allow traffic from outside interface into DMZ

Discussion in 'Cisco' started by will.i.am, Aug 25, 2006.

    Hi, I am trying to get traffic from the outside interface (192.168.1.2) to pass to the DMZ interface (192.168.100.1). I have a server sitting in the DMZ with the IP 192.168.100.6 that needs to communicate with clients connecting to it; they are able to get as far as the 192.168.1.2 interface but are then dropped. I have included my config below; any help would be greatly appreciated.

    Thanks,
    will.i.am


    Building configuration...
    : Saved
    :
    PIX Version 6.3(4)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    interface ethernet3 auto shutdown
    interface ethernet4 auto shutdown
    interface ethernet5 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security4
    nameif ethernet3 intf3 security6
    nameif ethernet4 HamlinGuest security1
    nameif ethernet5 failover security10
    enable password Fla0yul1WWMvgopF encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname firewall
    domain-name magid.int
    clock timezone CST -6
    clock summer-time CDT recurring
    fixup protocol dns
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol http 5001
    fixup protocol http 8080
    fixup protocol http 15868
    fixup protocol http 15871
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol snmp 161-162
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    no names
    name 192.168.1.1 PowerLink
    name 169.254.211.0 LAN2
    name 169.254.210.0 LAN1
    name 10.2.0.0 Detroit_Subnet
    name 169.254.202.25 WSUS
    name 192.168.201.0 EmployeeVPNTunnel
    name 192.168.203.0 vpnDMZAdminsTunnel
    name 192.168.204.0 webserver-DevTunnel
    name 192.168.202.0 ContractorVPNTunnel
    object-group service WindowsMediaServerTCPUDP tcp-udp
    description MMS and RTSP
    port-object range 1755 1755
    port-object range 554 554
    object-group service BackupExecPorts tcp-udp
    port-object range 10000 10000
    port-object range 1025 65535
    object-group service ftp tcp
    port-object eq ftp-data
    port-object eq ftp
    access-list inside_outbound_nat0_acl permit ip host 192.168.1.2 host 192.168.100.6
    access-list inside_outbound_nat0_acl remark
    access-list inside_outbound_nat0_acl permit ip 169.254.0.0 255.255.0.0 10.2.0.0 255.255.0.0
    access-list inside_outbound_nat0_acl remark Allows Employee VPN tunnel to connect to 169.254.202.0 devices on the LAN
    access-list inside_outbound_nat0_acl permit ip 169.254.202.0 255.255.255.0 192.168.201.0 255.255.255.0
    access-list inside_outbound_nat0_acl remark Allows Administrator VPN tunnel access to 169.254.0.0 LAN
    access-list inside_outbound_nat0_acl permit ip 169.254.0.0 255.255.0.0 192.168.200.0 255.255.255.0
    access-list inside_outbound_nat0_acl remark Allows Contractor VPN Tunnel access to AS400
    access-list inside_outbound_nat0_acl permit ip host 169.254.202.9 192.168.202.0 255.255.255.0
    access-list inside_outbound_nat0_acl remark Allows access to BOXFTP thru vpnDMZadmins vpn profile
    access-list inside_outbound_nat0_acl permit ip host 169.254.202.142 192.168.203.0 255.255.255.0
    access-list inside_outbound_nat0_acl remark Allows access to MAGIDWEB2 (magidchidbgw1) thru vpnDMZadmins vpn profile
    access-list inside_outbound_nat0_acl permit ip host 169.254.202.147 192.168.203.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip host 192.168.1.3 host 192.168.100.6
    access-list outside_access_in permit tcp host 192.168.1.2 host 192.168.100.6 eq www
    access-list outside_access_in permit tcp any host 192.168.1.72 eq smtp
    access-list outside_access_in permit tcp any host 192.168.1.41 eq smtp
    access-list outside_access_in permit tcp any host 192.168.1.36 eq www
    access-list outside_access_in permit tcp any host 192.168.1.36 eq https
    access-list outside_access_in remark allows syslog info to be sent from mci router to magidsus
    access-list outside_access_in permit udp host 65.201.236.33 host 192.168.1.39 eq syslog
    access-list outside_access_in remark allows syslog info to be sent from xo router to magidsus
    access-list outside_access_in permit udp host 66.236.124.129 host 192.168.1.39 eq syslog
    access-list outside_access_in remark allows snmp info to be sent from mci router to magidsus
    access-list outside_access_in permit udp host 65.201.236.33 host 192.168.1.39 eq snmp
    access-list outside_access_in remark temp fax web client magidsus
    access-list outside_access_in permit tcp any host 192.168.1.39 eq www
    access-list outside_access_in permit tcp host 192.168.1.1 host 192.168.1.60 eq ftp
    access-list outside_access_in permit udp host 65.201.236.33 host 192.168.1.60 eq tftp
    access-list outside_access_in remark Allows Field Sales to access WSUS
