PIX DMZ issues

comp.dcom.sys.cisco

Posted by Andrew E on December 3, 2004, 5:02 pm
I'm trying to set up a PIX with 3 network interfaces: Inside, Outside,
and DMZ. Outside is the internet, inside is my internal network, and
in the DMZ sits a web server. I can:

1. Access the webserver (172.16.1.11) in the DMZ from the internal
network (192.168.1.0/16).
2. Access the webserver (172.16.1.11) in the DMZ from the internet.
3. Access the internet from the internal network (192.168.1.0/16).

I can't:

1. Access services on a host in the internal network (192.168.1.249)
from the webserver in the DMZ (172.16.1.11). I need to be able to do
this to allow the webserver in the DMZ to access a SQL server in the
internal network. I have posted my config below with only the first
three octets of the public IPs changed.

I'm currently testing by accessing a webserver in the internal network
from the server in the DMZ. After I get it working, I will switch it
to SQL.

Thanks for the help,

Drew

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password <removed> encrypted
passwd <REMOVED> encrypted
hostname PIX01
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list web_access permit tcp any host 100.200.200.244 eq www
access-list from-dmz-coming-in permit icmp any any
access-list from-dmz-coming-in permit tcp any host 192.168.1.249 eq www
pager lines 24
logging on
logging timestamp
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 100.200.200.242 255.255.255.240
ip address inside 192.168.1.250 255.255.0.0
ip address dmz 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
static (dmz,outside) 100.200.200.244 172.16.1.11 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
access-group web_access in interface outside
access-group from-dmz-coming-in in interface dmz
route outside 0.0.0.0 0.0.0.0 100.200.200.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80


Posted by Walter Roberson on December 4, 2004, 2:17 am
:I'm trying to set up a PIX with 3 network interfaces: Inside, Outside,
:and DMZ.

:I can't:

:1. Access services on a host in the internal network (192.168.1.249)
:from the webserver in the DMZ (172.16.1.11).

:PIX Version 6.3(3)

:ip address inside 192.168.1.250 255.255.0.0
:ip address dmz 172.16.1.1 255.255.255.0

:global (outside) 1 interface
:nat (inside) 1 192.168.0.0 255.255.0.0 0 0
:static (dmz,outside) 100.200.200.244 172.16.1.11 netmask 255.255.255.255 0 0
:static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0

:route outside 0.0.0.0 0.0.0.0 100.200.200.241 1

The Cisco Output interpreter is complaining about the second
static in combination with there being no 'route' statement telling
the dmz how to get to 192.168/16.

I don't immediately see a problem there myself, but I would suggest
that you replace the static (inside,dmz) with

access-list nonat permit 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat

and see if that helps.
--
Scintillate, scintillate, globule vivific
Fain would I fathom thy nature specific.
Loftily poised on ether capacious
Strongly resembling a gem carbonaceous. -- Anon


Posted by Andrew E on December 4, 2004, 10:17 am
I'll try and implement your suggestions on monday as I don't have
access to the client's network until then. Thanks for your help.

Drew

roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote in message
> :I'm trying to set up a PIX with 3 network interfaces: Inside, Outside,
> :and DMZ.
>
> :I can't:
>
> :1. Access services on a host in the internal network (192.168.1.249)
> :from the webserver in the DMZ (172.16.1.11).
>
> :PIX Version 6.3(3)
>
> :ip address inside 192.168.1.250 255.255.0.0
> :ip address dmz 172.16.1.1 255.255.255.0
>
> :global (outside) 1 interface
> :nat (inside) 1 192.168.0.0 255.255.0.0 0 0
> :static (dmz,outside) 100.200.200.244 172.16.1.11 netmask 255.255.255.255 0 0
> :static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
>
> :route outside 0.0.0.0 0.0.0.0 100.200.200.241 1
>
> The Cisco Output interpreter is complaining about the second
> static in combination with there being no 'route' statement telling
> the dmz how to get to 192.168/16.
>
> I don't immediately see a problem there myself, but I would suggest
> that you replace the static (inside,dmz) with
>
> access-list nonat permit 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
> nat (inside) 0 access-list nonat
>
> and see if that helps.


Posted by Tosh on December 4, 2004, 7:28 am
> I can't:
>
> 1. Access services on a host in the internal network (192.168.1.249)
> from the webserver in the DMZ (172.16.1.11). I need to be able to do
> this to allow the webserver in the DMZ to access a SQL server in the
> internal network.....
>
To my knowledge, you should at least be able to ping the host on the internal LAN from
the DMZ. For SQL access you forgot to add the proper access-list statement; I
see only one for ping and one for www.
Does the internal host ping the server on the DMZ?
Also, you can perform a "sh local-host" in order to see if you have
licensing problems.
Bye,
Tosh.
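Putting Walter's identity-NAT suggestion and Tosh's observation about the missing SQL rule together, this is what the relevant part of Drew's config would look like after the change. It is an added example written for this page, not configuration from any post in the thread. It assumes the SQL server is Microsoft SQL Server listening on TCP/1433 on the same host Drew is testing against (192.168.1.249), reuses the thread's interface and access-list names, spells out the `ip` protocol keyword that PIX 6.3 access-list syntax requires, and uses leading-colon lines as comments. The security point it makes: once an access-group is bound to the dmz interface, that list is the only thing standing between a compromised DMZ web server and the inside network, so it should enumerate exactly the flows the web server needs (one source host, one destination host, one port) rather than `any`.

```cisco
: Added example for this page, not from the thread. Assumes MS SQL on TCP/1433
: at 192.168.1.249 and the DMZ web server at 172.16.1.11; adjust if the real
: SQL host differs.
:
: 1. Identity NAT so inside hosts keep their real addresses when seen from
:    the DMZ, replacing the inside->dmz static (Walter's suggestion).
no static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat
:
: 2. Tighten the DMZ inbound list. The original permits icmp any any and
:    tcp any -> 192.168.1.249 www, and has no SQL entry at all (Tosh's point).
no access-list from-dmz-coming-in permit icmp any any
no access-list from-dmz-coming-in permit tcp any host 192.168.1.249 eq www
access-list from-dmz-coming-in permit tcp host 172.16.1.11 host 192.168.1.249 eq 1433
: Keep the www entry only while testing against the internal web server.
access-list from-dmz-coming-in permit tcp host 172.16.1.11 host 192.168.1.249 eq www
: Echo replies only, so inside hosts can ping the DMZ but the DMZ cannot
: initiate pings into the inside network.
access-list from-dmz-coming-in permit icmp any any echo-reply
access-group from-dmz-coming-in in interface dmz
:
: 3. Drop translations built under the old static, then verify.
clear xlate
show access-list from-dmz-coming-in
show xlate
show conn
show local-host
```

After the change, connect from the web server to 192.168.1.249:1433 and check that the hit count on the 1433 line of `show access-list from-dmz-coming-in` increments and that `show conn` lists the connection; if the hit count rises but no connection appears, the SQL host itself (host firewall, listener not bound, or a default route that does not point at 192.168.1.250) is the next thing to look at. `show local-host` is the 6.3 form of the licensing check Tosh mentions.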



