Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX DMZ configuration problem

Hi,

I do have some trouble to get my dmz settings working. I have a reverse proxy, located in the dmz, which is supposed to redirect all http traffice to a certain domain to web server that is in the inside network. The PIX does NAT all connections originating for inside and dmz (perimeter):

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (perimeter) 1 0.0.0.0 0.0.0.0 0 0

First of all I created a static to outside for my reverse proxy:

static (perimeter,outside) x.x.x.x 192.168.109.52 netmask 255.255.255.255 0 0

Then I permitted access to the reverse proxy:

access-list 100 permit tcp any host x.x.x.x eq www

And bound the access-list to the outside interface:

access-group 100 in interface outside

So far so good, everything’s working at this point. But as soon as I add an access-list for using the web server in the inside network, it interrupts my connection flow.

Excemption to nat from inside to dmz:

static (inside,perimeter) 192.168.108.0 192.168.108.0 netmask 255.255.255.0 0 0

static (inside,perimeter) 192.168.107.0 192.168.107.0 netmask 255.255.255.0 0 0

Permit access to the inside web server:

access-list 200 permit tcp host 192.168.109.52 host 192.168.108.34 eq 7777

Now what happens is (or at least I assume it): A host connections to the IP x.x.x.x for a http request. The PIX passes the request to the reverse proxy using the acl 100. The reverse proxy picks up the request and processes it respectively forwards it to the internal web server. The answer is sent back to the reverse proxy and then it tries to transmit the response back to the requester. Actually this should work based on the inferface definition of the security level: inside 100, perimeter 50, outside 0. But the responses does not get through to the outside anymore. I guess it must be somewhere between the reverse proxy and the PIX since the network connections (a) is hold between reverse proxy and requester and a new connection (b) is hold by reverse proxy and inside web server.

Does anyone have a clue on how to solve this problem?

Thanks in advance.

Kai Keong Ng

1 REPLY
New Member

Re: PIX DMZ configuration problem

Hi Kay Keong,

Your config look good. You can capture packets in DMZ to examine incoming & outgoing packets, you should be able to identify where is the problem. If not, you need to go deeper by using debug/syslog feature on PIX to see if it has something wrong.

Regards

Ben

108
Views
0
Helpful
1
Replies