Help me please as I have run into a wall and can't figure this out. I have a PIX 515-BUN-UR running ver 6.2 of the PIX Firewall IOS with a 4-port serial card and the 3DES accelerator board. I have the VPN up and running successfully but now need to add a web server on the DMZ-1 interface.
The PIX is located directly after the Telco Border Router and has been assigned the address range of 188.8.131.52/29. Router interface is 184.108.40.206, PIX is 220.127.116.11. NAT is set to 18.104.22.168 and PAT is set to 22.214.171.124. I want the WEB service on 126.96.36.199. 188.8.131.52 is used for the IDS box between the Firewall and the Border Router.
I have added the following lines to the Firewall Config to set up the http access, but am unable to get into the web server:
access-list VPN permit ip ODH 255.255.0.0 192.168.127.0 255.255.255.0
access-list WEB permit tcp any host 184.108.40.206 eq www
What you're saying here is that any packets coming from the inside interface going to the DMZ will be translated to the web server's address, not good. Basically you've told the PIX that it owns the web server's address, so it will answer ARP queries for it, etc, etc.
If you have users going from inside to DMZ then do something like the following:
global (DMZ-1) 1 192.168.136.50 netmask 255.255.255.0
nat (inside) 1 ODH 255.255.0.0 0 64
where 192.168.136.50 is any UNUSED IP address on the DMZ. The static that you have should take care of the outside -> DMZ translation and let everything in.
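As an added illustration (not from any post in this thread), the following PIX 6.2 fragment puts the two paths the reply describes side by side: outside -> DMZ through a static plus an access-list bound with access-group, and inside -> DMZ through a global/nat pair using an unused DMZ address. Interface names and public addresses are the question's; 192.168.136.10 is an assumed private DMZ address for the web server, and the static line is assumed because the original was not quoted.

```cisco
! Added example, not the poster's config. Assumed values are marked.
!
! 1. Outside -> DMZ: one-to-one static for the web server (DMZ-side
!    address 192.168.136.10 is ASSUMED) and an ACL that admits only
!    TCP/80 to it. The ACL has no effect until access-group binds it
!    to the outside interface.
static (DMZ-1,outside) 126.96.36.199 192.168.136.10 netmask 255.255.255.255
access-list WEB permit tcp any host 126.96.36.199 eq www
access-group WEB in interface outside
!
! 2. Inside -> DMZ: translate inside hosts to an UNUSED DMZ address,
!    never to the web server's, so the PIX does not claim the server's
!    address and answer ARP for it.
global (DMZ-1) 1 192.168.136.50 netmask 255.255.255.0
nat (inside) 1 ODH 255.255.0.0 0 64
```

After applying it, `show xlate` should list inside hosts translated to 192.168.136.50 and the web server under its static mapping, with no translation landing on 126.96.36.199 from the inside.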
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...