PIX Firewall... Crossing over from INSIDE to DMZ

Discussion in 'Cisco' started by John Doe, Sep 7, 2004.

  1. John Doe

    John Doe Guest

    Hi,
    I have the below setup pix and can go from DMZ--> INSIDE just fine...
    but going from INSIDE --> DMZ is an issue. I can ping but am not able
    to access anything. If I try to, the pix log shows connections going
    from the dmz-->inside but I never see anything going the other way
    (perhaps this is normal)...

    What do I need to do to allow people on INSIDE to access machines on DMZ?

    Here is the config:

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security10
    enable password [removed] encrypted
    passwd [removed] encrypted
    hostname Hydrogen
    domain-name [removed]
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    names
    <names removed from here for security purposes>

    access-list acl_dmz permit icmp any any
    access-list acl_dmz permit ip any any
    access-list acl_in permit icmp any any
    access-list acl_in permit ip any any
    access-list acl_out permit udp any host radius1 eq radius-acct
    access-list acl_out permit udp any host pollux eq domain
    access-list acl_out permit udp any host radius1 eq radius
    access-list acl_out permit tcp any host pollux eq domain
    access-list acl_out permit udp any host radius2 eq radius-acct
    access-list acl_out permit udp any host castor eq domain
    access-list acl_out permit udp any host radius2 eq radius
    access-list acl_out permit tcp any host castor eq domain
    access-list acl_out permit tcp any host demeter eq www
    access-list acl_out permit tcp any host demeter eq https
    access-list acl_out permit tcp any host icarus eq smtp
    access-list acl_out permit tcp any host icarus eq pop3
    access-list acl_out permit tcp any host icarus eq 8383
    access-list acl_out permit tcp any host icarus eq imap4
    access-list acl_out permit tcp any host oxygen eq www
    access-list acl_out permit tcp any host oxygen eq ftp
    access-list acl_out permit ip host kiessling-work any
    access-list acl_out permit ip host kiessling-ws any
    access-list acl_out permit ip host andrewsauers-ws any
    access-list acl_out permit ip host nexxtmedia host atlas
    access-list acl_out permit ip host nexxtmedia host nike
    access-list acl_out permit udp any host nike eq tftp
    access-list acl_out deny ip host pwas host nike
    access-list acl_out deny ip host pwas host zeus
    access-list acl_out permit udp host monitor2 any
    access-list acl_out permit ip host monitor2 host nike
    access-list acl_out permit icmp host monitor2 any
    access-list acl_out deny ip any any
    access-list acl_out deny icmp any any
    pager lines 24
    logging on
    logging timestamp
    logging buffered debugging
    logging trap warnings
    logging facility 22
    logging host outside [removed]
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside 63.174.xxx.xx 255.255.255.0
    ip address inside 172.16.1.1 255.255.255.0
    ip address dmz 10.200.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside 0.0.0.0
    failover ip address inside 0.0.0.0
    failover ip address dmz 0.0.0.0
    pdm history enable
    arp timeout 14400
    global (outside) 1 63.174.xxx.yy netmask 255.255.255.0
    global (dmz) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
    alias (inside) oxygen 10.200.1.96 255.255.255.255
    alias (inside) pollux 10.200.1.25 255.255.255.255
    alias (inside) radius1 10.200.1.26 255.255.255.255
    alias (inside) radius2 10.200.1.27 255.255.255.255
    alias (inside) nike 10.200.1.128 255.255.255.255
    alias (inside) atlas 10.200.1.130 255.255.255.255
    alias (inside) zeus 10.200.1.129 255.255.255.255
    alias (inside) demeter 10.200.1.8 255.255.255.255
    alias (inside) icarus 10.200.1.6 255.255.255.255
    alias (inside) castor 10.200.1.2 255.255.255.255
    static (dmz,outside) oxygen 10.200.1.96 netmask 255.255.255.255 0 0
    static (dmz,outside) pollux 10.200.1.25 netmask 255.255.255.255 0 0
    static (dmz,outside) radius1 10.200.1.26 netmask 255.255.255.255 0 0
    static (dmz,outside) castor 10.200.1.2 netmask 255.255.255.255 0 0
    static (dmz,outside) radius2 10.200.1.27 netmask 255.255.255.255 0 0
    static (dmz,outside) nike 10.200.1.128 netmask 255.255.255.255 0 0
    static (dmz,outside) atlas 10.200.1.130 netmask 255.255.255.255 0 0
    static (dmz,outside) zeus 10.200.1.129 netmask 255.255.255.255 0 0
    static (dmz,outside) andrewsauers 10.200.1.5 netmask 255.255.255.255 0 0
    static (dmz,outside) demeter 10.200.1.8 netmask 255.255.255.255 0 0
    static (dmz,outside) icarus 10.200.1.6 netmask 255.255.255.255 0 0
    static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
    access-group acl_out in interface outside
    access-group acl_in in interface inside
    access-group acl_dmz in interface dmz
    route outside 0.0.0.0 0.0.0.0 63.174.xxx.zz 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication telnet console LOCAL
    snmp-server host dmz 10.200.1.128
    snmp-server host dmz 10.200.1.40
    snmp-server location Williamsport-Server-Room
    snmp-server contact Matt Kiessling
    snmp-server community public
    snmp-server enable traps
    tftp-server outside 63.174.xxx.qqq hydrogen
    floodguard enable
    no sysopt route dnat
    telnet 10.200.1.13 255.255.255.255 dmz
    telnet 10.200.1.130 255.255.255.255 dmz
    telnet 10.200.1.128 255.255.255.255 dmz
    telnet timeout 30
    ssh 63.174.xxx.vvv 255.255.255.255 outside
    ssh nemesis 255.255.255.255 outside
    ssh timeout 30
    John Doe, Sep 7, 2004
    #1

  2. Brett

    Brett Guest

    You need to NAT from the DMZ to the Inside.

    Brett, Sep 8, 2004
    #2

  3. John Doe

    John Doe Guest

    Brett,
    Yes, I figured that out, but how do I do that? And if I'm NATting, is
    the domain controller still going to work correctly as it is going
    through the NAT (or is there some way to do a 1-to-1 translation to
    allow all ports, etc. to be opened)? Also I currently have:

    global (outside) 1 63.174.xxx.xx netmask 255.255.255.0
    static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

    If I try to add a global for the (dmz) and then add another nat it
    doesn't work... what am I doing wrong?

    Brett wrote:
    > You need to NAT from the DMZ to the Inside.
    >
    John Doe, Sep 8, 2004
    #3
  4. keshav

    keshav

    Try changing the NATting:

    nat (inside) 2 0.0.0.0 0.0.0.0 0 0
    global (DMZ) 2 interface

    or a static NATting:

    static (DMZ,inside) 10.200.1.0 10.200.1.0 netmask 255.255.255.0 0 0
    keshav, Jun 25, 2006
    #4
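As an added illustration (not code from the thread or from Cisco): a small Python model of how PIX 6.x selects the source translation for a connection from a higher-security interface to a lower one, which is the INSIDE --> DMZ direction asked about above. It is run against the translation lines as posted, against keshav's nat/global suggestion, and against a constructed case where the nat has no matching global on the dmz, and it covers only this direction with simplified rules (names from the `names` table are not resolved; `203.0.113.10` is a placeholder).

```python
# Added example, not code from the thread: a simplified model of how PIX 6.x
# picks the SOURCE translation for a connection from a higher-security
# interface to a lower one (inside -> dmz). Rules modelled: a matching static
# wins; otherwise nat/global with the same id, and the global must sit on the
# destination interface; "global ... interface" is PAT to that interface's
# address; nat id 0 means no translation. Entries from "names" are not resolved.
import ipaddress


def parse_pix(config_text):
    """Keep only the lines that decide translation selection."""
    cfg = {"ip": {}, "static": [], "nat": [], "global": []}
    for line in config_text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:            # ip address <if> <addr> <mask>
            cfg["ip"][t[2].lower()] = t[3]
        elif t[0] == "static":                     # static (real,mapped) mapped_ip real_ip netmask mask
            real_if, mapped_if = t[1].strip("()").lower().split(",")
            cfg["static"].append((real_if, mapped_if, t[2], t[3], t[5]))
        elif t[0] == "nat":                        # nat (if) id local_ip mask ...
            cfg["nat"].append((t[1].strip("()").lower(), int(t[2]), t[3], t[4]))
        elif t[0] == "global":                     # global (if) id pool|interface
            cfg["global"].append((t[1].strip("()").lower(), int(t[2]), t[3]))
    return cfg


def translate_source(cfg, src_if, dst_if, src_ip):
    """Source address as seen on dst_if, or None when no translation exists
    (on PIX 6.x that connection is dropped with 'No translation group found')."""
    ip = ipaddress.ip_address(src_ip)
    for real_if, mapped_if, mapped, real, mask in cfg["static"]:
        if (real_if, mapped_if) != (src_if, dst_if):
            continue
        net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
        if ip in net:  # one-to-one: keep the host part, swap in the mapped prefix
            offset = int(ip) - int(net.network_address)
            return str(ipaddress.ip_address(int(ipaddress.ip_address(mapped)) + offset))
    for nat_if, nat_id, local, mask in cfg["nat"]:
        if nat_if != src_if or ip not in ipaddress.ip_network(f"{local}/{mask}", strict=False):
            continue
        if nat_id == 0:
            return src_ip  # nat 0: identity, needs no global
        for g_if, g_id, pool in cfg["global"]:
            if g_if == dst_if and g_id == nat_id:
                return cfg["ip"][dst_if] if pool == "interface" else pool
    return None


# Constructed configs, reduced to the translation lines; 203.0.113.10 is a placeholder.
BASE = "ip address inside 172.16.1.1 255.255.255.0\nip address dmz 10.200.1.1 255.255.255.0\n"
POSTED = BASE + """global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0"""   # as posted
PAT_ONLY = BASE + "nat (inside) 2 0.0.0.0 0.0.0.0 0 0\nglobal (DMZ) 2 interface"   # keshav's first option
NO_GLOBAL = BASE + "nat (inside) 1 0.0.0.0 0.0.0.0 0 0\nglobal (outside) 1 203.0.113.10 netmask 255.255.255.0"

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("pat_only", PAT_ONLY), ("no_global", NO_GLOBAL)):
        print(name, translate_source(parse_pix(text), "inside", "dmz", "172.16.1.50"))
```

With the posted `static (inside,dmz) 172.16.1.0 172.16.1.0` the inside source stays 172.16.1.50 (the 1-to-1 case John asks about), keshav's nat/global pair PATs it to the dmz interface address 10.200.1.1, and a nat with no global on the dmz yields no translation at all.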