Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

is
New Member

Server in the DMZ

PIX 515

6.3.3

PDM 3.01

I can ping the server in the dmz from the inside.

Server in dmz cannot ping anyone.

Cannot get to the server in the dmz from outside.

Please help .. here is my config

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

names

name 10.1.1.1 int-ns1

name 10.1.1.8 int-ns2

name a.b.c.225 knet-gw

name a.b.c.227 ext-ns1

name a.b.c.228 ext-ns2

name a.b.c.229 ext-mail

name a.b.c.230 ext-rem

name a.b.c.231 ext-rtr

name 10.1.1.15 int-mail

name 10.1.1.254 int-rtr

name 10.1.1.230 int-rem

name a.b.c.232 ext-rem-2

name 10.1.1.189 int-rem-2

name a.b.c.233 ext-rem-3

name 10.1.1.125 int-rem-3

name 10.168.0.2 webserver

access-list outside permit icmp any any

access-list outside permit tcp any host ext-mail eq smtp

access-list outside permit tcp any host ext-mail eq pop3

access-list outside permit tcp any host ext-mail eq www

access-list outside permit tcp any host ext-ns1 eq domain

access-list outside permit udp any host ext-ns1 eq domain

access-list outside permit tcp any host ext-ns2 eq domain

access-list outside permit udp any host ext-ns2 eq domain

access-list outside permit tcp host knet-gw host ext-rtr eq telnet

access-list outside permit tcp any host ext-ns1 eq 3389

access-list outside permit udp any host ext-ns1 eq 3389

access-list outside permit tcp any host ext-rem eq 6000

access-list outside permit tcp any host ext-rem eq 6001

access-list outside permit tcp any host ext-rem eq pcanywhere-data

access-list outside permit tcp any host ext-rem eq 5362

access-list outside permit tcp any host ext-rem eq 5632

access-list outside permit tcp any host ext-rem-2 eq 6000

access-list outside permit tcp any host ext-rem-2 eq 6001

access-list outside permit tcp any host ext-rem-2 eq pcanywhere-data

access-list outside permit tcp any host ext-rem-2 eq 5362

access-list outside permit tcp any host ext-rem-2 eq 5632

access-list outside permit tcp any host ext-rem-3 eq 6000

access-list outside permit tcp any host ext-rem-3 eq 6001

access-list outside permit tcp any host a.b.c.234 eq www

access-list outbound-nat deny ip any host a.b.c.7

access-list outbound-nat deny ip any host a.b.c.7

access-list outbound-nat deny ip any host a.b.c.7

access-list outbound-nat deny ip any host a.b.c.7

access-list outbound-nat permit ip any any

pager lines 24

logging on

logging timestamp

logging buffered debugging

logging trap debugging

logging history emergencies

logging facility 7

logging host inside 10.1.1.2

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside a.b.c.226 255.255.255.240

ip address inside 10.100.1.254 255.255.255.0

ip address dmz 10.168.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool 10.1.2.1-10.1.2.254

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address dmz

arp timeout 14400

global (outside) 1 a.b.c.236

global (outside) 1 a.b.c.237

global (outside) 1 a.b.c.238

global (dmz) 1 10.168.0.10-10.168.0.20

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 10.168.0.0 255.255.255.0 0 0

static (inside,outside) ext-mail int-mail netmask 255.255.255.255 0 0

static (inside,outside) ext-ns1 int-ns1 netmask 255.255.255.255 0 0

static (inside,outside) ext-ns2 int-ns2 netmask 255.255.255.255 0 0

static (inside,outside) ext-rtr int-rtr netmask 255.255.255.255 0 0

static (inside,outside) ext-rem int-rem netmask 255.255.255.255 0 0

static (inside,outside) ext-rem-2 int-rem-2 netmask 255.255.255.255 0 0

static (inside,outside) ext-rem-3 int-rem-3 netmask 255.255.255.255 0 0

static (dmz,outside) a.b.c.234 webserver netmask 255.255.255.255 0 0

access-group outside in interface outside

access-group outside in interface dmz

route outside 0.0.0.0 0.0.0.0 knet-gw 1

route inside 10.0.0.0 255.0.0.0 10.100.1.253 1

3 REPLIES
New Member

Re: Server in the DMZ

Hello,

I assume, given the config, that your dmz server is the webserver (10.168.0.2).

OK, so let's remember a couple of things first. In order to get traffic pass from a lower security interface to a higher security interface we need basically two things:

1. An xlate created on the PIX Firewall (this would be done with an static NAT).

2. An access-list on the lower security interface to allow that traffic in.

OK, so given that config, I do not see any static translation created between the inside and the dmz, so that's basically why you won't be able to ping anything on the inside, even though the first line of the outside ACL reads permit icmp any any.

Now, regarding that ACL outside, Cisco does not recommend to have the same ACL applied to more than one interface, or use it for other purposes... You can create a different one for the dmz...

So, you could create a self translation for the inside hosts (or actually for the whole inside subnet) with the following command:

static (inside,dmz) 10.100.1.0 10.100.1.0 netmask 255.255.255.0

What this would do is to create a translation for every host on the inside to the dmz, and actually they would be 'translated' to themselves, keeping the same IP address (actually the only purpose of this is to have the xlate created so we can have inbound traffic from the lower security interface, in this case, the dmz).

With that 'static' done, you should be able to ping hosts on the inside, from the dmz.

Now, about not being able reach the webserver from the outside...

What is the output of 'show xlate local 10.168.0.2'?

My guess here is that there is no xlate created yet for that webserver, therefore cannot access it from the outside even thought the ACL is there.

So, a good and fast way to force the PIX to create the xlate is to initiate traffic out from the webserver. Then do the 'show xlate local 10.168.0.2' command; if the xlate is there you should be able to access it from the outside.

Federico.

is
New Member

Re: Server in the DMZ

got it working .. sorry i do not know how to check this off that its solved.

New Member

Re: Server in the DMZ

Well, glad you had it working. I do not know either how to 'mark it solved' myself... You must have an option when you reply to this message, or something like that.

Federico.

238
Views
0
Helpful
3
Replies