    access-list outside_access_in permit tcp any host 192.168.1.44 eq www
    access-list outside_access_in remark Allows SSL HTTPS traffic from public internet to web server
    access-list outside_access_in permit tcp any host 192.168.1.41 eq https
    access-list outside_access_in remark Allows SSL HTTPS traffic from public internet to web server
    access-list outside_access_in permit tcp any host 192.168.1.42 eq https
    access-list outside_access_in remark Allows SSL HTTPS traffic from public internet to web server
    access-list outside_access_in permit tcp any host 192.168.1.43 eq https
    access-list outside_access_in remark Magid Glove Web Site to DMZ
    access-list outside_access_in remark Magid Glove Web Site to External IP to DMZ Translation
    access-list outside_access_in permit tcp any host 192.168.1.41 eq www
    access-list outside_access_in remark Magid Glove Web Site to DMZ
    access-list outside_access_in remark Magid Glove Web Site to External IP to DMZ Translation
    access-list outside_access_in permit tcp any host 192.168.1.42 eq www
    access-list outside_access_in remark Magid Glove Web Site to DMZ
    access-list outside_access_in remark Magid Glove Web Site to External IP to DMZ Translation
    access-list outside_access_in permit tcp any host 192.168.1.43 eq www
    access-list outside_access_in remark Allows Windows Media TCP protocols to backup www server
    access-list outside_access_in permit tcp any host 192.168.1.41 object-group WindowsMediaServerTCPUDP
    access-list outside_access_in remark Allows Windows Media UDP protocols to backup www server
    access-list outside_access_in permit udp any host 192.168.1.41 object-group WindowsMediaServerTCPUDP
    access-list outside_access_in remark GFI NSM Echo Test of XO Router
    access-list outside_access_in permit icmp host 66.236.124.129 host 192.168.1.60
    access-list outside_access_in remark GFI NSM Echo Test of MCI Router
    access-list outside_access_in permit icmp host 65.201.236.33 host 192.168.1.60
    access-list outside_access_in permit gre any host 192.168.1.60
    access-list outside_access_in permit tcp any host 192.168.1.60 eq pptp
    access-list outside_access_in deny ip any any
    access-list outside_access_in permit tcp host 192.168.1.3 host 192.168.100.6 eq www
    access-list employee_splittunnel permit ip 169.254.202.0 255.255.255.0 any
    access-list Contractors_splittunnel permit ip host 169.254.202.9 any
    access-list Administrator_splitTunnelAcl permit ip 169.254.0.0 255.255.0.0 any
    access-list Administrator_splitTunnelAcl permit ip 192.168.100.0 255.255.255.0 any
    access-list DMZ_access_out permit tcp host 192.168.100.72 host 169.254.202.5 eq smtp
    access-list DMZ_access_out permit tcp host 192.168.100.41 host 169.254.202.5 eq smtp
    access-list DMZ_access_out remark Allows communication from DMZ to symantec av server
    access-list DMZ_access_out permit udp 192.168.100.0 255.255.255.0 host 169.254.202.20 eq 2967
    access-list DMZ_access_out permit tcp 192.168.100.0 255.255.255.0 host 169.254.202.6 object-group BackupExecPorts
    access-list DMZ_access_out remark Allows GFI Network Monitor to ICMP echo request to servers in the DMZ
    access-list DMZ_access_out permit icmp any host 169.254.202.6 echo-reply
    access-list DMZ_access_out permit ip any any
    access-list DMZ_access_out permit tcp host 192.168.100.41 host 169.254.202.6 eq www
    access-list DMZ_access_out permit tcp host 192.168.100.6 host 169.254.202.6 eq www
    access-list DMZ_access_out deny ip any 169.254.0.0 255.255.0.0
    access-list vpntodmz remark
    access-list vpntodmz permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0
    access-list vpntodmz remark Allows vpnDMZAdmins tunnel to access DMZ
    access-list vpntodmz permit ip 192.168.100.0 255.255.255.0 192.168.203.0 255.255.255.0
    access-list vpntodmz remark Allows webServer-Dev Tunnel access to DMZ
    access-list vpntodmz permit ip 192.168.100.0 255.255.255.0 192.168.204.0 255.255.255.0
    access-list vpntodmz remark Allows Administrators Tunnel to connect to DMZ
    access-list vpntodmz permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list vpnDMZadmins_splittunnel permit ip 192.168.100.0 255.255.255.0 any
    access-list vpnDMZadmins_splittunnel permit ip host 169.254.202.147 any
    access-list vpnDMZadmins_splittunnel permit ip host 169.254.202.142 any
    access-list WebServer-Dev_splitTunnelAcl permit ip host 192.168.100.42 any
    access-list outside_cryptomap_10 permit ip 169.254.0.0 255.255.0.0 10.2.0.0 255.255.0.0
    access-list outside_cryptomap_10 permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0
    access-list inside_access_in permit ip 169.254.0.0 255.255.0.0 any
    access-list inside_access_in permit icmp 169.254.0.0 255.255.0.0 any
    will.i.am, Aug 25, 2006
