
PIX 515E config help

jay.ratliff
Level 1

I am a new user and I am trying to configure a PIX 515e Ver 6.3(3). How do I give my inside users access to my webfarm, which is on dmz1? I am able to access the inside and dmz1 test websites from the outside. I cannot access the dmz1 websites from the inside. Here is my current config:

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password xxxx
passwd xxxx
hostname pix1
domain-name ae.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.10.1 aetest
name 10.10.10.2 aetest1
name 13.13.13.3 aetestdmz
name 13.13.13.4 aetestdmz1
access-list from-out-to-in permit tcp any any eq www
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 12.x.x.x.255.255.0
ip address inside 10.10.10.2 255.255.255.0
ip address dmz1 13.x.x.x.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
static (inside,outside) 12.12.12.15 aetest netmask 255.255.255.255 0 0
static (inside,outside) 12.12.12.16 aetest1 netmask 255.255.255.255 0 0
static (dmz1,outside) 12.12.12.17 aetestdmz netmask 255.255.255.255 0 0
static (dmz1,outside) 12.12.12.18 aetestdmz1 netmask 255.255.255.255 0 0
access-group from-out-to-in in interface outside
route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.10.207 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxx
: end

Thanks....Jay

Accepted Solution

jackko
Level 7

with pix v6.x, a nat/global or static is a must before the pix will start forwarding packets between two interfaces.

the current static statements don't cover the translation between inside and dmz. since the traffic between the pix inside net and dmz is private, i suggest you configure no-nat between the two.

e.g.

static (inside,dmz1) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

clear xlate

with the sample above, the pix inside host should be able to access the dmz webserver by pointing to the dmz webserver's private ip.

if you prefer the pix inside host to access the dmz webserver by name, then the "alias" command needs to be applied.

e.g.

alias (inside) 13.13.13.3 12.12.12.17 255.255.255.255

the need for the "alias" command is due to the fact that when a pix inside host attempts to access the dmz webserver by name, the public dns will point to the dmz webserver's public ip. now, since the static created for the dmz webserver is directional, i.e. the public ip will only be accessible from the outside, not from the pix inside net, the "alias" command enables the pix to manipulate the dns response and point the name to the dmz webserver's private ip for the pix inside host.
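To make concrete what the alias line above does to a DNS reply, here is an added Python model of the DNS-rewrite half of `alias (inside) 13.13.13.3 12.12.12.17 255.255.255.255`. It is not code from this thread or from Cisco: the DNS reply is constructed inline (the name `aetestdmz.ae.com` is borrowed from the poster's config purely as a sample), only A records are rewritten, and the interface direction check a real PIX applies (only replies crossing to the aliased interface are touched) is not modelled.

```python
import ipaddress
import struct

# Model of the alias rule from the answer: alias (inside) 13.13.13.3 12.12.12.17 255.255.255.255
# Tuple order follows the PIX syntax: (dnat_ip, foreign_ip, netmask). Inside hosts
# should receive dnat_ip where the public DNS answers with foreign_ip.
ALIAS_RULES = [("13.13.13.3", "12.12.12.17", "255.255.255.255")]


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"


def build_dns_response(qname, answer_ip, txid=0x1234):
    """Construct a minimal DNS reply with one A record (test input built here, not a capture)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD/RA, 1 question, 1 answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    # Answer name is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(answer_ip).packed
    return header + question + answer


def skip_name(pkt, off):
    """Return the offset just past the DNS name starting at off (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def iter_a_records(pkt):
    """Yield (rdata_offset, IPv4Address) for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off, ipaddress.IPv4Address(bytes(pkt[off:off + 4]))
        off += rdlen


def alias_rewrite(pkt, rules=ALIAS_RULES):
    """Rewrite A-record data matching a rule's foreign_ip (under its mask) to the dnat_ip,
    which is what the PIX does to replies heading to the aliased interface."""
    pkt = bytearray(pkt)
    for off, ip in list(iter_a_records(pkt)):
        for dnat_ip, foreign_ip, mask in rules:
            m = int(ipaddress.IPv4Address(mask))
            if int(ip) & m == int(ipaddress.IPv4Address(foreign_ip)) & m:
                host_bits = int(ip) & (~m & 0xFFFFFFFF)
                new_ip = (int(ipaddress.IPv4Address(dnat_ip)) & m) | host_bits
                pkt[off:off + 4] = ipaddress.IPv4Address(new_ip).packed
                break
    return bytes(pkt)


def answer_ips(pkt):
    """List the A-record addresses in a reply, as strings."""
    return [str(ip) for _, ip in iter_a_records(pkt)]


if __name__ == "__main__":
    reply = build_dns_response("aetestdmz.ae.com", "12.12.12.17")
    print("reply from public DNS  :", answer_ips(reply))
    print("as seen by inside host :", answer_ips(alias_rewrite(reply)))
```

The packet length never changes because only the four rdata bytes are replaced, so the transport checksum is the only other thing a real rewrite has to fix up; a reply for an address that matches no rule passes through untouched.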


5 Replies

stomasko
Level 4

See the following weblink for an example of what you are trying to do:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

You will need to use the alias command.

Hope that helps.

Steve


Thanks jackko, it works great.

it's good to learn that your issue has been resolved.

according to cisco:

Why should I rate posts?

If you see a post that you think deserves recognition, please take a moment to rate it.

You'll be helping yourself and others to quickly identify useful content -- as determined by members. And you'll be ensuring that people who generously share their expertise are properly acknowledged. As posts are rated, the value of those ratings is accumulated as "points" and summarized on the Member Profile page and on each member's Preferences page.

Your advice worked for my lab. When I changed the IP addresses to match the current Symantec firewall and replaced it on the network, it did not work. I can ping the inside websites, dmz1 websites and the outside router from the PIX. When I try to access a web page from the inside to dmz1 or from the outside to inside, I get "This page cannot be displayed". I read an article that suggested clearing ARP on the outside router and the inside switch, and that did not work either. Here is a copy of the config that worked in the lab.

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password ?????? encrypted
passwd ????? encrypted
hostname pix1
domain-name ?????
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out-to-in permit tcp any host 12.108.53.146 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 12.108.53.130 255.255.255.224
ip address inside 10.10.1.210 255.255.0.0
ip address dmz1 172.18.1.2 255.255.255.224
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
static (inside,outside) 12.108.53.146 10.10.9.39 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.10.0.0 10.10.0.0 netmask 255.255.0.0 0 0
access-group out-to-in in interface outside
route outside 0.0.0.0 0.0.0.0 12.108.53.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxx

Again, all that was done to the above config was changing the IP addresses to match the current firewall config.

Any ideas?

Thanks…

Jay
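The accepted answer's rule (on PIX 6.x a static or nat/global must exist before traffic is forwarded from a higher- to a lower-security interface) is mechanical enough to check from the config text. Below is an added Python script, not from the thread or from Cisco, that parses `nameif`, `ip address`, `name` and `static` lines and reports, for every higher-to-lower interface pair, whether a static covers the source interface's whole subnet, only some hosts, or nothing. The sample input is a constructed excerpt of the production config posted above; `nat`/`global` pairs are deliberately not modelled, so a pair reported as "none" may still be served by them in a config that has some.

```python
import ipaddress
import re

# Constructed excerpt of the second (production) config posted above. Only the
# lines this check reads are included, so it is not the full running config.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
ip address outside 12.108.53.130 255.255.255.224
ip address inside 10.10.1.210 255.255.0.0
ip address dmz1 172.18.1.2 255.255.255.224
static (inside,outside) 12.108.53.146 10.10.9.39 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.10.0.0 10.10.0.0 netmask 255.255.0.0 0 0
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask] ...
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+)(?: netmask (\S+))?")


def parse_config(text):
    """Extract interfaces (security level, subnet) and static translations from
    PIX 6.x config text. `name` aliases are resolved so statics written with a
    name (as in the first config above) get a real address."""
    names, ifaces, statics = {}, {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "name" and len(parts) == 3:
            names[parts[2]] = parts[1]                      # name <ip> <alias>
        elif parts[0] == "nameif" and len(parts) == 4:
            level = int(parts[3].replace("security", ""))   # nameif ethernet1 inside security100
            ifaces[parts[2]] = {"security": level, "subnet": None}
        elif parts[:2] == ["ip", "address"] and len(parts) == 5:
            ifaces.setdefault(parts[2], {"security": 0, "subnet": None})
            ifaces[parts[2]]["subnet"] = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
        elif parts[0] == "static":
            m = STATIC_RE.match(line)
            if m:
                real_ifc, mapped_ifc, _mapped_ip, real_ip, mask = m.groups()
                real_ip = names.get(real_ip, real_ip)
                real_net = ipaddress.ip_network(f"{real_ip}/{mask or '255.255.255.255'}", strict=False)
                statics.append((real_ifc, mapped_ifc, real_net))
    return ifaces, statics


def static_coverage(text):
    """For each higher-to-lower security interface pair return "full" if a static's
    real range contains the whole source subnet, "partial" if it covers some of
    its hosts, and "none" if no static exists for that pair at all."""
    ifaces, statics = parse_config(text)
    report = {}
    for src, s in ifaces.items():
        for dst, d in ifaces.items():
            if src == dst or s["security"] <= d["security"]:
                continue
            if s["subnet"] is None or d["subnet"] is None:
                continue                                    # interface without an address
            status = "none"
            for real_ifc, mapped_ifc, real_net in statics:
                if (real_ifc, mapped_ifc) != (src, dst):
                    continue
                if s["subnet"].subnet_of(real_net):
                    status = "full"
                    break
                if s["subnet"].overlaps(real_net):
                    status = "partial"
            report[f"{src}->{dst}"] = status
    return report


if __name__ == "__main__":
    for pair, status in sorted(static_coverage(SAMPLE_CONFIG).items()):
        print(f"{pair:18} {status}")
```

On the excerpt above the script reports `inside->dmz1` as full (the identity static spans the whole 10.10.0.0/16 inside subnet), `inside->outside` as partial (one host static) and `dmz1->outside` as none, which is simply what the posted static lines say; it is a way to confirm the inside-to-dmz1 translation survived the address change, not a diagnosis of the other symptoms.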
