From outside, no access to DMZ server

Oct 22, 2002
Hi,

I'm configuring a PIX515E with 6.1(2), but I'm having quite a few problems configuring my Web server on the DMZ. This is my configuration:

hostname PIX

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside x.x.x.130 255.255.255.240
ip address inside 192.168.1.250 255.255.255.0
ip address dmz 10.1.0.254 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.129

global (dmz) 1 10.1.0.1-10.1.0.250
global (outside) 1 x.x.x.131
nat (inside) 1 192.168.1.0 255.255.255.0

static (dmz,outside) x.x.x.133 10.1.0.3
access-list fromoutside permit tcp any host x.x.x.133 eq http
access-group fromoutside in interface outside

http server enable
telnet timeout 5
ssh timeout 5
telnet 192.168.1.249 255.255.255.255 inside

From the inside I can reach my server on the DMZ, but from the outside no one can connect to that server.

What am I doing wrong? Can you guys help me?

Thanks
Miguel Rodrigues
 
I think you need to create a separate access-list for the DMZ interface, for example:

access-list dmzin permit tcp any host x.x.x.133 eq http
access-group dmzin in interface dmz

Also, enable logging on the PIX and see what is being denied in the log; this will help with troubleshooting in the future.

----

Sunyasee B-)
 
sunyasee,

Sorry, but your help didn't resolve my problem. The problem continues; when we are logging, we see the connections made to the web server, but no result (or no traffic, if you want) at the other end.

One question:

This is a 515E with one optional NIC doing the DMZ. Do you think that if I move that NIC to a different slot I could resolve the problem?

Thanks for all your help
Miguel Rodrigues
 
Hi.


***

There is a conflict here:

global (dmz) 1 10.1.0.1-10.1.0.250
static (dmz,outside) x.x.x.133 10.1.0.3


***

The problem that you described seems to be related to another device rather than the PIX alone.
Here are some checks that can be done:

What kind of web server is it, and on what OS?
Is the web server using IDENT protocol, and/or reverse DNS lookup on incoming connections?
Are you using port 80 only or maybe also https?

Check TCP/IP settings on the web server - did you set the default gateway?
Clear the ARP cache on the router, and check that the IP address x.x.x.133 is really routed to your PIX. Also check the IP addressing, subnetting and routing tables of the router.

Bye
Yizhar Hurwitz
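The conflict Yizhar points out between the dmz global pool and the static, and the outside-to-DMZ chain (static, access-list, access-group) in the first post's configuration, as an added example that is not from the original thread or from Cisco: a Python script that parses the posted statements, flags any static whose real address falls inside a global pool on the same interface, and confirms that the mapped address is permitted by an ACL applied inbound on the mapped interface. The helper names (parse_pix, check_pool_overlap, check_inbound_path) are assumptions, and the outside addresses are constructed from the documentation range 203.0.113.128/28 in place of the masked x.x.x block.

```python
import ipaddress
import re

# Constructed sample, not the poster's real addresses: the configuration from
# the first post, with the masked x.x.x.128/28 outside block replaced by the
# documentation range 203.0.113.128/28 so that the addresses parse.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.130 255.255.255.240
ip address inside 192.168.1.250 255.255.255.0
ip address dmz 10.1.0.254 255.255.255.0
global (dmz) 1 10.1.0.1-10.1.0.250
global (outside) 1 203.0.113.131
nat (inside) 1 192.168.1.0 255.255.255.0
static (dmz,outside) 203.0.113.133 10.1.0.3
access-list fromoutside permit tcp any host 203.0.113.133 eq http
access-group fromoutside in interface outside
"""

# The same configuration with the dmz pool moved off the server's address
# (assumed fix, chosen for illustration).
PIX_CONFIG_FIXED = PIX_CONFIG.replace(
    "global (dmz) 1 10.1.0.1-10.1.0.250",
    "global (dmz) 1 10.1.0.100-10.1.0.250",
)

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit \S+ \S+ host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def parse_pix(config):
    """Pull the NAT and filtering statements out of a PIX 6.x style config."""
    cfg = {"globals": [], "statics": [], "acls": {}, "groups": {}}
    for raw in config.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            first, _, last = m.group(3).partition("-")  # "a-b" range or one address
            cfg["globals"].append({
                "iface": m.group(1),
                "pool": int(m.group(2)),
                "first": ipaddress.ip_address(first),
                "last": ipaddress.ip_address(last or first),
            })
        elif m := STATIC_RE.match(line):
            cfg["statics"].append({
                "real_if": m.group(1),
                "mapped_if": m.group(2),
                "mapped": ipaddress.ip_address(m.group(3)),
                "real": ipaddress.ip_address(m.group(4)),
            })
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m.group(1), []).append(
                (ipaddress.ip_address(m.group(2)), m.group(3)))
        elif m := GROUP_RE.match(line):
            cfg["groups"][m.group(2)] = m.group(1)  # interface -> ACL applied inbound
    return cfg


def check_pool_overlap(cfg):
    """Flag statics whose real (server) address lies inside a global pool on the
    same interface: the PIX hands pool addresses to translated hosts, so a pool
    that contains the server's own address lets a translated inside host collide
    with the server."""
    findings = []
    for s in cfg["statics"]:
        for g in cfg["globals"]:
            if g["iface"] == s["real_if"] and g["first"] <= s["real"] <= g["last"]:
                findings.append(
                    f"static real address {s['real']} lies inside "
                    f"global ({g['iface']}) {g['pool']} pool {g['first']}-{g['last']}")
    return findings


def check_inbound_path(cfg, service="http"):
    """Verify the chain an outside client needs for each static: an ACL entry
    permitting the service to the mapped address, applied inbound on the
    interface the static maps to."""
    findings = []
    for s in cfg["statics"]:
        acl = cfg["groups"].get(s["mapped_if"])
        if acl is None:
            findings.append(f"no access-group applied in on interface {s['mapped_if']}")
            continue
        if not any(host == s["mapped"] and svc == service
                   for host, svc in cfg["acls"].get(acl, [])):
            findings.append(
                f"ACL {acl} on {s['mapped_if']} does not permit {service} to {s['mapped']}")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", PIX_CONFIG), ("fixed pool", PIX_CONFIG_FIXED)):
        cfg = parse_pix(text)
        print(label, check_pool_overlap(cfg) + check_inbound_path(cfg) or ["no findings"])
```

Run as posted, the script reports the dmz pool overlap and nothing for the inbound path: the static, the access-list entry and the access-group on the outside interface do line up for port 80, which matches the poster seeing connections arrive in the log. That leaves the checks the reply lists outside the PIX (the server's default gateway, the upstream router's ARP cache and routing for x.x.x.133) as the next things to verify.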
 