Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX 515e Internal to DMZ access issues.

Hello, I hope that you guys can help me out here.

Currently I am trying to get FTP access to a machine from inside my DMZ from our private network via the external network. I have set up static commands for a number of machines that will be put into the DMZ however the FTP server is the only one in there at this time.I have set up access-lists for access to the DMZ on port 25.

Here is my config. Any advice would be greatly appreciated.

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list FMPTraffic permit tcp any host xxx.yyy.zzz.98 eq 5003

access-list FMPTraffic permit tcp any host xxx.yyy.zzz.98 eq 3389

access-list FMPTraffic permit tcp any host xxx.yyy.zzz.105 eq www

access-list FMPTraffic permit tcp any host xxx.yyy.zzz.105 eq ftp

access-list FMPTraffic deny ip any any

access-list outbound permit ip any any

access-list outbound deny ip 192.168.3.128 255.255.255.224 any

access-list outbound deny ip 192.168.3.96 255.255.255.224 any

pager lines 50

logging on

logging monitor informational

logging buffered informational

logging trap notifications

logging host inside 192.168.2.223

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside xxx.yyy.zzz.98 255.255.255.224

ip address inside 192.168.2.6 255.255.254.0

ip address dmz 172.16.1.1 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address dmz

pdm location 192.168.1.0 255.255.255.0 inside

pdm location 192.168.2.26 255.255.255.255 inside

pdm location 192.168.2.29 255.255.255.255 inside

pdm location 192.168.2.105 255.255.255.255 inside

pdm location 192.168.2.201 255.255.255.255 inside

pdm location 192.168.2.223 255.255.255.255 inside

pdm location 192.168.3.96 255.255.255.224 inside

pdm location 192.168.3.128 255.255.255.224 inside

pdm location 192.168.4.0 255.255.255.128 inside

pdm location 172.16.1.2 255.255.255.255 dmz

pdm location 172.16.1.3 255.255.255.255 dmz

pdm location 172.16.1.4 255.255.255.255 dmz

pdm location 172.16.1.5 255.255.255.255 dmz

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

global (inside) 2 192.168.2.39

nat (inside) 1 192.168.2.0 255.255.254.0 0 0

static (inside,outside) tcp interface 5003 192.168.2.26 5003 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 3389 192.168.2.29 3389 netmask 255.255.255.255 0 0

static (dmz,outside) xxx.yyy.zzz.102 172.16.1.2 netmask 255.255.255.255 0 0

static (dmz,outside) xxx.yyy.zzz.103 172.16.1.3 netmask 255.255.255.255 0 0

static (dmz,outside) xxx.yyy.zzz.104 172.16.1.4 netmask 255.255.255.255 0 0

static (dmz,outside) xxx.yyy.zzz.105 172.16.1.5 netmask 255.255.255.255 0 0

access-group FMPTraffic in interface outside

access-group outbound in interface inside

route outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.97 1

route inside 192.168.4.0 255.255.255.128 192.168.3.20 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

  • Other Security Subjects
4 REPLIES

Re: PIX 515e Internal to DMZ access issues.

Hello,

I don't see anything wrong with your config as far as inbound traffic to your x.x.x.105 server.

Your static and access-list with access-group are all inplace.

Try clearing your xlate and then make sure you have connectivity to your server from the pix.

Patrick

New Member

Re: PIX 515e Internal to DMZ access issues.

Thanks for the response.

I was editing my original post as you posted. I had made some mistakes about the issue I was having. The problem is only occurring when attempting to connect to the external IP Address from the internal network (essentially making a U-Turn on the firewall).

New Member

Re: PIX 515e Internal to DMZ access issues.

Hi ,

As rightly said in the previous post ,PIX does not support what we call one-arm routing.that is routing the packet back on the interface it was received from.

correct me if I am wrong .

Do you want to access that server on DMZ from the inside through the public IP.

If that is correct then you can configure D-NAT

Assuming the local IP of the server is 172.16.1.5 and public IP is x.x.x.x.

static (dmz,inside) x.x.x.x 172.16.1.5

Regards,

Tanveer

137
Views
0
Helpful
4
Replies
This widget could not be displayed.