All,
I have just installed a CISCO PIX 515e Firewall. At this time I have 3 interfaces: one inside, one outside and one dmz. All my users can get out to the internet and my email server is functioning properly. I currently have two machines in my dmz. The addresses for my dmz are routable. I have a one-to-one translation set up for the dmz. From the outside I have no trouble gaining access to my dmz machines, but I am not able to access those machines from the inside. My inside interface has a security level of 100, my outside interface is set to 0 and my dmz is set to 50.
I have tried different rules and translations, but nothing seems to work. Below is my current configuration. Hopefully somebody has some ideas that may help.
Thanks in advance,
Greg
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 inside security100
nameif ethernet1 dmz security50
nameif ethernet2 intf2 security90
nameif ethernet3 outside security0
nameif ethernet4 outside-cav1 security5
nameif ethernet5 outside-cav2 security10
enable password BH81javVoXQgGk64 encrypted
passwd BH81javVoXQgGk64 encrypted
hostname ndfw01
domain-name netdecide.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol http 80
names
name 10.1.x.xxx viweb
name xx.xxx.xxx.xx viweb-outside
name 10.1.x.x ndexch1
name xx.xxx.xx.xxx nddmzweb1
name xx.xxx.xx.xxx nddemo2
name xx.xxx.xxx.xx ndexch1-outside
object-group service mail tcp
port-object eq imap4
port-object eq smtp
object-group service webservers tcp
port-object eq www
port-object eq https
object-group service javaservers tcp
port-object eq 8080
port-object eq 9080
port-object eq https
port-object eq www
object-group service terminalservices tcp-udp
port-object eq 80
port-object eq 3389
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit ip any any
access-list outside_access_in permit tcp any host viweb-outside object-group webservers
access-list outside_access_in permit tcp any host ndexch1-outside object-group mail
access-list outside_access_in permit tcp any host nddmzweb1 object-group webservers
access-list outside_access_in permit tcp any host nddemo2 object-group javaservers
pager lines 24
logging timestamp
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
icmp permit any inside
icmp permit host xx.xx.xxx.89 inside
icmp permit any dmz
icmp permit any outside
mtu inside 1500
mtu dmz 1500
mtu intf2 1500
mtu outside 1500
mtu outside-cav1 1500
mtu outside-cav2 1500
ip address inside 10.1.1.1 255.255.0.0
ip address dmz xx.xxx.xx.xxx 255.255.255.240
ip address intf2 127.0.0.1 255.255.255.0
ip address outside xx.xxx.xxx.xx 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address outside 0.0.0.0
pdm location 10.1.1.3 255.255.255.255 inside
arp timeout 14400
global (dmz) 2 interface
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
static (inside,outside) viweb-outside viweb netmask 255.255.255.255 0 0
static (inside,outside) ndexch1-outside ndexch1 netmask 255.255.255.255 0 0
static (dmz,outside) nddmzweb1 nddmzweb1 netmask 255.255.255.255 0 0
static (dmz,outside) nddemo2 nddemo2 netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.1.3 255.255.255.255 inside
http 10.1.1.5 255.255.255.255 inside
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.1.1.5 tftp-root
floodguard enable
sysopt noproxyarp inside
no sysopt route dnat
service resetinbound
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:db08f4258b346b84b158abd93cbf8478
: end
[OK]
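An added troubleshooting check, not part of Greg's post or of any Cisco tool: it parses the nat/global/static lines of a PIX 6.x config and reports which translation the firewall could build for a connection between two interfaces, since a flow from a higher- to a lower-security interface with no xlate is dropped. It runs over a constructed excerpt of the posted config (masked DMZ hosts stand in by their `name` labels) and also lists global pools whose NAT id no nat statement refers to.

```python
import re

# Constructed excerpt of the posted config (masked DMZ hosts shown by their `name` labels).
SAMPLE_CONFIG = """
global (dmz) 2 interface
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
static (inside,outside) viweb-outside viweb netmask 255.255.255.255 0 0
static (dmz,outside) nddmzweb1 nddmzweb1 netmask 255.255.255.255 0 0
"""

GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)")
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)")

def parse(config):
    """Return (interface, nat-id) pools, (interface, nat-id) nats, (high, low) statics."""
    pools, nats, statics = set(), set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            pools.add((m[1], int(m[2])))
        elif m := NAT_RE.match(line):
            nats.add((m[1], int(m[2])))
        elif m := STATIC_RE.match(line):
            statics.add((m[1], m[2]))
    return pools, nats, statics

def translations(config, src, dst):
    """Translations usable by a connection entering on `src` and leaving on `dst`.
    Empty means no xlate can be built; a higher- to lower-security flow is then dropped."""
    pools, nats, statics = parse(config)
    found = []
    for hi, lo in ((src, dst), (dst, src)):  # a static serves both directions
        if (hi, lo) in statics:
            found.append(f"static ({hi},{lo})")
    for nat_if, nat_id in sorted(nats):
        if nat_if != src:
            continue
        if nat_id == 0:
            found.append(f"nat ({src}) 0 (identity, no NAT)")
        elif (dst, nat_id) in pools:  # the nat id must match a global on the egress side
            found.append(f"nat ({src}) {nat_id} -> global ({dst}) {nat_id}")
    return found

def orphan_globals(config):
    """Global pools whose NAT id is referenced by no nat statement (never used)."""
    pools, nats, _ = parse(config)
    nat_ids = {nat_id for _, nat_id in nats}
    return sorted(p for p in pools if p[1] not in nat_ids)
```

For the posted excerpt, `translations(SAMPLE_CONFIG, "inside", "dmz")` comes back empty while `orphan_globals` reports `global (dmz) 2`, which is the pair of facts a `show xlate` / syslog "no translation group found" investigation would start from.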