05-05-2003 12:32 PM - edited 02-20-2020 10:43 PM
I have a PIX 515e with 6 interfaces (5 in use) - inside, outside, dmz, dmz2 and vpn.
I am unable to telnet (or anything else) from dmz2 to dmz or dmz to vpn (possibly other combinations), but I am able to get from inside to anywhere or outside to anywhere, dmz to outside or inside, vpn to inside, etc. (of course, all these are restricted based on access-lists).
When I attempt to make a connection from dmz2 to dmz, I get the following log messages:
302013: Built inbound TCP connection 375382 for dmz2:10.64.16.25/1168 (10.64.16.25/1168) to dmz:10.216.120.69/23 (10.216.120.69/23)
106015: Deny TCP (no connection) from 10.216.120.69/23 to 10.64.16.25/1168 flags SYN ACK on interface dmz
Here is my PIX configuration:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 vpn security60
nameif ethernet4 dmz2 security40
names
name 10.216.120.22 dcvpn02-public
name 10.216.120.19 dcnet02r-fa0-0
name 10.216.120.21 dcvpn01-public
name 10.216.120.18 dcnet01r-fa0-0
name 10.216.120.17 dcnet0Xr-hsrp
name 10.216.120.69 dcvpn01-private
name 10.216.120.70 dcvpn02-private
name 10.216.120.4 dcnet0X-intrcnct
name 10.216.120.2 dcnet02r-lo0
name 10.216.120.1 dcnet01r-lo0
name 10.216.120.0 dcnet0X-lo0
name 10.216.120.20 dcvpn-pub-lbvip
name 10.216.120.6 dcnet02r-fa0-1
name 10.216.120.5 dcnet01r-fa0-1
name 192.168.239.3 dc6509a-16
name 192.168.239.2 dc6509a-15
name 10.36.172.0 ISP-IP-Addrs
name 10.216.120.16 Outside_Network
name 10.216.120.64 DMZ_Network
name 10.216.120.71 dcdmz01s
name 10.216.120.72 dcdmz02s
name 10.216.120.73 sid
name 10.216.120.74 zurg
name 10.64.32.0 VPN_Clients_32
name 10.64.33.0 VPN_Clients_33
name 172.20.53.204 host1
name 10.3.185.20 host2
object-group network DCNET0X_INTERFACES
description All interfaces on the Internet routers
network-object dcnet01r-lo0 255.255.255.255
network-object dcnet02r-lo0 255.255.255.255
network-object dcnet01r-fa0-1 255.255.255.255
network-object dcnet02r-fa0-1 255.255.255.255
network-object dcnet01r-fa0-0 255.255.255.255
network-object dcnet02r-fa0-0 255.255.255.255
object-group network VPN_CLIENTS
description All VPN Clients
network-object VPN_Clients_32 255.255.255.0
network-object VPN_Clients_33 255.255.255.0
object-group network INSIDE_NETWORKS
description All Inside Networks
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 10.0.0.0 255.0.0.0
object-group network VPNC_PRIVATE_INT
description Private Interfaces of VPN Concentrators
network-object dcvpn01-private 255.255.255.255
network-object dcvpn02-private 255.255.255.255
network-object 10.64.24.11 255.255.255.255
network-object 10.64.24.12 255.255.255.255
object-group network MGMT_STATIONS
description Network Management Workstations
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group network DMZ_SWITCHES
description Management Interfaces of the DMZ switches
network-object dcdmz01s 255.255.255.255
network-object dcdmz02s 255.255.255.255
network-object 10.64.16.11 255.255.255.255
network-object 10.64.16.12 255.255.255.255
object-group network DNS_SERVERS
description External/Public DNS Servers
network-object sid 255.255.255.255
network-object zurg 255.255.255.255
object-group network DMZ_HOSTS
description These are hosts that are on the DMZ
network-object DMZ_Network 255.255.255.224
object-group network INSIDE_DENIED_INTERNET
description These are inside hosts that are denied Internet access
network-object 10.32.96.0 255.255.252.0
network-object 10.32.24.0 255.255.252.0
object-group network INSIDE_DENIED_DMZ
description These hosts are denied access to the DMZ
network-object 10.32.96.0 255.255.252.0
network-object 10.32.24.0 255.255.252.0
object-group service VPNC_INTERNAL_SERVICES tcp-udp
description TCP and UDP Ports that the VPN Concentrators need to use
port-object eq domain
port-object eq tacacs
port-object eq 69
port-object eq 161
port-object eq 162
port-object eq 514
port-object eq 1645
port-object eq 1646
port-object eq 123
object-group network DO_VPN_CLIENTS
description Clients on remote VPN segments
network-object 10.68.0.0 255.255.0.0
access-list dont_nat permit ip object-group DCNET0X_INTERFACES object-group MGMT_STATIONS
access-list dont_nat permit ip object-group VPNC_PRIVATE_INT object-group INSIDE_NETWORKS
access-list dont_nat permit ip object-group DMZ_SWITCHES object-group MGMT_STATIONS
access-list dont_nat permit ip object-group DNS_SERVERS any
access-list outside_inbound permit udp object-group DCNET0X_INTERFACES any eq tftp
access-list outside_inbound permit udp object-group DCNET0X_INTERFACES any eq ntp
access-list outside_inbound permit udp any object-group DNS_SERVERS eq domain
access-list outside_inbound permit tcp host host2 host 10.216.120.26 eq 8080
access-list outside_inbound permit tcp host 10.216.120.35 any eq www
access-list outside_inbound permit tcp host 10.216.120.35 any eq https
access-list dmz_inbound permit udp object-group DMZ_SWITCHES object-group MGMT_STATIONS eq tftp
access-list dmz_inbound permit udp object-group DMZ_SWITCHES object-group MGMT_STATIONS eq ntp
access-list dmz_inbound permit tcp object-group DNS_SERVERS object-group INSIDE_NETWORKS eq smtp
access-list dmz_inbound permit udp object-group DNS_SERVERS object-group INSIDE_NETWORKS eq ntp
access-list dmz_inbound deny udp object-group DNS_SERVERS object-group INSIDE_NETWORKS eq domain
access-list dmz_inbound permit udp object-group DNS_SERVERS any eq domain
access-list dmz_inbound permit udp object-group VPNC_PRIVATE_INT object-group INSIDE_NETWORKS object-group VPNC_INTERNAL_SERVICES
access-list dmz_inbound permit ip object-group VPN_CLIENTS any
access-list dmz_inbound permit ip object-group DO_VPN_CLIENTS any
access-list inside_inbound deny ip object-group INSIDE_DENIED_DMZ object-group DMZ_HOSTS
access-list inside_inbound deny ip object-group INSIDE_DENIED_INTERNET any
access-list inside_inbound permit ip object-group INSIDE_NETWORKS any
access-list vpn_inbound permit udp object-group VPNC_PRIVATE_INT object-group INSIDE_NETWORKS object-group VPNC_INTERNAL_SERVICES
access-list vpn_inbound permit ip object-group VPN_CLIENTS any
access-list vpn_inbound permit ip object-group DO_VPN_CLIENTS any
access-list vpn_inbound permit ip object-group VPNC_PRIVATE_INT VPN_Clients_32 255.255.255.0
access-list dmz2_inbound permit udp object-group DMZ_SWITCHES object-group MGMT_STATIONS eq tftp
access-list dmz2_inbound permit udp object-group DMZ_SWITCHES object-group MGMT_STATIONS eq ntp
access-list dmz2_inbound permit ip host 10.64.17.35 object-group INSIDE_NETWORKS
access-list dmz2_inbound permit ip 10.64.16.0 255.255.255.0 10.64.24.0 255.255.255.0
access-list dmz2_inbound permit ip 10.64.16.0 255.255.255.0 10.32.0.0 255.255.0.0
access-list dmz2_inbound permit ip host 10.64.16.25 host dcvpn01-private
access-list dont_nat_vpn permit ip 10.64.24.0 255.255.255.0 VPN_Clients_32 255.255.255.0
access-list dont_nat_vpn permit ip VPN_Clients_32 255.255.255.0 10.64.24.0 255.255.255.0
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
ip address outside 10.216.120.23 255.255.255.240
ip address inside 192.168.225.15 255.255.255.0
ip address dmz 10.216.120.66 255.255.255.224
ip address vpn 10.64.24.1 255.255.252.0
ip address dmz2 10.64.16.1 255.255.252.0
ip address intf5 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip verify reverse-path interface vpn
ip verify reverse-path interface dmz2
global (outside) 100 10.216.120.25
global (outside) 160 10.216.120.26
nat (inside) 0 access-list dont_nat
nat (inside) 100 0.0.0.0 0.0.0.0 0 0
nat (dmz) 100 VPN_Clients_32 255.255.255.0 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.240.0.0 0 0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (dmz,outside) sid sid netmask 255.255.255.255 0 0
static (dmz,outside) zurg zurg netmask 255.255.255.255 0 0
static (inside,outside) 10.216.120.26 host1 netmask 255.255.255.255 0 0
static (inside,dmz) 10.32.0.0 10.32.0.0 netmask 255.255.0.0 0 0
static (inside,vpn) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
static (inside,vpn) 172.16.0.0 172.16.0.0 netmask 255.240.0.0 0 0
static (inside,vpn) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (dmz2,outside) 10.216.120.35 10.64.17.35 netmask 255.255.255.255 0 0
static (inside,dmz2) 172.16.0.0 172.16.0.0 netmask 255.240.0.0 0 0
static (inside,dmz2) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
static (inside,dmz2) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (vpn,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (vpn,dmz2) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (dmz,dmz2) DMZ_Network DMZ_Network netmask 255.255.255.224 0 0
access-group outside_inbound in interface outside
access-group inside_inbound in interface inside
access-group dmz_inbound in interface dmz
access-group dmz2_inbound in interface dmz2
rip dmz passive version 2
rip vpn passive version 2
route outside 0.0.0.0 0.0.0.0 dcnet0Xr-hsrp 1
route dmz 10.1.1.0 255.255.255.0 dcvpn01-private 1
route dmz 10.1.2.0 255.255.255.0 dcvpn02-private 1
route inside 10.32.0.0 255.255.0.0 192.168.225.1 1
route inside 10.33.0.0 255.255.0.0 192.168.225.1 1
route dmz VPN_Clients_32 255.255.255.0 dcvpn01-private 1
route vpn VPN_Clients_33 255.255.255.0 10.64.24.12 1
route outside ISP-IP-Addrs 255.255.255.0 dcnet0Xr-hsrp 1
route inside 172.16.0.0 255.240.0.0 192.168.225.1 1
route inside 192.168.0.0 255.255.0.0 192.168.225.1 1
05-06-2003 12:11 PM
Hi.
I would try the following:
> ip verify reverse-path interface dmz
Try without the above line - just for the test.
> static (dmz,dmz2) DMZ_Network DMZ_Network netmask 255.255.255.224
Try to remove that line and add:
access-list nonatdmz permit ip 10.216.120.64 255.255.255.224 10.64.16.0 255.255.252.0
nat (dmz) 0 access-list nonatdmz
Does it change anything?
05-06-2003 06:42 PM
I noticed in my original post that I forgot to actually say what I wanted to do. I think you figured it out, though. I need to be able to get traffic from dmz or dmz2 to vpn and vice versa.
I've tried what you suggested already, but I did it again.
I'm a bit frustrated, the various configurations I've tried have either gotten me
"305005: No translation group found for tcp src dmz:10.64.32.1/1336 dst vpn:10.64.24.12/23" (this is what I got with your suggestions)
or I get the "deny TCP" that I posted in the original.
Turning off reverse-path didn't change anything.
--kan--
05-06-2003 09:34 PM
You need to fix up these, they'll definitely be causing strange things:
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,vpn) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,dmz2) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (vpn,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (vpn,dmz2) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
In one command you're telling the PIX the whole 10.0.0.0 subnet sits on the inside interface, then you're telling it it sits on the vpn interface (yes, these override the static routes when the PIX receives packets on interfaces). Make all your statics reference the specific subnets only that are on each interface (there doesn't seem to be too many going by your static routes), and see how you go.
Try plugging your config into the Output Interpreter (https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl) and it'll tell you a wealth of information.
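As an added example that is not part of this thread, a small config audit in Python that applies the rule from the reply above: it parses `static` lines in the plain PIX 6.x syntax used in this config (lines that use `name` aliases such as DMZ_Network are skipped) and flags mapped ranges that two different real interfaces both claim on the same mapped interface. The sample config is constructed from the five statics quoted above plus one specific static.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the five overlapping identity statics quoted in the reply,
# plus one specific static so the report shows a partial overlap as well.
SAMPLE_CONFIG = """
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,vpn) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,dmz2) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (vpn,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (vpn,dmz2) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,dmz) 10.32.0.0 10.32.0.0 netmask 255.255.0.0 0 0
"""

# PIX 6.x form: static (real_if,mapped_if) mapped_addr real_addr netmask mask ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)"
)

def parse_statics(text):
    """Return (real_if, mapped_if, mapped_net, real_net) for each parsable static."""
    out = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        try:  # 'name' aliases are not IPs; skip them rather than guess
            mapped = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False)
            real = ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=False)
        except ValueError:
            continue
        out.append((m["real_if"], m["mapped_if"], mapped, real))
    return out

def find_conflicts(statics):
    """Mapped ranges claimed by two different real interfaces on one mapped
    interface: a packet arriving there could belong to either side."""
    by_mapped_if = defaultdict(list)
    for real_if, mapped_if, mapped, _real in statics:
        by_mapped_if[mapped_if].append((real_if, mapped))
    conflicts = []
    for mapped_if, claims in by_mapped_if.items():
        for i, (if_a, net_a) in enumerate(claims):
            for if_b, net_b in claims[i + 1:]:
                if if_a != if_b and net_a.overlaps(net_b):
                    conflicts.append((mapped_if, if_a, str(net_a), if_b, str(net_b)))
    return sorted(conflicts)

if __name__ == "__main__":
    for c in find_conflicts(parse_statics(SAMPLE_CONFIG)):
        print("on %s: %s claims %s, %s claims %s" % c)
```

Running it against the sample reports three overlaps (two on dmz, one on dmz2); a config whose statics name only the subnets actually behind each interface reports none.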
05-07-2003 05:22 PM
I was suspecting that these overlaps may be problems, but nothing that I could find indicated it was for sure. They are. I put the more specific statics in the config and it fired right up.
Thanks for the help.