Velocity Reviews - Computer Hardware Reviews

allow traffic from outside interface into DMZ

Posted by will.i.am (Junior Member, Join Date: Aug 2006, Posts: 2) on 08-25-2006
Hi, I am trying to get traffic from the outside interface 192.168.1.2 to pass to the DMZ interface 192.168.100.1. I have a server sitting in the DMZ with the IP 192.168.100.6 that needs to communicate with clients connecting to it; they are able to get as far as the 192.168.1.2 interface but then are dropped. I have included my config below; any help would be greatly appreciated.

Thanks,
will.i.am


Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
nameif ethernet3 intf3 security6
nameif ethernet4 HamlinGuest security1
nameif ethernet5 failover security10
enable password Fla0yul1WWMvgopF encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname firewall
domain-name magid.int
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 5001
fixup protocol http 8080
fixup protocol http 15868
fixup protocol http 15871
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol snmp 161-162
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 192.168.1.1 PowerLink
name 169.254.211.0 LAN2
name 169.254.210.0 LAN1
name 10.2.0.0 Detroit_Subnet
name 169.254.202.25 WSUS
name 192.168.201.0 EmployeeVPNTunnel
name 192.168.203.0 vpnDMZAdminsTunnel
name 192.168.204.0 webserver-DevTunnel
name 192.168.202.0 ContractorVPNTunnel
object-group service WindowsMediaServerTCPUDP tcp-udp
description MMS and RTSP
port-object range 1755 1755
port-object range 554 554
object-group service BackupExecPorts tcp-udp
port-object range 10000 10000
port-object range 1025 65535
object-group service ftp tcp
port-object eq ftp-data
port-object eq ftp
access-list inside_outbound_nat0_acl permit ip host 192.168.1.2 host 192.168.100.6
access-list inside_outbound_nat0_acl remark
access-list inside_outbound_nat0_acl permit ip 169.254.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list inside_outbound_nat0_acl remark Allows Employee VPN tunnel to connect to 169.254.202.0 devices on the LAN
access-list inside_outbound_nat0_acl permit ip 169.254.202.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list inside_outbound_nat0_acl remark Allows Administrator VPN tunnel access to 169.254.0.0 LAN
access-list inside_outbound_nat0_acl permit ip 169.254.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list inside_outbound_nat0_acl remark Allows Contractor VPN Tunnel access to AS400
access-list inside_outbound_nat0_acl permit ip host 169.254.202.9 192.168.202.0 255.255.255.0
access-list inside_outbound_nat0_acl remark Allows access to BOXFTP thru vpnDMZadmins vpn profile
access-list inside_outbound_nat0_acl permit ip host 169.254.202.142 192.168.203.0 255.255.255.0
access-list inside_outbound_nat0_acl remark Allows access to MAGIDWEB2 (magidchidbgw1) thru vpnDMZadmins vpn profile
access-list inside_outbound_nat0_acl permit ip host 169.254.202.147 192.168.203.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.1.3 host 192.168.100.6
access-list outside_access_in permit tcp host 192.168.1.2 host 192.168.100.6 eq www
access-list outside_access_in permit tcp any host 192.168.1.72 eq smtp
access-list outside_access_in permit tcp any host 192.168.1.41 eq smtp
access-list outside_access_in permit tcp any host 192.168.1.36 eq www
access-list outside_access_in permit tcp any host 192.168.1.36 eq https
access-list outside_access_in remark allows syslog info to be sent from mci router to magidsus
access-list outside_access_in permit udp host 65.201.236.33 host 192.168.1.39 eq syslog
access-list outside_access_in remark allows syslog info to be sent from xo router to magidsus
access-list outside_access_in permit udp host 66.236.124.129 host 192.168.1.39 eq syslog
access-list outside_access_in remark allows snmp info to be sent from mci router to magidsus
access-list outside_access_in permit udp host 65.201.236.33 host 192.168.1.39 eq snmp
access-list outside_access_in remark temp fax web client magidsus
access-list outside_access_in permit tcp any host 192.168.1.39 eq www
access-list outside_access_in permit tcp host 192.168.1.1 host 192.168.1.60 eq ftp
access-list outside_access_in permit udp host 65.201.236.33 host 192.168.1.60 eq tftp
access-list outside_access_in remark Allows Field Sales to access WSUS
access-list outside_access_in permit tcp any host 192.168.1.44 eq www
access-list outside_access_in remark Allows SSL HTTPS traffic from public internet to web server
access-list outside_access_in permit tcp any host 192.168.1.41 eq https
access-list outside_access_in remark Allows SSL HTTPS traffic from public internet to web server
access-list outside_access_in permit tcp any host 192.168.1.42 eq https
access-list outside_access_in remark Allows SSL HTTPS traffic from public internet to web server
access-list outside_access_in permit tcp any host 192.168.1.43 eq https
access-list outside_access_in remark Magid Glove Web Site to DMZ
access-list outside_access_in remark Magid Glove Web Site to External IP to DMZ Translation
access-list outside_access_in permit tcp any host 192.168.1.41 eq www
access-list outside_access_in remark Magid Glove Web Site to DMZ
access-list outside_access_in remark Magid Glove Web Site to External IP to DMZ Translation
access-list outside_access_in permit tcp any host 192.168.1.42 eq www
access-list outside_access_in remark Magid Glove Web Site to DMZ
access-list outside_access_in remark Magid Glove Web Site to External IP to DMZ Translation
access-list outside_access_in permit tcp any host 192.168.1.43 eq www
access-list outside_access_in remark Allows Windows Media TCP protocols to backup www server
access-list outside_access_in permit tcp any host 192.168.1.41 object-group WindowsMediaServerTCPUDP
access-list outside_access_in remark Allows Windows Media UDP protocols to backup www server
access-list outside_access_in permit udp any host 192.168.1.41 object-group WindowsMediaServerTCPUDP
access-list outside_access_in remark GFI NSM Echo Test of XO Router
access-list outside_access_in permit icmp host 66.236.124.129 host 192.168.1.60
access-list outside_access_in remark GFI NSM Echo Test of MCI Router
access-list outside_access_in permit icmp host 65.201.236.33 host 192.168.1.60
access-list outside_access_in permit gre any host 192.168.1.60
access-list outside_access_in permit tcp any host 192.168.1.60 eq pptp
access-list outside_access_in deny ip any any
access-list outside_access_in permit tcp host 192.168.1.3 host 192.168.100.6 eq www
access-list employee_splittunnel permit ip 169.254.202.0 255.255.255.0 any
access-list Contractors_splittunnel permit ip host 169.254.202.9 any
access-list Administrator_splitTunnelAcl permit ip 169.254.0.0 255.255.0.0 any
access-list Administrator_splitTunnelAcl permit ip 192.168.100.0 255.255.255.0 any
access-list DMZ_access_out permit tcp host 192.168.100.72 host 169.254.202.5 eq smtp
access-list DMZ_access_out permit tcp host 192.168.100.41 host 169.254.202.5 eq smtp
access-list DMZ_access_out remark Allows communication from DMZ to symantec av server
access-list DMZ_access_out permit udp 192.168.100.0 255.255.255.0 host 169.254.202.20 eq 2967
access-list DMZ_access_out permit tcp 192.168.100.0 255.255.255.0 host 169.254.202.6 object-group BackupExecPorts
access-list DMZ_access_out remark Allows GFI Network Monitor to ICMP echo request to servers in the DMZ
access-list DMZ_access_out permit icmp any host 169.254.202.6 echo-reply
access-list DMZ_access_out permit ip any any
access-list DMZ_access_out permit tcp host 192.168.100.41 host 169.254.202.6 eq www
access-list DMZ_access_out permit tcp host 192.168.100.6 host 169.254.202.6 eq www
access-list DMZ_access_out deny ip any 169.254.0.0 255.255.0.0
access-list vpntodmz remark
access-list vpntodmz permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list vpntodmz remark Allows vpnDMZAdmins tunnel to access DMZ
access-list vpntodmz permit ip 192.168.100.0 255.255.255.0 192.168.203.0 255.255.255.0
access-list vpntodmz remark Allows webServer-Dev Tunnel access to DMZ
access-list vpntodmz permit ip 192.168.100.0 255.255.255.0 192.168.204.0 255.255.255.0
access-list vpntodmz remark Allows Administrators Tunnel to connect to DMZ
access-list vpntodmz permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list vpnDMZadmins_splittunnel permit ip 192.168.100.0 255.255.255.0 any
access-list vpnDMZadmins_splittunnel permit ip host 169.254.202.147 any
access-list vpnDMZadmins_splittunnel permit ip host 169.254.202.142 any
access-list WebServer-Dev_splitTunnelAcl permit ip host 192.168.100.42 any
access-list outside_cryptomap_10 permit ip 169.254.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside_cryptomap_10 permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list inside_access_in permit ip 169.254.0.0 255.255.0.0 any
access-list inside_access_in permit icmp 169.254.0.0 255.255.0.0 any
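A check for the question above, added here and not part of the original post or of any Cisco tooling: it parses the posted outside_access_in entries and reports any entry that an earlier, broader entry already matches, since the PIX stops at the first matching line. On the constructed sample it flags the final permit for host 192.168.1.3, which sits after deny ip any any. It models only addresses, protocol and a single trailing port qualifier and ignores NAT, so whether an outside list must reference a DMZ host by its translated address is outside its scope.

```python
# Shadowed-entry check for a PIX 6.x access-list (added example, not from the thread
# or from Cisco). The PIX walks a list top to bottom and stops at the first match,
# so an entry placed after a broader deny (or permit) for the same traffic is never hit.
import ipaddress

# Constructed sample: four lines from the thread's outside_access_in list, original order.
SAMPLE_ACL = """
access-list outside_access_in permit tcp host 192.168.1.2 host 192.168.100.6 eq www
access-list outside_access_in permit tcp any host 192.168.1.72 eq smtp
access-list outside_access_in deny ip any any
access-list outside_access_in permit tcp host 192.168.1.3 host 192.168.100.6 eq www
"""

def take_addr(tokens):
    """Consume one address spec ('any', 'host X', or 'net mask') as an ip_network."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Return a dict for a permit/deny entry; None for remarks and blank lines."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    src, rest = take_addr(t[4:])
    dst, rest = take_addr(rest)
    # Trailing 'eq <port>' / 'object-group <name>' qualifier; None for ip, gre, icmp.
    return {"name": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst,
            "port": rest[-1] if rest else None, "line": line}

def shadows(earlier, later):
    """True if 'earlier' already matches every packet 'later' would match."""
    return (earlier["proto"] in ("ip", later["proto"])
            and later["src"].subnet_of(earlier["src"])
            and later["dst"].subnet_of(earlier["dst"])
            and earlier["port"] in (None, later["port"]))

def find_shadowed(config_text, acl_name):
    """Return (shadowed_index, shadowing_index) pairs for the named access-list."""
    aces = [a for a in map(parse_ace, config_text.splitlines()) if a and a["name"] == acl_name]
    hits = []
    for i, later in enumerate(aces):
        for j in range(i):
            if shadows(aces[j], later):
                hits.append((i, j))
                break  # one shadowing entry is enough to prove it unreachable
    return hits
```

Running find_shadowed(SAMPLE_ACL, "outside_access_in") returns [(3, 2)]: the fourth entry is unreachable because the third already matches everything it would permit.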