PIX DMZ issues

Discussion in 'Cisco' started by Andrew E, Dec 4, 2004.

  1. Andrew E

    Andrew E Guest

    I'm trying to set up a PIX with 3 network interfaces: Inside, Outside,
    and DMZ. Outside is the internet, inside is my internal network, and
    in the DMZ sits a web server. I can:

    1. Access the webserver (172.16.1.11) in the DMZ from the internal
    network (192.168.1.0/16).
    2. Access the webserver (172.16.1.11) in the DMZ from the internet.
    3. Access the internet from the internal network (192.168.1.0/16).

    I can't:

    1. Access services on a host in the internal network (192.168.1.249)
    from the webserver in the DMZ (172.16.1.11). I need to be able to do
    this to allow the webserver in the DMZ to access a SQL server in the
    internal network. I have posted my config below with only the first
    three octets of the public IPs changed.

    I'm currently testing by accessing a webserver in the internal network
    from the server in the DMZ. After I get it working, I will switch it
    to SQL.

    Thanks for the help,

    Drew

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password <removed> encrypted
    passwd <REMOVED> encrypted
    hostname PIX01
    domain-name domain.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    no names
    access-list web_access permit tcp any host 100.200.200.244 eq www
    access-list from-dmz-coming-in permit icmp any any
    access-list from-dmz-coming-in permit tcp any host 192.168.1.249 eq www
    pager lines 24
    logging on
    logging timestamp
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside 100.200.200.242 255.255.255.240
    ip address inside 192.168.1.250 255.255.0.0
    ip address dmz 172.16.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address dmz
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.0.0 255.255.0.0 0 0
    static (dmz,outside) 100.200.200.244 172.16.1.11 netmask 255.255.255.255 0 0
    static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
    access-group web_access in interface outside
    access-group from-dmz-coming-in in interface dmz
    route outside 0.0.0.0 0.0.0.0 100.200.200.241 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Andrew E, Dec 4, 2004
    #1

  2. In article <>,
    Andrew E <> wrote:
    :I'm trying to set up a PIX with 3 network interfaces: Inside, Outside,
    :and DMZ.

    :I can't:

    :1. Access services on a host in the internal network (192.168.1.249)
    :from the webserver in the DMZ (172.16.1.11).

    :PIX Version 6.3(3)

    :ip address inside 192.168.1.250 255.255.0.0
    :ip address dmz 172.16.1.1 255.255.255.0

    :global (outside) 1 interface
    :nat (inside) 1 192.168.0.0 255.255.0.0 0 0
    :static (dmz,outside) 100.200.200.244 172.16.1.11 netmask 255.255.255.255 0 0
    :static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0

    :route outside 0.0.0.0 0.0.0.0 100.200.200.241 1

    The Cisco Output interpreter is complaining about the second
    static in combination with there being no 'route' statement telling
    the dmz how to get to 192.168/16.

    I don't immediately see a problem there myself, but I would suggest
    that you replace the static (inside,dmz) with

    access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
    nat (inside) 0 access-list nonat

    and see if that helps.
    --
    Scintillate, scintillate, globule vivific
    Fain would I fathom thy nature specific.
    Loftily poised on ether capacious
    Strongly resembling a gem carbonaceous. -- Anon
    Walter Roberson, Dec 4, 2004
    #2

  3. Tosh

    Tosh Guest

    > I can't:
    >
    > 1. Access services on a host in the internal network (192.168.1.249)
    > from the webserver in the DMZ (172.16.1.11). I need to be able to do
    > this to allow the webserver in the DMZ to access a SQL server in the
    > internal network.....
    >

    As far as I know, you should at least be able to ping the host on the internal LAN from
    the DMZ; for SQL access you forgot to add the proper access-list statement, I
    see only one for ping and one for www.
    Does the internal host ping the server on the DMZ?
    Also, you can run "sh local-host" in order to see if you have
    licensing problems.
    Bye,
    Tosh.
    Tosh, Dec 4, 2004
    #3
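
Putting Walter's translation suggestion (#2) and Tosh's point about the missing SQL access-list entry (#3) together, the following is a configuration fragment added for this edit; it is not from the original posts and not Cisco's documentation. It keeps the interface and access-list names from Drew's config, assumes the SQL server listens on tcp/1433 (Microsoft SQL Server; the thread does not say which product, and the `fixup protocol sqlnet 1521` already in the config would apply to Oracle instead), and assumes the inside host's default gateway is the PIX inside address 192.168.1.250. Note that in PIX 6.3 an access-list entry needs a protocol keyword, so the `nonat` line is written with `ip`.

```cisco
! --- 1. Translation: a dmz -> inside packet is only evaluated against the ---
! --- dmz ACL if a translation exists for the inside destination.          ---
! Keep exactly ONE of the two forms. Both present inside hosts to the dmz under
! their real addresses. The nat 0 access-list form is bidirectional and is
! evaluated before nat (inside) 1, so internet-bound traffic is still PATed.
!
! Form A: identity static (already in the posted config)
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
!
! Form B: NAT exemption (Walter's suggestion). Remove the static above first,
! then uncomment these two lines.
! access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
! nat (inside) 0 access-list nonat

! --- 2. Inbound ACL on dmz (security50 -> security100 is denied by default) ---
! Narrow the source to the web server and add the SQL port; "any" is wider than
! a one-host DMZ needs. tcp/1433 is an assumption (Microsoft SQL Server).
no access-list from-dmz-coming-in permit tcp any host 192.168.1.249 eq www
no access-list from-dmz-coming-in permit icmp any any
access-list from-dmz-coming-in permit tcp host 172.16.1.11 host 192.168.1.249 eq www
access-list from-dmz-coming-in permit tcp host 172.16.1.11 host 192.168.1.249 eq 1433
! PIX 6.3 does not track ICMP statefully: echo-reply coming back INTO the dmz
! (inside host pinging the web server) must be permitted here explicitly, and
! so must echo for pinging inside hosts FROM the web server.
access-list from-dmz-coming-in permit icmp host 172.16.1.11 192.168.0.0 255.255.0.0 echo
access-list from-dmz-coming-in permit icmp any any echo-reply
access-group from-dmz-coming-in in interface dmz

! --- 3. Apply and verify ---
! Existing translations are cached; clear them after changing static/nat lines.
clear xlate
! hitcnt on an ACE increments only if the packet got as far as the ACL,
! i.e. a translation for the destination existed.
show access-list
! After a connection attempt from 172.16.1.11 expect an xlate for 192.168.1.249
! and a conn entry dmz 172.16.1.11 -> inside 192.168.1.249/80 (or /1433).
show xlate
show conn
! Drops are logged with their reason: 305005 "No translation group found"
! means step 1 is wrong, 106023 "Deny ... by access-group" means step 2 is.
logging buffered debugging
show logging
write memory
```

If `show conn` shows the connection but the web server gets no reply, the PIX is passing the packets and the problem is on the inside host: its default gateway must be 192.168.1.250 (otherwise the SYN arrives but the reply goes elsewhere) and its own host firewall must accept connections from 172.16.1.11. Unrelated to the reachability problem but worth fixing while in this config: `snmp-server community public` is the default read community and should be replaced with a non-default string or removed.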
  4. Andrew E

    Andrew E Guest

    I'll try and implement your suggestions on monday as I don't have
    access to the client's network until then. Thanks for your help.

    Drew

    Walter Roberson wrote in message news:<cor6ms$p8a$>...
    > In article <>,
    > Andrew E <> wrote:
    > :I'm trying to set up a PIX with 3 network interfaces: Inside, Outside,
    > :and DMZ.
    >
    > :I can't:
    >
    > :1. Access services on a host in the internal network (192.168.1.249)
    > :from the webserver in the DMZ (172.16.1.11).
    >
    > :PIX Version 6.3(3)
    >
    > :ip address inside 192.168.1.250 255.255.0.0
    > :ip address dmz 172.16.1.1 255.255.255.0
    >
    > :global (outside) 1 interface
    > :nat (inside) 1 192.168.0.0 255.255.0.0 0 0
    > :static (dmz,outside) 100.200.200.244 172.16.1.11 netmask 255.255.255.255 0 0
    > :static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
    >
    > :route outside 0.0.0.0 0.0.0.0 100.200.200.241 1
    >
    > The Cisco Output interpreter is complaining about the second
    > static in combination with there being no 'route' statement telling
    > the dmz how to get to 192.168/16.
    >
    > I don't immediately see a problem there myself, but I would suggest
    > that you replace the static (inside,dmz) with
    >
    > access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
    > nat (inside) 0 access-list nonat
    >
    > and see if that helps.
    Andrew E, Dec 4, 2004
    #4