Double firewall problem

Discussion in 'Cisco' started by CKS, May 4, 2009.

  1. CKS


    May 1, 2009
    Hello everyone,

    I have a problem with a dual firewall setup that has been nagging me for almost a week now. We have a SonicWall TZ 170 facing the internet and a Cisco PIX 506 behind it. In essence we have a DMZ between the routers. Don't ask why we did not just go with a single router setup, as I inherited this network. :dontknow: :banghead: Basically we have PCs behind the PIX that can access the internet and we have PCs in the DMZ that can also access the internet. My goal is to allow VNC/RDP access from PCs on the inside network to some PCs on the DMZ network. I cannot get stuff like ping or even port forwarding to work from the inside network to the DMZ network. I have tried every possible thing but still to no avail. The present config is posted below with all access being allowed from an inside PC to a DMZ PC in bold. Any help will be greatly appreciated. Thanks.

    Graphic layout of present config

    Inside ---------> PIX 506 (DMZ) ----------> Sonicwall TZ170 ---> (Internet)

    Inside Network = 200.200.10.x (not valid class C)
    Gateway =

    PIX (DMZ) Network = 192.168.254.x
    Gateway =

    Running config below:

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname CENT-PIX
    clock timezone PST -8
    clock summer-time PDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    name Deinodon
    name SLACTBO08-Angel
    name Astrodon
    name Allosaur
    name CENT_SAV
    name Cent-DB01
    name SLACTBO05-CarolynH
    name SLACTBO07-KathyH
    object-group network Internet-Access
    network-object SLACTBO07-KathyH
    network-object SLACTBO05-CarolynH
    network-object SLACTBO08-Angel
    object-group network DNS-Access
    network-object Deinodon
    network-object Astrodon
    network-object Allosaur
    object-group service RDPUDP udp
    port-object range 3389 3389
    object-group service WWW tcp-udp
    port-object eq www
    object-group service Microsoft_File_Sharing_UDP udp
    description Microsoft_File_Sharing UDP
    port-object range netbios-ns netbios-dgm
    object-group service Microsoft_File_Sharing_TCP tcp
    port-object range 445 445
    port-object range netbios-ssn netbios-ssn
    object-group service VNC_RDP tcp
    port-object range 5699 5700
    object-group service FTP_ACCESS tcp
    port-object eq ftp-data
    port-object eq ftp
    access-list inside_access_in permit ip object-group Internet-Access any
    access-list inside_access_in permit tcp object-group DNS-Access any eq domain
    access-list inside_access_in permit udp object-group DNS-Access any eq domain
    access-list inside_access_in permit ip host CENT_SAV any
    access-list inside_access_in permit tcp host Deinodon host CENTDB01
    access-list inside_access_in deny tcp any any
    pager lines 24
    logging on
    logging timestamp
    logging monitor informational
    logging trap warnings
    mtu outside 1500
    mtu inside 1500
    ip address outside
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm location inside
    pdm location inside
    pdm location inside
    pdm location Deinodon inside
    pdm location SLACTBO08-Angel inside
    pdm location Astrodon inside
    pdm location CENT_SAV inside
    pdm location Allosaur inside
    pdm location Cent-DB01 outside
    pdm location SLACTBO05-CarolynH inside
    pdm location SLACTBO07-KathyH inside
    pdm location CENTDB01_Inside inside
    pdm group Internet-Access inside
    pdm group DNS-Access inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 dns 0 0
    static (inside,outside) SLACTBO08-Angel netmask 0 0
    static (inside,outside) SLACTBO05-CarolynH netmask 55 0 0
    static (inside,outside) SLACTBO07-KathyH netmask 0 0
    static (outside,inside) CENTDB01_Inside Cent-DB01 netmask 0 0
    access-group inside_access_in in interface inside
    route outside 1
    route inside 1
    timeout xlate 0:05:00
    timeout conn 5:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authorization command LOCAL
    ntp authenticate
    ntp server source inside prefer
    http server enable
    http inside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside /Cisco-Pix
    floodguard enable
    telnet inside
    telnet inside
    telnet timeout 15
    ssh timeout 5
    console timeout 15
    dhcpd auto_config outside
    terminal width 80
    : end

    I would think that the statement in bold would allow any access from the inside pc to the dmz pc but it does not work. Maybe I am missing something here but then again I am new to the PIX IOS. Please advise. Thanks.
    CKS, May 4, 2009

  2. Exarch


    May 11, 2009
    Can the PIX resolve the host CENTDB01?

    I may have missed something, but I can't see in your config where that host is defined.

    You've got "name Cent-DB01" defined, but not CENTDB01.
    Exarch, May 12, 2009
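The mismatch Exarch points out (an access-list referencing a host name that no `name` or `object-group` line declares) is easy to catch mechanically. The checker below is an added example, not code from the thread or from Cisco; it parses a constructed PIX 6.3-style config fragment with placeholder addresses (the poster's real addresses are not on the page) and reports every host or group referenced in `access-list` or `static` lines that is never defined.

```python
import re

# Constructed sample config in PIX 6.3 syntax; addresses are placeholders, not the poster's.
# It reproduces the thread's defect: the ACL says "host CENTDB01" but only "Cent-DB01" is named.
SAMPLE_CONFIG = """\
name 200.200.10.5 Deinodon
name 192.168.254.20 Cent-DB01
object-group network DNS-Access
network-object Deinodon
access-list inside_access_in permit tcp host Deinodon host CENTDB01
access-list inside_access_in permit udp object-group DNS-Access any eq domain
access-list inside_access_in permit ip host CENT_SAV any
static (outside,inside) CENTDB01_Inside Cent-DB01 netmask 255.255.255.255 0 0
"""

def defined_names(config):
    """Collect identifiers declared by 'name <ip> <name>' and 'object-group <type> <name>'."""
    names = set()
    for line in config.splitlines():
        m = re.match(r'name\s+\S+\s+(\S+)', line)
        if m:
            names.add(m.group(1))
        m = re.match(r'object-group\s+(?:network|service)\s+(\S+)', line)
        if m:
            names.add(m.group(1))
    return names

def _is_ip(token):
    return re.fullmatch(r'\d{1,3}(?:\.\d{1,3}){3}', token) is not None

def undefined_references(config):
    """Return [(line_no, token)] for names used in access-list/static lines but never declared.
    Handles 'host <x>' and 'object-group <x>' in ACLs and plain host statics (mapped, real)."""
    known = defined_names(config)
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        toks = line.split()
        if not toks:
            continue
        if toks[0] == 'access-list':
            for i, t in enumerate(toks[:-1]):
                if t in ('host', 'object-group'):
                    ref = toks[i + 1]
                    if not _is_ip(ref) and ref not in known:
                        findings.append((n, ref))
        elif toks[0] == 'static':
            # static (real_if,mapped_if) <mapped> <real> netmask ...
            for ref in toks[2:4]:
                if not _is_ip(ref) and ref not in known:
                    findings.append((n, ref))
    return findings
```

Run against the poster's full config the same way; a clean result leaves only the reachability and NAT questions to chase.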