ansour
asked on
DMZ cannot Browse internet or Ping Inside !!!
Hi, I have A pix 515UR with Version 6.20 and working on a simple setup.
Router
to
Pix to DMZ
to
Inside
Inside Netowrk can Ping the DMZ on ip 192.168.4.2
Inside Network can Browse Internet.
DMZ cannot Ping Inside Servers/Network
DMZ cannot browse Internet UNTILL allow TCP any, and UDP domain Protocol. !!!
How do I enable Ping from DMZ to Inside Full Network.
Is it as such normal to allow tcp ports for allowing browsing of DMZ or something amiss. PLEASE ADVISE.
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname KA-PIX
domain-name ka-cec.ae
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.4.2 KAWAN
access-list outside_access_dmz permit icmp any any
access-list outside_access_dmz permit tcp host KAWAN any
access-list outside_access_dmz permit udp host KAWAN any eq domain
access-list outside_access_dmz deny ip any any
access-list outside_access_in permit tcp any host X.Y.Z.54 eq smtp
access-list outside_access_in permit tcp any host X.Y.Z.54 eq www
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host X.Y.Z.54 eq ftp
access-list outside_access_in permit tcp any host X.Y.Z.54 eq domain
access-list outside_access_in deny ip any any
pager lines 24
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside X.Y.Z.50 255.255.255.240
ip address inside 192.168.3.14 255.255.255.0
ip address intf2 192.168.4.1 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm location 192.168.3.17 255.255.255.255 inside
pdm location 192.168.3.123 255.255.255.255 inside
pdm location KAWAN 255.255.255.255 intf2
pdm history enable
arp timeout 14400
global (outside) 1 X.Y.Z.51-X.Y.Z.53 netmask 255.255.255.240
global (intf2) 1 192.168.4.20-192.168.4.200
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (intf2) 1 192.168.4.0 255.255.255.0 0 0
static (intf2,outside) X.Y.Z.54 KAWAN netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group outside_access_dmz in interface intf2
route outside 0.0.0.0 0.0.0.0 X.Y.Z.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.123 255.255.255.255 inside
http 192.168.3.17 255.255.255.255 inside
http KAWAN 255.255.255.255 intf2
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
Router
to
Pix to DMZ
to
Inside
Inside Netowrk can Ping the DMZ on ip 192.168.4.2
Inside Network can Browse Internet.
DMZ cannot Ping Inside Servers/Network
DMZ cannot browse Internet UNTILL allow TCP any, and UDP domain Protocol. !!!
How do I enable Ping from DMZ to Inside Full Network.
Is it as such normal to allow tcp ports for allowing browsing of DMZ or something amiss. PLEASE ADVISE.
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname KA-PIX
domain-name ka-cec.ae
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.4.2 KAWAN
access-list outside_access_dmz permit icmp any any
access-list outside_access_dmz permit tcp host KAWAN any
access-list outside_access_dmz permit udp host KAWAN any eq domain
access-list outside_access_dmz deny ip any any
access-list outside_access_in permit tcp any host X.Y.Z.54 eq smtp
access-list outside_access_in permit tcp any host X.Y.Z.54 eq www
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host X.Y.Z.54 eq ftp
access-list outside_access_in permit tcp any host X.Y.Z.54 eq domain
access-list outside_access_in deny ip any any
pager lines 24
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside X.Y.Z.50 255.255.255.240
ip address inside 192.168.3.14 255.255.255.0
ip address intf2 192.168.4.1 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm location 192.168.3.17 255.255.255.255 inside
pdm location 192.168.3.123 255.255.255.255 inside
pdm location KAWAN 255.255.255.255 intf2
pdm history enable
arp timeout 14400
global (outside) 1 X.Y.Z.51-X.Y.Z.53 netmask 255.255.255.240
global (intf2) 1 192.168.4.20-192.168.4.200
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (intf2) 1 192.168.4.0 255.255.255.0 0 0
static (intf2,outside) X.Y.Z.54 KAWAN netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group outside_access_dmz in interface intf2
route outside 0.0.0.0 0.0.0.0 X.Y.Z.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.123 255.255.255.255 inside
http 192.168.3.17 255.255.255.255 inside
http KAWAN 255.255.255.255 intf2
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Guys,
A study revealed once you apply an access-list to a dmz interface the implicit
outbound rule is void so in order for inside clients to go out the following two lines
are require as a minimum.
access-list outside_access_dmz permit tcp host KAWAN any eq 80
access-list outside_access_dmz permit udp host KAWAN any eq domain
* Though in mycase it does not work untill I enable " tcp host KAWAN any any"
But If you remove the access-group statement from the DMZ the implicit outbound
rule will be in effect again from dmz to outside ( where in I get internet access without any problem :D ) but you will not be able to access the internal network.
Well thats for now , any way thank you for all your Inputs.
Let me accept the above answer of chicagoan.
Cheers.
Tauseef
A study revealed once you apply an access-list to a dmz interface the implicit
outbound rule is void so in order for inside clients to go out the following two lines
are require as a minimum.
access-list outside_access_dmz permit tcp host KAWAN any eq 80
access-list outside_access_dmz permit udp host KAWAN any eq domain
* Though in mycase it does not work untill I enable " tcp host KAWAN any any"
But If you remove the access-group statement from the DMZ the implicit outbound
rule will be in effect again from dmz to outside ( where in I get internet access without any problem :D ) but you will not be able to access the internal network.
Well thats for now , any way thank you for all your Inputs.
Let me accept the above answer of chicagoan.
Cheers.
Tauseef
(for the ping - obviously I don't know the syntax for the rule)
allow icmp to lan from dmz
It would be better if you could just specify an IP range to and from, or a range of ports.
** Note, you cannot PING a private network from an outside subnet without using NAT/PAT. If the network you are pinging from is 192.168.1.0-255, you can't ping 192.168.0.1-255, unless you use nat or port forwarding. For NAT, if you had a public interface with 222.222.222.222, and you wanted to hit an internal web server at 192.168.1.23, then you could tell the firewall/router to forward packets on port 80 to 192.168.1.23.
For the OUTBOUND TCP/UDP from the DMZ, it is usually OK to allow outbound traffic. It's best not to do this, because if your network was compromised, a system could be used in DDoS or other zombie-based attacks.
This might not be the exact info you were looking for- but maybe it will help.
regards,