Double firewall problem

Discussion in 'Cisco' started by CKS, May 4, 2009.

  1. CKS

    CKS

    Joined:
    May 1, 2009
    Messages:
    1
    Hello everyone,

    I have a problem with a dual firewall setup that has been nagging me for almost a week now. We have a Sonicwall TZ 170 facing the internet and a Cisco PIX 506 behind it. In essence we have a DMZ between the routers. Don't ask why we did not just go with a single router setup as I inherited this network. :dontknow: :banghead: Basically we have PCs behind the PIX that can access the internet and we have PCs in the DMZ that can also access the internet. My goal is to allow VNC/RDP access from PCs on the inside network to some PCs on the DMZ network. I cannot get stuff like ping or even port forwarding to work from the inside network to the DMZ network. I have tried every possible thing but still to no avail. The present config is posted below with all access being allowed from an inside PC to a DMZ PC in bold. Any help will be greatly appreciated. Thanks.

    Graphic layout of present config


    Inside ---------> PIX 506 (DMZ) ----------> Sonicwall TZ170 ---> (Internet)

    Inside Network = 200.200.10.x (not valid class C)
    Gateway = 200.200.10.6

    PIX (DMZ) Network = 192.168.254.x
    Gateway = 192.168.254.11

    Running config below:

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname CENT-PIX
    clock timezone PST -8
    clock summer-time PDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 200.200.10.13 Deinodon
    name 200.200.10.120 SLACTBO08-Angel
    name 200.200.10.12 Astrodon
    name 200.200.98.25 Allosaur
    name 200.200.10.15 CENT_SAV
    name 192.168.254.25 Cent-DB01
    name 200.200.10.117 SLACTBO05-CarolynH
    name 200.200.10.119 SLACTBO07-KathyH
    object-group network Internet-Access
    network-object SLACTBO07-KathyH 255.255.255.255
    network-object SLACTBO05-CarolynH 255.255.255.255
    network-object SLACTBO08-Angel 255.255.255.255
    object-group network DNS-Access
    network-object Deinodon 255.255.255.255
    network-object Astrodon 255.255.255.255
    network-object Allosaur 255.255.255.255
    object-group service RDPUDP udp
    port-object range 3389 3389
    object-group service WWW tcp-udp
    port-object eq www
    object-group service Microsoft_File_Sharing_UDP udp
    description Microsoft_File_Sharing UDP
    port-object range netbios-ns netbios-dgm
    object-group service Microsoft_File_Sharing_TCP tcp
    port-object range 445 445
    port-object range netbios-ssn netbios-ssn
    object-group service VNC_RDP tcp
    port-object range 5699 5700
    object-group service FTP_ACCESS tcp
    port-object eq ftp-data
    port-object eq ftp
    access-list inside_access_in permit ip object-group Internet-Access any
    access-list inside_access_in permit tcp object-group DNS-Access any eq domain
    access-list inside_access_in permit udp object-group DNS-Access any eq domain
    access-list inside_access_in permit ip host CENT_SAV any
    access-list inside_access_in permit tcp host Deinodon host CENTDB01
    access-list inside_access_in deny tcp any any
    pager lines 24
    logging on
    logging timestamp
    logging monitor informational
    logging trap warnings
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.254.100 255.255.255.0
    ip address inside 200.200.10.6 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 200.200.0.0 255.255.0.0 inside
    pdm location 200.200.10.0 255.255.255.0 inside
    pdm location 200.200.98.0 255.255.255.0 inside
    pdm location Deinodon 255.255.255.255 inside
    pdm location SLACTBO08-Angel 255.255.255.255 inside
    pdm location Astrodon 255.255.255.255 inside
    pdm location CENT_SAV 255.255.255.255 inside
    pdm location Allosaur 255.255.255.255 inside
    pdm location Cent-DB01 255.255.255.255 outside
    pdm location SLACTBO05-CarolynH 255.255.255.255 inside
    pdm location SLACTBO07-KathyH 255.255.255.255 inside
    pdm location CENTDB01_Inside 255.255.255.255 inside
    pdm group Internet-Access inside
    pdm group DNS-Access inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
    static (inside,outside) 192.168.254.102 SLACTBO08-Angel netmask 255.255.255.255 0 0
    static (inside,outside) 192.168.254.107 SLACTBO05-CarolynH netmask 255.255.255.255 0 0
    static (inside,outside) 192.168.254.109 SLACTBO07-KathyH netmask 255.255.255.255 0 0
    static (outside,inside) CENTDB01_Inside Cent-DB01 netmask 255.255.255.255 0 0
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 192.168.254.11 1
    route inside 200.200.98.0 255.255.255.0 200.200.10.1 1
    timeout xlate 0:05:00
    timeout conn 5:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authorization command LOCAL
    ntp authenticate
    ntp server 200.200.98.10 source inside prefer
    http server enable
    http 200.200.10.0 255.255.255.0 inside
    http 200.200.98.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 200.200.98.169 /Cisco-Pix
    floodguard enable
    telnet 200.200.10.0 255.255.255.0 inside
    telnet 200.200.98.0 255.255.255.0 inside
    telnet timeout 15
    ssh timeout 5
    console timeout 15
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:71c85837d442748940155acfbce04e04
    : end
    CENT-PIX#

    I would think that the statement in bold would allow any access from the inside pc to the dmz pc but it does not work. Maybe I am missing something here but then again I am new to the PIX IOS. Please advise. Thanks.
     
    CKS, May 4, 2009
    #1

  2. Exarch

    Exarch

    Joined:
    May 11, 2009
    Messages:
    1
    Can the PIX resolve the host CENTDB01?

    I may have missed something but I can't see in your config where that host is defined.

    You've got "name 192.168.254.25 Cent-DB01" defined but not CENTDB01
     
    Exarch, May 12, 2009
    #2
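The check Exarch did by eye can be automated: every alias that appears in a host slot of an access-list, static or pdm location line should have a matching `name` entry. The following lint is an added example, not code from the thread; SAMPLE_CONFIG is a constructed excerpt of the posted config, and the token positions it inspects are assumptions about PIX 6.3 syntax as shown above.

```python
"""Lint a PIX 6.3 config for host aliases used without a `name` definition (added example)."""
import ipaddress
import re

# Constructed excerpt modelled on the running-config posted in the thread.
SAMPLE_CONFIG = """\
names
name 200.200.10.13 Deinodon
name 192.168.254.25 Cent-DB01
access-list inside_access_in permit tcp host Deinodon host CENTDB01
pdm location Cent-DB01 255.255.255.255 outside
pdm location CENTDB01_Inside 255.255.255.255 inside
static (outside,inside) CENTDB01_Inside Cent-DB01 netmask 255.255.255.255 0 0
"""

# Keywords that may occupy a host slot without being an alias or an address.
NON_HOST_TOKENS = {"tcp", "udp", "interface", "any"}


def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def defined_names(config):
    """Map alias -> address for every `name <ip> <alias>` line."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^name\s+(\S+)\s+(\S+)", config, re.M)}


def referenced_hosts(config):
    """(line_no, token) for each host slot in access-list, static and pdm location lines."""
    refs = []
    for no, line in enumerate(config.splitlines(), 1):
        t = line.split()
        if t[:1] == ["access-list"]:
            refs += [(no, t[i + 1]) for i, w in enumerate(t[:-1]) if w == "host"]
        elif t[:1] == ["static"] and len(t) >= 4:
            refs += [(no, t[2]), (no, t[3])]  # mapped address, then real address
        elif t[:2] == ["pdm", "location"] and len(t) >= 3:
            refs.append((no, t[2]))
    return refs


def undefined_hosts(config):
    """Sorted aliases that are referenced but never defined with `name`."""
    names = defined_names(config)
    return sorted({tok for _, tok in referenced_hosts(config)
                   if tok not in NON_HOST_TOKENS and not is_ip(tok) and tok not in names})
```

Run against the excerpt it reports CENTDB01 and CENTDB01_Inside, the two aliases the permit rule and the outside-to-inside static depend on.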
