Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

PIX 520 with 3 Interface Cards

Hi There!

On a PIX 520, I have three interface cards.

OUTSIDE -- Connnected to our ISP 65.203.54.1/24

INSIDE -- A private network 20.0.0.1/24

PRN (DMZ) -- Another firm's (FIRM X) private network 56.238.64.128/26

I have a conduit established from the OUTSIDE to an server INSIDE

at 20.0.0.179 to support www and 443 port access. Works great!

I can further access the 20.0.0.174 server from the PRN(DMZ) mini-network from a

client PC I established at a static address of 58.238.64.145. I used another

conduit statement (see below) to provide this access for port 80 and 443. Works great!

Now my problem: I have a remote tester on the FIRM X's private network working from a

terminal address 56.8.3.160. He tries to access the 20.0.0.174 server via port

443, but he gets no response. I *do* see his request in the PIX firewall log

like this:

<190>%PIX-6-302001: Built inbound TCP connection 358446 for faddr

56.80.3.160/1050 gaddr 56.238.64.141/443 laddr 20.0.0.174/443

<190>%PIX-6-302002: Teardown TCP connection 358552 faddr 56.80.3.160/1058 gaddr

56.238.64.141/443 laddr 20.0.0.174/443 duration 1:00:40 bytes 0 (Conn-timeout)

So basically, he makes it in but gets no response (timeout).

Further, looking at my server log, I don't see his request hitting my default

web page. (I'm not totally sure of this, but this is my current understanding.)

I've posted my configuration (abbreviated) below. Can anyone

see why my tester is having access problems while I can access the server through

the firewall from my 58.238.64.145 test machine? I'm concerned that my global statement

for the PRN does not specify a range (I won't have any internal communications initiated

from the 20.0.0.1 network to the 56.x.x.x world), that I'm not fully specifying

the limited subnet of the PRN (DMZ) network, and that I have a single "route outside"

statement (although the PIX instructions indicate that you should have only one

route outside statement if you have more than 2 interface cards).

I'm over my head! Can anyone help me?

TIA

Harry

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 prn security50

fixup protocol ftp 21

fixup protocol http 80

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol http 443

no fixup protocol rsh 514

no fixup protocol h323 1720

names

interface ethernet0 10baset

interface ethernet1 10baset

interface ethernet2 10baset

mtu outside 1500

mtu inside 1500

mtu prn 1500

ip address outside 65.203.54.180 255.255.255.0

ip address inside 20.0.0.1 255.0.0.0

ip address prn 56.238.64.135 255.255.255.0

global (outside) 1 65.203.54.160-65.203.54.178

global (prn) 1 56.238.64.160

nat (inside) 0 access-list 101

nat (inside) 1 20.0.0.0 255.0.0.0 0 0

static (inside,outside) 65.203.54.174 20.0.0.174 netmask 255.255.255.255 0 0

static (inside,prn) 56.238.64.141 20.0.0.174 netmask 255.255.255.255 0 0

conduit permit tcp host 65.203.54.174 eq 443 any

conduit permit tcp host 65.203.54.174 eq www any

conduit permit tcp host 56.238.64.141 eq www any

conduit permit tcp host 56.238.64.141 eq 443 any

route outside 0.0.0.0 0.0.0.0 65.203.54.1 1

conduit permit icmp any any echo-reply

1 REPLY
Community Member

Re: PIX 520 with 3 Interface Cards

I think a route to 56.80.3.160 is missing :

your default route is :

route outside 0.0.0.0 0.0.0.0 65.203.54.1 1

and you should also have a route 56.80.3.160 through the prn interface.

Jean-Marc

116
Views
0
Helpful
1
Replies
CreatePlease to create content