Configuring DMZ on Pix 515e to access the internet

[joerdg]

Hello everyone,

We recently added a DMZ to our Pix. The only thing on the DMZ is a public wireless access point so our clients can access the internet and not have access to our internal network.

Clients of the access point are on 172.31.2.0 network and the WAN side of the AP is 172.31.1.1. Clients are able to ping the DMZ interface 172.31.1.254 but are not able to access the internet.

Below is the current config of the Pix. I'm sure I'm missing something silly, so any help you can give would be greatly appreciated.

PIX Version 7.2(1)
!
hostname pix
domain-name xxxxx.xxxxxx.com
enable password xxxxxxxxx encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 70.xxx.xxx.236 255.255.255.224
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.19.254 255.255.255.0
!
interface Ethernet2
shutdown
nameif DMZ
security-level 50
ip address 172.31.1.254 255.255.255.0
!
passwd xxxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxxx.xxxxxx.com
access-list no_nat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list no_nat extended permit ip 192.168.19.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list no_nat extended permit ip 192.168.10.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list no_nat extended permit ip 192.168.19.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.19.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.19.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list tcp-traffic extended permit tcp any any
access-list dmz_access_in extended permit ip any any
!
tcp-map allow-probes
tcp-options range 76 77 allow
!
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp permit any echo-reply outside
icmp deny any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group dmz_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 70.xxx.xxx.225 1
route inside 192.168.10.0 255.255.255.0 192.168.19.251 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username xxxxx password xxxxxxxxxxxxxx encrypted privilege 15
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set esp-aes-256-sha esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 69.xx.xxx.xxx
crypto map outside_map 20 set transform-set esp-aes-256-sha
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 69.xx.xx.xx type ipsec-l2l
tunnel-group 69.xx.xx.xx ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
!
class-map tcp-traffic
match access-list tcp-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
class tcp-traffic
set connection advanced-options allow-probes
!
service-policy global_policy global
prompt hostname context

 

[Supergrrover]

Route dmz 172.32.2.0 255.255.255.0 172.31.1.1

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[joerdg]

Hi Brent,

In your reply I think you may have meant to say 172.31.2.0, because I don't have anything on the 172.32.0.0 network. At any rate I added the following command to my config:

route DMZ 172.31.2.0 255.255.255.0 172.31.1.1

It didn't help as clients are still unable to access the internet from the DMZ.

Thanks for your help so far, let me know if you can think of anything else.

 

[Supergrrover]

Sorry, stupid iphone.

Just saw this

interface Ethernet2
shutdown
nameif DMZ
security-level 50
ip address 172.31.1.254 255.255.255.0

just go into the interface and do a
no shut

Should be good to go.

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[joerdg]

About an hour ago I did a show interface and noticed on the DMZ it said the line was administratively down. So I did a no shutdown and everything worked.

Thanks for replying back, Brent. If I hadn't have done it I would've at least saw your comment.

Though I have no idea why the dmz interface was disabled.

See, I knew it was something silly.

Thanks again.