Outside not accessing dmz

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

Users on the inside can go out on the internet and access servers on the DMZ. Users on the DMZ cannot go out on the internet. Outside users cannot access servers on the DMZ.

Here is my configuration on the PIX515E; can anyone see what's missing?

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
hostname tulepix

fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521

name nasdo
name nasmedia
name www
access-list acl_out permit tcp any host nnn.nnn.51.37 eq www
access-list acl_out permit tcp any host nnn.nnn.51.41 eq ftp
access-list acl_out permit tcp any host nnn.nnn.51.42 eq ftp
access-list acl_out permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside nnn.nnn.51.44
ip address inside
ip address dmz
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm location dmz
pdm location www dmz
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0 0
nat (dmz) 1 0 0
alias (inside) nnn.nnn.51.41 nasdo
alias (inside) nnn.nnn.51.42 nasmedia
alias (inside) nnn.nnn.51.37 www
static (dmz,outside) nnn.nnn.51.37 www netmask 0 0
static (dmz,outside) nnn.nnn.51.41 nasdo netmask 0 0
static (dmz,outside) nnn.nnn.51.42 nasmedia netmask 0 0
access-group acl_out in interface outside
route outside nnn.nnn.51.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet dmz
telnet timeout 15
ssh timeout 5
console timeout 0
terminal width 80

: end



Re: Outside not accessing dmz

Hi Mark -

Please read the following document and see if it helps your situation:

Thanks --


Re: Outside not accessing dmz

The configuration seems to be OK, except for the "access-list acl_out permit ip any any" line, which opens your firewall entirely.

1. It is Cisco, so try "clear xlate" and reload :-).

2. Turn on logging "logging on", "logging buffered debugging" and try to find something interesting in "show logging".


Re: Outside not accessing dmz

I turned on logging, then went to an outside host and tried accessing the web server on the DMZ: no access. Then I tried going out to the internet from the web server on the DMZ: no access. I went to a computer on the inside and accessed the web server on the DMZ okay. I showed the log and there is no mention of that outside computer or the server, but the inside computer is shown as accessing the server.

I removed the access-list permit ip any any. I only had it in to see if I could get anything through.


Re: Outside not accessing dmz

It looks fine to me. Try removing the ALIAS commands. Also create an outbound access-list for the DMZ.

access-list acl_dmz permit tcp any any

access-group acl_dmz in interface dmz
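To make concrete what the "permit ip any any" line objected to earlier in the thread actually lets through, and what the DMZ outbound list suggested just above does and does not permit, here is an added example (not code from the thread, from the poster, or from Cisco) that evaluates PIX 6.3 style access-list lines with first-match semantics and the implicit deny that ends every list. The 198.51.100.x and 192.0.2.x addresses are constructed documentation ranges standing in for the redacted nnn.nnn.51.x values, and the function names (parse_acl, evaluate, wide_open_aces, without) are this example's own. It shows that with the wide-open line present, any protocol to any port on the published hosts is permitted from outside; that removing it leaves only www and ftp to the three statics; and that an outbound list consisting only of "permit tcp any any" sends UDP traffic from the DMZ, such as DNS on port 53, to the implicit deny.

```python
"""First-match evaluator for PIX 6.3 style access-list lines.

Added example, not from the original thread.  Addresses are constructed
(RFC 5737 documentation ranges) and stand in for the redacted nnn.nnn.51.x
values in the posted configuration.
"""
import ipaddress

# Service names PIX 6.3 accepts in "eq" clauses (subset sufficient here).
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "ssh": 22, "telnet": 23,
              "smtp": 25, "domain": 53, "https": 443}

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed stand-in for the posted acl_out, including the wide-open line.
ACL_OUT_AS_POSTED = """
access-list acl_out permit tcp any host 198.51.100.37 eq www
access-list acl_out permit tcp any host 198.51.100.41 eq ftp
access-list acl_out permit tcp any host 198.51.100.42 eq ftp
access-list acl_out permit ip any any
"""

# The DMZ outbound list suggested in the thread, same syntax.
ACL_DMZ_SUGGESTED = "access-list acl_dmz permit tcp any any"


def _take_addr(tokens):
    """Pop one address spec off tokens: 'any', 'host A.B.C.D' or 'NET MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # dotted mask such as 255.255.255.0
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl(text):
    """Return the access-control entries in configured order (first match wins)."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or len(tokens) < 6:
            continue
        _, name, action, proto = tokens[:4]
        rest = tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append({"name": name, "action": action, "proto": proto,
                     "src": src, "dst": dst, "dport": dport, "line": line})
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dport=None):
    """Evaluate one flow against the list; returns (verdict, deciding line).

    Falls through to the implicit deny when no entry matches, exactly as the
    PIX does for traffic arriving on an interface with an access-group applied.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["line"]
    return "deny", "<implicit deny at end of access-list>"


def wide_open_aces(aces):
    """Entries matching the 'permit ip any any' pattern flagged in the thread.

    Everything after such an entry is unreachable, and every narrower permit
    before it adds nothing, because the wide-open entry catches the rest.
    """
    return [a for a in aces
            if a["action"] == "permit" and a["proto"] == "ip"
            and a["src"] == ANY and a["dst"] == ANY and a["dport"] is None]


def without(aces, drop):
    """The list with the given entries removed (what 'no access-list ...' does)."""
    return [a for a in aces if a not in drop]


if __name__ == "__main__":
    acl = parse_acl(ACL_OUT_AS_POSTED)
    probe = ("tcp", "192.0.2.10", "198.51.100.41", 22)  # SSH from an outside host
    print("acl_out as posted :", evaluate(acl, *probe))
    hardened = without(acl, wide_open_aces(acl))
    print("acl_out hardened  :", evaluate(hardened, *probe))
    dmz = parse_acl(ACL_DMZ_SUGGESTED)
    print("acl_dmz, DNS/udp  :", evaluate(dmz, "udp", "198.51.100.37", "192.0.2.53", 53))
```

Run it with python and it prints the three verdicts. On the firewall itself the equivalent check is the hit counters in "show access-list" together with the buffered log enabled earlier in the thread: a flow that is being dropped by the implicit deny shows up as a deny message in "show logging", while a flow that never appears in the log at all (as the poster observed for the outside host) is not reaching the ACL stage, which points below the access-list at NAT, routing, or the interface.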


Re: Outside not accessing dmz

If I remove the alias commands then I can't get to the DMZ servers from the inside.

I added the access-list/group to the DMZ interface; still no luck.


Re: Outside not accessing dmz

Thanks for all your help. After some more troubleshooting with the Fluke, I've determined that the DMZ Ethernet card is not working properly. For now I've shifted my servers to the inside interface and everything is working fine.