PIX 515e inside access to dmz

pmichaelson
Level 1

I have an issue that I cannot seem to see. I am trying to allow inside users access to the DMZ, mainly for FTP and WWW. I know I am overlooking something simple. Thanks in advance.

Here is the portion of the config that I have:

interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list dmz permit ip any any
pager lines 24
ip address outside xxx.xxx.xxx.xxx 255.255.255.240
ip address inside yyy.yyy.yyy.yyy 255.255.255.0
ip address dmz zzz.zzz.zzz.zzz 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,dmz) yyy.yyy.yyy.yyy yyy.yyy.yyy.yyy netmask 255.0.0.0 0 0
static (dmz,outside) zzz.zzz.zzz.zzz zzz.zzz.zzz.zzz netmask 255.255.255.255 0 0
static (inside,dmz) zzz.zzz.zzz.zzz yyy.yyy.yyy.yyy netmask 255.255.255.255 0 0
access-group dmz in interface dmz

6 Replies

pmichaelson
Level 1

The error I seem to have is:

Deny TCP (no connection) from zzz.zzz.zzz.zzz/21 to yyy.yyy.yyy.yyy/44038 flags SYN ACK on interface dmz

pmichaelson
Level 1

Here is something odd. I can ping and trace to the DMZ with no problem. Does anyone have any insight on this?

Phil

soylo
Level 1

Hi,

First, I don't see ACL inside_outbound_nat0_acl defined.

If you want internal users to be allowed to access the DMZ, I don't think static (inside,dmz) zzz.zzz.zzz.zzz yyy.yyy.yyy.yyy netmask 255.255.255.255 0 0 is necessary.

This URL can help you.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm

Sergio

I have added this:

access-list no_dmz_nat permit ip 207.250.100.144 255.255.255.240 10.0.0.0 255.0.0.0

nat (dmz) 0 access-list no_nat_dmz....

Still cannot access services on the DMZ... but I can ping.


pmichaelson
Level 1

The log shows this when trying to FTP:

Deny TCP (no connection) from 207.250.100.149/21 to 10.8.15.10/54278 flags SYN ACK on interface dmz

Looks like some kind of translation is missing, but I can't make heads or tails of it.... Anyone see the issue?
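As an added example (not from this thread or from Cisco), the following Python parses the PIX "Deny TCP (no connection)" messages quoted above and flags the pattern they show: a SYN ACK from a server port arriving on an interface where the firewall holds no connection entry, which means state was never built for the client's outbound SYN. The sample log lines are constructed from the two messages in the thread plus one unrelated deny.

```python
import re

# Regex for the body of the PIX "Deny TCP (no connection)" syslog message
# in the form quoted in this thread.
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\w.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\w.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>\w+)"
)

# Constructed sample lines: the two messages from the thread plus an
# unrelated deny to show that it is filtered out.
SAMPLE_LOGS = [
    "Deny TCP (no connection) from zzz.zzz.zzz.zzz/21 to yyy.yyy.yyy.yyy/44038 flags SYN ACK on interface dmz",
    "Deny TCP (no connection) from 207.250.100.149/21 to 10.8.15.10/54278 flags SYN ACK on interface dmz",
    "Deny TCP (no connection) from 10.8.15.10/3389 to 10.8.15.11/4567 flags ACK on interface inside",
]


def parse_deny(line):
    """Return the fields of a no-connection deny, or None if the line does not match."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = set(rec["flags"].split())
    return rec


def classify(rec):
    """Label a deny: a SYN ACK from a well-known server port to an ephemeral client
    port, with no connection entry, is the reply half of a handshake whose SYN the
    firewall never tracked (a translation or ACL problem on the outbound leg)."""
    if rec["flags"] == {"SYN", "ACK"} and rec["sport"] < 1024 and rec["dport"] >= 1024:
        return "orphan-reply"
    return "other"


def orphan_replies(lines):
    """Count orphan SYN ACK replies per (server, port, interface) for triage."""
    counts = {}
    for line in lines:
        rec = parse_deny(line)
        if rec and classify(rec) == "orphan-reply":
            key = (rec["src"], rec["sport"], rec["iface"])
            counts[key] = counts.get(key, 0) + 1
    return counts
```

Running `orphan_replies(SAMPLE_LOGS)` groups both FTP denies under port 21 on the dmz interface, which points at the inside-to-dmz leg rather than at the server itself.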
