Solved

PDM keeps quitting when launched from DMZ.

Posted on 2005-02-27
347 Views
Last Modified: 2012-05-05
Hello Everyone.

I have a Cisco PIX 515e with four interfaces: inside, outside, dmz and state (for failover). I am running 6.3.4 of the OS and 3.0.2 of the PDM.

My problem is that whenever I try to PDM to the dmz port from my admin server on the dmz I get:

1. Very, very slow PDM load times, it will take about 10 minutes to finally load the java applet with the PDM interface.
2. Within 10 seconds of the PDM applet loading it quits. The Java console shows a series of java exception errors.

I can access the PDM just fine from the inside with the same JRE 1.4.2_7 installed as on the dmz server.

Any help is appreciated. Here is my config:

pixfirewall(config)# show config
: Saved
: Written by enable_15 at 18:07:41.514 EST Fri Feb 25 2005
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 state security20
enable password oEs48LIIjm3JH8OP encrypted
passwd oEs48LIIjm3JH8OP encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit tcp any host 12.111.131.196 eq www
access-list acl_out permit tcp any host 12.111.131.196 eq smtp
access-list acl_out permit tcp any host 12.111.131.196 eq 3389
access-list acl_out permit tcp any host 12.111.131.196 eq pop3
access-list acl_out permit udp any host 12.111.131.196 eq 110
access-list acl_dmz permit tcp host 192.168.201.196 192.168.200.0 255.255.255.0 eq domain
access-list acl_dmz permit udp host 192.168.201.196 192.168.200.0 255.255.255.0 eq domain
access-list acl_dmz permit tcp host 192.168.201.196 192.168.200.0 255.255.255.0 eq imap4
access-list acl_dmz permit tcp host 192.168.201.196 192.168.200.0 255.255.255.0 eq ldap
access-list acl_dmz permit icmp host 192.168.201.196 192.168.200.0 255.255.255.0
access-list acl_dmz permit ip host 192.168.201.196 any
access-list acl_dmz permit tcp host 192.168.201.196 192.168.200.0 255.255.255.0 eq 135
access-list acl_dmz permit tcp host 192.168.201.196 192.168.200.0 255.255.255.0 eq 993
access-list acl_dmz permit tcp host 192.168.201.196 192.168.200.0 255.255.255.0 eq 102
access-list acl_dmz permit tcp host 192.168.201.196 192.168.200.0 255.255.255.0 eq ldaps
access-list acl_dmz permit tcp host 192.168.201.196 192.168.200.0 255.255.255.0 eq nntp
access-list acl_dmz permit tcp host 192.168.201.196 192.168.200.0 255.255.255.0 eq 563
access-list acl_dmz permit tcp host 192.168.201.196 192.168.200.0 255.255.255.0 eq 88
access-list acl_dmz permit udp host 192.168.201.196 192.168.200.0 255.255.255.0 eq 88
access-list acl_dmz permit udp host 192.168.201.196 192.168.200.0 255.255.255.0 eq netbios-dgm
access-list acl_dmz permit tcp host 192.168.201.196 192.168.200.0 255.255.255.0 eq 138
access-list acl_dmz permit udp host 192.168.201.196 192.168.200.0 255.255.255.0 eq netbios-ns
access-list acl_dmz permit tcp host 192.168.201.196 192.168.200.0 255.255.255.0 eq netbios-ssn
access-list acl_dmz permit tcp host 192.168.201.196 192.168.200.0 255.255.255.0 eq pop3
access-list acl_dmz permit udp host 192.168.201.196 192.168.200.0 255.255.255.0 eq 110
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu state 1500
ip address outside 12.111.131.194 255.255.255.192
ip address inside 192.168.200.11 255.255.255.0
ip address dmz 192.168.201.1 255.255.255.0
ip address state 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 10
failover ip address outside 12.111.131.195
failover ip address inside 192.168.200.12
failover ip address dmz 192.168.201.2
failover ip address state 192.168.100.2
failover link state
pdm location 192.168.0.101 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.201.196 255.255.255.255 dmz
pdm logging critical 100
pdm history enable
arp timeout 14400
global (outside) 1 12.111.131.222-12.111.131.252 netmask 255.255.255.192
global (outside) 1 12.111.131.253 netmask 255.255.255.192
global (dmz) 1 192.168.201.3-192.168.201.253 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 12.111.131.196 192.168.201.196 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.255.0 0 0
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 12.111.131.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 172.23.58.142 source outside prefer
http server enable
http 192.168.0.101 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.200.0 255.255.255.0 inside
http 192.168.201.0 255.255.255.0 dmz
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.200.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d9adcd1fff0aa30e64aee8b0969f6a63


Question by:valsilva
3 Comments
 

Author Comment

by:valsilva
ID: 13415409
For clarity:

Outside is: 12.111.131.x
Inside is: 192.168.200.x
Dmz is: 192.168.201.x
State is: 192.168.100.x
The admin server is at 192.168.201.196, talking to the PIX's primary dmz address of 192.168.201.1.

Thanks.
 

Author Comment

by:valsilva
ID: 13415421
One more thing, sorry:

Sometimes the initial web window simply sits there and I see this in the Java console:

Requesting URL: https://192.168.201.1/jploader.jar

nothing else happens.
 

Accepted Solution

by: Tim Holman earned 1500 total points
ID: 13416130
You shouldn't be managing your PIX from the DMZ - it's a big security risk.
Also, your encrypted passwords can be reversed using rainbow tables, so please change the passwords ASAP, as you have in effect posted them on a public forum! :)
What happens if you clear out the Java application cache?
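As an added illustration of the point in the accepted answer (this is not code from the question or the answer), here is a small Python audit over the management-plane lines of the posted config. It reads the interface security levels from the nameif lines and flags any http/telnet/ssh management access, or PDM client host, defined on an interface below the most trusted one, along with the clear-text telnet and default SNMP community also visible in the config. The excerpt, the Finding class and the severity labels are my own construction.

```python
import re
from dataclasses import dataclass

# Management-plane lines excerpted from the config posted in the question.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
pdm location 192.168.201.196 255.255.255.255 dmz
http server enable
http 192.168.200.0 255.255.255.0 inside
http 192.168.201.0 255.255.255.0 dmz
snmp-server community public
telnet 192.168.200.0 255.255.255.0 inside
"""

@dataclass
class Finding:
    severity: str   # constructed labels: high / medium / low
    line: str       # the offending config line
    reason: str

def security_levels(config):
    # interface name -> security level, from 'nameif <eth> <name> security<N>' lines
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^nameif \S+ (\S+) security(\d+)$", config, re.M)}

def audit_management_plane(config):
    """Flag management access reachable from any interface below the most trusted one."""
    levels = security_levels(config)
    trusted = max(levels.values())  # security100 = inside on this PIX
    findings = []
    for line in config.splitlines():
        m = re.match(r"^(http|telnet|ssh) \S+ \S+ (\S+)$", line)
        if m:
            proto, ifname = m.groups()
            if levels.get(ifname, 0) < trusted:
                findings.append(Finding("high", line, f"{proto} management allowed from "
                    f"{ifname} (security{levels.get(ifname)}), below trusted level {trusted}"))
            elif proto == "telnet":
                findings.append(Finding("medium", line, "telnet is clear text; prefer ssh"))
            continue
        m = re.match(r"^pdm location \S+ \S+ (\S+)$", line)
        if m and levels.get(m.group(1), 0) < trusted:
            findings.append(Finding("low", line, f"PDM client on lower-security {m.group(1)}"))
        m = re.match(r"^snmp-server community (\S+)$", line)
        if m and m.group(1) in ("public", "private"):
            findings.append(Finding("medium", line, "default SNMP community string"))
    return findings
```

Calling audit_management_plane(PIX_CONFIG) returns four findings; the high one is the `http ... dmz` line that the answer objects to, and the fix on the device is to remove that line (and the matching pdm location) so PDM is only reachable from the inside network.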