Solved

PIX 515 w/DMZ and NAT Config HELP!

Posted on 2004-10-21
Last Modified: 2010-08-05
I'm new to the firewall world and I'm trying to configure our new PIX.  The layout looks as follows:

internet ------ router (e0) 66.203.12.138/29 ------ PIX (outside) 66.203.12.139/29
                                                        |                       |
                                           (inside) 10.100.0.100       (dmz) 66.203.12.209/29
                                                        |                       |
                                                [private network]          [web server]
                                                   10.100.0.0             66.203.12.210/29
 
The web server will need to communicate with the private network as well as with the internet.
I have a pool of addresses for NAT'ing the private addresses:  66.203.12.211 - 214 and 66.203.12.140 - 142
I'd prefer to perform static NAT because I'm running H.323 (video conferencing).

With my initial attempt at this, I'm ABLE to ping from the PIX through all interfaces.  I'm unable to ping the web server from the internet, and unable to ping from the web server out to a public address on the internet.  I fear I'm blocking ICMP in both directions.   I'm also unable to ping the web server from my private network.  Since this is a web server, HTTP fails as well.

Can someone please help guide me in the right direction by providing a config?  
Question by:echunn

    Expert Comment

    by:lrmoore
    Compare this config to yours. I use a private IP space in the DMZ...

    ip address outside 66.203.12.139 255.255.255.240
    ip address inside 10.100.0.100 255.255.255.0
    ip address dmz 192.168.100.1 255.255.255.0

    access-list outside_in permit tcp any host 66.203.12.210 eq 80
    access-list outside_in permit tcp any host 66.203.12.210 eq 443  <== if you need it
    access-list outside_in permit icmp any any echo-reply
    access-list outside_in permit icmp any any unreachable
    access-list outside_in permit icmp any any time-exceeded
    <== you will not be able to ping the web server without this, but it is optional:
    access-list outside_in permit icmp any host 66.203.12.210 echo

    global (outside) 5 interface
    nat (inside) 5 10.100.0.0 255.255.255.0  <== change to appropriate mask
    nat (dmz) 5 192.168.100.0 255.255.255.0

    <== next line will create a static rule that bypasses NAT between the inside and DMZ:
    static (inside,dmz) 10.100.0.0 10.100.0.0 netmask 255.255.255.0  <== again, appropriate mask

    <== static for DMZ Web server
    static (dmz,outside) 66.203.12.210 192.168.100.210 netmask 255.255.255.255

    access-group outside_in in interface outside

    route outside 0.0.0.0 0.0.0.0 66.203.12.138

    <== you won't be able to ping the web server in the dmz until you create an acl specifically permitting it.
            I suggest you start out without this. Even though you can't ping it, you should be able to access the web page
    access-list dmz_out permit icmp host 192.168.100.210 10.100.0.0 255.255.255.0
    access-group dmz_out in interface dmz


    Author Comment

    by:echunn
    After your suggestions I'm still unable to get to my web server.  I'm also unable to get out to the internet.  From the internet I'm also unable to get to the server.  I'd like to share with you a detailed layout of the network; please email me at echunn@sbcglobal.net.

    Here's my current config:

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security4
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol icmp error
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside_in permit tcp any host 66.234.131.210 eq www
    access-list outside_in permit icmp any any echo-reply
    access-list outside_in permit icmp any any unreachable
    access-list outside_in permit icmp any any time-exceeded
    access-list outside_in permit icmp any host 66.234.131.210 echo
    access-list dmz_out permit icmp host 10.100.10.102 10.100.0.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside 66.203.12.139 255.255.255.248
    ip address inside 10.100.0.100 255.255.255.0
    ip address DMZ 66.234.131.209 255.255.255.248
    ip audit info action alarm
    ip audit attack action alarm
    arp timeout 14400
    global (outside) 5 interface
    nat (inside) 5 10.100.0.0 255.255.0.0 0 0
    nat (DMZ) 5 66.234.131.0 255.255.255.0 0 0
    static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.0.0 0 0
    static (DMZ,outside) 66.234.131.210 10.100.10.102 netmask 255.255.255.255 0 0
    access-group outside_in in interface outside
    access-group dmz_out in interface DMZ
    route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    management-access inside
    console timeout 0
    terminal width 80

    Expert Comment

    by:lrmoore
    Remove this line:
       >access-group dmz_out in interface DMZ

    Change this to match the mask on your inside interface:
       >static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.0.0 0 0
    to
        static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.255.0
                                                                  ^^^
    Remove this line:
       >static (DMZ,outside) 66.234.131.210 10.100.10.102 netmask 255.255.255.255 0 0
    Replace with this:
         static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255



    Author Comment

    by:echunn
    Thanks for the quick reply!

    Below is the config with your suggested modifications.  However, I'm still not getting out:

    Ping from server 66.234.131.210 failed
    Ping from PIX to server 66.234.131.210 success
    Ping from PIX to next hop toward internet success
    Ping from PIX to internet address failed
    HTTP from the internet to 66.234.131.210 failed
    Ping or HTTP from internal net 10.100.10.x fails
    Ping from internet net to DMZ fails

    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security4

    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol icmp error
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside_in permit tcp any host 66.234.131.210 eq www
    access-list outside_in permit icmp any any echo-reply
    access-list outside_in permit icmp any any unreachable
    access-list outside_in permit icmp any any time-exceeded
    access-list outside_in permit icmp any host 66.234.131.210 echo
    access-list dmz_out permit icmp host 10.100.10.102 10.100.0.0 255.255.255.0
    access-list dmz_in permit icmp any any echo-reply
    access-list dmz_in permit icmp any any unreachable
    access-list dmz_in permit icmp any any time-exceeded
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside 66.203.12.139 255.255.255.248
    ip address inside 10.100.10.100 255.255.255.0
    ip address DMZ 66.234.131.209 255.255.255.248
    ip audit info action alarm
    ip audit attack action alarm
    ip audit attack action alarm
    no pdm history enable
    arp timeout 14400
    global (outside) 5 interface
    nat (inside) 5 10.100.0.0 255.255.0.0 0 0
    nat (DMZ) 5 66.234.131.0 255.255.255.0 0 0
    static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.0.0 0 0
    static (DMZ,outside) 66.234.131.210 10.100.10.102 netmask 255.255.255.255 0 0
    static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.255.0 0 0
    access-group outside_in in interface outside
    access-group dmz_out in interface DMZ
    route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    management-access inside
    console timeout 0
    terminal width 80

    Thoughts?


    Expert Comment

    by:lrmoore
    What is the subnet mask on your internet router Ethernet port?
    What is the default gateway/mask settings on your server?

    Author Comment

    by:echunn
    internet router
    mask = 255.255.255.248

    server
    gw=66.234.131.209
    mask= 255.255.255.248


    Author Comment

    by:echunn
    Here's an update:  
    From 10.100.10.2 i can get to the server 66.234.131.210
    From this same system I'm unable to browse the internet
    From the internet I cant get to the server.

    From other systems on 10.100.10.x I can't get out to the internet nor the server.  Do I need static NAT for every system that needs access to the internet?  If so, what is an example of that statement?

    Expert Comment

    by:lrmoore
    Some progress, right?
    Does the Internet router have a route statement pointing to the PIX for that subnet?

       ip route 66.234.131.208 255.255.255.248 66.234.131.139

    These two entries are all you need to browse the internet from inside:
       global (outside) 5 interface
       nat (inside) 5 10.100.0.0 255.255.0.0 0 0

    Verify that the inside users' default gateway points to the pix 10.100.10.100

    Doh! I think I see a problem:

    given this:
       ip address inside 10.100.10.100 255.255.255.0

    You can remove this:
        no static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.255.0 0 0




    Author Comment

    by:echunn
    Well, the route wasn't in place.... now that it is, I can at least ping it (server) from my router.  Anything beyond my router on the public side doesn't work.

    Getting out to the internet from 10.100.10.0 (specifically 10.100.10.2 and .60) still doesn't work.

    Here's the latest:

    .........
    access-list outside_access_in permit tcp any any eq www
    access-list outside_access_in permit icmp any host 66.234.131.210
    access-list outside_access_in permit ip any any
    access-list outside_access_in permit tcp any any
    access-list outside_access_in permit udp any any
    access-list outside_access_in permit icmp any any
    access-list dmz_out permit icmp host 10.100.10.102 10.100.0.0 255.255.255.0
    access-list dmz_out permit icmp host 10.100.10.60 10.100.0.0 255.255.255.0
    access-list inside_access_in permit ip any any
    access-list inside_access_in permit tcp any any
    access-list inside_access_in permit udp any any
    access-list inside_access_in permit icmp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside 66.234.131.139 255.255.255.248
    ip address inside 10.100.10.100 255.255.255.0
    ip address DMZ 66.234.131.209 255.255.255.248
    ip audit info action alarm
    ip audit attack action alarm
    ip audit attack action alarm
    no pdm history enable
    arp timeout 14400
    global (outside) 5 interface
    nat (inside) 5 10.100.0.0 255.255.0.0 0 0
    nat (DMZ) 5 66.234.131.0 255.255.255.0 0 0
    static (inside,outside) 66.234.131.212 10.100.10.2 netmask 255.255.255.255 0 0
    static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0
    static (inside,outside) 10.100.10.60 66.234.131.213 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    management-access inside
    console timeout 0
    terminal width 80

    Expert Comment

    by:lrmoore
    Can you ping your router from the inside?
    Yes? Sounds like the ISP isn't routing properly to your 66.234.131.x subnet.

    Author Comment

    by:echunn
    In your opinion, do you think this config is valid?

    Expert Comment

    by:lrmoore
    Not now.

    You can remove this completely:
       access-group inside_access_in in interface inside

    The default is to permit all outbound traffic anyway..

    You've changed some other things around, too:
    >static (inside,outside) 66.234.131.212 10.100.10.2 netmask 255.255.255.255 0 0  <=== ?? DMZ IP to inside host?
    >static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0 <== OK
    >static (inside,outside) 10.100.10.60 66.234.131.213 netmask 255.255.255.255 0 0  <== ?? backward syntax

    Now you're trying to nat a DMZ IP address to an inside host?

    Author Comment

    by:echunn
    To summarize what needs to communicate to what.......The server needs to connect to internal IPs on 10.100.0.0 as well as systems on the internet.   As it stands right now I'm back to where I started.  The server is unable to communicate to the internal net as well as the internet.  I'll refrain from changing anything more until I get more suggestions from you.

    access-list outside_access_in permit tcp any any eq www
    access-list outside_access_in permit icmp any host 66.234.131.210
    access-list outside_access_in permit ip any any
    access-list outside_access_in permit tcp any any
    access-list outside_access_in permit udp any any
    access-list outside_access_in permit icmp any any
    access-list dmz_out permit icmp host 10.100.10.102 10.100.0.0 255.255.255.0
    access-list dmz_out permit icmp host 10.100.10.60 10.100.0.0 255.255.255.0
    access-list inside_access_in permit ip any any
    access-list inside_access_in permit tcp any any
    access-list inside_access_in permit udp any any
    access-list inside_access_in permit icmp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside 66.234.131.139 255.255.255.248
    ip address inside 10.100.10.100 255.255.255.0
    ip address DMZ 66.234.131.209 255.255.255.248
    ip audit info action alarm
    no pdm history enable
    arp timeout 14400
    global (outside) 5 interface
    nat (inside) 5 10.100.0.0 255.255.0.0 0 0
    nat (DMZ) 5 66.234.131.0 255.255.255.0 0 0
    static (inside,outside) 66.234.131.212 10.100.10.2 netmask 255.255.255.255 0 0
    static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0
    static (inside,outside) 10.100.10.60 66.234.131.213 netmask 255.255.255.255 0 0

    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact


    Author Comment

    by:echunn
    The Good News:
    Spoke to my ISP and sure enough they weren't routing the server's IP.   I can now connect from the internet to the server.

    The BAD News:
    I'm unable to communicate from the server to my internal net as well as from my internal net to my server.  

    Any suggestions?   .......I'm in the home-stretch!!

    Expert Comment

    by:lrmoore
    That is good news. I guess I was right.

    Now. For internal net to server communications:

                               nat (inside) 5 10.100.0.0 255.255.0.0 0 0
    Remove this ==> nat (DMZ) 5 66.234.131.0 255.255.255.0 0 0
    Remove this ==> static (inside,outside) 66.234.131.212 10.100.10.2 netmask 255.255.255.255 0 0
                              static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0
    Remove this ==> static (inside,outside) 10.100.10.60 66.234.131.213 netmask 255.255.255.255 0 0

    Remove this ==> access-group inside_access_in in interface inside

    This is what you should end up with:

      global (outside) 5 interface
      nat (inside) 5 10.100.0.0 255.255.0.0 0 0
      static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0
      static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0

    Next, for the server in the DMZ to talk to the internal network (if this server initiates the connection)
      access-list DMZ permit ip host 66.234.131.210 10.100.10.0 255.255.255.0
      access-list DMZ permit ip host 66.234.131.210 any
      access-list DMZ in interface DMZ

    Once you get everything working, we can refine the DMZ access-list


    Author Comment

    by:echunn
    From my internal net I can connect to my server and everywhere else.  However, my server still is unable to establish a connection to an internal system.

    Expert Comment

    by:lrmoore
    So, 2 out of 3 down?
    Can you post your current latest running config?

    These three lines are the keys to making that work:
     static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0
      access-list DMZ permit ip host 66.234.131.210 10.100.10.0 255.255.255.0
       access-list DMZ in interface DMZ

    Author Comment

    by:echunn
    Sure, here it is:
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security4
    enable password bSZmERppDxozfltT encrypted
    passwd jBkDTusFb45REzoX encrypted
    hostname MAGMA
    domain-name MAGMA
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol icmp error
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside_access_in permit icmp any host 66.234.131.210
    access-list outside_access_in permit ip any any
    access-list outside_access_in permit tcp any any
    access-list outside_access_in permit udp any any
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit tcp any host 66.234.131.210 eq www
    access-list dmz_out permit icmp host 10.100.10.102 10.100.0.0 255.255.255.0
    access-list dmz_out permit icmp host 10.100.10.60 10.100.0.0 255.255.255.0
    access-list inside_access_in permit ip any any
    access-list inside_access_in permit tcp any any
    access-list inside_access_in permit udp any any
    access-list inside_access_in permit icmp any any
    access-list DMZ permit ip host 66.234.131.210 10.100.10.0 255.255.255.0
    access-list DMZ permit ip host 66.234.131.210 10.100.11.0 255.255.255.0
    access-list DMZ permit ip host 66.234.131.210 10.100.12.0 255.255.255.0
    access-list DMZ permit ip host 66.234.131.210 10.100.13.0 255.255.255.0
    access-list DMZ permit ip host 66.234.131.210 10.100.15.0 255.255.255.0
    access-list DMZ permit ip host 66.234.131.210 10.100.16.0 255.255.255.0
    access-list DMZ permit ip host 66.234.131.210 10.100.17.0 255.255.255.0
    access-list DMZ permit ip host 66.234.131.210 any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside 66.234.131.139 255.255.255.248
    ip address inside 10.100.10.100 255.255.255.0
    ip address DMZ 66.234.131.209 255.255.255.248
    ip audit info action alarm
    ip audit attack action alarm
    no pdm history enable
    arp timeout 14400
    global (outside) 5 interface
    nat (inside) 5 10.100.0.0 255.255.0.0 0 0
    static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0
    static (inside,outside) 66.234.131.214 10.100.10.52 netmask 255.255.255.255 0 0
    static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    management-access inside
    console timeout 0
    terminal width 80
    Cryptochecksum:

    Expert Comment

    by:lrmoore
    You have to remove this. You cannot apply a static map to a public IP from an inside host to the DMZ subnet.  
       > static (inside,outside) 66.234.131.214 10.100.10.52 netmask 255.255.255.255 0 0

    If you have all those 10.100.x.0 subnets on the inside that you are trying to connect to, suggest :
      no static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0 0 0
      static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.0.0
                                                              ^^^
    You will also need a route to them on the PIX pointing to the inside router:
       route inside 10.100.0.0 255.255.0.0 10.100.10.??

    And, don't forget to apply the DMZ Acl ( I don't see it in your posted config):
        access-list DMZ in interface DMZ


    Author Comment

    by:echunn
    you mean:
    access-group DMZ in interface DMZ

    not:
    access-list DMZ in interface DMZ

    you mean:
    static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0

    not:
    static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.0.0

    route inside 10.100.0.0 255.255.0.0 10.100.10.1

    We're good to go now!  Excellent help, thank you very much!




    Accepted Solution

    by:
    H'OH! Yep, I did get carried away... it is access-group, not access-list when applying it...

    But this one.... I did mean to change the subnet mask to include all the other subnets that you have...
    >you mean:
    >static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0

    >not:
    >static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.0.0
                                                                 ^^^^ I really did mean to change this to 255.255.0.0

    Progress is always good!
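The last several posts (the swapped and DMZ-subnet statics lrmoore flagged, the access-list vs. access-group slip, and the wide-open outside ACL in the posted config) lend themselves to a mechanical check. As an added example, not from the thread or from Cisco, here is a small Python linter for PIX 6.3-style lines; the interface subnets and sample lines are taken from the configs posted above, and the finding codes are my own names.

```python
"""Check PIX 6.3-style static and access-list lines for the mistakes seen in this thread."""
import ipaddress
import re

# Interface subnets as configured on the PIX in the posted config.
IFACES = {
    "outside": ipaddress.ip_network("66.234.131.136/29"),
    "inside": ipaddress.ip_network("10.100.10.0/24"),
    "DMZ": ipaddress.ip_network("66.234.131.208/29"),
}

# PIX 6.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [...]
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<map_if>\w+)\) (?P<mapped>[\d.]+) (?P<real>[\d.]+) netmask (?P<mask>[\d.]+)"
)
ACL_RULE_RE = re.compile(r"^access-list (?P<name>\S+) (?P<rule>(?:permit|deny) .+)$")
# 'access-list X in interface Y' is accepted by nobody; the thread meant access-group.
ACL_MISAPPLY_RE = re.compile(r"^access-list (?P<name>\S+) in interface (?P<iface>\w+)$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)$")


def check_static(lineno, m, ifaces, findings):
    """Flag a swapped mapped/real pair and a mapped IP borrowed from another interface's subnet."""
    mapped = ipaddress.ip_address(m["mapped"])
    real = ipaddress.ip_address(m["real"])
    if mapped == real:
        return  # identity static (inside<->DMZ, DMZ->outside) as used in the thread: nothing to check
    if mapped.is_private and not real.is_private:
        findings.append((lineno, "STATIC_BACKWARD",
                         f"mapped {mapped} is private but real {real} is public: arguments look swapped"))
        return
    for name, net in ifaces.items():
        if name not in (m["real_if"], m["map_if"]) and mapped in net:
            findings.append((lineno, "STATIC_FOREIGN_SUBNET",
                             f"mapped {mapped} lies in the {name} subnet {net}, not on {m['map_if']}"))


def lint(config, ifaces=IFACES):
    """Return (line_number, code, message) findings for a PIX config fragment."""
    findings, acls, groups = [], {}, []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if m := STATIC_RE.match(line):
            check_static(lineno, m, ifaces, findings)
        elif m := ACL_RULE_RE.match(line):
            acls.setdefault(m["name"], []).append(m["rule"])
        elif m := ACL_MISAPPLY_RE.match(line):
            findings.append((lineno, "ACL_NOT_APPLIED",
                             f"'access-list {m['name']} in interface ...' applies nothing; use access-group"))
        elif m := GROUP_RE.match(line):
            groups.append((lineno, m["name"], m["iface"]))
    # Second pass: access-groups may precede or follow their access-list entries.
    for lineno, name, iface in groups:
        rules = acls.get(name)
        if rules is None:
            findings.append((lineno, "ACL_UNDEFINED", f"access-group references undefined list {name}"))
        elif iface == "outside" and "permit ip any any" in rules:
            findings.append((lineno, "OUTSIDE_WIDE_OPEN",
                             f"{name} permits ip any any inbound on outside; the DMZ host is fully exposed"))
    return findings


# Constructed from lines posted in the thread; not a complete config.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any host 66.234.131.210 eq www
access-list outside_access_in permit ip any any
access-list DMZ permit ip host 66.234.131.210 10.100.10.0 255.255.255.0
access-list DMZ in interface DMZ
static (inside,outside) 66.234.131.212 10.100.10.2 netmask 255.255.255.255 0 0
static (DMZ,outside) 66.234.131.210 66.234.131.210 netmask 255.255.255.255 0 0
static (inside,outside) 10.100.10.60 66.234.131.213 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.100.10.0 10.100.10.0 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

if __name__ == "__main__":
    for lineno, code, msg in lint(SAMPLE_CONFIG):
        print(f"line {lineno}: {code}: {msg}")
```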

    Author Comment

    by:echunn
    One last thing.   To avoid having to set static routes on my router for the public IP of the server on my internal net, could I instead NAT to an IP routable on my internal net?  If so, what's the correct syntax?

    Expert Comment

    by:lrmoore
    I don't follow you on that...
    As long as the PIX is the default gateway for everything, it shouldn't matter...
    Since you are not natting between the inside and the DMZ, nor from DMZ to outside, that's sort of an odd thing to need to do.

    Author Comment

    by:echunn
    When I set my systems to use the PIX as the default gateway, I can't communicate with anything else on my 10.100.10.0 as well as my other networks, 10.100.13.x, 10.100.14.x etc., even though I've got these route statements:

    route outside 0.0.0.0 0.0.0.0 66.234.131.138 1
    route inside 10.100.0.0 255.255.0.0 10.100.10.1 1
    route inside 10.100.15.0 255.255.255.0 10.100.10.1 1  

    Expert Comment

    by:lrmoore
    How about on your router, just point the default to the PIX, then use the router as your default.

      ip route 0.0.0.0 0.0.0.0 10.100.10.100


    Author Comment

    by:echunn
    Tried that too.  It seems like the routes on the PIX aren't even working....

    Expert Comment

    by:lrmoore
    They are, it's just that a PIX won't redirect like a router will...

    The routes on the PIX are there to respond to clients, not to act as a router for inside client to get to another subnet. Is there another default route in the router?


    Author Comment

    by:echunn
    the default route on my main core router feeds out to our MPLS network which fingers out to the other 10.100.x.x subnets.  

    Here's the router route statements as it looks now:


    ip route 0.0.0.0 0.0.0.0 10.100.10.100
    ip route 66.234.131.210 255.255.255.255 10.100.10.100

    Before:

    ip route 0.0.0.0 0.0.0.0 192.168.100.57
    ip route 66.234.131.210 255.255.255.255 10.100.10.100

    Author Comment

    by:echunn
    So to answer your question, no, there are no other default routes.

    Expert Comment

    by:lrmoore
    Sounds like you still have a simple routing issue.
    What routing protocol are you using? You can enable OSPF between this router and the PIX. If you decide that you want to do that, post another question and we can work on that separately.

    Aren't you using BGP to the MPLS network?

    Author Comment

    by:echunn
    I'm running BGP.  Spoke to my ISP and the routes are now updated and everything is working.  Case closed!  Thanks for your patience and help.