03-17-2004 11:27 AM - edited 03-09-2019 06:47 AM
PIX 515
6.3.3
PDM 3.01
I can ping the server in the dmz from the inside.
Server in dmz cannot ping anyone.
Cannot get to the server in the dmz from outside.
Please help... here is my config:
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
names
name 10.1.1.1 int-ns1
name 10.1.1.8 int-ns2
name a.b.c.225 knet-gw
name a.b.c.227 ext-ns1
name a.b.c.228 ext-ns2
name a.b.c.229 ext-mail
name a.b.c.230 ext-rem
name a.b.c.231 ext-rtr
name 10.1.1.15 int-mail
name 10.1.1.254 int-rtr
name 10.1.1.230 int-rem
name a.b.c.232 ext-rem-2
name 10.1.1.189 int-rem-2
name a.b.c.233 ext-rem-3
name 10.1.1.125 int-rem-3
name 10.168.0.2 webserver
access-list outside permit icmp any any
access-list outside permit tcp any host ext-mail eq smtp
access-list outside permit tcp any host ext-mail eq pop3
access-list outside permit tcp any host ext-mail eq www
access-list outside permit tcp any host ext-ns1 eq domain
access-list outside permit udp any host ext-ns1 eq domain
access-list outside permit tcp any host ext-ns2 eq domain
access-list outside permit udp any host ext-ns2 eq domain
access-list outside permit tcp host knet-gw host ext-rtr eq telnet
access-list outside permit tcp any host ext-ns1 eq 3389
access-list outside permit udp any host ext-ns1 eq 3389
access-list outside permit tcp any host ext-rem eq 6000
access-list outside permit tcp any host ext-rem eq 6001
access-list outside permit tcp any host ext-rem eq pcanywhere-data
access-list outside permit tcp any host ext-rem eq 5362
access-list outside permit tcp any host ext-rem eq 5632
access-list outside permit tcp any host ext-rem-2 eq 6000
access-list outside permit tcp any host ext-rem-2 eq 6001
access-list outside permit tcp any host ext-rem-2 eq pcanywhere-data
access-list outside permit tcp any host ext-rem-2 eq 5362
access-list outside permit tcp any host ext-rem-2 eq 5632
access-list outside permit tcp any host ext-rem-3 eq 6000
access-list outside permit tcp any host ext-rem-3 eq 6001
access-list outside permit tcp any host a.b.c.234 eq www
access-list outbound-nat deny ip any host a.b.c.7
access-list outbound-nat deny ip any host a.b.c.7
access-list outbound-nat deny ip any host a.b.c.7
access-list outbound-nat deny ip any host a.b.c.7
access-list outbound-nat permit ip any any
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap debugging
logging history emergencies
logging facility 7
logging host inside 10.1.1.2
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside a.b.c.226 255.255.255.240
ip address inside 10.100.1.254 255.255.255.0
ip address dmz 10.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
arp timeout 14400
global (outside) 1 a.b.c.236
global (outside) 1 a.b.c.237
global (outside) 1 a.b.c.238
global (dmz) 1 10.168.0.10-10.168.0.20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 10.168.0.0 255.255.255.0 0 0
static (inside,outside) ext-mail int-mail netmask 255.255.255.255 0 0
static (inside,outside) ext-ns1 int-ns1 netmask 255.255.255.255 0 0
static (inside,outside) ext-ns2 int-ns2 netmask 255.255.255.255 0 0
static (inside,outside) ext-rtr int-rtr netmask 255.255.255.255 0 0
static (inside,outside) ext-rem int-rem netmask 255.255.255.255 0 0
static (inside,outside) ext-rem-2 int-rem-2 netmask 255.255.255.255 0 0
static (inside,outside) ext-rem-3 int-rem-3 netmask 255.255.255.255 0 0
static (dmz,outside) a.b.c.234 webserver netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group outside in interface dmz
route outside 0.0.0.0 0.0.0.0 knet-gw 1
route inside 10.0.0.0 255.0.0.0 10.100.1.253 1
03-17-2004 03:30 PM
Hello,
I assume, given the config, that your dmz server is the webserver (10.168.0.2).
OK, so let's remember a couple of things first. In order to get traffic to pass from a lower security interface to a higher security interface we basically need two things:
1. An xlate created on the PIX Firewall (this would be done with a static NAT).
2. An access-list on the lower security interface to allow that traffic in.
OK, so given that config, I do not see any static translation created between the inside and the dmz, so that's basically why you won't be able to ping anything on the inside, even though the first line of the outside ACL reads permit icmp any any.
Now, regarding that ACL outside, Cisco does not recommend having the same ACL applied to more than one interface, or using it for other purposes... You can create a different one for the dmz...
So, you could create a self translation for the inside hosts (or actually for the whole inside subnet) with the following command:
static (inside,dmz) 10.100.1.0 10.100.1.0 netmask 255.255.255.0
What this would do is to create a translation for every host on the inside to the dmz, and actually they would be 'translated' to themselves, keeping the same IP address (actually the only purpose of this is to have the xlate created so we can have inbound traffic from the lower security interface, in this case, the dmz).
With that 'static' done, you should be able to ping hosts on the inside, from the dmz.
Now, about not being able to reach the webserver from the outside...
What is the output of 'show xlate local 10.168.0.2'?
My guess here is that there is no xlate created yet for that webserver, therefore you cannot access it from the outside even though the ACL is there.
So, a good and fast way to force the PIX to create the xlate is to initiate traffic out from the webserver. Then do the 'show xlate local 10.168.0.2' command; if the xlate is there you should be able to access it from the outside.
Federico.
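The two requirements Federico lists (a static for the interface pair plus a permitting entry in the ACL bound to the lower-security interface) can be checked mechanically against a configuration. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses a constructed subset of the posted config, with 203.0.113.234 standing in for the a.b.c.234 placeholder, and with the interface security levels assumed as outside 0, dmz 50, inside 100 because the posted config omits its nameif lines.

```python
import ipaddress
# Assumed security levels: the posted config omits its nameif lines (usual values for a 3-port PIX).
SECURITY = {"outside": 0, "dmz": 50, "inside": 100}

def parse(config):
    """Collect static translations, permit ACEs and access-group bindings from PIX 6.x config text."""
    statics, acls, bindings = [], {}, {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "static":                       # static (high,low) global local netmask M ...
            high, low = t[1].strip("()").split(",")
            statics.append((high, low, ipaddress.ip_network(f"{t[2]}/{t[5]}", strict=False)))
        elif t[0] == "access-list" and t[2] == "permit":
            proto, rest = t[3], t[4:]              # proto src dst [eq port]
            addrs, i = [], 0
            for _ in range(2):                     # src then dst: "any" or "host X"
                addrs.append("any" if rest[i] == "any" else rest[i + 1])
                i += 1 if rest[i] == "any" else 2
            port = rest[i + 1] if len(rest) > i and rest[i] == "eq" else None
            acls.setdefault(t[1], []).append((proto, addrs[0], addrs[1], port))
        elif t[0] == "access-group":               # access-group NAME in interface IF
            bindings[t[4]] = t[1]
    return statics, acls, bindings

def inbound_allowed(cfg, ingress, egress, proto, src, dst, port=None):
    """Low-to-high flow passes only with a static for the pair and a permitting ACE on ingress."""
    statics, acls, bindings = cfg
    if SECURITY[ingress] >= SECURITY[egress]:
        return True, "high-to-low flow, no static or ACL required"
    covered = any(h == egress and lo == ingress and ipaddress.ip_address(dst) in net
                  for h, lo, net in statics)
    if not covered:
        return False, f"no static ({egress},{ingress}) covers {dst}, so no xlate can exist"
    for p, s, d, pt in acls.get(bindings.get(ingress, ""), []):
        if p == proto and s in ("any", src) and d in ("any", dst) and pt in (None, port):
            return True, f"xlate possible and ACL on {ingress} permits it"
    return False, f"xlate possible but ACL on {ingress} does not permit {proto} to {dst}"

# Constructed subset of the thread's config; 203.0.113.234 stands in for a.b.c.234.
POSTED = """
access-list outside permit icmp any any
access-list outside permit tcp any host 203.0.113.234 eq www
static (dmz,outside) 203.0.113.234 10.168.0.2 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group outside in interface dmz
"""
FIXED = POSTED + "static (inside,dmz) 10.100.1.0 10.100.1.0 netmask 255.255.255.0\n"
if __name__ == "__main__":
    print(inbound_allowed(parse(POSTED), "dmz", "inside", "icmp", "10.168.0.2", "10.100.1.5"))
    print(inbound_allowed(parse(FIXED), "dmz", "inside", "icmp", "10.168.0.2", "10.100.1.5"))
```

The checker evaluates configuration only, so it reports the outside-to-webserver flow as permitted; whether the xlate actually exists at runtime is what 'show xlate local 10.168.0.2' answers.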
03-18-2004 08:45 AM
Got it working... sorry, I do not know how to check this off as solved.
03-18-2004 11:09 AM
Well, glad you had it working. I do not know either how to 'mark it solved' myself... You must have an option when you reply to this message, or something like that.
Federico.