMZ cannot Ping Inside Servers/Network

DMZ cannot browse Internet UNTILL allow TCP any, and UDP domain Protocol. !!!

How do I enable Ping from DMZ to Inside Full Network.

Is it as such normal to allow tcp ports for allowing browsing of DMZ or something amiss. PLEASE ADVISE.

Cisco PIX Firewall Version 6.2(2)

Cisco PIX Device Manager Version 2.1(1)

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

nameif ethernet3 intf3 security15

nameif ethernet4 intf4 security20

nameif ethernet5 intf5 security25

enable password xxxxxxx

passwd xxxxxx

hostname KA-PIX

domain-name ka-cec.ae

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

name 192.168.4.2 KAWAN

access-list outside_access_dmz permit icmp any any

access-list outside_access_dmz permit tcp host KAWAN any

access-list outside_access_dmz permit udp host KAWAN any eq domain

access-list outside_access_dmz deny ip any any

access-list outside_access_in permit tcp any host X.Y.Z.54 eq smtp

access-list outside_access_in permit tcp any host X.Y.Z.54 eq www

access-list outside_access_in permit icmp any any

access-list outside_access_in permit tcp any host X.Y.Z.54 eq ftp

access-list outside_access_in permit tcp any host X.Y.Z.54 eq domain

access-list outside_access_in deny ip any any

pager lines 24

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 auto

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside X.Y.Z.50 255.255.255.240

ip address inside 192.168.3.14 255.255.255.0

ip address intf2 192.168.4.1 255.255.255.0

ip address intf3 127.0.0.1 255.255.255.255

ip address intf4 127.0.0.1 255.255.255.255

ip address intf5 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

failover ip address intf2 0.0.0.0

failover ip address intf3 0.0.0.0

failover ip address intf4 0.0.0.0

failover ip address intf5 0.0.0.0

pdm location 192.168.3.17 255.255.255.255 inside

pdm location 192.168.3.123 255.255.255.255 inside

pdm location KAWAN 255.255.255.255 intf2

pdm history enable

arp timeout 14400

global (outside) 1 X.Y.Z.51-X.Y.Z.53 netmask 255.255.255.240

global (intf2) 1 192.168.4.20-192.168.4.200

nat (inside) 1 192.168.3.0 255.255.255.0 0 0

nat (intf2) 1 192.168.4.0 255.255.255.0 0 0

static (intf2,outside) X.Y.Z.54 KAWAN netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group outside_access_dmz in interface intf2

route outside 0.0.0.0 0.0.0.0 X.Y.Z.49 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.3.123 255.255.255.255 inside

http 192.168.3.17 255.255.255.255 inside

http KAWAN 255.255.255.255 intf2

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet 192.168.3.0 255.255.255.0 inside

telnet timeout 5

4 REPLIES
Gold

Re: DMZ not able to Browse Internet or Ping Inside !!!

Hi,

Check the following document and let me know if it helps:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008015efa9.shtml

Regards, Jay.

New Member

Re: DMZ not able to Browse Internet or Ping Inside !!!

Hey,

Thank you for your guidance, but its what I tried first, and if you go through my configuration carefully you will see the same.

Even before I configured to allow TCP any and UDP to DOMAIN the configuration looked excatly as the one in the excample you had shown.

Appreciate your time,but ifyou do have any other hints to direct me to It would be much appreciated.

Thanx !

Tauseef

Gold

Re: DMZ not able to Browse Internet or Ping Inside !!!

Tauseef,

Can you post some of the syslogs for me pls, either post here or to me at jmia@ohgroup.co.uk

logging on

logging buffer debug

sho logging

Thanks/Regards,

Jay.

Gold

Re: DMZ not able to Browse Internet or Ping Inside !!!

you need a translation statement from dmz to inside

164
Views
0
Helpful
4
Replies