PIX DMZ configuration problem

kk.ng
Level 1

Hi,

I am having some trouble getting my DMZ settings working. I have a reverse proxy, located in the DMZ, which is supposed to redirect all HTTP traffic for a certain domain to a web server that is in the inside network. The PIX NATs all connections originating from inside and the DMZ (perimeter):

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (perimeter) 1 0.0.0.0 0.0.0.0 0 0

First of all I created a static to outside for my reverse proxy:

static (perimeter,outside) x.x.x.x 192.168.109.52 netmask 255.255.255.255 0 0

Then I permitted access to the reverse proxy:

access-list 100 permit tcp any host x.x.x.x eq www

And bound the access-list to the outside interface:

access-group 100 in interface outside

So far so good, everything’s working at this point. But as soon as I add an access-list for using the web server in the inside network, it interrupts my connection flow.

Exemption from NAT from inside to the DMZ:

static (inside,perimeter) 192.168.108.0 192.168.108.0 netmask 255.255.255.0 0 0

static (inside,perimeter) 192.168.107.0 192.168.107.0 netmask 255.255.255.0 0 0

Permit access to the inside web server:

access-list 200 permit tcp host 192.168.109.52 host 192.168.108.34 eq 7777

Now what happens is (or at least I assume it): A host connects to the IP x.x.x.x for an HTTP request. The PIX passes the request to the reverse proxy using ACL 100. The reverse proxy picks up the request, processes it and forwards it to the internal web server. The answer is sent back to the reverse proxy, and then it tries to transmit the response back to the requester. Actually this should work based on the interface definition of the security levels: inside 100, perimeter 50, outside 0. But the responses do not get through to the outside anymore. I guess it must be somewhere between the reverse proxy and the PIX, since network connection (a) is held between the reverse proxy and the requester, and a new connection (b) is held between the reverse proxy and the inside web server.

Does anyone have a clue on how to solve this problem?

Thanks in advance.

Kai Keong Ng
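To make the rule the post is leaning on concrete, here is a small added example (my code, not from the thread and not from Cisco): a Python model of how a PIX admits a new connection arriving on an interface, either by the ACL bound there with access-group or, if none is bound, by the security-level comparison. It parses the thread's own access-list lines (x.x.x.x replaced by the documentation placeholder 203.0.113.10) and evaluates three constructed flows twice: once with ACL 200 left unbound as the post shows it, and once with an assumed `access-group 200 in interface perimeter` that the post does not show. Return traffic of established connections, NAT and the rest of the PIX are out of scope, so this is not a diagnosis of the problem above, only a way to see what binding an ACL on the DMZ interface changes.

```python
"""Toy model of the PIX rule for admitting a NEW connection on an interface.

Added example for this thread (not the poster's or Cisco's code). Two rules only:
  1. If an access-group binds an ACL inbound on the arrival interface, the ACL
     decides; a flow matching no ACE hits the implicit deny.
  2. With no ACL bound, a new connection is allowed only from a higher-security
     interface to a lower one.
Return traffic, NAT/static handling and fixups are deliberately out of scope.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Security levels exactly as stated in the post.
SECURITY_LEVEL = {"inside": 100, "perimeter": 50, "outside": 0}

# A few port keywords the PIX accepts in place of numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25}

# Constructed config: the poster's ACL lines, with x.x.x.x replaced by the
# documentation address 203.0.113.10 (a placeholder, not a real value).
BASE_CONFIG = """
access-list 100 permit tcp any host 203.0.113.10 eq www
access-group 100 in interface outside
access-list 200 permit tcp host 192.168.109.52 host 192.168.108.34 eq 7777
"""

# Assumption for comparison: ACL 200 also bound inbound on the DMZ interface.
# The post does not show this line; it is added here to make the effect visible.
DMZ_ACL_CONFIG = BASE_CONFIG + "access-group 200 in interface perimeter\n"


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]         # None matches any destination port


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: any | host A.B.C.D | A.B.C.D MASK."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_config(text):
    """Return ({acl_id: [Ace, ...]}, {interface: acl_id bound inbound})."""
    acls, bindings = {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            acl_id, action, proto = t[1], t[2], t[3]
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            port = None
            if i < len(t) and t[i] == "eq":
                port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            acls.setdefault(acl_id, []).append(Ace(action, proto, src, dst, port))
        elif t[0] == "access-group":
            # access-group <acl_id> in interface <name>
            bindings[t[4]] = t[1]
    return acls, bindings


def admit(flow, acls, bindings):
    """Decide a new connection; returns (allowed, reason).

    flow = (in_if, out_if, proto, src_ip, dst_ip, dst_port). Addresses are
    matched literally as written in the ACL, which is why the outside ACL
    names the global (translated) address of the proxy.
    """
    in_if, out_if, proto, src, dst, port = flow
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl_id = bindings.get(in_if)
    if acl_id is not None:
        for ace in acls.get(acl_id, []):
            if (ace.proto in (proto, "ip") and src in ace.src and dst in ace.dst
                    and (ace.port is None or ace.port == port)):
                return ace.action == "permit", f"acl {acl_id}: {ace.action}"
        return False, f"acl {acl_id}: implicit deny"
    if SECURITY_LEVEL[in_if] > SECURITY_LEVEL[out_if]:
        return True, "no ACL bound; higher to lower security level"
    return False, "no ACL bound; lower to higher security level"


# Constructed flows. 198.51.100.7 stands for an arbitrary Internet host.
FLOWS = {
    "client_to_proxy": ("outside", "perimeter", "tcp", "198.51.100.7", "203.0.113.10", 80),
    "proxy_to_web": ("perimeter", "inside", "tcp", "192.168.109.52", "192.168.108.34", 7777),
    "proxy_to_internet": ("perimeter", "outside", "tcp", "192.168.109.52", "198.51.100.7", 443),
}


def evaluate(config_text):
    """Map each named flow to True/False under the given config."""
    acls, bindings = parse_config(config_text)
    return {name: admit(f, acls, bindings)[0] for name, f in FLOWS.items()}


if __name__ == "__main__":
    for label, cfg in (("ACL 200 not bound", BASE_CONFIG),
                       ("ACL 200 bound on perimeter", DMZ_ACL_CONFIG)):
        acls, bindings = parse_config(cfg)
        print(label)
        for name, f in FLOWS.items():
            print(f"  {name:18} {admit(f, acls, bindings)}")
```

Run it and compare the two tables: with no ACL bound on perimeter, the DMZ may initiate anything towards outside but nothing towards inside; once an ACL is bound there, only what that ACL lists is admitted from the DMZ, including towards outside. Whether that is what happened in this thread depends on the access-group line that the post leaves out.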

1 Reply

bdube
Level 2

Hi Kai Keong,

Your config looks good. You can capture packets in the DMZ to examine incoming and outgoing packets; you should be able to identify where the problem is. If not, you need to go deeper by using the debug/syslog features on the PIX to see if something is wrong.

Regards

Ben