11-15-2005 06:17 AM - edited 02-21-2020 12:31 AM
I am a new user and I am trying to configure a PIX 515e Ver 6.3(3). How do I give my inside users access to my webfarm which is on dmz1? I am able to access the inside and dmz1 test websites from the outside. I cannot access the dmz1 websites from the inside. Here is my current config:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password xxxx
passwd xxxx
hostname pix1
domain-name ae.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.10.1 aetest
name 10.10.10.2 aetest1
name 13.13.13.3 aetestdmz
name 13.13.13.4 aetestdmz1
access-list from-out-to-in permit tcp any any eq www
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 12.x.x.x.255.255.0
ip address inside 10.10.10.2 255.255.255.0
ip address dmz1 13.x.x.x.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
static (inside,outside) 12.12.12.15 aetest netmask 255.255.255.255 0 0
static (inside,outside) 12.12.12.16 aetest1 netmask 255.255.255.255 0 0
static (dmz1,outside) 12.12.12.17 aetestdmz netmask 255.255.255.255 0 0
static (dmz1,outside) 12.12.12.18 aetestdmz1 netmask 255.255.255.255 0 0
access-group from-out-to-in in interface outside
route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.10.207 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxx
: end
Thanks....Jay
11-15-2005 03:14 PM
with pix v6.x, nat/global or static is a must before the pix will start forwarding packets between two interfaces.
the current static statements don't cover the translation between inside and dmz. since the traffic between the pix inside net and dmz is private, i suggest you configure no-nat between the two.
e.g.
static (inside,dmz1) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
clear xlate
with the sample above, the pix inside host should be able to access the dmz webserver by pointing to the dmz webserver's private ip.
if you prefer the pix inside host to access the dmz webserver by name, then the "alias" command needs to be applied.
e.g.
alias (inside) 13.13.13.3 12.12.12.17 255.255.255.255
the need for the "alias" command is due to the fact that when a pix inside host attempts to access the dmz webserver by name, the public dns will point to the dmz webserver's public ip. now, the static created for the dmz webserver is directional, i.e. the public ip will only be accessible from the outside, not the pix inside net. thus the "alias" command will enable the pix to manipulate the dns response and point the name to the dmz webserver's private ip for the pix inside host.
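To make the translation rule and the DNS doctoring concrete, here is an added Python model (not from the thread or from Cisco) that parses `static` and `alias` lines in the form jackko uses and answers two questions: how a source host appears on the destination interface (None means no xlate, so a PIX 6.x drops the packet instead of routing it), and what address an inside host sees in a doctored DNS answer. The sample config lines are constructed from the thread's lab addresses.

```python
import ipaddress
import re

# Constructed sample using the thread's lab addresses (10.10.10.0/24 inside,
# 13.13.13.3 on dmz1) plus the identity static and alias from the answer above.
SAMPLE_CONFIG = """
static (inside,outside) 12.12.12.15 10.10.10.1 netmask 255.255.255.255 0 0
static (dmz1,outside) 12.12.12.17 13.13.13.3 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
alias (inside) 13.13.13.3 12.12.12.17 255.255.255.255
"""

# static (real_if,mapped_if) mapped_ip real_ip netmask mask  [trailing limits ignored]
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
# alias (if) dnat_ip foreign_ip mask : replies carrying foreign_ip are rewritten to dnat_ip
ALIAS_RE = re.compile(r"alias \((\w+)\) (\S+) (\S+) (\S+)")

def parse(config):
    """Return (statics, aliases) as network objects so ranges, not just hosts, match."""
    statics, aliases = [], []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_if, mapped_if, mapped, real, mask = m.groups()
            statics.append((real_if, mapped_if,
                            ipaddress.ip_network(f"{mapped}/{mask}", strict=False),
                            ipaddress.ip_network(f"{real}/{mask}", strict=False)))
            continue
        m = ALIAS_RE.match(line.strip())
        if m:
            ifc, dnat, foreign, mask = m.groups()
            aliases.append((ifc, ipaddress.ip_network(f"{dnat}/{mask}", strict=False),
                            ipaddress.ip_network(f"{foreign}/{mask}", strict=False)))
    return statics, aliases

def translated_source(statics, src_if, dst_if, src_ip):
    """Address a host on src_if shows up as on dst_if, or None if no static covers it."""
    ip = ipaddress.ip_address(src_ip)
    for real_if, mapped_if, mapped_net, real_net in statics:
        if (real_if, mapped_if) == (src_if, dst_if) and ip in real_net:
            offset = int(ip) - int(real_net.network_address)
            return str(mapped_net.network_address + offset)
    return None

def doctored_answer(aliases, ifc, answer_ip):
    """A record as seen by hosts on ifc after alias DNS doctoring (unchanged if no alias)."""
    ip = ipaddress.ip_address(answer_ip)
    for alias_if, dnat_net, foreign_net in aliases:
        if alias_if == ifc and ip in foreign_net:
            offset = int(ip) - int(foreign_net.network_address)
            return str(dnat_net.network_address + offset)
    return str(ip)
```

Removing the `static (inside,dmz1)` line from the sample reproduces the original poster's symptom: `translated_source` returns None for inside to dmz1.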
11-15-2005 08:34 AM
See the following weblink for an example of what you are trying to do:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
You will need to use the alias command.
Hope that helps.
Steve
11-25-2005 11:58 AM
Thanks jackko, it works great.
11-25-2005 03:03 PM
it's good to learn that your issue has been resolved.
11-29-2005 10:11 AM
Your advice worked for my lab. When I changed the IP addresses to match the current Symantec firewall and replaced it on the network, it did not work. I can ping the inside websites, dmz1 websites and the outside router from the PIX. When I try to access a web page from the inside to dmz1 or from the outside to inside, I get "This page cannot be displayed". I read an article that suggested clearing ARP on the outside router and the inside switch, and that did not work either. Here is a copy of the config that worked in the lab.
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password ?????? encrypted
passwd ????? encrypted
hostname pix1
domain-name ?????
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out-to-in permit tcp any host 12.108.53.146 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 12.108.53.130 255.255.255.224
ip address inside 10.10.1.210 255.255.0.0
ip address dmz1 172.18.1.2 255.255.255.224
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
static (inside,outside) 12.108.53.146 10.10.9.39 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.10.0.0 10.10.0.0 netmask 255.255.0.0 0 0
access-group out-to-in in interface outside
route outside 0.0.0.0 0.0.0.0 12.108.53.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxx
Again, all that was done to the above config was changing the IP addresses to match the current firewall config.
Any ideas?
Thanks
Jay