Hello,
I'm having a problem connecting to my DMZ from the inside network. Connection from the Internet into the DMZ is working fine.
My internal network is 10.10.0.0/16
The DMZ is 10.0.0.0/16
I need to do two things. One is to connect to the DMZ from the Inside network and secondly for the Web server to talk to the AS/400. I can't seem to do either of these.
The web server's address on the DMZ is 10.0.1.100, the AS/400 on the inside is 10.10.1.1.
I have turned on debugging on the PIX and can see a PC on the inside network trying to communicate with the Web server on the DMZ, so I know my routing is OK.
I've been looking at this for ages, I have even tried a completely different subnet for my DMZ (192.168.1.0/24) but this had the same problem.
I can telnet to the Ethernet-T/R router and ping the Web serve from there and I can also ping the Web server from the PIX. I can't ping the internal network from the Web server.
The company also has a T/R network hence the mention of 136.44.1.0 in this config.The ethernet to T/R is bridged via a Cisco 2601 router.
I'd really appreciate it if someong could look at my config and tell me where I'm going wrong. Many thanks.
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname xxxxxxxxxx
domain-name secure.xxxxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list v3vpn permit ip 10.10.0.0 255.255.0.0 172.16.50.0 255.255.255.0
access-list v3vpn permit ip 136.44.1.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list no-nat permit ip 10.10.0.0 255.255.0.0 172.16.50.0 255.255.255.0
access-list no-nat permit ip 136.44.1.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list fromout permit tcp any host 194.x.x.245 eq www
access-list fromdmz permit tcp host 10.0.1.100 host 10.0.1.20
pager lines 24
logging on
logging monitor debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1514
mtu inside 1514
mtu dmz 1500
ip address outside 194.x.x.249 255.255.255.240
ip address inside 10.10.2.1 255.255.0.0
ip address dmz 10.0.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclients 172.16.50.1-172.16.50.100
ip local pool pptp-pool 172.16.50.101-172.16.50.200
pdm location 10.10.2.1 255.255.255.255 inside
pdm location 10.10.3.1 255.255.255.255 inside
pdm logging emergencies 100
pdm history enable
arp timeout 14400
global (outside) 1 194.x.x.248
global (dmz) 1 10.0.1.200
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 194.x.x.245 10.0.1.100 netmask 255.255.255.255 0 0
static (inside,dmz) 10.0.1.20 10.10.1.1 netmask 255.255.255.255 0 0
access-group fromout in interface outside
access-group fromdmz in interface dmz
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 194.x.x.254 1
route inside 136.44.1.0 255.255.255.0 10.10.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.10.0.0 255.255.0.0 inside
http 10.10.3.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set vpndes esp-des esp-sha-hmac
crypto dynamic-map vpn3 4 set transform-set vpndes
crypto map dyn-map 30 ipsec-isakmp dynamic vpn3
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local vpnclients outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup barrett address-pool vpnclients
vpngroup barrett default-domain secure.xxxxxxxx.com
vpngroup barrett split-tunnel v3vpn
vpngroup barrett idle-time 1800
telnet 10.10.0.0 255.255.0.0 inside
telnet 136.44.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 10
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn enable outside
terminal width 80
Cryptochecksum:694e8b4107825860f8bbc57527ad8c40
I'm having a problem connecting to my DMZ from the inside network. Connection from the Internet into the DMZ is working fine.
My internal network is 10.10.0.0/16
The DMZ is 10.0.0.0/16
I need to do two things. One is to connect to the DMZ from the Inside network and secondly for the Web server to talk to the AS/400. I can't seem to do either of these.
The web server's address on the DMZ is 10.0.1.100, the AS/400 on the inside is 10.10.1.1.
I have turned on debugging on the PIX and can see a PC on the inside network trying to communicate with the Web server on the DMZ, so I know my routing is OK.
I've been looking at this for ages, I have even tried a completely different subnet for my DMZ (192.168.1.0/24) but this had the same problem.
I can telnet to the Ethernet-T/R router and ping the Web serve from there and I can also ping the Web server from the PIX. I can't ping the internal network from the Web server.
The company also has a T/R network hence the mention of 136.44.1.0 in this config.The ethernet to T/R is bridged via a Cisco 2601 router.
I'd really appreciate it if someong could look at my config and tell me where I'm going wrong. Many thanks.
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname xxxxxxxxxx
domain-name secure.xxxxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list v3vpn permit ip 10.10.0.0 255.255.0.0 172.16.50.0 255.255.255.0
access-list v3vpn permit ip 136.44.1.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list no-nat permit ip 10.10.0.0 255.255.0.0 172.16.50.0 255.255.255.0
access-list no-nat permit ip 136.44.1.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list fromout permit tcp any host 194.x.x.245 eq www
access-list fromdmz permit tcp host 10.0.1.100 host 10.0.1.20
pager lines 24
logging on
logging monitor debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1514
mtu inside 1514
mtu dmz 1500
ip address outside 194.x.x.249 255.255.255.240
ip address inside 10.10.2.1 255.255.0.0
ip address dmz 10.0.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclients 172.16.50.1-172.16.50.100
ip local pool pptp-pool 172.16.50.101-172.16.50.200
pdm location 10.10.2.1 255.255.255.255 inside
pdm location 10.10.3.1 255.255.255.255 inside
pdm logging emergencies 100
pdm history enable
arp timeout 14400
global (outside) 1 194.x.x.248
global (dmz) 1 10.0.1.200
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 194.x.x.245 10.0.1.100 netmask 255.255.255.255 0 0
static (inside,dmz) 10.0.1.20 10.10.1.1 netmask 255.255.255.255 0 0
access-group fromout in interface outside
access-group fromdmz in interface dmz
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 194.x.x.254 1
route inside 136.44.1.0 255.255.255.0 10.10.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.10.0.0 255.255.0.0 inside
http 10.10.3.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set vpndes esp-des esp-sha-hmac
crypto dynamic-map vpn3 4 set transform-set vpndes
crypto map dyn-map 30 ipsec-isakmp dynamic vpn3
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local vpnclients outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup barrett address-pool vpnclients
vpngroup barrett default-domain secure.xxxxxxxx.com
vpngroup barrett split-tunnel v3vpn
vpngroup barrett idle-time 1800
telnet 10.10.0.0 255.255.0.0 inside
telnet 136.44.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 10
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn enable outside
terminal width 80
Cryptochecksum:694e8b4107825860f8bbc57527ad8c40
