
PIX inside to DMZ unable to communicate - Stumped!

Status
Not open for further replies.

fatboy69

Technical User
May 15, 2002
Hi, I have a PIX 515 that has 6 interfaces. 2 are shut down except dmz1, inside, outside and dmz3. I have migrated away from conduits and added ACLs and this is when the problem started. I am absolutely stumped as to why this is happening. I have been debugging connections and see nothing, they are both directly connected networks.

I have attached the config, IPs are modified of course so I hope someone can see what I am missing. I am trying to get to.

----------------------------------------------

pixfirewall(config)# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 10baset
interface ethernet3 10baset
interface ethernet4 10baset
interface ethernet5 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security80
nameif ethernet3 dmz2 security5
nameif ethernet4 dmz3 security10
nameif ethernet5 dmz4 security15
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
hostname pixfirewall
domain-name site.org.au
clock timezone est 10
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 130.155.101.122 ntp.syd.nml.csiro.au
name 150.229.131.117 ntp.bris.nml.csiro.au
name 128.250.37.2 ntp.cs.mu.oz.au
name 192.5.41.40 tick.usno.navy.mil
name 133.100.9.2 clock.nc.fukuoka-u.ac.jp
access-list reg-cryptoacl permit ip host 10.10.10.254 host 10.1.1.128
access-list reg-cryptoacl permit ip host 10.10.10.254 host 10.1.1.5
access-list outside_nat0 permit ip host 10.10.10.254 host 10.1.1.5
access-list outside_nat0 permit ip host 10.10.10.254 host 10.1.1.128
access-list outside_nat0 permit ip 10.10.10.0 255.255.255.0 host 10.1.1.20
access-list outside_nat0 permit ip 10.10.10.0 255.255.255.0 host 10.1.1.23
access-list placeouthere-cryptoacl permit ip host 10.10.10.254 host 10.1.1.20
access-list placeouthere-cryptoacl permit ip 10.10.10.0 255.255.255.0 host 10.1.1.20
access-list placeouthere-cryptoacl permit ip host 10.10.10.254 host 10.1.1.23
access-list placeouthere-cryptoacl permit ip 10.10.10.0 255.255.255.0 host 10.1.1.23
access-list outside_in permit tcp any host 63.88.88.35 eq smtp
access-list outside_in permit tcp any host 63.88.88.37 eq pptp
access-list outside_in permit gre any host 63.88.88.37
access-list outside_in permit tcp any host 63.88.88.45 eq https
access-list outside_in permit tcp any host 63.88.88.45 eq www
access-list outside_in permit tcp any host 63.88.88.43 eq https
access-list outside_in permit tcp host 202.58.44.59 host 63.88.88.41 eq 1433
access-list outside_in permit tcp host 202.58.44.51 host 63.88.88.39 eq 1433
access-list outside_in permit tcp host 10.1.1.20 host 63.88.88.41 eq 1433
access-list outside_in permit udp any host 10.10.10.254 eq snmp
access-list outside_in permit tcp host 10.1.1.128 host 10.10.10.254 eq telnet
access-list outside_in permit icmp host 10.1.1.20 10.10.10.0 255.255.255.0
access-list outside_in permit tcp host 10.1.1.20 host 10.10.10.143 eq 1433
access-list outside_in permit icmp any host 63.88.88.43
access-list outside_in permit tcp host 10.1.1.23 host 63.88.88.39 eq 1433
access-list outside_in permit tcp host 10.1.1.23 host 63.88.88.41 eq 1433
access-list outside_in permit tcp host 10.1.1.23 host 10.10.10.143 eq 1433
access-list outside_in permit tcp host 194.129.170.196 host 63.88.88.33 eq ftp
access-list outside_in permit tcp host 203.40.132.248 host 63.88.88.36 eq ftp
access-list outside_in permit tcp host 195.47.24.83 host 63.88.88.34 eq https
access-list outside_in permit tcp host 195.47.24.84 host 63.88.88.34 eq https
access-list outside_in permit tcp host 195.47.24.85 host 63.88.88.34 eq https
access-list outside_in permit tcp host 195.47.24.86 host 63.88.88.34 eq https
access-list outside_in permit tcp host 195.47.24.87 host 63.88.88.34 eq https
access-list outside_in permit tcp host 195.47.24.83 host 63.88.88.34 eq www
access-list outside_in permit tcp host 190.1.1.67 host 63.88.88.34 eq https
access-list outside_in permit tcp host 190.1.1.68 host 63.88.88.34 eq https
access-list outside_in permit tcp host 190.1.1.69 host 63.88.88.34 eq https
access-list outside_in permit tcp host 190.1.1.70 host 63.88.88.34 eq https
access-list outside_in permit tcp host 190.1.1.71 host 63.88.88.34 eq https
access-list outside_in permit tcp host 190.1.1.72 host 63.88.88.34 eq https
access-list outside_in permit tcp host 190.1.1.73 host 63.88.88.34 eq https
access-list outside_in permit tcp host 190.1.1.74 host 63.88.88.34 eq https
access-list outside_in permit tcp host 190.1.1.75 host 63.88.88.34 eq https
access-list outside_in permit tcp host 190.1.1.76 host 63.88.88.34 eq https
access-list outside_in permit tcp host 190.1.1.77 host 63.88.88.34 eq https
access-list outside_in permit tcp host 190.1.1.78 host 63.88.88.34 eq https
access-list outside_in permit tcp host 190.1.1.67 host 63.88.88.34 eq www
access-list outside_in permit tcp host 190.1.1.68 host 63.88.88.34 eq www
access-list outside_in permit tcp host 190.1.1.69 host 63.88.88.34 eq www
access-list outside_in permit tcp host 190.1.1.70 host 63.88.88.34 eq www
access-list outside_in permit tcp host 190.1.1.71 host 63.88.88.34 eq www
access-list outside_in permit tcp host 190.1.1.72 host 63.88.88.34 eq www
access-list outside_in permit tcp host 190.1.1.73 host 63.88.88.34 eq www
access-list outside_in permit tcp host 190.1.1.74 host 63.88.88.34 eq www
access-list outside_in permit tcp host 190.1.1.75 host 63.88.88.34 eq www
access-list outside_in permit tcp host 190.1.1.76 host 63.88.88.34 eq www
access-list outside_in permit tcp host 190.1.1.77 host 63.88.88.34 eq www
access-list outside_in permit tcp host 190.1.1.78 host 63.88.88.34 eq www
access-list outside_in permit tcp host 63.88.88.62 host 63.88.88.34 eq www
access-list outside_in permit tcp host 165.69.169.2 host 63.88.88.36 eq ftp
access-list outside_in permit tcp any host 63.88.88.33 eq https
access-list outside_in permit tcp any host 63.88.88.33 eq www
access-list outside_in permit tcp host 61.95.16.198 host 63.88.88.46 eq www
access-list outside_in permit tcp host 144.148.139.43 host 63.88.88.38 eq 3389
access-list outside_in permit tcp host 63.144.139.10 host 63.88.88.33 eq ftp
access-list outside_in permit tcp host 202.202.50.3 host 63.88.88.40 eq pop3
access-list outside_in permit tcp host 190.1.1.134 host 63.88.88.33 eq ftp
access-list dmz1_out permit tcp any host 10.10.11.224 eq citrix-ica
access-list dmz1_out permit tcp any host 10.10.11.223 eq citrix-ica
access-list dmz1_out permit tcp any host 10.10.11.224 eq 8080
access-list dmz1_out permit tcp any host 10.10.11.223 eq 8080
access-list dmz1_out permit tcp any host 10.10.11.222 eq citrix-ica
access-list dmz1_out permit tcp any host 10.10.11.222 eq 8080
access-list dmz1_out permit tcp host 10.10.11.214 host 10.10.11.228 eq 1433
access-list dmz1_out permit tcp any host 10.10.11.243 eq smtp
access-list dmz1_out permit tcp any host 10.10.11.243 eq pop3
access-list dmz1_out permit tcp host 10.10.11.200 host 10.10.11.199 eq ldap
access-list dmz1_out permit tcp host 10.10.11.200 host 10.10.11.199 eq 3268
access-list dmz1_out permit tcp any host 10.10.11.231 eq citrix-ica
access-list dmz1_out permit tcp any host 10.10.11.231 eq 8080
access-list dmz1_out permit tcp host 10.10.11.220 host 10.10.11.222 eq 5580
access-list dmz1_out permit tcp host 10.10.11.220 host 10.10.11.223 eq 5580
access-list dmz1_out permit tcp host 10.10.11.220 host 10.10.11.224 eq 5580
access-list dmz1_out permit tcp host 10.10.11.220 host 10.10.11.231 eq 5580
access-list dmz1_out permit tcp host 10.10.11.190 host 10.10.11.180 eq 1433
access-list dmz1_out permit tcp any host 10.10.11.221 eq citrix-ica
access-list dmz1_out permit tcp any host 10.10.11.221 eq 8080
access-list dmz1_out permit tcp host 10.10.11.220 host 10.10.11.221 eq 5580
access-list dmz1_out permit tcp host 10.10.11.190 host 10.10.11.228 eq 1433
access-list dmz1_out permit udp host 10.10.11.190 host 10.10.11.228 eq ntp
access-list dmz1_out permit tcp host 10.10.11.200 any eq smtp
access-list dmz1_out permit udp host 10.10.11.200 any eq domain
access-list dmz3_out permit tcp host 10.10.12.250 any eq pptp
access-list dmz3_out permit gre host 10.10.12.250 any
access-list inside_out permit ip 10.10.10.0 255.0.0.0 10.10.11.0 255.255.255.0
access-list inside_out permit ip any any
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap errors
logging history errors
logging queue 0
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
mtu dmz4 1500
ip address outside 203.63.142.221 255.255.255.252
ip address inside 10.10.10.252 255.255.0.0
ip address dmz1 10.10.11.254 255.255.255.0
ip address dmz2 10.10.12.254 255.255.255.0
ip address dmz3 192.168.252.254 255.255.255.0
ip address dmz4 192.168.251.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address dmz2
no failover ip address dmz3
no failover ip address dmz4
no pdm history enable
arp timeout 14400
global (outside) 1 63.88.88.62 netmask 255.255.255.255
global (dmz1) 1 10.10.11.1-10.10.11.30 netmask 255.255.255.255
nat (inside) 0 access-list outside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz2) 1 0.0.0.0 0.0.0.0 0 0
static (dmz3,outside) 63.88.88.37 192.168.252.250 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.10.11.228 10.10.10.143 netmask 255.255.255.255 0 0
static (inside,outside) 63.88.88.41 10.10.10.143 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.10.11.224 10.10.10.132 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.10.11.223 10.10.10.130 netmask 255.255.255.255 0 0
static (dmz1,outside) 63.88.88.45 10.10.11.220 netmask 255.255.255.255 0 0
static (dmz1,outside) 63.88.88.43 10.10.11.219 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.10.11.222 10.10.10.129 netmask 255.255.255.255 0 0
static (dmz1,outside) 63.88.88.35 10.10.11.200 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.10.11.243 10.10.10.50 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.10.11.199 10.10.10.52 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.10.11.231 10.10.10.199 netmask 255.255.255.255 0 0
static (inside,outside) 63.88.88.34 10.10.10.60 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.10.11.180 10.10.10.103 netmask 255.255.255.255 0 0
static (inside,outside) 63.88.88.46 10.10.10.31 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.10.11.221 10.10.10.97 netmask 255.255.255.255 0 0
static (inside,outside) 63.88.88.36 10.10.10.40 netmask 255.255.255.255 0 0
static (dmz1,outside) 63.88.88.33 10.10.11.190 netmask 255.255.255.255 0 0
static (inside,outside) 63.88.88.38 10.10.10.118 netmask 255.255.255.255 0 0
static (inside,outside) 63.88.88.40 10.10.10.50 netmask 255.255.255.255 0 0
static (inside,outside) 63.88.88.39 10.10.10.52 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group inside_out in interface inside
access-group dmz1_out in interface dmz1
route outside 0.0.0.0 0.0.0.0 203.63.142.222 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:05:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.5.41.40 key 1 source outside
ntp server 128.250.37.2 key 1 source outside
ntp server 133.100.9.2 key 1 source outside
ntp server 150.229.131.117 key 1 source outside
ntp server 130.155.101.122 key 1 source outside prefer
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
service resetinbound
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map site-outside 80 ipsec-isakmp
crypto map site-outside 80 match address placeouthere-cryptoacl
crypto map site-outside 80 set peer 22.222.63.129
crypto map site-outside 80 set transform-set ESP-3DES-MD5
crypto map site-outside 100 ipsec-isakmp
crypto map site-outside 100 match address reg-cryptoacl
crypto map site-outside 100 set peer 22.22.22.146
crypto map site-outside 100 set transform-set ESP-DES-MD5
crypto map site-outside interface outside
isakmp enable outside
isakmp key ******** address 22.22.22.146 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 22.222.63.129 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 60 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 10.10.10.52 255.255.255.255 inside
telnet 10.10.100.86 255.255.255.255 inside
telnet 10.10.100.171 255.255.255.255 inside
telnet timeout 5
ssh 1.25 255.255.255.255 outside
ssh 14.14.16.0 255.255.255.0 outside
ssh 10.10.10.52 255.255.255.255 inside
ssh 10.10.100.86 255.255.255.255 inside
ssh 10.10.100.171 255.255.255.255 inside
ssh timeout 5
console timeout 5
terminal width 80
banner motd THIS DEVICE IS PART OF A PRIVATE NETWORK
banner motd *****************************************
banner motd * *
banner motd * Unauthorised access or use of this *
banner motd * equipment is prohitbited. If you are *
banner motd * not authorised to use this system, *
banner motd * then terminate this session now. *
banner motd * *
banner motd *****************************************
Cryptochecksum:d6db5b1c38a776c3f8453014fc959dcc
: end
pixfirewall(config)#



 
access-list inside_out permit ip 10.10.10.0 255.0.0.0 10.10.11.0 255.255.255.0

^^You are permitting 10.x.x.x to 10.10.x.x with the above statement on the inside access-list.

___________________________________________________________

access-list dmz1_out permit tcp any host 10.10.11.224 eq citrix-ica
access-group dmz1_out in interface dmz1


^^You are allowing traffic from anyone to 10.10.11.224 (DMZ server). However, your rules are applied in the wrong direction. This should be applied going out the dmz interface, not coming into the interface.
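Both of rudeboy's points are mechanical enough to check with a script: an address/mask pair where the address has bits set outside the mask matches a wider network than it reads, and an access-group can only be applied in one direction on this platform. The Python below is an added example written for this thread, not code from the original post or from Cisco. It parses a handful of `ip address`, `access-list` and `access-group` lines copied from the config above (plus one constructed `access-group ... out` line so the direction check has something to report) and lists inconsistencies. It also flags interface subnets that contain one another, which is a general consistency check rather than something the thread raises.

```python
"""Lint a few PIX 6.3 configuration consistency rules (added example, not code
from the thread or from Cisco): access-list address/mask pairs whose address
has bits set outside the mask, access-group statements that name an undefined
ACL or a direction other than 'in', and interface subnets that overlap."""
import ipaddress
from itertools import combinations

# Constructed sample: lines copied from the thread's config, plus one made-up
# 'access-group ... out' line so the direction check has something to report.
SAMPLE_CONFIG = """\
ip address inside 10.10.10.252 255.255.0.0
ip address dmz1 10.10.11.254 255.255.255.0
ip address dmz2 10.10.12.254 255.255.255.0
access-list inside_out permit ip 10.10.10.0 255.0.0.0 10.10.11.0 255.255.255.0
access-list inside_out permit ip any any
access-list dmz1_out permit tcp any host 10.10.11.224 eq citrix-ica
access-list dmz1_out permit tcp host 10.10.11.200 host 10.10.11.199 eq ldap
access-group outside_in in interface outside
access-group inside_out in interface inside
access-group dmz1_out in interface dmz1
access-group dmz3_out out interface dmz3
"""

# Port operators that may follow an address, and how many tokens they consume.
PORT_OPERATORS = {"eq": 2, "lt": 2, "gt": 2, "neq": 2, "range": 3}


def pix_network(addr, mask):
    """Return the network an 'ADDR MASK' pair really matches and whether ADDR
    had bits set outside MASK (the PIX masks them off without complaint)."""
    net = ipaddress.IPv4Network((addr, mask), strict=False)
    return net, net.network_address != ipaddress.IPv4Address(addr)


def parse_address(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A' or 'A MASK'.
    Returns (network, next_index, address_had_bits_outside_mask)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1, False
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2, False
    net, sloppy = pix_network(tokens[i], tokens[i + 1])
    return net, i + 2, sloppy


def skip_ports(tokens, i):
    """Step over an optional 'eq smtp' / 'range 1 1024' after an address."""
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        return i + PORT_OPERATORS[tokens[i]]
    return i


def check_ace_masks(tokens, findings):
    """access-list NAME permit|deny PROTO SRC [ports] DST [ports]"""
    name, i = tokens[1], 4          # tokens[4] starts the source address
    for role in ("source", "destination"):
        start = i
        net, i, sloppy = parse_address(tokens, i)
        if sloppy:
            findings.append(
                f"{name}: {role} {tokens[start]} {tokens[start + 1]} has address "
                f"bits outside the mask; the entry actually matches {net}")
        i = skip_ports(tokens, i)


def lint(config_text):
    """Run all checks over a config and return the findings as strings."""
    findings, acl_names, interfaces = [], set(), {}
    for line in config_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":
            acl_names.add(tokens[1])
            check_ace_masks(tokens, findings)
        elif tokens[:2] == ["ip", "address"]:
            interfaces[tokens[2]] = ipaddress.IPv4Network(
                (tokens[3], tokens[4]), strict=False)
        elif tokens[0] == "access-group":
            name, direction, ifname = tokens[1], tokens[2], tokens[4]
            if name not in acl_names:
                findings.append(
                    f"access-group on {ifname} references undefined access-list {name}")
            if direction != "in":
                findings.append(
                    f"access-group on {ifname} uses direction '{direction}'; PIX 6.3 "
                    "only filters traffic entering an interface ('in')")
    # Interface subnets that contain one another are a consistency problem in
    # their own right; report every overlapping pair.
    for (a, net_a), (b, net_b) in combinations(sorted(interfaces.items()), 2):
        if net_a.overlaps(net_b):
            findings.append(f"interface {a} {net_a} overlaps interface {b} {net_b}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run as-is it reports the `10.10.10.0 255.0.0.0` entry as matching 10.0.0.0/8, the two access-groups whose ACLs are not in the sample, the constructed `out` direction, and the inside /16 containing both DMZ /24s. The port-operator table is the only PIX syntax the parser needs beyond `any`/`host`/`ADDR MASK`; anything else on an ACE line is ignored.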
 
Good eye rudeboy.

fatboy69,
You could clean this up a lot with group objects. It makes the ACLs easier to look at and easier to update if you add new hosts or services.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks for your replies guys.

Quick question. If I have a rule from inside going out to the IP subnet of my DMZ1, then wouldn't that mean that I can connect to anything on that DMZ network from inside and it would maintain the state of the connection, therefore I do not require a return rule?

cheers, FB.
 
You have a rule permitting IP any any on your inside. There is no need to have an access-list at all since your inside interface has a higher security than any other interface. This gives it access to all other interfaces by default. The problem is more than likely your access-list that is applied to your DMZ1 interface. It is applied in the wrong direction. When you apply an access-group command, the direction is in respect to the interface on the PIX. In means into the PIX through the interface, and out means out of the PIX through the interface.
 
Sorry, I should have stated from the start. This is PIX OS 6.3(4) not 7.x, so there is no out statement I believe.

So let me clarify. I have removed my ACL for the inside interface. Therefore I should be able to connect to hosts on the DMZ1 network. This does not work. I always understood access-group direction configs as you said, traffic coming into the PIX on that interface. It is then controlled by the ACLs and route tables as to where the traffic goes. If I am establishing a connection from inside to DMZ1 then doesn't the PIX open a stateful session to allow the host on DMZ1 to respond? If that is correct then this is why I can't understand why this doesn't work. If not then I am very confused. All my traffic is being generated from internal, with only the SMTP mail appliance communicating back to the Exchange server via a NAT that is configured on this line here.

static (inside,dmz1) 10.10.11.243 10.10.10.50 netmask 255.255.255.255 0 0

Thanks once again for your replies. I appreciate the input greatly.

FB.
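The last two posts turn on how the PIX decides whether to pass a packet: by security level when the ingress interface carries no ACL, by the first matching entry when an ACL is applied (with an implicit deny at the end), and by the connection table for the reply packets of a flow it has already permitted. The model below is an added example for this thread, not Cisco code and not the poster's configuration. It is a deliberately reduced PIX 6.3: no NAT pools, only the one static from the thread (`static (inside,dmz1) 10.10.11.243 10.10.10.50`), the inside interface without an ACL as the poster describes, and two of the `dmz1_out` entries. Host 10.10.10.60 and the source ports are constructed. Packet order matters: the Citrix reply in step two passes only because step one was permitted first.

```python
"""Reduced model of a PIX 6.3 forwarding decision (added example, not from the
thread): security levels, one inbound ACL per interface, one static, and the
connection table that passes return traffic of an already-permitted flow."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Optional

ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    ingress: str        # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None   # None: any destination port

    def matches(self, pkt):
        return (self.proto in ("ip", pkt.proto)
                and IPv4Address(pkt.src) in self.src
                and IPv4Address(pkt.dst) in self.dst
                and self.dport in (None, pkt.dport))


@dataclass
class Interface:
    name: str
    security: int
    network: IPv4Network
    acl: list = field(default_factory=list)   # empty: no access-group applied


class Pix:
    def __init__(self, interfaces, statics):
        self.ifs = {i.name: i for i in interfaces}
        self.statics = statics    # {(lower_interface, global_ip): local_ip}
        self.conns = set()        # (proto, src, sport, dst, dport) of permitted flows

    def _egress(self, dst):
        """Longest-prefix match over the directly connected networks."""
        hits = [i for i in self.ifs.values() if IPv4Address(dst) in i.network]
        return max(hits, key=lambda i: i.network.prefixlen) if hits else None

    def decide(self, pkt):
        """Return (verdict, reason); a permitted new flow is added to the table."""
        # 1. Reply packets of a flow already in the connection table pass
        #    without consulting ACLs or security levels.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return "permit", "return traffic for an existing connection"
        inbound = self.ifs[pkt.ingress]
        # 2. An ACL on the ingress interface replaces the security-level default:
        #    first match wins, no match is an implicit deny. It is evaluated on
        #    the address as seen on that interface, i.e. before the static.
        if inbound.acl:
            hit = next((a for a in inbound.acl if a.matches(pkt)), None)
            if hit is None or hit.action == "deny":
                return "deny", f"no permitting entry in the {inbound.name} ACL"
        # 3. Undo a static so the real destination can be routed.
        translated = (pkt.ingress, pkt.dst) in self.statics
        real_dst = self.statics.get((pkt.ingress, pkt.dst), pkt.dst)
        outbound = self._egress(real_dst)
        if outbound is None:
            return "deny", f"no connected route to {real_dst}"
        # 4. Lower -> higher security needs both a permitting ACL and a static;
        #    higher -> lower passes by default when no ACL is applied.
        if inbound.security < outbound.security:
            if not inbound.acl:
                return "deny", f"{inbound.name} -> {outbound.name} needs an ACL"
            if not translated:
                return "deny", f"{inbound.name} -> {outbound.name} needs a static"
        self.conns.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        how = "ACL" if inbound.acl else "security level"
        return "permit", (f"{inbound.name}({inbound.security}) -> "
                          f"{outbound.name}({outbound.security}) by {how}, dst {real_dst}")


def build_pix():
    """The thread's pair: inside with no ACL (the poster removed it), dmz1 with
    two of its dmz1_out entries, and the SMTP static for the Exchange server."""
    dmz1_out = [Ace("permit", "tcp", ANY, ip_network("10.10.11.224/32"), 1494),
                Ace("permit", "tcp", ANY, ip_network("10.10.11.243/32"), 25)]
    return Pix([Interface("inside", 100, ip_network("10.10.0.0/16")),
                Interface("dmz1", 80, ip_network("10.10.11.0/24"), dmz1_out)],
               statics={("dmz1", "10.10.11.243"): "10.10.10.50"})


def walk_through():
    """Four packets; host 10.10.10.60 and the source ports are constructed."""
    pix = build_pix()
    return [pix.decide(p) for p in (
        Packet("inside", "10.10.10.60", 40000, "10.10.11.224", 1494),  # inside -> Citrix in dmz1
        Packet("dmz1", "10.10.11.224", 1494, "10.10.10.60", 40000),    # the Citrix reply
        Packet("dmz1", "10.10.11.200", 40001, "10.10.11.243", 25),     # mail relay -> Exchange
        Packet("dmz1", "10.10.11.200", 40002, "10.10.11.224", 445))]   # nothing in dmz1_out


if __name__ == "__main__":
    for verdict, reason in walk_through():
        print(f"{verdict:6} {reason}")
```

The first three packets are permitted and the fourth is dropped by the implicit deny of `dmz1_out`. The reply in step two is accepted by the connection table alone, which is the stateful behaviour the poster asks about; the same packet presented before step one would instead be judged against the dmz1 ACL as a new connection and denied.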

 