
Internet access from DMZ

Status
Not open for further replies.

jdl508

Technical User
Apr 30, 2001
242
US
Hello,
I have been trying to get internet access from my PIX FW to no avail. The PIX 515-R has 3 int: outside, inside and dmz. I will post the relevant parts of the config. If I remove the access-list, I can surf; otherwise I cannot. Let me know what you think, thanks jdl


nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50

access-list 101 permit tcp any host 207.x.x.x eq www
access-list 101 permit icmp any any
access-list 201 permit tcp host 10.1.10.5 host 10.0.20.7 eq 1433
access-list 201 permit icmp any any

access-list 201 permit tcp host 10.1.10.11 host 10.0.20.7 eq 1433
pager lines 24
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 100basetx
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
ip address outside 207.x.x.x 255.255.255.248
ip address inside 10.0.20.1 255.255.255.0
ip address dmz1 10.1.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 207.x.x.x
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
static (dmz1,outside) 207.x.x.x 10.1.10.5 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.0.20.7 10.0.20.7 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 201 in interface dmz1
route outside 0.0.0.0 0.0.0.0 207.x.x.x 1
 
Yizhar,
thanks for the response. 1 question though: by putting in the access-list 210 permit ip any any,
wouldn't you consider that to be a security risk? I only want the outside in to dmz, and from inside I have a static from dmz to a host on inside. Let me know what you think about the security risk involved.
thanks again
jdl
 
By the way Yizhar that fix worked
:)

thanks
jdl
 
HI.

As long as you control and know that only the traffic that you allow can go through, it's ok.

I also don't like the "permit ip any any", but that's the way to do what you asked for. Instead you can permit only specific protocols from the DMZ to the Internet (DNS/HTTP/etc...)

Bye
Yizhar Hurwitz
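The dmz1 ACL behaviour discussed in this thread, modeled as an added Python example (not code from the thread or from Cisco): it evaluates flows against access-list 201 as posted, with PIX first-match and implicit-deny semantics, and against the narrower alternative Yizhar describes (specific protocols instead of permit ip any any). The Internet address 198.51.100.10 and the 445/tcp flow are constructed for the example.

```python
"""Model PIX ACL evaluation for the access-group 201 applied inbound on dmz1.
Example code written for this page; the addresses and ports come from the
posted config, the Internet host 198.51.100.10 is a constructed placeholder."""
from ipaddress import ip_network, ip_address

def rule(action, proto, src, dst, dport=None):
    """One ACE: action, protocol ('ip' matches every protocol), prefixes, dest port."""
    return (action, proto, ip_network(src), ip_network(dst), dport)

def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny': the first matching entry wins and a packet
    matching no entry hits the implicit deny at the end of the list."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in acl:
        if r_proto != "ip" and r_proto != proto:
            continue
        if src_ip not in r_src or dst_ip not in r_dst:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"

# access-list 201 exactly as posted (applied: access-group 201 in interface dmz1)
ORIGINAL_201 = [
    rule("permit", "tcp", "10.1.10.5/32", "10.0.20.7/32", 1433),
    rule("permit", "icmp", "0.0.0.0/0", "0.0.0.0/0"),
    rule("permit", "tcp", "10.1.10.11/32", "10.0.20.7/32", 1433),
]

# Yizhar's alternative to "permit ip any any": keep the two SQL entries and
# add only the protocols the DMZ hosts need towards the Internet.
LEAST_PRIVILEGE_201 = ORIGINAL_201 + [
    rule("permit", "udp", "10.1.10.0/24", "0.0.0.0/0", 53),
    rule("permit", "tcp", "10.1.10.0/24", "0.0.0.0/0", 80),
    rule("permit", "tcp", "10.1.10.0/24", "0.0.0.0/0", 443),
]

INTERNET_HOST = "198.51.100.10"  # constructed placeholder, not from the thread

def web_from_dmz(acl):
    """Can the DMZ host 10.1.10.5 reach an Internet web server on 80/tcp?"""
    return evaluate(acl, "tcp", "10.1.10.5", INTERNET_HOST, 80)

def unrelated_dmz_to_inside(acl):
    """A DMZ -> inside flow not in the list (445/tcp) should stay denied."""
    return evaluate(acl, "tcp", "10.1.10.5", "10.0.20.7", 445)
```

Running `web_from_dmz` against both lists shows why the posted ACL blocks surfing from the DMZ, and that the narrower list restores it without opening every protocol the way permit ip any any does.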
 