Help! DMZ on Pix515

Discussion in 'Cisco' started by bg, Oct 6, 2006.

  1. bg

    bg Guest

    I have set up a Pix 515 and internet works fine, but I have a problem
    with the DMZ. I have a range of addresses, like webserver
    (193.248.161.26) and ftp (193.248.161.28) and some other stuff.

    I can't reach anything on the DMZ from the outside. I desperately
    altered some of the access lists late last night, so there may be some
    weird things there now. Note that I changed
    usernames/passwords/addresses before publishing this config.

    If someone could take a look at my config and point me in the right
    direction (not to mention tell me exactly what's wrong) I would be very
    grateful.


    PIX Version 7.2(1)19
    !
    hostname hhfw01
    domain-name noname
    enable password K4EjjEJEwpFjlPTE encrypted
    names
    dns-guard
    !
    interface Ethernet0
    nameif outside
    security-level 0
    pppoe client vpdn group nonamevpn
    ip address pppoe setroute
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 192.168.41.1 255.255.255.0
    !
    interface Ethernet2
    speed 100
    duplex full
    nameif dmz
    security-level 97
    ip address 193.248.161.17 255.255.255.240
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    dns server-group DefaultDNS
    domain-name hatlehols
    same-security-traffic permit intra-interface
    access-list inside_access_out extended permit ip any any
    access-list inside_access_out extended permit tcp 0.0.0.0 255.255.255.0 interface outside
    access-list inside_access_in extended permit ip any any inactive
    access-list outside_access_in extended permit ip any any inactive
    access-list outside_access_in extended permit tcp any interface dmz
    access-list outside_access_in extended permit ip any interface dmz
    access-list outside_access_in extended permit icmp any interface dmz echo-reply
    access-list hh_splitTunnelAcl standard permit 192.168.41.0 255.255.255.0
    access-list outside_cryptomap extended permit ip any 192.168.41.160 255.255.255.224
    access-list dmz_access_in extended permit ip any any
    access-list dmz_access_in extended permit tcp any any
    access-list dmz_access_out extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip local pool clients 192.168.41.170-192.168.41.180 mask 255.255.255.0
    asdm image flash:/asdm
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 101 interface
    nat (inside) 101 0.0.0.0 0.0.0.0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group inside_access_out out interface inside
    access-group dmz_access_in in interface dmz
    access-group dmz_access_out out interface dmz
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    group-policy hh internal
    group-policy hh attributes
    dns-server value 192.168.41.3
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value hh_splitTunnelAcl
    default-domain value HATLEHOLS
    username admin password FOGca/gfTrozRbXj encrypted privilege 0
    username admin attributes
    vpn-group-policy hh
    http server enable
    http 192.168.41.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no sysopt connection permit-vpn
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp nat-traversal 20
    tunnel-group hh type ipsec-ra
    tunnel-group hh general-attributes
    address-pool clients
    default-group-policy hh
    tunnel-group hh ipsec-attributes
    pre-shared-key *
    telnet timeout 5
    ssh timeout 5
    ssh version 1
    console timeout 0
    vpdn group hatlehols request dialout pppoe
    vpdn group hatlehols localname
    vpdn group hatlehols ppp authentication pap
    vpdn username password *********
    dhcpd dns 192.168.41.3
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd update dns
    !
    dhcpd address 192.168.41.100-192.168.41.149 inside
    dhcpd enable inside
    !
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect http
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !


    Thanks.
    bg, Oct 6, 2006
    #1

  2. mak

    mak Guest

    bg wrote:
    > I have set up a Pix 515 and internet works fine, but I have a problem
    > with the DMZ. I have a range of addresses, like webserver
    > (193.248.161.26) and ftp (193.248.161.28) and some other stuff.
    >
    > I can't reach anything on the DMZ from the outside. I desperately
    > altered some of the access lists late last night, so there may be some
    > weird things there now. Note that I changed
    > usernames/passwords/addresses before publishing this config.
    >
    > If someone could take a look at my config and point me in the right
    > direction (not to mention tell me exactly what's wrong) I would be very
    > grateful.


    I believe you are missing a static entry,
    something like:

    static (dmz,outside) 193.248.161.26 193.248.161.26 netmask 255.255.255.255 0 0


    mak, Oct 6, 2006
    #2
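A fuller version of mak's fix, added here as an example and not taken from the thread: identity statics for both hosts bg named (the web server at .26 and the ftp server at .28) plus outside ACL entries that name the real host addresses. The service ports (www, ftp) are an assumption about what those hosts serve.

```cisco
! Identity statics: with nat-control on, a packet from outside to a DMZ
! host is dropped unless a translation exists, even when the address
! is not changed. One entry per published host.
static (dmz,outside) 193.248.161.26 193.248.161.26 netmask 255.255.255.255
static (dmz,outside) 193.248.161.28 193.248.161.28 netmask 255.255.255.255
!
! "interface dmz" in an ACL means the firewall's own DMZ address
! (193.248.161.17), not the servers behind it, so the posted entries
! never matched the hosts. Replace them with service-specific lines.
! (Ports are assumed: www for the web server, ftp for the ftp server.)
no access-list outside_access_in extended permit tcp any interface dmz
no access-list outside_access_in extended permit ip any interface dmz
access-list outside_access_in extended permit tcp any host 193.248.161.26 eq www
access-list outside_access_in extended permit tcp any host 193.248.161.28 eq ftp
!
! Already present in the posted config; repeated here for completeness.
access-group outside_access_in in interface outside
!
! Checks after applying:
!   show xlate                          (identity entries for .26 and .28)
!   show access-list outside_access_in  (hit counts rise on a test connect)
```

Passive FTP data connections are handled by the `inspect ftp` already in the global policy, so no extra ACL lines are needed for them. The posted config also carries `ssh version 1` and `snmp-server community public`; neither is related to the DMZ problem, but both are worth changing on an internet-facing box.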

  3. bg

    bg Guest

    Thanks a lot, I was of course missing static routes to the DMZ.


    BG


    mak wrote:
    > bg wrote:
    > > I have set up a Pix 515 and internet works fine, but I have a problem
    > > with the DMZ. I have a range of addresses, like webserver
    > > (193.248.161.26) and ftp (193.248.161.28) and some other stuff.
    > >
    > > I can't reach anything on the DMZ from the outside. I desperately
    > > altered some of the access lists late last night, so there may be some
    > > weird things there now. Note that I changed
    > > usernames/passwords/addresses before publishing this config.
    > >
    > > If someone could take a look at my config and point me in the right
    > > direction (not to mention tell me exactly what's wrong) I would be very
    > > grateful.

    >
    > I believe you are missing a static entry,
    > something like:
    >
    > static (dmz,outside) 193.248.161.26 193.248.161.26 netmask 255.255.255.255 0 0
    >
    >
    bg, Oct 17, 2006
    #3