Outside not accessing dmz

mwmahan (Level 1)

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

Users on the inside can a go out on the internet and access servers on the dmz. Users on the dmz cannot go out on the internet. Outside users cannot access servers on the dmz.

Here is my configuration on the PIX515E - can anyone see what's missing?

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
hostname tulepix
domain-name mycompany.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.7 nasdo
name 192.168.1.8 nasmedia
name 192.168.1.3 www
access-list acl_out permit tcp any host nnn.nnn.51.37 eq www
access-list acl_out permit tcp any host nnn.nnn.51.41 eq ftp
access-list acl_out permit tcp any host nnn.nnn.51.42 eq ftp
access-list acl_out permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside nnn.nnn.51.44 255.255.255.224
ip address inside 172.16.0.1 255.255.0.0
ip address dmz 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.0.10 255.255.255.255 inside
pdm location 172.16.0.10 255.255.255.255 dmz
pdm location www 255.255.255.255 dmz
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) nnn.nnn.51.41 nasdo 255.255.255.255
alias (inside) nnn.nnn.51.42 nasmedia 255.255.255.255
alias (inside) nnn.nnn.51.37 www 255.255.255.255
static (dmz,outside) nnn.nnn.51.37 www netmask 255.255.255.255 0 0
static (dmz,outside) nnn.nnn.51.41 nasdo netmask 255.255.255.255 0 0
static (dmz,outside) nnn.nnn.51.42 nasmedia netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 nnn.nnn.51.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.16.0.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 172.16.0.10 255.255.255.255 inside
telnet 172.16.0.10 255.255.255.255 dmz
telnet timeout 15
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxx
: end
[OK]

6 Replies

jmia (Level 7)

Hi Mark -

Pls. read the following document and see if it helps your situation:

http://www.cisco.com/warp/public/707/28.html

Thanks --

david.benes (Level 1)

Configuration seems to be OK, certainly except for the "access-list acl_out permit ip any any" line, which opens your firewall entirely.

1. It is Cisco, so try "clear xlate" and reload :-).

2. Turn on logging ("logging on", "logging buffered debugging") and try to find something interesting in "show logging".

I turned on logging, then went to an outside host and tried accessing the web server on the dmz - no access. Then tried going on the internet from the web server on the dmz - no access. Went to a computer on the inside and accessed the web server on the dmz okay. Showed the log and there is no mention of that outside computer or the server, but the inside computer is shown as accessing the server.

I removed the access-list permit ip any any. I only had it in to see if I could get anything through.

dsamaan (Level 1)

It looks fine to me. Try removing the ALIAS commands. Also create an outbound access-list for the DMZ:

access-list acl_dmz permit tcp any any

access-group acl_dmz in interface dmz

If I remove the alias commands then I can't get to the dmz servers from the inside.

Added the access-list/group to the dmz interface - still no luck.
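The replies above apply three PIX 6.3 rules by eye: outside-to-dmz traffic needs a static translation plus a permit in the ACL bound to the outside interface, dmz-to-outside traffic needs a nat on dmz paired with a global on outside (and, once an access-group is bound to dmz, a permit in that ACL too), and "permit ip any any" makes the inbound ACL meaningless. The script below is an added example, not from the thread or from Cisco; it parses the flow-relevant lines of the posted config (redacted "nnn.nnn" octets replaced with the 203.0.113 documentation prefix) and evaluates those rules in a simplified model, which is enough to show that the posted lines do permit all three flows and to flag the over-permissive entry.

```python
# Constructed sample: the flow-relevant lines of the posted config, "nnn.nnn" replaced by 203.0.113.
PIX_CONFIG = """\
name 192.168.1.7 nasdo
name 192.168.1.3 www
access-list acl_out permit tcp any host 203.0.113.37 eq www
access-list acl_out permit tcp any host 203.0.113.41 eq ftp
access-list acl_out permit ip any any
global (outside) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 203.0.113.37 www netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.41 nasdo netmask 255.255.255.255 0 0
access-group acl_out in interface outside
"""
PORTS = {"www": "80", "ftp": "21"}  # port keywords used by the sample ACL

def parse(text):  # collect only the statement types that decide whether a flow can cross the PIX
    cfg = {"names": {}, "acl": {}, "static": {}, "nat": {}, "global": {}, "group": {}}
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[0] == "name":
            cfg["names"][w[2]] = w[1]
        elif w[0] == "access-list":  # entry: (action, proto, dst host or any, port or any)
            port = PORTS.get(w[8], w[8]) if len(w) > 8 else "any"
            cfg["acl"].setdefault(w[1], []).append((w[2], w[3], w[6] if w[5] == "host" else "any", port))
        elif w[0] == "static":  # (real_if, mapped_if, mapped_ip) -> real_ip
            cfg["static"][(*w[1].strip("()").split(","), w[2])] = cfg["names"].get(w[3], w[3])
        elif w[0] in ("nat", "global"):  # interface -> nat id
            cfg[w[0]][w[1].strip("()")] = w[2]
        elif w[0] == "access-group":  # interface -> ACL applied inbound
            cfg["group"][w[4]] = w[1]
    return cfg

def acl_permits(cfg, iface, proto, dst_ip, port):  # None when no ACL is bound to iface
    name = cfg["group"].get(iface)
    if name is None: return None
    for action, p, dst, pt in cfg["acl"][name]:  # first match wins, implicit deny at the end
        if p in ("ip", proto) and dst in ("any", dst_ip) and pt in ("any", port):
            return action == "permit"
    return False
def outside_to_dmz(cfg, real_host, proto, port):  # low-to-high needs a static AND an ACL permit
    real_ip = cfg["names"].get(real_host, real_host)
    for (real_if, mapped_if, mapped_ip), ip in cfg["static"].items():
        if (real_if, mapped_if, ip) == ("dmz", "outside", real_ip):
            return bool(acl_permits(cfg, "outside", proto, mapped_ip, port))
    return False  # no static for that host: no public address answers for it
def dmz_to_outside(cfg, proto="tcp", port="80"):  # high-to-low: nat id on dmz must match a global on outside
    if cfg["nat"].get("dmz") != cfg["global"].get("outside"): return False
    return acl_permits(cfg, "dmz", proto, "any", port) is not False  # a bound dmz ACL must also permit it
def overly_permissive(cfg):  # ACLs carrying the "permit ip any any" entry called out in the thread
    return [n for n, e in cfg["acl"].items() if ("permit", "ip", "any", "any") in e]
```

Binding the suggested "permit tcp any any" to dmz is worth checking with this model too: it leaves TCP open but, because of the implicit deny, stops UDP (such as DNS) from the DMZ servers.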

mwmahan (Level 1)

Thanks for all your help. After some more troubleshooting with the Fluke I've determined that the dmz ethernet card is not working properly. For now I've shifted my servers to the inside interface and everything is working fine.

Mark
