NAT and STATIC on dmz1 to outside and dmz2

Discussion in 'Cisco' started by Kemton, Oct 14, 2004.

  1. Kemton

    Kemton Guest

    I have recently added access to my dmzinside (security60) from my
    dmzwww (security40), and now I cannot access anything on the outside
    (security0), except the "icmp any any" I added in. If I add in "tcp
    any any", I can access everything, but I need something more secure
    than that. The nat is all in place. I've never worked with both nat
    and static for the same interface, as normally everything has trickled
    down nicely.

    Here's my config file. Can anybody see what I'm missing?

    Thanks,
    Kemton

    *************************************************************************
    PIX Version 5.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmzinside security60
    nameif ethernet3 dmzwww security40
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxxxxxxx encrypted
    hostname psipix01
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol rtsp 554
    fixup protocol rtsp 8554
    names
    name 10.0.0.1 psirtr02
    name 10.0.0.2 psipix
    name 10.0.0.3 extpsimail
    name 10.0.0.4 extwwwserver
    name 192.168.0.1 psimail
    name 192.168.1.252 psi2000
    name 192.168.3.1 psiwww
    name 192.168.3.2 dmzwww-mail
    access-list acl_out permit tcp any host extpsimail eq smtp
    access-list acl_out permit tcp any host extwwwserver eq www
    access-list acl_out permit icmp any any echo-reply
    access-list acl_out permit tcp any host extwwwserver eq 443
    access-list acl_out permit udp host psirtr02 host extpsimail eq syslog
    access-list acl_out permit tcp any host extpsimail eq pop3
    access-list acl_in permit ip any any
    access-list acl_in permit tcp any host extpsimail eq www
    access-list acl_in permit tcp any host extwwwserver eq www
    access-list acl_in permit tcp any host extpsimail eq 443
    access-list acl_in permit tcp any host extwwwserver eq 443
    access-list acl_in deny tcp any any eq www
    access-list acl_in deny tcp any any eq 443
    access-list acl_dmzwww permit icmp any any
    access-list acl_dmzwww permit tcp any host dmzwww-mail eq smtp
    pager lines 24
    logging on
    no logging timestamp
    no logging standby
    no logging console
    no logging monitor
    logging buffered debugging
    logging trap notifications
    no logging history
    logging facility 20
    logging queue 0
    logging host dmzinside psimail
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    interface ethernet3 auto
    mtu outside 1500
    mtu inside 1500
    mtu dmzinside 1500
    mtu dmzwww 1500
    ip address outside psipix 255.255.255.248
    ip address inside 192.168.1.253 255.255.255.0
    ip address dmzinside 192.168.0.254 255.255.255.0
    ip address dmzwww 192.168.3.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside 0.0.0.0
    failover ip address inside 0.0.0.0
    failover ip address dmzinside 0.0.0.0
    failover ip address dmzwww 0.0.0.0
    arp timeout 14400
    global (outside) 1 10.0.0.5 netmask 255.255.255.248
    global (dmzinside) 1 192.168.0.250
    global (dmzwww) 1 192.168.3.250
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (dmzinside) 1 0.0.0.0 0.0.0.0 0 0
    nat (dmzwww) 1 0.0.0.0 0.0.0.0 0 0
    static (dmzinside,outside) extpsimail psimail netmask 255.255.255.255
    0 0
    static (dmzwww,outside) extwwwserver psiwww netmask 255.255.255.255 0
    0
    static (dmzinside,dmzwww) dmzwww-mail psimail netmask 255.255.255.255
    0 0
    access-group acl_out in interface outside
    access-group acl_in in interface inside
    access-group acl_dmzwww in interface dmzwww
    route outside 0.0.0.0 0.0.0.0 psirtr02 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
    0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    isakmp identity hostname
    telnet psi2000 255.255.255.255 inside
    telnet 192.168.1.2 255.255.255.255 inside
    telnet 192.168.1.3 255.255.255.255 inside
    telnet timeout 15
    ssh timeout 5
    terminal width 80
    ****************************************************************************
    Kemton, Oct 14, 2004
    #1

  2. mcaissie

    mcaissie Guest

    > and now I cannot access anything on the outside
    > (security0), except the "icmp any any" I added in. If I add in "tcp
    > any any", I can access everything, but I need something more secure
    > than that.


    Well, it's up to you to determine what exactly you mean by more secure and
    build your access-list accordingly.

    > access-list acl_dmzwww permit icmp any any
    > access-list acl_dmzwww permit tcp any host dmzwww-mail eq smtp



    > I've never worked with both nat
    > and static for the same interface, as normally everything has trickled
    > down nicely.


    It doesn't make a big difference.

    > nat (dmzwww) 1 0.0.0.0 0.0.0.0 0 0

    Here you tell the PIX to NAT whatever traffic comes from the dmzwww network.

    > global (outside) 1 10.0.0.5 netmask 255.255.255.248

    If traffic goes to the outside, it will be NATed using an address from this
    pool,

    > static (dmzwww,outside) extwwwserver psiwww netmask 255.255.255.255 0
    > 0

    except if the source is psiwww: then it will translate with extwwwserver
    instead of picking an address in the global pool.




    By the way, in this list the first line allows all IP, so the other lines
    become irrelevant.

    > access-list acl_in permit ip any any
    > access-list acl_in permit tcp any host extpsimail eq www
    > access-list acl_in permit tcp any host extwwwserver eq www
    > access-list acl_in permit tcp any host extpsimail eq 443
    > access-list acl_in permit tcp any host extwwwserver eq 443
    > access-list acl_in deny tcp any any eq www
    > access-list acl_in deny tcp any any eq 443

    mcaissie, Oct 14, 2004
    #2

  3. Kemton

    Kemton Guest

    From your response it appears that traffic originating from dmzwww
    should work going to the outside, but it still doesn't. With the NAT
    in place, I didn't think I needed any access-list rules to allow the
    dmzwww to access anything outside. Any recommendations on why this
    component isn't working?

    Kemton

    Kemton, Oct 15, 2004
    #3
  4. mcaissie

    mcaissie Guest

    "Kemton" <> wrote in message
    news:...
    > From your response it appears that traffic originating from dmzwww
    > should work going to the outside, but it still doesn't. With the NAT
    > in place, I didn't think I needed any access-list rules to allow the
    > dmzwww to access anything outside. Any recommendations on why this
    > component isn't working?





    Actually, you have an access-list filtering the traffic going from dmzwww
    to the outside.

    > > access-group acl_dmzwww in interface dmzwww


    and the rules only permit

    >> > access-list acl_dmzwww permit icmp any any
    >> > access-list acl_dmzwww permit tcp any host dmzwww-mail eq smtp


    all other traffic is denied.

    I think that you misunderstand where to apply the filtering. If you want
    to limit the traffic going to dmzwww, you have to filter it on the outside
    interface. Access-group applies the rule only on traffic entering the
    interface, not traffic leaving the interface.

    mcaissie, Oct 15, 2004
    #4
  5. Kemton

    Kemton Guest

    I put the dmzwww access-group rule in to allow the lower security
    dmzwww to access the higher security dmzinside, but in doing this, the
    access from dmzwww to outside stopped working. By default, Cisco
    makes it so that zones of higher security can access those of lower
    security, but I realize I may have negated this with my implementation
    of the dmzwww access-group rule (can you confirm this?). I still need
    to get my dmzwww to have access to everything in the outside domain,
    even if this requires dropping in a new acl_dmzwww rule.

    Your help is appreciated.

    Kemton

    Kemton, Oct 18, 2004
    #5
  7. mcaissie

    mcaissie Guest

    "Kemton" <> wrote in message
    news:...
    >I put the dmzwww access-group rule in to allow the lower security
    > dmzwww to access the higher security dmzinside, but in doing this, the
    > access from dmzwww to outside stopped working.


    First allow what you want in dmzinside, then deny everything else in
    dmzinside, then allow everything:

    access-list acl_dmzwww permit icmp any any
    access-list acl_dmzwww permit tcp any host dmzwww-mail eq smtp
    access-list acl_dmzwww deny ip any host dmzwww-mail
    access-list acl_dmzwww permit ip any any

    mcaissie, Oct 18, 2004
    #7
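    Packet walk for the two points the thread settles on, mcaissie's NAT explanation in #2 (a static wins over the nat/global pool for its one host) and the reordered acl_dmzwww in #7 (inbound ACL on dmzwww, first match wins, implicit deny at the end). This is an added Python model written for this page, not code from the thread or from Cisco; it takes names, statics and globals from the posted config, and assumes a constructed outside host 203.0.113.10 and that traffic to dmzwww-mail leaves via dmzinside.

```python
"""Model of the PIX 5.2 behaviour discussed in the thread: the access-group
on dmzwww is evaluated on traffic entering that interface, first match wins,
and anything unmatched hits the implicit deny; for higher-to-lower traffic a
matching static is used before the global pool. Added illustration only."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Names, security levels, statics and globals copied from the posted config.
NAMES = {"psiwww": "192.168.3.1", "dmzwww-mail": "192.168.3.2",
         "extwwwserver": "10.0.0.4", "extpsimail": "10.0.0.3",
         "psimail": "192.168.0.1"}
LEVEL = {"outside": 0, "dmzwww": 40, "dmzinside": 60, "inside": 100}
STATICS = [  # (higher_if, lower_if, global_name, local_name)
    ("dmzinside", "outside", "extpsimail", "psimail"),
    ("dmzwww", "outside", "extwwwserver", "psiwww"),
    ("dmzinside", "dmzwww", "dmzwww-mail", "psimail"),
]
GLOBAL_POOL = {"outside": "10.0.0.5", "dmzinside": "192.168.0.250",
               "dmzwww": "192.168.3.250"}
PORTS = {"www": 80, "smtp": 25, "pop3": 110, "443": 443}


def resolve(name):
    """Map a 'name' entry to its address; plain addresses pass through."""
    return ip_address(NAMES.get(name, name))


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' where
    SRC/DST are 'any' or 'host X', the only forms used in the thread."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    action, proto, rest = tok[2], tok[3], tok[4:]
    ends = []
    for _ in range(2):
        if rest[0] == "host":
            ends.append(rest[1])
            rest = rest[2:]
        else:
            ends.append(rest[0])
            rest = rest[1:]
    port = None
    if rest[:1] == ["eq"]:
        port = PORTS.get(rest[1]) or int(rest[1])
    return action, proto, ends[0], ends[1], port


def _matches(spec, addr):
    return spec == "any" or resolve(spec) == ip_address(addr)


def evaluate_acl(acl_lines, pkt):
    """First matching entry decides; falling off the end is the implicit deny."""
    for action, proto, src, dst, port in map(parse_ace, acl_lines):
        if proto not in ("ip", pkt.proto):
            continue
        if not (_matches(src, pkt.src) and _matches(dst, pkt.dst)):
            continue
        if port is not None and port != pkt.dport:
            continue
        return action == "permit"
    return False


def translate(src_if, dst_if, pkt):
    """Return (src, dst) after translation. Higher-to-lower: the source is
    rewritten, by a matching static first, otherwise from the global pool of
    the egress interface. Lower-to-higher: the source is kept and a destination
    sent to a static's global address is mapped back to the local host."""
    if LEVEL[src_if] > LEVEL[dst_if]:
        for high, low, gaddr, laddr in STATICS:
            if (high, low) == (src_if, dst_if) and resolve(laddr) == ip_address(pkt.src):
                return NAMES[gaddr], pkt.dst
        return GLOBAL_POOL[dst_if], pkt.dst
    for high, low, gaddr, laddr in STATICS:
        if (high, low) == (dst_if, src_if) and resolve(gaddr) == ip_address(pkt.dst):
            return pkt.src, NAMES[laddr]
    return pkt.src, pkt.dst


def walk_from_dmzwww(acl_lines, dst_if, pkt):
    """A packet entering dmzwww: inbound ACL first, then translation.
    Returns None when the ACL drops it, else the translated (src, dst)."""
    if not evaluate_acl(acl_lines, pkt):
        return None
    return translate("dmzwww", dst_if, pkt)


ORIGINAL_ACL = [  # what Kemton had: everything else falls to the implicit deny
    "access-list acl_dmzwww permit icmp any any",
    "access-list acl_dmzwww permit tcp any host dmzwww-mail eq smtp",
]
FIXED_ACL = ORIGINAL_ACL + [  # mcaissie's ordering from #7
    "access-list acl_dmzwww deny ip any host dmzwww-mail",
    "access-list acl_dmzwww permit ip any any",
]

if __name__ == "__main__":
    web = Packet("tcp", "192.168.3.1", "203.0.113.10", 80)  # constructed outside host
    print("original:", walk_from_dmzwww(ORIGINAL_ACL, "outside", web))
    print("fixed:   ", walk_from_dmzwww(FIXED_ACL, "outside", web))
```

    The same walk with a packet from psiwww to dmzwww-mail on port 80 shows why the deny line has to sit before the final permit: under the fixed list it is dropped, while SMTP to the same host still passes.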
  8. Kemton

    Kemton Guest

    Your last response worked well. Thanks for your help.
    Kemton, Oct 22, 2004
    #8
