
DMZ hosts won't go to internet

Hello,

Can anyone tell me why my DMZ nodes won't access the internet? I had to turn my ACL off for this to happen. Below is the config. Thanks.

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.200.100 dnsserver01
name 172.16.200.101 dnsserver02
name 172.16.200.102 exchangeweb
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit tcp any host 199.44.67.68 eq domain
access-list outside_in permit udp any host 199.44.67.68 eq domain
access-list outside_in permit tcp any host 199.44.67.69 eq domain
access-list outside_in permit udp any host 199.44.67.69 eq domain
access-list outside_in permit tcp any host 199.44.67.68 eq www
access-list outside_in permit tcp any host 199.44.67.69 eq www
access-list outside_in permit tcp any host 199.44.67.69 eq ftp
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any host 199.44.67.69
access-list outside_in permit tcp any host 199.44.67.76 eq www
access-list outside_in permit tcp any host 199.44.67.77 eq www
access-list outside_in permit tcp any host 199.44.67.78 eq www
access-list outside_in permit icmp any host 199.44.67.68
access-list outside_in permit icmp any host 199.44.67.76
access-list outside_in permit icmp any host 199.44.67.77
access-list outside_in permit icmp any host 199.44.67.78
access-list outside_in permit icmp any host 199.44.67.70
access-list outside_in permit tcp any host 199.44.67.70 eq www
access-list outside_in permit tcp any host 199.44.67.70 eq https
access-list DMZ_IN permit icmp any any echo-reply
access-list DMZ_IN permit icmp any any unreachable
access-list DMZ_IN permit icmp any any time-exceeded
access-list DMZ_IN permit tcp any host exchangeweb eq 135
access-list DMZ_IN permit tcp any host exchangeweb eq ldap
access-list DMZ_IN permit udp any host exchangeweb eq 389
access-list DMZ_IN permit tcp any host exchangeweb eq ldaps
access-list DMZ_IN permit tcp any host exchangeweb eq 3268
access-list DMZ_IN permit tcp any host exchangeweb eq 3269
access-list DMZ_IN permit tcp any host exchangeweb eq domain
access-list DMZ_IN permit udp any host exchangeweb eq domain
access-list DMZ_IN permit tcp any host exchangeweb eq 88
access-list DMZ_IN permit udp any host exchangeweb eq 88
access-list DMZ_IN permit tcp any host exchangeweb eq 445
access-list dmz_in permit tcp host dnsserver01 any eq www
access-list dmz_in permit udp host dnsserver01 any eq domain
access-list dmz_in permit tcp host dnsserver02 any eq www
access-list dmz_in permit udp host dnsserver02 any eq domain
access-list dmz_in permit tcp host exchangeweb any eq www
access-list dmz_in permit udp host exchangeweb any eq domain
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 199.44.67.33 255.255.255.0
ip address inside 10.200.1.2 255.255.255.0
ip address dmz 172.16.200.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 199.44.67.34
failover ip address inside 10.200.1.3
failover ip address dmz 172.16.200.2
pdm history enable
arp timeout 14400
global (outside) 1 199.44.67.35-199.44.67.64
global (outside) 1 199.44.67.65
global (dmz) 1 172.16.200.10-172.16.200.30
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (dmz) 1 172.16.200.0 255.255.255.0 0 0
static (dmz,outside) tcp 199.44.67.68 www dnsserver01 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp 199.44.67.69 www dnsserver02 www netmask 255.255.255.255 0 0
static (dmz,outside) 199.44.67.70 exchangeweb netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 199.44.67.1 1
route inside 10.0.0.0 255.0.0.0 10.200.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.200.3.0 255.255.255.0 inside
telnet 10.200.2.5 255.255.255.255 inside
telnet 10.200.3.0 255.255.255.0 dmz
telnet 10.200.2.5 255.255.255.255 dmz
telnet timeout 15
ssh timeout 5
console timeout 0
terminal width 80
1 Solution
 
lrmoore commented:
You have to remember the thing about ACLs. Once you have a single permit, there is an implied deny all at the end.

Try something like this:
access-list dmz_in permit tcp host dnsserver01 any eq www
access-list dmz_in permit udp host dnsserver01 any eq domain
access-list dmz_in permit tcp host dnsserver02 any eq www
access-list dmz_in permit udp host dnsserver02 any eq domain
access-list dmz_in permit tcp host exchangeweb any eq www
access-list dmz_in permit udp host exchangeweb any eq domain
<plus the following>
access-list dmz_in permit tcp host dnsserver01 eq www any
access-list dmz_in permit udp host dnsserver01 eq domain any
access-list dmz_in permit tcp host dnsserver02  eq www any
access-list dmz_in permit udp host dnsserver02 eq domain any
access-list dmz_in permit tcp host exchangeweb eq www any
access-list dmz_in permit icmp any any echo-reply
access-list dmz_in permit icmp any any unreachable
access-list dmz_in permit icmp any any time-exceeded


 
KB593 (Author) commented:
Now I can't ping my internal boxes from the DMZ. Did I mess something up?

access-list DMZ_IN permit tcp any host exchangeweb eq 135
access-list DMZ_IN permit tcp any host exchangeweb eq ldap
access-list DMZ_IN permit udp any host exchangeweb eq 389
access-list DMZ_IN permit tcp any host exchangeweb eq ldaps
access-list DMZ_IN permit tcp any host exchangeweb eq 3268
access-list DMZ_IN permit tcp any host exchangeweb eq 3269
access-list DMZ_IN permit tcp any host exchangeweb eq domain
access-list DMZ_IN permit udp any host exchangeweb eq domain
access-list DMZ_IN permit tcp any host exchangeweb eq 88
access-list DMZ_IN permit udp any host exchangeweb eq 88
access-list DMZ_IN permit tcp any host exchangeweb eq www
access-list DMZ_IN permit tcp any host exchangeweb eq imap4
access-list DMZ_IN permit tcp any host exchangeweb eq pop3
access-list DMZ_IN permit tcp any host exchangeweb eq smtp
access-list DMZ_IN permit tcp any host exchangeweb eq 691
access-list DMZ_IN permit tcp any host exchangeweb eq 1776
access-list DMZ_IN permit icmp any any
access-list DMZ_IN permit tcp host dnsserver01 any eq www
access-list DMZ_IN permit udp host dnsserver01 any eq domain
access-list DMZ_IN permit tcp host dnsserver02 any eq www
access-list DMZ_IN permit udp host dnsserver02 any eq domain
access-list DMZ_IN permit tcp host exchangeweb any eq www
access-list DMZ_IN permit udp host exchangeweb any eq domain
access-list DMZ_IN permit tcp host dnsserver01 eq www any
access-list DMZ_IN permit udp host dnsserver01 eq domain any
access-list DMZ_IN permit tcp host dnsserver02 eq www any
access-list DMZ_IN permit udp host dnsserver02 eq domain any
access-list DMZ_IN permit tcp host exchangeweb eq www any
 
lrmoore commented:
Did you re-apply the acl to the interface?
  access-group DMZ_IN in interface dmz

You don't need any of these lines....
"any" will never be the source originating on the dmz interface, going to destination of dmz hosts...

access-list DMZ_IN permit tcp any host exchangeweb eq 135
access-list DMZ_IN permit tcp any host exchangeweb eq ldap
access-list DMZ_IN permit udp any host exchangeweb eq 389
access-list DMZ_IN permit tcp any host exchangeweb eq ldaps
access-list DMZ_IN permit tcp any host exchangeweb eq 3268
access-list DMZ_IN permit tcp any host exchangeweb eq 3269
access-list DMZ_IN permit tcp any host exchangeweb eq domain
access-list DMZ_IN permit udp any host exchangeweb eq domain
access-list DMZ_IN permit tcp any host exchangeweb eq 88
access-list DMZ_IN permit udp any host exchangeweb eq 88
access-list DMZ_IN permit tcp any host exchangeweb eq www
access-list DMZ_IN permit tcp any host exchangeweb eq imap4
access-list DMZ_IN permit tcp any host exchangeweb eq pop3
access-list DMZ_IN permit tcp any host exchangeweb eq smtp
access-list DMZ_IN permit tcp any host exchangeweb eq 691
access-list DMZ_IN permit tcp any host exchangeweb eq 1776
 
KB593 (Author) commented:
I was trying to initiate this traffic from the DMZ to my internal hosts. Do I have the ACL backwards?
 
lrmoore commented:
If you want to initiate traffic from the dmz to internal hosts:

- create a static xlate for internal to dmz
static (inside,dmz)  10.200.1.0 10.200.1.0 netmask 255.255.255.0

- now be specific in the acl

access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq 135
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq 445
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq ldap
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq 389
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq ldaps
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq domain
access-list DMZ_IN permit udp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq domain
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq 88
access-list DMZ_IN permit udp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq 88
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq smtp
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq 691
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq 1776


 
KB593 (Author) commented:
I still can't get my DMZ to ping internal hosts. I thought it was working, but maybe not. Can you see anything prohibiting this?
 
KB593 (Author) commented:
For the access list you just created, what if my servers are on the 10.200.4.x subnet? Inter-VLAN routing is working.
 
lrmoore commented:
Add:
 access-list DMZ_IN permit icmp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0
 
KB593 (Author) commented:
That didn't work. This is my config so far; please tell me if you see any reason why it's not working. Thanks. BTW, I gave you the points and made another question for this one. Thanks for the help.

NWR-PIX-01(config)# sh conf
: Saved
: Written by enable_15 at 17:19:25.710 UTC Sat Apr 16 2005
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.200.100 dnsserver01
name 172.16.200.101 dnsserver02
name 172.16.200.102 exchangeweb
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit tcp any host 199.44.67.68 eq domain
access-list outside_in permit udp any host 199.44.67.68 eq domain
access-list outside_in permit tcp any host 199.44.67.69 eq domain
access-list outside_in permit udp any host 199.44.67.69 eq domain
access-list outside_in permit tcp any host 199.44.67.68 eq www
access-list outside_in permit tcp any host 199.44.67.69 eq www
access-list outside_in permit tcp any host 199.44.67.69 eq ftp
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any host 199.44.67.69
access-list outside_in permit tcp any host 199.44.67.76 eq www
access-list outside_in permit tcp any host 199.44.67.77 eq www
access-list outside_in permit tcp any host 199.44.67.78 eq www
access-list outside_in permit icmp any host 199.44.67.68
access-list outside_in permit icmp any host 199.44.67.76
access-list outside_in permit icmp any host 199.44.67.77
access-list outside_in permit icmp any host 199.44.67.78
access-list outside_in permit icmp any host 199.44.67.70
access-list outside_in permit tcp any host 199.44.67.70 eq www
access-list outside_in permit tcp any host 199.44.67.70 eq https
access-list outside_in permit tcp any host 199.44.67.70 eq 993
access-list outside_in permit tcp any host 199.44.67.70 eq 995
access-list outside_in permit tcp any host 199.44.67.70 eq smtp
access-list DMZ_IN permit icmp any any
access-list DMZ_IN permit tcp host dnsserver01 any eq www
access-list DMZ_IN permit udp host dnsserver01 any eq domain
access-list DMZ_IN permit tcp host dnsserver02 any eq www
access-list DMZ_IN permit udp host dnsserver02 any eq domain
access-list DMZ_IN permit tcp host exchangeweb any eq www
access-list DMZ_IN permit udp host exchangeweb any eq domain
access-list DMZ_IN permit tcp host dnsserver01 eq www any
access-list DMZ_IN permit udp host dnsserver01 eq domain any
access-list DMZ_IN permit tcp host dnsserver02 eq www any
access-list DMZ_IN permit udp host dnsserver02 eq domain any
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq 135
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq 445
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq ldap
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq ldaps
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq domain
access-list DMZ_IN permit udp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq domain
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq 88
access-list DMZ_IN permit udp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq 88
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq smtp
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq 691
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq 1776
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq 3268
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq 3269
access-list DMZ_IN permit icmp host dnsserver01 host 10.200.4.20
access-list DMZ_IN permit icmp host dnsserver02 host 10.200.4.20
access-list DMZ_IN permit icmp host exchangeweb host 10.200.4.20
access-list DMZ_IN permit icmp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0
access-list dmz_in permit icmp any any echo-reply
access-list dmz_in permit icmp any any unreachable
access-list dmz_in permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 199.44.67.33 255.255.255.0
ip address inside 10.200.1.2 255.255.255.0
ip address dmz 172.16.200.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 199.44.67.34
failover ip address inside 10.200.1.3
failover ip address dmz 172.16.200.2
pdm history enable
arp timeout 14400
global (outside) 1 199.44.67.35-199.44.67.64
global (outside) 1 199.44.67.65
global (dmz) 1 172.16.200.10-172.16.200.30
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (dmz) 1 172.16.200.0 255.255.255.0 0 0
static (dmz,outside) 199.44.67.70 exchangeweb netmask 255.255.255.255 0 0
static (dmz,outside) 199.44.67.68 dnsserver01 netmask 255.255.255.255 0 0
static (dmz,outside) 199.44.67.69 dnsserver02 netmask 255.255.255.255 0 0
static (inside,dmz) 10.200.1.0 10.200.1.0 netmask 255.255.255.0 0 0
access-group outside_in in interface outside
access-group DMZ_IN in interface dmz
route outside 0.0.0.0 0.0.0.0 199.44.67.1 1
route inside 10.0.0.0 255.0.0.0 10.200.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.200.3.0 255.255.255.0 inside
telnet 10.200.2.5 255.255.255.255 inside
telnet 10.200.3.0 255.255.255.0 dmz
telnet 10.200.2.5 255.255.255.255 dmz
telnet timeout 15
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ad4df1fd2b74269bdba5e432f09475b1
 
lrmoore commented:
What exactly is not working at this point?
 
KB593 (Author) commented:
I was able to figure it out by realizing that I am connecting my PIX to a 3550 with VLANs that all start with 10.200.x.x, so I changed my address translation to the following and it started working. I also changed the access-list to allow the DMZ addresses to get to any of my 10.200.x.x addresses with the selected ports and ICMP. Thanks again for the help.


static (inside,dmz) 10.200.0.0 10.200.0.0 netmask 255.255.0.0 0 0

access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.0.0 255.255.0.0 eq 135
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.0.0 255.255.0.0 eq 445
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.0.0 255.255.0.0 eq ldap
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.0.0 255.255.0.0 eq ldaps
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.0.0 255.255.0.0 eq domain
access-list DMZ_IN permit udp 172.16.200.0 255.255.255.0 10.200.0.0 255.255.0.0 eq domain
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.0.0 255.255.0.0 eq 88
access-list DMZ_IN permit udp 172.16.200.0 255.255.255.0 10.200.0.0 255.255.0.0 eq 88
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.0.0 255.255.0.0 eq smtp
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.0.0 255.255.0.0 eq 691
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.0.0 255.255.0.0 eq 1776
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.0.0 255.255.0.0 eq 3268
access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.0.0 255.255.0.0 eq 3269
access-list DMZ_IN permit icmp 172.16.200.0 255.255.255.0 10.200.0.0 255.255.0.0
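As an added illustration (not part of the thread), a small Python model of the two things that bit this config: the PIX first-match ACL with its implied deny-all that lrmoore describes, and the static (inside,dmz) xlate whose /24 netmask cannot reach hosts on 10.200.4.x until it is widened to /16. The DMZ_IN subset is taken from the thread; the 198.51.100.x "internet" destinations and the evaluate/static_covers helpers are constructed for the example.

```python
import ipaddress

NAMES = {"dnsserver01": "172.16.200.100", "dnsserver02": "172.16.200.101",
         "exchangeweb": "172.16.200.102"}   # the thread's "name" statements
PORTS = {"www": 80, "domain": 53, "ldap": 389, "ldaps": 636, "smtp": 25}

def parse_addr(tokens):
    """Consume one PIX address spec: 'any' | 'host NAME_OR_IP' | 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(NAMES.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_port(tokens):
    """Consume an optional 'eq PORT' operator; None means any port."""
    if tokens and tokens[0] == "eq":
        return (PORTS[tokens[1]] if tokens[1] in PORTS else int(tokens[1])), tokens[2:]
    return None, tokens

def parse_ace(line):
    """access-list NAME permit|deny PROTO SRC [eq P] DST [eq P | ICMP-TYPE]."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, rest = parse_addr(rest)
    sport, rest = (None, rest) if proto == "icmp" else parse_port(rest)
    dst, rest = parse_addr(rest)
    svc = (rest[0] if rest else None) if proto == "icmp" else parse_port(rest)[0]
    return action, proto, src, sport, dst, svc

def evaluate(acl, proto, src, dst, svc=None):
    """First match wins; a packet no entry matches hits the implied deny-all at the end.
    svc is the destination port (tcp/udp) or the ICMP type name ('echo') for icmp."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, line in enumerate(acl, 1):
        action, aproto, asrc, asport, adst, asvc = parse_ace(line)
        # Only dmz-originated traffic is modelled, so source-port entries never match.
        if aproto != proto or s not in asrc or d not in adst or asport is not None:
            continue
        if asvc is None or asvc == svc:
            return action, n          # (action, matching line number)
    return "deny", None               # implicit deny: no line matched

def static_covers(static_line, inside_host):
    """Does 'static (inside,dmz) NET NET netmask MASK' expose inside_host to the dmz?"""
    t = static_line.split()
    net = ipaddress.ip_network(f"{t[2]}/{t[t.index('netmask') + 1]}", strict=False)
    return ipaddress.ip_address(inside_host) in net

# Constructed subset of DMZ_IN mid-thread (/24 destination) and the author's /16 fix.
DMZ_IN_OLD = [
    "access-list DMZ_IN permit icmp any any echo-reply",
    "access-list DMZ_IN permit udp host dnsserver01 any eq domain",
    "access-list DMZ_IN permit tcp host dnsserver01 eq www any",
    "access-list DMZ_IN permit tcp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0 eq 445",
    "access-list DMZ_IN permit icmp 172.16.200.0 255.255.255.0 10.200.1.0 255.255.255.0",
]
STATIC_OLD = "static (inside,dmz) 10.200.1.0 10.200.1.0 netmask 255.255.255.0 0 0"
DMZ_IN_FIXED = [l.replace("10.200.1.0 255.255.255.0", "10.200.0.0 255.255.0.0") for l in DMZ_IN_OLD]
STATIC_FIXED = "static (inside,dmz) 10.200.0.0 10.200.0.0 netmask 255.255.0.0 0 0"
```

Running evaluate(DMZ_IN_OLD, "tcp", "172.16.200.100", "198.51.100.10", 443) returns ("deny", None): nothing in the list permits it, which is exactly the implied deny-all that made the DMZ hosts unable to reach the internet once the ACL was applied.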
 
lrmoore commented:
Good work!
- Cheers!