
Andrew E 12-04-2004 01:02 AM

PIX DMZ issues
 
I'm trying to set up a PIX with 3 network interfaces: Inside, Outside,
and DMZ. Outside is the internet, inside is my internal network, and
in the DMZ sits a web server. I can:

1. Access the webserver (172.16.1.11) in the DMZ from the internal
network (192.168.1.0/16).
2. Access the webserver (172.16.1.11) in the DMZ from the internet.
3. Access the internet from the internal network (192.168.1.0/16).

I can't:

1. Access services on a host in the internal network (192.168.1.249)
from the webserver in the DMZ (172.16.1.11). I need to be able to do
this to allow the webserver in the DMZ to access a SQL server in the
internal network. I have posted my config below with only the first
three octets of the public IPs changed.

I'm currently testing by accessing a webserver in the internal network
from the server in the DMZ. After I get it working, I will switch it
to SQL.

Thanks for the help,

Drew

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password <removed> encrypted
passwd <REMOVED> encrypted
hostname PIX01
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list web_access permit tcp any host 100.200.200.244 eq www
access-list from-dmz-coming-in permit icmp any any
access-list from-dmz-coming-in permit tcp any host 192.168.1.249 eq www
pager lines 24
logging on
logging timestamp
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 100.200.200.242 255.255.255.240
ip address inside 192.168.1.250 255.255.0.0
ip address dmz 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
static (dmz,outside) 100.200.200.244 172.16.1.11 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
access-group web_access in interface outside
access-group from-dmz-coming-in in interface dmz
route outside 0.0.0.0 0.0.0.0 100.200.200.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Walter Roberson 12-04-2004 02:17 AM

Re: PIX DMZ issues
 
In article <1e3ecbbd.0412031702.703062e@posting.google.com> ,
Andrew E <drazak@materiamagica.com> wrote:
:I'm trying to set up a PIX with 3 network interfaces: Inside, Outside,
:and DMZ.

:I can't:

:1. Access services on a host in the internal network (192.168.1.249)
:from the webserver in the DMZ (172.16.1.11).

:PIX Version 6.3(3)

:ip address inside 192.168.1.250 255.255.0.0
:ip address dmz 172.16.1.1 255.255.255.0

:global (outside) 1 interface
:nat (inside) 1 192.168.0.0 255.255.0.0 0 0
:static (dmz,outside) 100.200.200.244 172.16.1.11 netmask 255.255.255.255 0 0
:static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0

:route outside 0.0.0.0 0.0.0.0 100.200.200.241 1

The Cisco Output interpreter is complaining about the second
static in combination with there being no 'route' statement telling
the dmz how to get to 192.168/16.

I don't immediately see a problem there myself, but I would suggest
that you replace the static (inside,dmz) with

access-list nonat permit 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat

and see if that helps.
--
Scintillate, scintillate, globule vivific
Fain would I fathom thy nature specific.
Loftily poised on ether capacious
Strongly resembling a gem carbonaceous. -- Anon

Tosh 12-04-2004 06:28 AM

Re: PIX DMZ issues
 
> I can't:
>
> 1. Access services on a host in the internal network (192.168.1.249)
> from the webserver in the DMZ (172.16.1.11). I need to be able to do
> this to allow the webserver in the DMZ to access a SQL server in the
> internal network.....
>

To my knowledge, you should at least be able to ping the host on the internal LAN from
the DMZ. For SQL access you forgot to add the proper access-list statement; I
see only one for ping and one for www.
Does the internal host ping the server on the DMZ?
Also, you can perform a "sh local-hosts" in order to see if you have
licensing problems.
Bye,
Tosh.
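To make the two replies concrete, here is a small added model (not from the thread, and not Cisco code) of how the PIX decides a flow from the lower-security dmz (50) to the higher-security inside (100): the destination needs a translation (the poster's identity static, or Walter's nat 0 exemption) and the ACL applied inbound on dmz must permit the port. The policy tables are transcribed from the posted config; the function names and the simplified evaluation order are my own assumptions.

```python
import ipaddress

SECURITY = {"outside": 0, "inside": 100, "dmz": 50}

def in_net(ip, net, mask):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)

# Transcribed from the original post: identity static (inside,dmz) and the dmz inbound
# ACL, which permits icmp from anywhere and tcp/80 to 192.168.1.249 only.
POSTED_POLICY = {
    # static (real_if,mapped_if) mapped_net real_net netmask
    "statics": [("inside", "dmz", "192.168.0.0", "192.168.0.0", "255.255.0.0")],
    # nat (inside) 0 access-list entries: (inside_net, mask, dmz_net, mask); none posted
    "nat0": [],
    "acl_dmz_in": [("icmp", "any", None), ("tcp", "192.168.1.249", 80)],
}

# Walter's alternative: drop the static and exempt inside<->dmz traffic from NAT instead.
NONAT_POLICY = dict(POSTED_POLICY, statics=[],
                    nat0=[("192.168.0.0", "255.255.0.0", "172.16.1.0", "255.255.255.0")])

def has_translation(policy, src_if, dst_if, src_ip, dst_ip):
    for real_if, mapped_if, mapped_net, _real_net, mask in policy["statics"]:
        if (real_if, mapped_if) == (dst_if, src_if) and in_net(dst_ip, mapped_net, mask):
            return True
    # The nat 0 ACL is written from inside's point of view, so a dmz-originated flow
    # matches with its destination against the ACL source and vice versa.
    for inside_net, inside_mask, dmz_net, dmz_mask in policy["nat0"]:
        if in_net(dst_ip, inside_net, inside_mask) and in_net(src_ip, dmz_net, dmz_mask):
            return True
    return False

def acl_permits(acl, proto, dst_ip, dst_port):
    return any(p == proto and host in ("any", dst_ip) and port in (None, dst_port)
               for p, host, port in acl)

def flow_verdict(policy, src_if, dst_if, proto, src_ip, dst_ip, dst_port=None):
    """Lower- to higher-security flow: needs a translation AND an ACL permit."""
    if SECURITY[src_if] >= SECURITY[dst_if]:
        return "not-modelled"  # high-to-low is governed by nat/global, not shown here
    if not has_translation(policy, src_if, dst_if, src_ip, dst_ip):
        return "no-translation"
    if not acl_permits(policy["acl_dmz_in"], proto, dst_ip, dst_port):
        return "acl-denied"
    return "permitted"

if __name__ == "__main__":
    for name, pol in (("posted", POSTED_POLICY), ("nonat", NONAT_POLICY)):
        for port in (80, 1433):  # www works today; SQL has no ACL entry under either policy
            print(name, port, flow_verdict(pol, "dmz", "inside", "tcp",
                                           "172.16.1.11", "192.168.1.249", port))
```

Under both policies tcp/80 is permitted and tcp/1433 is "acl-denied", which is Tosh's point: swapping the static for nat 0 changes the translation, not the missing ACL line.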

Andrew E 12-04-2004 06:17 PM

Re: PIX DMZ issues
 
I'll try and implement your suggestions on monday as I don't have
access to the client's network until then. Thanks for your help.

Drew

roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote in message news:<cor6ms$p8a$1@canopus.cc.umanitoba.ca>...
> In article <1e3ecbbd.0412031702.703062e@posting.google.com> ,
> Andrew E <drazak@materiamagica.com> wrote:
> :I'm trying to set up a PIX with 3 network interfaces: Inside, Outside,
> :and DMZ.
>
> :I can't:
>
> :1. Access services on a host in the internal network (192.168.1.249)
> :from the webserver in the DMZ (172.16.1.11).
>
> :PIX Version 6.3(3)
>
> :ip address inside 192.168.1.250 255.255.0.0
> :ip address dmz 172.16.1.1 255.255.255.0
>
> :global (outside) 1 interface
> :nat (inside) 1 192.168.0.0 255.255.0.0 0 0
> :static (dmz,outside) 100.200.200.244 172.16.1.11 netmask 255.255.255.255 0 0
> :static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
>
> :route outside 0.0.0.0 0.0.0.0 100.200.200.241 1
>
> The Cisco Output interpreter is complaining about the second
> static in combination with there being no 'route' statement telling
> the dmz how to get to 192.168/16.
>
> I don't immediately see a problem there myself, but I would suggest
> that you replace the static (inside,dmz) with
>
> access-list nonat permit 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
> nat (inside) 0 access-list nonat
>
> and see if that helps.
