
Configure outside/internet access to DMZ on PIX515E

Status
Not open for further replies.

Sikkie (Technical User, NL)
May 7, 2010
Hi, I'm new with the PIX 515.
I have a fixed IP range from 92.67.197.96 to 92.67.197.103:
92.67.197.97 router
92.67.197.98 pix
92.67.197.100 web server

I can't access my web server from the net.
And I can't browse from the inside to the DMZ.

I can ping from inside to the DMZ and I can ping from the inside/DMZ to the outside world.
And I can browse the net from the inside and DMZ.

Can somebody help me...

PIX Version 7.0(1)
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 92.67.197.98 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 10
ip address 172.16.1.1 255.255.255.0
!
enable password ********* encrypted
passwd ********* encrypted
hostname pixpirewall
domain-name sikkie.nl
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object-group network Public_Web
description Public Web Server IP address
network-object host 172.16.1.10
object-group service Public_Web-TCP tcp
description Allowable inbound TCP traffic
port-object eq www
port-object eq https
port-object range ftp-data ftp
port-object eq smtp
port-object eq pop3
port-object eq 3306
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-list outside_access_in extended permit tcp host 92.67.197.100 host 172.16.1.10 object-group Public_Web-TCP
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging trap debugging
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
monitor-interface inside
monitor-interface dmz
monitor-interface outside
asdm image flash:/asdm.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,outside) 92.67.197.100 172.16.1.10 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 92.67.197.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:*********
: end

grtzz,
Sikkie
 
Code:
access-list outside_access_in extended deny ip any any
access-list outside_access_in extended permit tcp host 92.67.197.100 host 172.16.1.10 object-group Public_Web-TCP
These need to change. You need to completely omit the deny ip any any ACE, and you need to change the other ACE to read something like:
Code:
access-list outside_access_in extended permit tcp any host 92.67.197.100 object-group Public_Web-TCP
For your second problem, you need to issue another static:
Code:
static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks, I have changed it to:

access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 92.67.197.100 object-group Public_Web-TCP

global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,outside) 92.67.197.100 172.16.1.10 netmask 255.255.255.255
static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 92.67.197.97 1

I can access my web server from the net :)
But not yet from the inside :-(
 
I have edited the config a bit, but still the same problem...

I can't access my web server from the inside.

PIX Version 7.0(1)
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 92.67.197.98 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 10
ip address 172.16.1.1 255.255.255.0
!
enable password ********* encrypted
passwd ********* encrypted
hostname pixpirewall
domain-name sikkie.nl
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

object-group network description All servers providing to the outside
network-object host 92.67.197.100
object-group network https_services
description All servers providing https services to the outside
network-object host 92.67.197.100
object-group network mysql_services
description All servers providing MySql services to the outside
network-object host 92.67.197.101

access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 92.67.197.100 eq www
access-list outside_access_in extended permit tcp any host 92.67.197.100 eq https
access-list outside_access_in extended permit tcp any host 92.67.197.100 eq ftp
access-list outside_access_in extended permit tcp any host 92.67.197.101 eq 3306

pager lines 24
logging enable
logging timestamp
logging standby
logging console critical
logging monitor debugging
logging buffered debugging
logging trap informational
logging history informational
logging asdm informational
logging queue 3000
mtu inside 1500
mtu dmz 1500
mtu outside 1500
monitor-interface inside
monitor-interface dmz
monitor-interface outside
asdm image flash:/asdm.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,outside) 92.67.197.100 172.16.1.10 netmask 255.255.255.255
static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (dmz,outside) 92.67.197.101 172.16.1.11 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 92.67.197.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:*********
: end
 
let's try this:
1) remove these lines:
Code:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
2) add these lines:
Code:
access-list nonat_inside extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_dmz extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat_inside
nat (dmz) 0 access-list nonat_dmz
3) issue this command:
Code:
no nat-control

- ColdFlame (vbscript forum)
 
I have deleted

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

and added

access-list nonat_inside extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_dmz extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat_inside
nat (dmz) 0 access-list nonat_dmz

Still the same.
I can ping 172.16.1.10 and 172.16.1.11,
but when I open my web browser and try to open my webpage
I can't access it :-(
 
Ok, try accessing the web server. Then issue sh logg asdm. The logs will give a better indication of what is going on.

- ColdFlame (vbscript forum)
 
I have changed the config back to:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

and deleted the lines:
access-list nonat_inside extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_dmz extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat_inside
nat (dmz) 0 access-list nonat_dmz

pixpirewall(config)# sh logg asdm
6|May 16 2010 01:45:10|305011: Built dynamic TCP translation from inside:192.168.1.50/55215 to outside:92.67.197.98/1477
6|May 16 2010 01:45:10|302013: Built outbound TCP connection 1010 for outside:92.123.64.42/80 (92.123.64.42/80) to inside:192.168.1.50/55215 (92.67.197.98/1477)
6|May 16 2010 01:45:10|305011: Built dynamic TCP translation from inside:192.168.1.50/55216 to outside:92.67.197.98/1478
6|May 16 2010 01:45:10|302013: Built outbound TCP connection 1011 for outside:92.123.64.42/80 (92.123.64.42/80) to inside:192.168.1.50/55216 (92.67.197.98/1478)
6|May 16 2010 01:45:10|302014: Teardown TCP connection 949 for outside:84.53.148.170/443 to inside:192.168.1.50/55183 duration 0:01:54 bytes 18084 TCP Reset-I
4|May 16 2010 01:45:10|106023: Deny tcp src outside:84.53.148.170/443 dst inside:92.67.197.98/1444 by access-group "outside_access_in"
4|May 16 2010 01:45:10|106023: Deny tcp src outside:84.53.148.170/443 dst inside:92.67.197.98/1444 by access-group "outside_access_in"
6|May 16 2010 01:45:10|302016: Teardown UDP connection 1005 for outside:195.59.43.133/53 to inside:192.168.1.10/53300 duration 0:00:00 bytes 104
6|May 16 2010 01:45:10|609002: Teardown local-host outside:195.59.43.133 duration 0:00:00
6|May 16 2010 01:45:10|609001: Built local-host outside:92.123.64.11
6|May 16 2010 01:45:10|305011: Built dynamic TCP translation from inside:192.168.1.50/55217 to outside:92.67.197.98/1479
6|May 16 2010 01:45:10|302013: Built outbound TCP connection 1012 for outside:92.123.64.11/80 (92.123.64.11/80) to inside:192.168.1.50/55217 (92.67.197.98/1479)
6|May 16 2010 01:45:11|305012: Teardown dynamic UDP translation from inside:192.168.1.10/39020 to outside:92.67.197.98/1155 duration 0:00:30
6|May 16 2010 01:45:11|305012: Teardown dynamic TCP translation from inside:192.168.1.50/55189 to outside:92.67.197.98/1451 duration 0:00:30
6|May 16 2010 01:45:11|305012: Teardown dynamic UDP translation from inside:192.168.1.10/21231 to outside:92.67.197.98/1156 duration 0:00:30
6|May 16 2010 01:45:11|305012: Teardown dynamic TCP translation from inside:192.168.1.50/55190 to outside:92.67.197.98/1452 duration 0:00:30
6|May 16 2010 01:45:11|609001: Built local-host outside:216.239.32.10
6|May 16 2010 01:45:11|305011: Built dynamic UDP translation from inside:192.168.1.10/56053 to outside:92.67.197.98/1176
6|May 16 2010 01:45:11|302015: Built outbound UDP connection 1013 for outside:216.239.32.10/53 (216.239.32.10/53) to inside:192.168.1.10/56053 (92.67.197.98/1176)
 
Are you by chance trying to connect via the public FQDN as opposed to the private name? What I mean by that is: if you can access it from outside by the public FQDN, are you also trying to access it from the inside by that name?

- ColdFlame (vbscript forum)
 
Ahhh, that is why. You need to configure DNS doctoring for it to work properly. I'm typing on an iPhone right now so I'm not going to try and write the entire statement, but Google "cisco pix dns rewrite" and you'll find out how to get it done.

- ColdFlame (vbscript forum)
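The DNS rewrite that ColdFlame points at, written out as an added example that is not part of the thread and not ColdFlame's or Sikkie's configuration. It assumes the "dns" keyword of the PIX 7.x static command is what that search leads to, that the inside hosts resolve the public name through a resolver whose replies cross the PIX outside interface (the log above shows 192.168.1.10 querying outside DNS servers), and that "inspect dns" stays in global_policy, because the rewrite only happens to replies the DNS inspection engine sees. The public name is a placeholder.

```cisco
! Added example, not the thread's own config. Assumes PIX 7.x "static ... dns"
! syntax and that DNS replies for the public name traverse the outside interface.
!
! The mapping stays exactly as Sikkie has it; only the dns keyword is added.
! With it, an A record of 92.67.197.100 in an inspected DNS reply is rewritten
! to the real address 172.16.1.10, so inside clients connect to the DMZ host
! directly through the existing static (inside,dmz)/(dmz,inside) identity
! translations instead of trying to reach their own public address.
no static (dmz,outside) 92.67.197.100 172.16.1.10 netmask 255.255.255.255
static (dmz,outside) 92.67.197.100 172.16.1.10 netmask 255.255.255.255 dns
no static (dmz,outside) 92.67.197.101 172.16.1.11 netmask 255.255.255.255
static (dmz,outside) 92.67.197.101 172.16.1.11 netmask 255.255.255.255 dns
!
! DNS inspection must remain in place (it is already in Sikkie's global_policy):
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
!
! Checks after the change, from the same PIX CLI and an inside host:
!   clear xlate                      - rebuild translations with the new statics
!   nslookup www.PUBLIC-NAME-HERE    - from inside, should now answer 172.16.1.10
!   sh logg asdm                     - 302013 lines should now build connections
!                                      to dmz:172.16.1.10/80, not outside:92.67.197.100
```

If the inside hosts use an internal DNS server that already cached the public address, flush its cache (or wait for the TTL) before retesting. Where DNS replies never cross the PIX, for instance when the zone is hosted inside, the same effect comes from split DNS: publish 172.16.1.10 for the name on the internal zone and leave the public zone as it is.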
 