Tek-Tips is the largest IT community on the Internet today!


Incoming traffic on 515, what's wrong with my config

Feb 20, 2002
Hi all, and thanks for looking.

I have no trouble with outgoing traffic, but currently my config will not allow DNS traffic from my DMZ to my LAN, and allowing access to our website from the internet is also not working. I have checked my book over and over and this looks fine, but I must be missing something :) as it does not work. If you see a problem please let me know (also if you see any other problems, no-no's or any other useful bits of info).

Thanks, and here is my config (with changes to the external address):


PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 4343434343434 encrypted
passwd 3343434343434 encrypted
hostname pix
domain-name ******.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service service_allowed tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ssh
port-object eq smtp
port-object eq 3389
port-object eq pop3
port-object eq ftp-data
port-object eq 1489
port-object eq 5050
port-object eq daytime
port-object eq 1863
port-object eq telnet
object-group service service_allowed_tcp_udp tcp-udp
port-object eq domain
port-object eq 13
port-object eq 123
object-group service dmz_allowed_tcp_udp tcp-udp
port-object eq domain
object-group service dmz_allowed tcp
port-object eq smtp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
object-group network our_subnet
network-object 192.168.101.0 255.255.255.0
object-group network dmz_subnet
network-object 192.168.103.0 255.255.255.0
object-group icmp-type icmp
icmp-object echo-reply
icmp-object echo
icmp-object unreachable
object-group network web_servers
network-object host 192.168.103.254
object-group service http_https tcp
port-object eq www
port-object eq https
access-list nonatinside permit ip object-group our_subnet object-group dmz_subnet
access-list nonatdmz permit ip object-group dmz_subnet object-group our_subnet
access-list inside_in permit tcp object-group our_subnet any object-group service_allowed
access-list inside_in permit icmp any any
access-list dmz_in permit udp object-group dmz_subnet object-group our_subnet eq domain
access-list outside_in permit tcp any object-group web_servers object-group http_https
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 111.111.111.5 255.255.255.192
ip address inside 192.168.101.1 255.255.255.0
ip address dmz 192.168.103.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 111.111.111.1
nat (inside) 0 access-list nonatinside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list nonatdmz
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 111.111.111.2 192.168.103.254 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.103.0 192.168.103.0 netmask 255.255.255.0 0 0
access-group inside_in in interface inside
route outside 0.0.0.0 0.0.0.0 111.111.111.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
snmp-server location 192.168.101.250
snmp-server contact Simon
snmp-server community public
snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 192.168.101.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
username simon password 535353535353 encrypted privilege 15
terminal width 150
Cryptochecksum:30783afa506e85bad79be69871c68039
: end
 
Oops, these had disappeared:

access-group dmz_in in interface dmz
access-group outside_in in interface outside

But I do have them underneath the following command:

access-group inside_in in interface inside


Ta
 
A good test is always to check if the service is running from the inside first, then open it from outside. Is it running? Is the IP address correct on the web server? Is the default gateway set to the PIX DMZ interface?

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 
The web pages are all up; the problem, though, is that I can't get my DMZ to resolve names against my DNS server (LAN). I.e., when I do an nslookup from my DMZ it tells me the DNS server is not available (but it is), so TCP port 53 is not getting from the DMZ to the LAN (even though I thought my setup was OK).

Thanks
 
Domain lookups use UDP 53, not TCP; TCP is used for zone transfers.


Jan

Network Systems Engineer
CCNA/CQS/CCSP
 
Yep, sorry, you are correct, UDP not TCP; that was me not thinking when I was typing. But as you can see from my config it is UDP there, so I am still unsure why it doesn't work.

Ta
 
Hmm, this looks wrong:

static (inside,dmz) 192.168.103.0 192.168.103.0 netmask 255.255.255.0 0 0

Now that you have nat 0 enabled between the DMZ and inside subnets you don't need that; it could be the problem.

BTW, does the debug say anything about this? Can you see matches increasing on the ACLs when you try?


Jan

Network Systems Engineer
CCNA/CQS/CCSP
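The thread turns on two things a reader can check mechanically rather than by eye: ACLs that exist but were never applied with access-group (the two lines that had "disappeared" above), and the identity static between inside and dmz that Jan points out is redundant once nat 0 exempts that traffic. The following is an added example, not code from the thread or from Cisco: a small Python audit of a PIX 6.x-style config that parses object-groups, access-lists, nat 0, static and access-group lines, lists ACLs nothing references, evaluates whether a given flow (e.g. DMZ to LAN UDP 53) is permitted by an ACL, and flags identity statics that a nat 0 exemption already covers. The config excerpt inside it is constructed from the config posted above (as first posted, with only inside_in bound); the parser handles only the syntax that excerpt uses.

```python
"""Audit a PIX 6.x-style config for the problems discussed in the thread: ACLs
defined but never bound, flows an ACL does not actually permit, and an identity
static that duplicates a nat 0 exemption (added example, not the thread's code)."""
import ipaddress

PORT_NAMES = {"domain": 53, "www": 80, "https": 443}

# Constructed excerpt of the config posted above, as first posted: only the
# inside_in ACL is bound with access-group.
PIX_CONFIG = """\
object-group network our_subnet
network-object 192.168.101.0 255.255.255.0
object-group network dmz_subnet
network-object 192.168.103.0 255.255.255.0
object-group network web_servers
network-object host 192.168.103.254
object-group service http_https tcp
port-object eq www
port-object eq https
access-list nonatinside permit ip object-group our_subnet object-group dmz_subnet
access-list nonatdmz permit ip object-group dmz_subnet object-group our_subnet
access-list inside_in permit icmp any any
access-list dmz_in permit udp object-group dmz_subnet object-group our_subnet eq domain
access-list outside_in permit tcp any object-group web_servers object-group http_https
nat (inside) 0 access-list nonatinside
nat (dmz) 0 access-list nonatdmz
static (dmz,outside) 111.111.111.2 192.168.103.254 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.103.0 192.168.103.0 netmask 255.255.255.0 0 0
access-group inside_in in interface inside
"""

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _addr(tok, groups):
    """Consume one address spec (any / host X / object-group G / net mask)."""
    t = tok.pop(0)
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if t == "host":
        return [ipaddress.ip_network(tok.pop(0) + "/32")]
    if t == "object-group":
        return groups[tok.pop(0)]
    return [ipaddress.ip_network(f"{t}/{tok.pop(0)}", strict=False)]

def parse_config(text):
    cfg = {"net": {}, "svc": {}, "acls": {}, "bound": {}, "nat0": {}, "statics": []}
    group = None  # object-group currently being filled
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "object-group":
            group = tok[2]
            if tok[1] == "network":
                cfg["net"][group] = []
            else:
                cfg["svc"][group] = set()
        elif tok[0] == "network-object":
            cfg["net"][group] += _addr(tok[1:], cfg["net"])
        elif tok[0] == "port-object":
            cfg["svc"][group].add(_port(tok[2]))
        elif tok[0] == "access-list":  # name action proto src dst [eq P | object-group S]
            rest = tok[4:]
            src, dst = _addr(rest, cfg["net"]), _addr(rest, cfg["net"])
            ports = ({_port(rest[1])} if rest[:1] == ["eq"]
                     else cfg["svc"][rest[1]] if rest[:1] == ["object-group"] else None)
            cfg["acls"].setdefault(tok[1], []).append((tok[2], tok[3], src, dst, ports))
        elif tok[0] == "access-group":  # access-group NAME in interface IFACE
            cfg["bound"][tok[1]] = tok[4]
        elif tok[0] == "nat" and tok[2] == "0" and tok[3] == "access-list":
            cfg["nat0"][tok[1].strip("()")] = tok[4]
        elif tok[0] == "static":  # static (real_if,mapped_if) mapped real netmask M
            real_if, mapped_if = tok[1].strip("()").split(",")
            mask = tok[5] if tok[4:5] == ["netmask"] else "255.255.255.255"
            nets = [ipaddress.ip_network(f"{a}/{mask}", strict=False) for a in tok[2:4]]
            cfg["statics"].append((real_if, mapped_if, nets[0], nets[1]))
    return cfg

def unbound_acls(cfg):
    """ACLs that exist but that no access-group or nat 0 references: they do nothing."""
    return sorted(set(cfg["acls"]) - set(cfg["bound"]) - set(cfg["nat0"].values()))

def acl_permits(cfg, acl, proto, src, dst, dport=None):
    """First-match evaluation of one ACL, with the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, srcs, dsts, ports in cfg["acls"].get(acl, []):
        if (rproto in (proto, "ip") and any(src in n for n in srcs)
                and any(dst in n for n in dsts) and (ports is None or dport in ports)):
            return action == "permit"
    return False

def redundant_identity_statics(cfg):
    """Identity statics (mapped == real) whose addresses a nat 0 exemption on the
    same real-side interface already covers: the static Jan points out above."""
    hits = []
    for real_if, mapped_if, mapped, real in cfg["statics"]:
        rules = cfg["acls"].get(cfg["nat0"].get(real_if), [])
        if mapped == real and any(n.overlaps(real) for _, _, s, d, _ in rules for n in s + d):
            hits.append((real_if, mapped_if, str(real)))
    return hits

if __name__ == "__main__":
    cfg = parse_config(PIX_CONFIG)
    print("unbound ACLs:", unbound_acls(cfg))
    print("dmz_in permits DMZ->LAN UDP 53:",
          acl_permits(cfg, "dmz_in", "udp", "192.168.103.10", "192.168.101.250", 53))
    print("redundant identity statics:", redundant_identity_statics(cfg))
```

Run against the excerpt, the audit reports dmz_in and outside_in as unbound (so their permit lines had no effect until the two access-group commands were added), confirms that dmz_in itself does permit UDP 53 from the DMZ subnet to the LAN subnet, and flags the static (inside,dmz) identity entry as already covered by the nonatinside exemption. One further point worth checking by hand on a PIX of this vintage: an ACL applied to the outside interface matches the translated (global) address of a statically mapped host, so a rule meant for the web server should name the mapped address, not the real DMZ address that web_servers holds.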
 
Jan

OK, ta. I will remove that line and test. I am getting counts when I debug the ACL.

I will let you know

Ta
 