PIX 515 - Access to DMZ

Discussion in 'Cisco' started by The Entitty, Nov 29, 2003.

  1. The Entitty

    Hope you can help me out. I have a PIX 515, with an older version of
    software 5.0
    My problem is that I can't access my dmz from any higher security zones.
    also I can't ping from the DMZ. But from outside it's not a problem.
    I can telnet to my mail server in the DMZ from external, and ping it.

    I would like to be able to use port 25 from higher level and lower level
    security zones.

    Take a look at my config, let me know your thoughts

    show config

    : Saved

    :

    PIX Version 5.0(3)

    nameif ethernet0 outside security0

    nameif ethernet1 inside security100

    nameif ethernet2 ntapps security10

    nameif ethernet3 csslb security15

    nameif ethernet4 dmz security5

    nameif ethernet5 intf5 security25

    hostname wstmprod

    fixup protocol ftp 21

    fixup protocol http 80

    fixup protocol smtp 25

    fixup protocol h323 1720

    fixup protocol rsh 514

    fixup protocol sqlnet 1521

    no names

    no pager

    no logging timestamp

    no logging standby

    logging console alerts

    logging monitor alerts

    logging buffered debugging

    no logging trap

    logging facility 20

    logging queue 512

    interface ethernet0 100full

    interface ethernet1 100full

    interface ethernet2 100full

    interface ethernet3 auto

    interface ethernet4 auto

    interface ethernet5 100full shutdown

    mtu outside 1500

    mtu inside 1500

    mtu ntapps 1500

    mtu csslb 1500

    mtu dmz 1500

    mtu intf5 1500

    ip address outside 1.2.3.2 255.255.255.128

    ip address inside 10.15.254.252 255.255.0.0

    ip address ntapps 10.11.1.1 255.255.255.0

    ip address csslb 10.20.30.5 255.255.0.0

    ip address dmz 10.5.0.1 255.255.0.0

    ip address intf5 127.0.0.1 255.255.255.255

    failover

    failover timeout 0:00:00

    failover ip address outside 1.2.3.10

    failover ip address inside 10.15.254.199

    failover ip address ntapps 10.11.1.199

    failover ip address csslb 10.20.30.199

    failover ip address dmz 10.5.0.2

    failover ip address intf5 127.0.0.2

    arp timeout 14400

    global (outside) 1 1.2.3.5

    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    nat (ntapps) 1 0.0.0.0 0.0.0.0 0 0

    nat (csslb) 1 0.0.0.0 0.0.0.0 0 0

    nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

    alias (ntapps) 1.2.3.82 10.5.0.10 255.255.255.255

    static (inside,outside) 1.2.3.22 1.2.3.22 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.24 1.2.3.24 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.25 1.2.3.25 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.26 1.2.3.26 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.27 1.2.3.27 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.28 1.2.3.28 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.29 1.2.3.29 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.30 1.2.3.30 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.31 1.2.3.31 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.32 1.2.3.32 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.33 1.2.3.33 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.34 1.2.3.34 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.35 1.2.3.35 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.37 1.2.3.37 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.38 1.2.3.38 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.39 1.2.3.39 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.40 1.2.3.40 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.41 1.2.3.41 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.42 1.2.3.42 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.43 1.2.3.43 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.44 1.2.3.44 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.45 1.2.3.45 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.46 1.2.3.46 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.47 1.2.3.47 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.48 1.2.3.48 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.49 1.2.3.49 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.50 1.2.3.50 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.51 1.2.3.51 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.12 1.2.3.12 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.13 1.2.3.13 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.14 1.2.3.14 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.21 1.2.3.21 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.11 1.2.3.11 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.36 1.2.3.36 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.18 1.2.3.18 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.16 1.2.3.16 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.17 1.2.3.17 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.15 1.2.3.15 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.23 1.2.3.23 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.20 1.2.3.20 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.19 10.15.100.5 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.76 1.2.3.76 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.77 1.2.3.77 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.78 1.2.3.78 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.52 1.2.3.52 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.97 10.11.1.40 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.85 1.2.3.85 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.86 1.2.3.86 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.60 1.2.3.60 netmask 255.255.255.255 0 0

    static (csslb,outside) 1.2.3.70 10.20.30.31 netmask 255.255.255.255 0 0

    static (csslb,outside) 1.2.3.61 10.20.30.101 netmask 255.255.255.255 0 0

    static (csslb,outside) 1.2.3.62 10.20.30.140 netmask 255.255.255.255 0 0

    static (csslb,outside) 1.2.3.63 10.20.30.100 netmask 255.255.255.255 0 0

    static (csslb,outside) 1.2.3.65 10.20.30.158 netmask 255.255.255.255 0 0

    static (csslb,outside) 1.2.3.64 10.20.30.157 netmask 255.255.255.255 0 0

    static (csslb,outside) 1.2.3.66 10.20.30.159 netmask 255.255.255.255 0 0

    static (csslb,outside) 1.2.3.71 10.20.30.30 netmask 255.255.255.255 0 0

    static (csslb,outside) 1.2.3.67 10.20.30.50 netmask 255.255.255.255 0 0

    static (csslb,outside) 1.2.3.68 10.20.30.51 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.80 1.2.3.80 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.83 1.2.3.83 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.101 1.2.3.101 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.102 1.2.3.102 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.100 1.2.3.100 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.91 1.2.3.91 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.88 1.2.3.88 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.93 1.2.3.93 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.96 1.2.3.96 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.89 1.2.3.89 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.94 1.2.3.94 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.95 1.2.3.95 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.75 1.2.3.75 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.9 1.2.3.9 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.87 1.2.3.87 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.81 1.2.3.81 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.118 1.2.3.118 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.117 1.2.3.117 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.124 1.2.3.124 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.105 1.2.3.105 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.104 1.2.3.104 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.106 1.2.3.106 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.107 1.2.3.107 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.108 1.2.3.108 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.109 1.2.3.109 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.110 1.2.3.110 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.111 1.2.3.111 netmask 255.255.255.255 0 0

    static (inside,outside) 1.2.3.53 1.2.3.53 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.112 1.2.3.112 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.113 1.2.3.113 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.114 1.2.3.114 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.103 1.2.3.103 netmask 255.255.255.255 0 0

    static (ntapps,outside) 1.2.3.115 1.2.3.115 netmask 255.255.255.255 0 0

    static (dmz,outside) 1.2.3.82 10.5.0.10 netmask 255.255.255.255 0 0

    static (inside,dmz) 1.2.3.0 1.2.3.0 netmask 255.255.255.0 0 0

    static (ntapps,dmz) 10.11.1.0 10.11.1.0 netmask 255.255.255.0 0 0

    access-list acl_out permit icmp any any

    access-list acl_out permit tcp any host 1.2.3.22 eq www

    access-list acl_out permit tcp any host 1.2.3.22 eq 22

    access-list acl_out permit tcp any host 1.2.3.23 eq 22

    access-list acl_out permit tcp any host 1.2.3.23 eq www

    access-list acl_out permit tcp any host 1.2.3.22 eq 443

    access-list acl_out permit tcp any host 1.2.3.23 eq 443

    access-list acl_out permit tcp any host 1.2.3.24 eq 443

    access-list acl_out permit tcp any host 1.2.3.24 eq www

    access-list acl_out permit tcp any host 1.2.3.24 eq 22

    access-list acl_out permit tcp any host 1.2.3.25 eq 22

    access-list acl_out permit tcp any host 1.2.3.25 eq www

    access-list acl_out permit tcp any host 1.2.3.25 eq 443

    access-list acl_out permit tcp any host 1.2.3.26 eq 443

    access-list acl_out permit tcp any host 1.2.3.26 eq www

    access-list acl_out permit tcp any host 1.2.3.26 eq 22

    access-list acl_out permit tcp any host 1.2.3.27 eq www

    access-list acl_out permit tcp any host 1.2.3.27 eq 443

    access-list acl_out permit tcp any host 1.2.3.22 eq domain

    access-list acl_out permit udp any host 1.2.3.22 eq domain

    access-list acl_out permit tcp any host 1.2.3.28 eq www

    access-list acl_out permit tcp any host 1.2.3.28 eq 443

    access-list acl_out permit tcp any host 1.2.3.29 eq www

    access-list acl_out permit tcp any host 1.2.3.29 eq 443

    access-list acl_out permit tcp any host 1.2.3.30 eq www

    access-list acl_out permit tcp any host 1.2.3.30 eq 443

    access-list acl_out permit tcp any host 1.2.3.31 eq www

    access-list acl_out permit tcp any host 1.2.3.31 eq 443

    access-list acl_out permit tcp any host 1.2.3.32 eq www

    access-list acl_out permit tcp any host 1.2.3.32 eq 443

    access-list acl_out permit tcp any host 1.2.3.33 eq www

    access-list acl_out permit tcp any host 1.2.3.33 eq 443

    access-list acl_out permit tcp any host 1.2.3.34 eq www

    access-list acl_out permit tcp any host 1.2.3.34 eq 443

    access-list acl_out permit tcp any host 1.2.3.35 eq www

    access-list acl_out permit tcp any host 1.2.3.35 eq 443

    access-list acl_out permit tcp any host 1.2.3.36 eq www

    access-list acl_out permit tcp any host 1.2.3.36 eq 443

    access-list acl_out permit tcp any host 1.2.3.37 eq www

    access-list acl_out permit tcp any host 1.2.3.37 eq 443

    access-list acl_out permit tcp any host 1.2.3.38 eq www

    access-list acl_out permit tcp any host 1.2.3.38 eq 443

    access-list acl_out permit tcp any host 1.2.3.39 eq www

    access-list acl_out permit tcp any host 1.2.3.39 eq 443

    access-list acl_out permit tcp any host 1.2.3.40 eq www

    access-list acl_out permit tcp any host 1.2.3.40 eq 443

    access-list acl_out permit tcp any host 1.2.3.41 eq www

    access-list acl_out permit tcp any host 1.2.3.41 eq 443

    access-list acl_out permit tcp any host 1.2.3.42 eq www

    access-list acl_out permit tcp any host 1.2.3.42 eq 443

    access-list acl_out permit tcp any host 1.2.3.43 eq www

    access-list acl_out permit tcp any host 1.2.3.43 eq 443

    access-list acl_out permit tcp any host 1.2.3.44 eq www

    access-list acl_out permit tcp any host 1.2.3.44 eq 443

    access-list acl_out permit tcp any host 1.2.3.45 eq www

    access-list acl_out permit tcp any host 1.2.3.45 eq 443

    access-list acl_out permit tcp any host 1.2.3.46 eq www

    access-list acl_out permit tcp any host 1.2.3.46 eq 443

    access-list acl_out permit tcp any host 1.2.3.47 eq www

    access-list acl_out permit tcp any host 1.2.3.47 eq 443

    access-list acl_out permit tcp any host 1.2.3.48 eq www

    access-list acl_out permit tcp any host 1.2.3.48 eq 443

    access-list acl_out permit tcp any host 1.2.3.49 eq www

    access-list acl_out permit tcp any host 1.2.3.49 eq 443

    access-list acl_out permit tcp any host 1.2.3.50 eq www

    access-list acl_out permit tcp any host 1.2.3.50 eq 443

    access-list acl_out permit tcp any host 1.2.3.51 eq www

    access-list acl_out permit tcp any host 1.2.3.51 eq 443

    access-list acl_out permit tcp any host 1.2.3.12 eq www

    access-list acl_out permit tcp any host 1.2.3.12 eq 443

    access-list acl_out permit tcp any host 1.2.3.13 eq www

    access-list acl_out permit tcp any host 1.2.3.13 eq 443

    access-list acl_out permit tcp any host 1.2.3.14 eq www

    access-list acl_out permit tcp any host 1.2.3.14 eq 443

    access-list acl_out permit tcp any host 1.2.3.21 eq www

    access-list acl_out permit tcp any host 1.2.3.21 eq 443

    access-list acl_out permit tcp any host 1.2.3.11 eq www

    access-list acl_out permit tcp any host 1.2.3.11 eq 43

    access-list acl_out permit tcp any host 1.2.3.20 eq www

    access-list acl_out permit tcp any host 1.2.3.20 eq 443

    access-list acl_out permit tcp any host 1.2.3.22 eq 1443

    access-list acl_out permit tcp any host 1.2.3.22 eq 2443

    access-list acl_out permit tcp any host 1.2.3.22 eq 3443

    access-list acl_out permit tcp any host 1.2.3.30 eq 1443

    access-list acl_out permit tcp any host 1.2.3.30 eq 2443

    access-list acl_out permit tcp any host 1.2.3.30 eq 3443

    access-list acl_out permit tcp any host 1.2.3.30 eq 4443

    access-list acl_out permit tcp any host 1.2.3.22 eq 1442

    access-list acl_out permit tcp any host 1.2.3.30 eq 5443

    access-list acl_out permit tcp any host 1.2.3.18 eq www

    access-list acl_out permit tcp any host 1.2.3.18 eq 443

    access-list acl_out permit tcp any host 1.2.3.16 eq www

    access-list acl_out permit tcp any host 1.2.3.16 eq 443

    access-list acl_out permit tcp any host 1.2.3.17 eq 443

    access-list acl_out permit tcp any host 1.2.3.17 eq www

    access-list acl_out permit tcp any host 1.2.3.19 eq www

    access-list acl_out permit tcp any host 1.2.3.19 eq 22

    access-list acl_out permit tcp any host 1.2.3.15 eq 22

    access-list acl_out permit tcp any host 1.2.3.15 eq www

    access-list acl_out permit tcp any host 1.2.3.15 eq 443

    access-list acl_out permit tcp any host 1.2.3.20 eq pop3

    access-list acl_out permit tcp any host 1.2.3.20 eq smtp

    access-list acl_out permit tcp any host 1.2.3.76 eq www

    access-list acl_out permit tcp any host 1.2.3.77 eq www

    access-list acl_out permit tcp any host 1.2.3.78 eq www

    access-list acl_out permit tcp any host 1.2.3.76 eq 443

    access-list acl_out permit tcp any host 1.2.3.80 eq ftp

    access-list acl_out permit tcp any host 1.2.3.79 eq www

    access-list acl_out permit tcp any host 1.2.3.80 eq www

    access-list acl_out permit tcp any host 1.2.3.83 eq www

    access-list acl_out permit tcp any host 1.2.3.79 eq 443

    access-list acl_out permit tcp any host 1.2.3.83 eq 443

    access-list acl_out permit tcp any host 1.2.3.80 eq 3389

    access-list acl_out permit tcp any host 1.2.3.52 eq www

    access-list acl_out permit tcp any host 1.2.3.52 eq 443

    access-list acl_out permit tcp any host 1.2.3.97 eq 443

    access-list acl_out permit tcp any host 1.2.3.97 eq www

    access-list acl_out permit tcp any host 1.2.3.85 eq www

    access-list acl_out permit tcp any host 1.2.3.86 eq ftp-data

    access-list acl_out permit tcp any host 1.2.3.86 eq ftp

    access-list acl_out permit tcp any host 1.2.3.86 eq smtp

    access-list acl_out permit tcp any host 1.2.3.86 eq www

    access-list acl_out permit tcp any host 1.2.3.63 eq www

    access-list acl_out permit tcp any host 1.2.3.63 eq 443

    access-list acl_out permit tcp any host 1.2.3.64 eq www

    access-list acl_out permit tcp any host 1.2.3.65 eq www

    access-list acl_out permit tcp any host 1.2.3.65 eq smtp

    access-list acl_out permit tcp any host 1.2.3.65 eq 443

    access-list acl_out permit tcp any host 1.2.3.70 eq 22

    access-list acl_out permit tcp any host 1.2.3.60 eq 443

    access-list acl_out permit tcp any host 1.2.3.61 eq 443

    access-list acl_out permit tcp any host 1.2.3.61 eq www

    access-list acl_out permit tcp any host 1.2.3.62 eq www

    access-list acl_out permit tcp any host 1.2.3.62 eq 443

    access-list acl_out permit tcp any host 1.2.3.67 eq 3389

    access-list acl_out permit tcp any host 1.2.3.101 eq www

    access-list acl_out permit tcp any host 1.2.3.101 eq 443

    access-list acl_out permit tcp any host 1.2.3.101 eq smtp

    access-list acl_out permit tcp any host 1.2.3.102 eq www

    access-list acl_out permit tcp any host 1.2.3.102 eq smtp

    access-list acl_out permit tcp any host 1.2.3.102 eq 443

    access-list acl_out permit tcp any host 1.2.3.100 eq www

    access-list acl_out permit tcp any host 1.2.3.91 eq www

    access-list acl_out permit tcp any host 1.2.3.91 eq 443

    access-list acl_out permit tcp any host 1.2.3.101 eq ftp

    access-list acl_out permit tcp any host 1.2.3.101 eq ftp-data

    access-list acl_out permit tcp any host 1.2.3.88 eq www

    access-list acl_out permit tcp any host 1.2.3.88 eq 443

    access-list acl_out permit tcp any host 1.2.3.93 eq www

    access-list acl_out permit tcp any host 1.2.3.93 eq 443

    access-list acl_out permit tcp any host 1.2.3.94 eq smtp

    access-list acl_out permit tcp any host 1.2.3.95 eq smtp

    access-list acl_out permit tcp any host 1.2.3.96 eq www

    access-list acl_out permit tcp any host 1.2.3.96 eq 443

    access-list acl_out permit tcp any host 1.2.3.89 eq www

    access-list acl_out permit tcp any host 1.2.3.89 eq smtp

    access-list acl_out permit tcp any host 1.2.3.101 eq 3389

    access-list acl_out permit tcp any host 1.2.3.75 eq www

    access-list acl_out permit tcp any host 1.2.3.75 eq 443

    access-list acl_out permit tcp any host 1.2.3.87 eq www

    access-list acl_out permit tcp any host 1.2.3.53 eq www

    access-list acl_out permit tcp any host 1.2.3.53 eq 443

    access-list acl_out permit tcp any host 1.2.3.53 eq 22

    access-list acl_out permit tcp any host 1.2.3.124 eq smtp

    access-list acl_out permit tcp any host 1.2.3.124 eq www

    access-list acl_out permit tcp any host 1.2.3.124 eq 443

    access-list acl_out permit tcp host 1.2.3.180 host 1.2.3.67 eq 1433

    access-list acl_out permit tcp any host 1.2.3.105 eq www

    access-list acl_out permit tcp any host 1.2.3.105 eq 443

    access-list acl_out permit tcp any host 1.2.3.105 eq smtp

    access-list acl_out permit tcp any host 1.2.3.104 eq 3389

    access-list acl_out permit tcp any host 1.2.3.104 eq ftp

    access-list acl_out permit tcp any host 1.2.3.106 eq www

    access-list acl_out permit tcp any host 1.2.3.107 eq www

    access-list acl_out permit tcp any host 1.2.3.108 eq www

    access-list acl_out permit tcp any host 1.2.3.109 eq www

    access-list acl_out permit tcp any host 1.2.3.110 eq www

    access-list acl_out permit tcp any host 1.2.3.110 eq 443

    access-list acl_out permit tcp any host 1.2.3.109 eq 443

    access-list acl_out permit tcp any host 1.2.3.108 eq 443

    access-list acl_out permit tcp any host 1.2.3.107 eq 443

    access-list acl_out permit tcp any host 1.2.3.106 eq 443

    access-list acl_out permit tcp any host 1.2.3.106 eq smtp

    access-list acl_out permit tcp any host 1.2.3.107 eq smtp

    access-list acl_out permit tcp any host 1.2.3.108 eq smtp

    access-list acl_out permit tcp any host 1.2.3.109 eq smtp

    access-list acl_out permit tcp any host 1.2.3.110 eq smtp

    access-list acl_out permit tcp any host 1.2.3.111 eq 443

    access-list acl_out permit tcp any host 1.2.3.111 eq www

    access-list acl_out permit tcp any host 1.2.3.111 eq smtp

    access-list acl_out permit tcp host 1.2.3.180 host 1.2.3.66 eq 9011

    access-list acl_out permit tcp any host 1.2.3.112 eq www

    access-list acl_out permit tcp any host 1.2.3.112 eq 443

    access-list acl_out permit tcp any host 1.2.3.109 eq 636

    access-list acl_out permit udp any host 1.2.3.109 eq 636

    access-list acl_out permit tcp host 1.2.3.180 host 1.2.3.71 eq sqlnet

    access-list acl_out permit tcp any host 1.2.3.82 eq smtp

    access-list acl_out permit tcp any host 1.2.3.82 eq 22

    access-list acl_dmz permit icmp any any

    access-list acl_dmz permit tcp any any eq www

    access-list acl_dmz permit tcp any any eq smtp

    access-list acl_dmz permit tcp any any eq ftp

    access-list acl_dmz permit tcp any any eq 22

    access-list acl_dmz permit tcp any any eq domain

    access-list acl_dmz permit udp any any eq domain

    access-group acl_out in interface outside

    access-group acl_dmz in interface dmz

    no rip outside passive

    no rip outside default

    no rip inside passive

    no rip inside default

    no rip ntapps passive

    no rip ntapps default

    no rip csslb passive

    no rip csslb default

    no rip dmz passive

    no rip dmz default

    no rip intf5 passive

    no rip intf5 default

    route outside 0.0.0.0 0.0.0.0 1.2.3.1 1

    route inside 1.2.3.53 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.11 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.20 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.15 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.17 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.18 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.16 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.22 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.23 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.24 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.25 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.26 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.27 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.51 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.50 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.49 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.48 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.47 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.46 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.45 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.44 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.43 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.42 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.41 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.40 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.39 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.38 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.37 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.36 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.35 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.34 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.33 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.32 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.31 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.30 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.29 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.28 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.21 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.12 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.13 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.14 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.52 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.60 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.118 255.255.255.255 10.15.254.253 1

    route inside 1.2.3.117 255.255.255.255 10.15.254.253 1

    route ntapps 1.2.3.115 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.103 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.114 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.113 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.112 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.111 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.110 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.109 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.108 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.107 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.105 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.104 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.106 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.78 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.77 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.76 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.86 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.85 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.80 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.83 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.100 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.91 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.102 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.101 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.88 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.93 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.96 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.89 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.94 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.95 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.75 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.9 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.87 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.81 255.255.255.255 10.11.1.3 1

    route ntapps 1.2.3.124 255.255.255.255 10.11.1.3 1

    timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00

    timeout rpc 0:10:00 h323 0:05:00

    timeout uauth 0:05:00 absolute

    aaa-server TACACS+ protocol tacacs+

    aaa-server RADIUS protocol radius

    no snmp-server location

    no snmp-server contact

    snmp-server community public

    snmp-server enable traps

    no floodguard enable

    telnet 10.15.254.253 255.255.255.255 inside

    telnet 10.11.1.3 255.255.255.255 ntapps

    telnet timeout 5

    terminal width 80

    Cryptochecksum:7f5b5021173a97c9ac43d77487b781c5



    wstmprod(config)# show ver



    Cisco Secure PIX Firewall Version 5.0(3)

    Compiled on Sun 23-Jan-00 21:59 by pixbuild

    Finesse Bios V3.3



    wstmprod up 227 days 5 hours



    Hardware: SE440BX2, 128 MB RAM, CPU Pentium II 349 MHz

    Flash AT29C040A @ 0x300

    BIOS Flash AM28F256 @ 0xfffd8000



    0: ethernet0: address is 0090.27a4.7d89, irq 11

    1: ethernet1: address is 00e0.b600.6cb7, irq 15

    2: ethernet2: address is 00e0.b600.6cb6, irq 10

    3: ethernet3: address is 00e0.b600.6cb5, irq 9

    4: ethernet4: address is 00e0.b600.6cb4, irq 11

    5: ethernet5: address is 0090.27a4.7d39, irq 10



    Licensed connections: 65536



    Serial Number: 18020429 (0x112f84d)

    Activation Key: 0x4e35350d 0x434515e3 0xd83b1f42 0x3c896b2



    wstmprod(config)# show mem

    134217728 bytes total, 121765888 bytes free



    wstmprod(config)#
     
    The Entitty, Nov 29, 2003
    #1

  2. In article <oZWxb.89768$>,
    The Entitty <> wrote:
    :Hope you can help me out. I have a PIX 515, with an older version of
    :software 5.0
    :My problem is that I can't access my dmz from any higher security zones.
    :also I can't ping from the DMZ. But from outside it's not a problem.
    :I can telnet to my mail server in the DMZ from external, and ping it.

    :I would like to be able to use port 25 from higher level and lower level
    :security zones.

    :ip address outside 1.2.3.2 255.255.255.128
    :ip address inside 10.15.254.252 255.255.0.0
    :ip address dmz 10.5.0.1 255.255.0.0

    :global (outside) 1 1.2.3.5
    :nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    :nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

    :static (inside,dmz) 1.2.3.0 1.2.3.0 netmask 255.255.255.0 0 0

    Perhaps you made an error when you were obscuring the addresses
    for us? If not, then:

    The static you define between inside and dmz is for the 1.2.3/4
    address range, which is the address range you have defined for the
    -outside- interface. So no traffic addressed to 10.15/16 or
    10.5/16 is going to be affected by that static, no matter whether
    that traffic originates in dmz or inside.

    Thus, with the configuration you show, we should ignore that 'static'.
    When we do so, we look at the 'nat (inside)' and see that it covers
    all possible traffic from inside, which is fine in itself. But then
    we look for the matching 'global (dmz)' and don't find it. There is
    therefore no possible address translation for any packets traveling
    between inside and dmz, so the PIX is going to drop the packets.


    What would probably work for you would be:

    static (inside, dmz) 10.15.0.0 10.15.0.0 netmask 255.255.0.0 0 0

    if you must be able to start new connections from the dmz to anywhere
    on the inside. Which is probably not what you want. I would suggest
    instead something akin to

    global (dmz) 1 interface

    and then using individual 'static (inside, dmz)' to punch through
    the inside hosts that have to be contactable from the dmz.
    --
    Usenet is one of those "Good News/Bad News" comedy routines.
     
    Walter Roberson, Nov 29, 2003
    #2
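The translation lookup Walter Roberson walks through, as an added Python model that is not part of the thread or of Cisco's code: it encodes his rule (high-to-low traffic needs a `static` covering the real source or a `global` on the destination interface matching the `nat` id), loads the inside/dmz-relevant entries of the posted config, and applies both fixes he suggests. The `PixConfig`, `outbound_translation` and `inbound_static` names are this example's own, and the model ignores access-lists, which the PIX checks in addition to the translation.

```python
"""Model of how a PIX 5.x selects a translation for a packet crossing from one
interface to another.  Added illustration of Walter Roberson's reasoning, not
code from the thread or from Cisco.  Sample entries are taken from the posted
config; 1.2.3.x is the poster's obscured outside range."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Static:
    high_if: str   # higher-security interface, where the real address lives
    low_if: str    # lower-security interface, where the mapped address is seen
    mapped: str
    real: str
    mask: str


@dataclass(frozen=True)
class Nat:
    interface: str
    nat_id: int
    network: str
    mask: str


@dataclass(frozen=True)
class Global:
    interface: str
    nat_id: int
    pool: str      # 'interface' (PAT to the interface address) or an address


@dataclass(frozen=True)
class PixConfig:
    statics: tuple
    nats: tuple
    globals_: tuple


def _in_net(network: str, mask: str, addr: str) -> bool:
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return ipaddress.ip_address(addr) in net


def outbound_translation(cfg: PixConfig, src_if: str, dst_if: str, src_ip: str):
    """High -> low lookup: ('static', entry), ('global', entry) or None (drop)."""
    for s in cfg.statics:              # statics are consulted before nat/global
        if (s.high_if, s.low_if) == (src_if, dst_if) and _in_net(s.real, s.mask, src_ip):
            return ("static", s)
    for n in cfg.nats:
        if n.interface == src_if and _in_net(n.network, n.mask, src_ip):
            for g in cfg.globals_:     # nat (inside) 1 needs a global (<dst_if>) 1
                if g.interface == dst_if and g.nat_id == n.nat_id:
                    return ("global", g)
    return None                        # no xlate possible: the PIX drops the packet


def inbound_static(cfg: PixConfig, src_if: str, dst_if: str, dst_ip: str) -> Optional[Static]:
    """Low -> high lookup: a connection started on the low interface needs a
    static whose mapped address covers the destination (an ACL permit too)."""
    for s in cfg.statics:
        if (s.low_if, s.high_if) == (src_if, dst_if) and _in_net(s.mapped, s.mask, dst_ip):
            return s
    return None


def posted_config() -> PixConfig:
    """The entries from the posted config that decide inside <-> dmz traffic."""
    return PixConfig(
        statics=(
            Static("dmz", "outside", "1.2.3.82", "10.5.0.10", "255.255.255.255"),
            Static("inside", "outside", "1.2.3.19", "10.15.100.5", "255.255.255.255"),
            # the static the reply says to ignore: it covers the outside range
            # 1.2.3.0/24, which nothing on inside or dmz actually uses
            Static("inside", "dmz", "1.2.3.0", "1.2.3.0", "255.255.255.0"),
        ),
        nats=(Nat("inside", 1, "0.0.0.0", "0.0.0.0"), Nat("dmz", 1, "0.0.0.0", "0.0.0.0")),
        globals_=(Global("outside", 1, "1.2.3.5"),),   # no global (dmz) exists
    )


def with_global_dmz(cfg: PixConfig) -> PixConfig:
    """'global (dmz) 1 interface': inside hosts are PATed to the dmz interface
    address and remain unreachable from the dmz (least exposure)."""
    return replace(cfg, globals_=cfg.globals_ + (Global("dmz", 1, "interface"),))


def with_static_host(cfg: PixConfig, inside_host: str) -> PixConfig:
    """A per-host 'static (inside,dmz)' that punches through exactly one inside
    host, e.g. the relay the DMZ must reach on port 25."""
    s = Static("inside", "dmz", inside_host, inside_host, "255.255.255.255")
    return replace(cfg, statics=cfg.statics + (s,))
```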
