Guest_imported
New member
We have a dmz off of a pix 515. The outside interface and the dmz both have public IP addresses.
The inside does not.
There is 1 webserver on the dmz, with two conduit rules configured to it allowing web and ssh traffic.
The inside, obviously, has full access to it.
Here is my problem:
Every once in a while no traffic gets passed to the webserver on either conduit rule from the outside. (This may correlate to a long period of inactivity; I'm trying to verify.)
Traffic from inside to the dmz will continue to work normally during this time.
After about 20 to 25 minutes of connection attempts to either port, the connection picks up and works fine indefinitely.
If anyone could give an explanation for this I would REALLY appreciate it. I've been going nuts trying to solve it.
I haven't had an opportunity to view syslogs; we are not configured to do so, and by the time I get that far it's usually working again.
Below is a sample of my configuration. I've changed the IP network blocks on our outside and dmz connections by request of our CIO. If anyone would like more of the config please let me know.
Thanks in advance
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security10
nameif ethernet3 e3 security50
nameif ethernet4 dmz security20
nameif ethernet5 pix/intf5 security25
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 auto shutdown
icmp deny any outside
icmp deny any e3
icmp deny any dmz
mtu outside 1500
mtu inside 1500
mtu failover 1500
mtu e3 1500
mtu dmz 1500
mtu pix/intf5 1500
ip address outside 1.1.1.192 255.255.255.224
ip address inside 192.168.11.3 255.255.255.0
ip address dmz 1.1.2.254 255.255.255.240
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0
static (inside,dmz) 192.168.11.0 192.168.11.0 netmask 255.255.255.0 0 0
conduit permit tcp host 1.1.2.250 eq
conduit permit tcp host 1.1.2.250 eq 22 host xxx.xxx.xxx.xxx
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
sysopt security fragguard
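One way to capture the timing the poster says he is trying to verify, as an added example that is not part of the original post: a probe run from an outside vantage point that attempts a TCP handshake to the two conduit ports on a schedule and turns the resulting log into outage windows, so each blackout and its length can be matched against periods of inactivity. The host address and ports are assumptions taken from the post's sanitized config.

```python
import socket
import time

# Constructed placeholders, not from the post: 1.1.2.250 is the sanitized
# DMZ webserver address in the poster's conduits; 80 and 22 are the web and
# ssh ports those two conduit rules permit.
TARGET_HOST = "1.1.2.250"
TARGET_PORTS = (80, 22)


def tcp_reachable(host, port, timeout=5.0):
    """True if a full TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def outage_windows(samples):
    """Collapse (timestamp, ok) samples into (start, end, seconds) windows.
    'end' is the first successful probe after a run of failures; an outage
    still open at the last sample has end=None and is measured to it."""
    windows, start = [], None
    for ts, ok in samples:
        if not ok and start is None:
            start = ts
        elif ok and start is not None:
            windows.append((start, ts, ts - start))
            start = None
    if start is not None:
        windows.append((start, None, samples[-1][0] - start))
    return windows


def probe_loop(interval=60, count=None):
    """Probe each conduit port every `interval` s; return outages per port."""
    samples = {p: [] for p in TARGET_PORTS}
    n = 0
    while count is None or n < count:
        now = time.time()
        for port in TARGET_PORTS:
            ok = tcp_reachable(TARGET_HOST, port)
            samples[port].append((now, ok))
            stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(now))
            print(f"{stamp} {TARGET_HOST}:{port} {'up' if ok else 'DOWN'}")
        n += 1
        if count is None or n < count:
            time.sleep(interval)
    return {p: outage_windows(s) for p, s in samples.items()}
```

Run `probe_loop()` from a host outside the PIX and leave it going; an outage window of roughly 20 to 25 minutes on both ports at once, preceded by a long quiet stretch, is the pattern described in the post.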