The DMZ and the PIX515e saga

Discussion in 'Cisco' started by Mick, Jul 3, 2004.

  1. Mick

    Mick Guest

    I need my firewall to let traffic for mail (tcp port 25) from the
    OUTSIDE int to the INSIDE int. I also need to allow traffic for SSH
    (tcp port 22) from the OUTSIDE int to the DMZ. Right now only mail
    gets thru to its target server on the INSIDE int. Below is my config.
    What could be wrong?

    here is my config. What could be wrong?

    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password BObnFRYhrLLX7XML encrypted
    passwd a0Zhrf6icaFKoQsr encrypted
    name 192.168.11.35 mx1

    access-list acl_out permit tcp any host 207.97.140.22 eq smtp
    access-list acl_out permit tcp any host 207.97.140.22 eq https
    access-list acl_out permit tcp any host 207.97.140.130 eq ssh
    access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.15.0
    255.255.255.0
    access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.15.0
    255.255.255.0
    access-list 101 permit ip 192.168.22.0 255.255.255.0 192.168.15.0
    255.255.255.0

    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside 207.97.140.3 255.255.255.0
    ip address inside 192.168.11.50 255.255.255.0
    ip address dmz 192.168.100.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 192.168.15.1-192.168.15.254
    arp timeout 14400
    global (outside) 1 207.97.140.200-207.97.140.225
    global (outside) 1 207.97.140.226
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    static (inside,outside) 207.97.140.22 mx1 netmask 255.255.255.255 0 0

    static (dmz,outside) 209.97.140.130 192.168.100.41 netmask
    255.255.255.255 0 0
    static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    access-group acl_out in interface outside
    route outside 0.0.0.0 0.0.0.0 207.97.140.1 1
    route inside 192.168.0.0 255.255.255.0 192.168.11.1 1
    route inside 192.168.22.0 255.255.255.0 192.168.11.1 1
     
    Mick, Jul 3, 2004
    #1

  2. Rik Bain

    Rik Bain Guest

    On Sat, 03 Jul 2004 10:11:32 -0500, Mick wrote:

    > I need my firewall to let traffic for mail (tcp port 25) from the
    > OUTSIDE int to the INSIDE int. I also need to allow traffic for SSH (tcp
    > port 22) from the OUTSIDE int to the DMZ. Right now only mail gets thru
    > to its target server on the INSIDE int. below is my config. what could
    > be wrong?
    >
    > here is my config. What could be wrong?
    >
    > PIX Version 6.3(1)
    > interface ethernet0 auto
    > interface ethernet1 auto
    > interface ethernet2 auto
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > nameif ethernet2 dmz security50
    > enable password BObnFRYhrLLX7XML encrypted passwd a0Zhrf6icaFKoQsr
    > encrypted
    > name 192.168.11.35 mx1
    >
    > access-list acl_out permit tcp any host 207.97.140.22 eq smtp
    > access-list acl_out permit tcp any host 207.97.140.22 eq https
    > access-list acl_out permit tcp any host 207.97.140.130 eq ssh
    > access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.15.0
    > 255.255.255.0
    > access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.15.0
    > 255.255.255.0
    > access-list 101 permit ip 192.168.22.0 255.255.255.0 192.168.15.0
    > 255.255.255.0
    >
    > mtu outside 1500
    > mtu inside 1500
    > mtu dmz 1500
    > ip address outside 207.97.140.3 255.255.255.0 ip address inside
    > 192.168.11.50 255.255.255.0 ip address dmz 192.168.100.1 255.255.255.0
    > ip audit info action alarm
    > ip audit attack action alarm
    > ip local pool ippool 192.168.15.1-192.168.15.254 arp timeout 14400
    > global (outside) 1 207.97.140.200-207.97.140.225 global (outside) 1
    > 207.97.140.226
    > nat (inside) 0 access-list 101
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    >
    > static (inside,outside) 207.97.140.22 mx1 netmask 255.255.255.255 0 0
    >
    > static (dmz,outside) 209.97.140.130 192.168.100.41 netmask
    > 255.255.255.255 0 0
    > static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    > access-group acl_out in interface outside route outside 0.0.0.0 0.0.0.0
    > 207.97.140.1 1 route inside 192.168.0.0 255.255.255.0 192.168.11.1 1
    > route inside 192.168.22.0 255.255.255.0 192.168.11.1 1

    >> static (dmz,outside) 209.97.140.130 192.168.100.41 netmask 255.255.255.255

    Should that read "209.97...." or "207.97...."?


    Rik
     
    Rik Bain, Jul 3, 2004
    #2
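A check a defender can run over a config like the one posted above, written here as an added example (not code from the thread, from Mick, or from Cisco): it parses the name, access-list, static and access-group lines of a PIX 6.x config, reports every host that an inbound ACL permits but that no static on the ACL's interface maps, and then flags host statics on that interface whose global address is a single keystroke away from the unmapped host, which is exactly how the 209 vs 207 mismatch Rik points at shows up. The sample config is constructed from the lines posted in the thread; the function names (parse_statics, unmatched_targets, near_misses and the rest) are my own, and the parser deliberately handles only the "permit <proto> <src> host <dst> eq <port>" ACL form and the static forms that appear here.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the relevant lines of the config posted in the thread,
# including the static whose global address is typed as 209.97.140.130.
SAMPLE_CONFIG = """\
name 192.168.11.35 mx1
access-list acl_out permit tcp any host 207.97.140.22 eq smtp
access-list acl_out permit tcp any host 207.97.140.22 eq https
access-list acl_out permit tcp any host 207.97.140.130 eq ssh
static (inside,outside) 207.97.140.22 mx1 netmask 255.255.255.255 0 0
static (dmz,outside) 209.97.140.130 192.168.100.41 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
access-group acl_out in interface outside
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)$")
# access-list <name> permit <proto> <src> host <dst> eq <port>, src being
# "any", "host x" or "net mask"; only this host-targeted form is handled.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(\w+)\s+"
                    r"(?:any|host\s+\S+|\S+\s+\S+)\s+host\s+(\S+)\s+eq\s+(\S+)$")
# static (<real_if>,<mapped_if>) <global> <local> netmask <mask> ...
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")

def parse_names(config: str) -> Dict[str, str]:
    """'name <ip> <label>' lines, as label -> ip, so statics may use labels."""
    names: Dict[str, str] = {}
    for line in config.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names

def parse_statics(config: str) -> List[Tuple[str, ipaddress.IPv4Network, str]]:
    """Each static as (mapped_if, global side as a network, local address);
    a host static becomes a /32, a network static keeps its mask."""
    names, out = parse_names(config), []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            _real_if, mapped_if, glob, local, mask = m.groups()
            net = ipaddress.IPv4Network(f"{names.get(glob, glob)}/{mask}", strict=False)
            out.append((mapped_if, net, names.get(local, local)))
    return out

def parse_acl_targets(config: str, acl_name: str) -> List[Tuple[str, str]]:
    """(destination host, port) for each host-targeted permit line of the ACL."""
    names, out = parse_names(config), []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            out.append((names.get(m.group(3), m.group(3)), m.group(4)))
    return out

def acl_interface(config: str, acl_name: str) -> Optional[str]:
    """Interface the ACL is applied inbound on (from access-group), or None."""
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            return m.group(2)
    return None

def unmatched_targets(config: str, acl_name: str) -> List[Tuple[str, str]]:
    """(host, port) pairs the ACL permits that no static on its interface covers,
    i.e. permitted traffic with no translation to deliver it to."""
    iface = acl_interface(config, acl_name)
    nets = [net for mapped_if, net, _ in parse_statics(config) if mapped_if == iface]
    return [(host, port) for host, port in parse_acl_targets(config, acl_name)
            if not any(ipaddress.IPv4Address(host) in net for net in nets)]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, written out to keep the example dependency-free."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def near_misses(config: str, acl_name: str) -> List[Tuple[str, str]]:
    """For each unmatched ACL host, host statics on the same interface whose
    global address is one keystroke away: the usual signature of a typo."""
    iface = acl_interface(config, acl_name)
    hits = []
    for host in sorted({h for h, _ in unmatched_targets(config, acl_name)}):
        for mapped_if, net, _ in parse_statics(config):
            cand = str(net.network_address)
            if mapped_if == iface and net.prefixlen == 32 and edit_distance(host, cand) <= 1:
                hits.append((host, cand))
    return hits

if __name__ == "__main__":
    for host, port in unmatched_targets(SAMPLE_CONFIG, "acl_out"):
        print(f"acl_out permits {host} {port} but no static on outside maps it")
    for host, cand in near_misses(SAMPLE_CONFIG, "acl_out"):
        print(f"  nearest static global address: {cand} (check for a typo)")
```

Run against the sample, the script reports 207.97.140.130 ssh as permitted but unmapped and names 209.97.140.130 as the one-character-away static; correcting that octet makes the report empty. The check is worth keeping in a pre-change review of any PIX config, since the firewall itself accepts an ACL entry and a static that disagree without complaint.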
