saladart
asked on
PIX 515E CONFIGURATION QUESTION
I am trying to do Online Credit Card transactions using a HTTPS post to the CC Approval service's website. Here is a description on how the method works - from their development Manual.
This HTTPS interface offers expanded transaction options, including support for
sale, void, credit, settle, voice authorization, debit card and ACH transaction
types. Transaction data is entered on an online payment form or application
developed by you or a third party. Using sample code that TransFirst provides,
transaction data is sent to Transaction Central through an SSL connection for
processing. Transaction data is saved on your servers. Responses are returned
to a designated URL or passed back as a post string.
The designated URL that the post string is sent to (on my side) is HTTP://192.168.1.49/chargeapprove.asp
I have talked to their technical support guys - the responses can be returned to an IP address - which is what I am using. The problem is I am not getting any response back at my server - which happens to be behind the firewall. Their technical staff believes that the firewall is the roadblock. I don't know...
I would like to keep it behind the firewall for security reasons.
I am needing assistance on the config of the PIX to allow the Credit Card transactions responses to be sent directly to the origination webserver.
Here is my current config:
PIXFIREWALL# show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password NA3kCu/6slD/O7aS level 10 encrypted
enable password rOx8.Y2f6t2O2J6d encrypted
passwd CchT5YiB9kSAWob1 encrypted
hostname PIXFIREWALL
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_acl permit tcp any any
access-list inside_acl permit ip any any
access-list inside_acl permit udp any any
access-list outside_acl permit gre any host 24.1.3.35
access-list outside_acl permit ah any host 24.1.3.35
access-list outside_acl permit esp any host 24.1.3.35
access-list outside_acl permit tcp any host 24.1.3.35 eq pptp
access-list outside_acl deny tcp any any eq netbios-ssn
access-list outside_acl deny tcp any any eq ftp
access-list outside_acl permit tcp any host 24.1.3.36 eq 10000
access-list outside_acl deny tcp any any eq telnet
*****I added the following line to allow the server sending the CC Transaction response to get through the firewall directly to the webserver.
>>>access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 192.168.1.49 eq www<<<
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 24.1.3.34 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 24.1.3.38
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
*****I added the following line to allow the server sending the CC Transaction response to get through the firewall directly to the webserver.
<<<<static (inside,outside) tcp 24.1.3.37 www 192.168.1.49 www netmask 255.255.255.255 0 0>>>>
static (inside,outside) 24.1.3.36 192.168.1.100 netmask 255.255.255.255 0
static (inside,outside) 24.1.3.35 192.168.1.50 netmask 255.255.255.255 0 0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 24.227.133.33 1
route inside 10.0.0.0 255.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username USER password epNzeQOJEcyLcSzn encrypted privilege 15
terminal width 90
Cryptochecksum:6af7661efd134230309d2d1be65111f5
: end
Being that the HTTP request is getting to the TRANSACTION WEBSITE successfully (this has been verified by their technical staff), do I need to do anything with the firewall? My thoughts were that the webserver sending the response back to my server would need to be able to send incoming traffic through the firewall - but, being that the outbound connection is successfully connecting to the transaction server, shouldn't the same connection be open to receive the HTTPS post being sent from the webserver? I don't know exactly how this works and need some help...
Thanks!
Sean
ASKER
nodisco,
I did as you recommended - that still doesn't resolve the issue...
Sean
ASKER
Do I need to modify the ACCESS-LIST to reflect the public IP address as well?
Sean
ASKER
FORGET THE LAST POST...BRAIN FART...
Sean
hi again
Is the remote company using the public ip to access you? e.g. http://24.1.3.37/chargeapprove.asp
Post the output of sh access-list to see if you are getting hits on the acl.
Can you draw up a quick diagram of the network so as to make sure i'm not missing something
e.g.
remote>>>>>>>>>internet>>>>>router>>>>>>pix>>>>>>internal server
ASKER
Is the remote company using the public ip to access you? e.g. http://24.1.3.37/chargeapprove.asp
Answer: Yes
Post the output of sh access-list to see if you are getting hits on the acl.
There are no hits on the ACCESS-LIST entry for the public IP...
access-list outside_acl line 9 permit tcp 66.1.2.58 255.255.255.254 host 24.1.3.37 eq www (hitcnt=0)
The config is as follows: (INBOUND)
REMOTE WEB SERVER 66.1.2.58 >>>>> INTERNET >>>>>> ISP EQUIP - (24.1.3.33 ROADRUNNER ROUTER) >>>>> FIREWALL 24.1.3.37 / 192.168.1.1 (internal) >>>>>>>>> 192.168.1.2 ROUTER(INTERNAL) >>>>>>> SWITCH >>>>>>> WEB SERVER (192.168.1.49)
Sean
Just noticed -
<<<<<<<<<I am trying to do Online Credit Card transactions using a HTTPS >>
                                                    ^^^
HTTPS works on 443 - not www. However, you may need both protocols.
As a test can you do the following:
no access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 24.1.3.37 eq www
no static (inside,outside) tcp 24.1.3.37 www 192.168.1.49 www netmask 255.255.255.255
static (inside,outside) 24.1.3.37 192.168.1.49 netmask 255.255.255.255
access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 24.1.3.37 eq www
access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 24.1.3.37 eq 443
then get them to try it again - make sure with the other company that the 66.1.2.58/31 address range is definitely correct
hth
ASKER
Did what you recommended - I am getting no hits against the IP Address 24.1.3.37 still. If the firewall is not allowing the data to go through, would I still expect to see hits? (just asking...).
Thanks for your assistance.
Sean
No but you should see hits incrementing on the deny at the bottom.
Can you post the full config as it is now and the full sh access-list and I'll have a look - I am wondering if there is anything that your outbound access-list may be blocking - You can remove this as it is allowing all ip, tcp/udp out and is blocking very little out - to remove it:
conf t
no access-group inside_acl in interface inside
But post the above and we'll sort it
ASKER
PIXFIREWALL(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
      alert-interval 300
access-list inside_acl; 3 elements
access-list inside_acl line 1 permit tcp any any (hitcnt=2238512)
access-list inside_acl line 2 permit ip any any (hitcnt=962907)
access-list inside_acl line 3 permit udp any any (hitcnt=0)
access-list outside_acl; 10 elements
access-list outside_acl line 1 permit gre any host 24.1.3.35 (hitcnt=81)
access-list outside_acl line 2 permit ah any host 24.1.3.35 (hitcnt=0)
access-list outside_acl line 3 permit esp any host 24.1.3.35 (hitcnt=0)
access-list outside_acl line 4 permit tcp any host 24.1.3.35 eq pptp (hitcnt=784)
access-list outside_acl line 5 deny tcp any any eq netbios-ssn (hitcnt=86450)
access-list outside_acl line 6 deny tcp any any eq ftp (hitcnt=344)
access-list outside_acl line 7 permit tcp any host 24.1.3.36 eq 10000 (hitcnt=5126)
access-list outside_acl line 8 deny tcp any any eq telnet (hitcnt=38)
access-list outside_acl line 9 permit tcp any host 24.1.3.37 eq www (hitcnt=0)
access-list outside_acl line 10 permit tcp any host 24.1.3.37 eq 433 (hitcnt=0)
ASKER
PIXFIREWALL(config)# show config
: Saved
: Written by enable_15 at 12:35:40.820 UTC Tue Mar 21 2006
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password level 10 encrypted
enable password encrypted
passwd encrypted
hostname PIXFIREWALL
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_acl permit tcp any any
access-list inside_acl permit ip any any
access-list inside_acl permit udp any any
access-list outside_acl permit gre any host 24.1.3.35
access-list outside_acl permit ah any host 24.1.3.35
access-list outside_acl permit esp any host 24.1.3.35
access-list outside_acl permit tcp any host 24.1.3.35 eq pptp
access-list outside_acl deny tcp any any eq netbios-ssn
access-list outside_acl deny tcp any any eq ftp
access-list outside_acl permit tcp any host 24.1.3.36 eq 10000
access-list outside_acl deny tcp any any eq telnet
access-list outside_acl permit tcp any host 24.1.3.37 eq www
access-list outside_acl permit tcp any host 24.1.3.37 eq 433
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 24.1.3.34 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 24.1.3.38
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 24.1.3.36 192.168.1.100 netmask 255.255.255.255 0
static (inside,outside) 24.1.3.35 192.168.1.50 netmask 255.255.255.255 0 0
static (inside,outside) 24.1.3.37 192.168.1.49 netmask 255.255.255.255 0 0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 24.1.3.33 1
route inside 10.0.0.0 255.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 24.1.3.38 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username username password encrypted privilege 15
terminal width 90
Cryptochecksum:9f965f9e12fdf59faaf8573fb43fc300
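An added check (not from the thread, and not Cisco tooling) that encodes the two points raised above over constructed copies of the posted lines: on PIX 6.x the outside ACL must name the static's global address (the first post permitted to 192.168.1.49), and the later config opens tcp/433 where the reply asked for 443; it also pulls the zero-hit entries for the server out of the `show access-list` output. Function names and the finding codes are assumptions.

```python
"""Check PIX 6.x inbound static/ACL pairs and 'show access-list' hit counts."""
import ipaddress
import re

# Constructed samples: the inbound lines from the first config posted in this
# thread (ACL names the inside address) and from the later one (eq 433).
FIRST_CONFIG = """
static (inside,outside) tcp 24.1.3.37 www 192.168.1.49 www netmask 255.255.255.255 0 0
access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 192.168.1.49 eq www
access-group outside_acl in interface outside
"""

LATER_CONFIG = """
static (inside,outside) 24.1.3.37 192.168.1.49 netmask 255.255.255.255 0 0
access-list outside_acl permit tcp any host 24.1.3.37 eq www
access-list outside_acl permit tcp any host 24.1.3.37 eq 433
access-group outside_acl in interface outside
"""

# Constructed 'show access-list' excerpt matching the later config.
SHOW_ACL = """
access-list outside_acl line 7 permit tcp any host 24.1.3.36 eq 10000 (hitcnt=5126)
access-list outside_acl line 9 permit tcp any host 24.1.3.37 eq www (hitcnt=0)
access-list outside_acl line 10 permit tcp any host 24.1.3.37 eq 433 (hitcnt=0)
"""

PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "telnet": 23, "pptp": 1723}
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+?) host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
HIT_RE = re.compile(r"^access-list (\S+) line (\d+) (.+?) \(hitcnt=(\d+)\)$")


def port_number(tok):
    """Map a PIX port keyword (www, https, ...) or numeric string to an int."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_statics(cfg):
    """Return {global_ip: (inside_ip, port_or_None)} from 'static' lines.

    Handles both the one-to-one form and the port-level (tcp/udp) form."""
    statics = {}
    for line in cfg.splitlines():
        t = line.split()
        if not t or t[0] != "static":
            continue
        if t[2] in ("tcp", "udp"):
            statics[t[3]] = (t[5], port_number(t[4]))
        else:
            statics[t[2]] = (t[3], None)
    return statics


def check_inbound(cfg, server_global, expected_ports=(80, 443)):
    """Return (code, detail) findings for permits in the outside-interface ACL.

    PIX 6.x semantics: the outside ACL is evaluated against the global
    (translated) address from the static, not the inside address."""
    statics = parse_statics(cfg)
    outside_acl = None
    for line in cfg.splitlines():
        m = GROUP_RE.match(line)
        if m and m.group(2) == "outside":
            outside_acl = m.group(1)
    findings, opened = [], set()
    for line in cfg.splitlines():
        m = ACL_RE.match(line)
        if not m or m.group(1) != outside_acl or m.group(2) != "permit":
            continue
        dst, port = m.group(5), port_number(m.group(6))
        opened.add((dst, port))
        if ipaddress.ip_address(dst).is_private:
            findings.append(("PRIVATE_DST", f"{dst}: use the static's global address"))
        elif dst not in statics:
            findings.append(("NO_STATIC", f"{dst}: no static maps this address"))
        elif statics[dst][1] not in (None, port):
            findings.append(("PORT_MISMATCH", f"{dst}: static maps {statics[dst][1]}, ACL opens {port}"))
        if dst == server_global and port not in expected_ports:
            findings.append(("UNEXPECTED_PORT", f"{dst}: port {port} is not an expected service port"))
    for port in expected_ports:
        if (server_global, port) not in opened:
            findings.append(("MISSING_PERMIT", f"{server_global}: no permit for tcp/{port}"))
    return findings


def zero_hit_lines(show_output, host):
    """Return ACL line numbers for 'host' whose hit counter is still zero."""
    zero = []
    for line in show_output.splitlines():
        m = HIT_RE.match(line)
        if m and f"host {host} " in m.group(3) and int(m.group(4)) == 0:
            zero.append(int(m.group(2)))
    return zero


if __name__ == "__main__":
    for name, cfg in (("first", FIRST_CONFIG), ("later", LATER_CONFIG)):
        print(name, check_inbound(cfg, "24.1.3.37"))
    print("zero-hit lines for 24.1.3.37:", zero_hit_lines(SHOW_ACL, "24.1.3.37"))
```

Zero hits on a permit that should be matching are the signal to look at the static and the path before touching the ACL again; a hit counter that stays at zero after `clear xlate` means the packets never reach that ACL entry at all.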
Ok test time
no access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 24.1.3.37 eq www
no access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 24.1.3.37 eq 443
access-list outside_acl permit tcp any host 24.1.3.37 eq www
access-list outside_acl permit tcp any host 24.1.3.37 eq 443
If you can use the clear xlate below - it will disconnect all connections through your pix momentarily. It's safe to do after hours but will cause connections to drop - they will work again straight away though.
clear xlate
Advise when you have done this
Ignore! but run the clear xlate if you can
ASKER
I just ran the clear xlate.
Sean
ASKER
Tried the post again - same result.
Sean
Using your 192.168.1.49 machine - go on the web and go to whatismyip.com and check your ip address
Also pls remove the access-list applied to your inside interface:
conf t
no access-group inside_acl in interface inside
ASKER
Ok. When I follow your instructions - Using your 192.168.1.49 machine - go on the web and go to whatismyip.com and check your ip address
- I get 24.1.3.37 (the address that I have statically mapped to this system via firewall).
I also removed the access-list applied to the inside interface.
Sean
FIREWALL 24.1.3.37 / 192.168.1.1 (internal) >>>>>>>>> 192.168.1.2 ROUTER(INTERNAL) >>>>>>> SWITCH >>>>>>> WEB SERVER (192.168.1.49)
Why is the webserver on a different internal network to the pix inside?
This would explain why you can get out to the internet (whatismyip showing the static nat) but not get any return traffic.
If you add the following to the pix -
route inside 192.168.1.49 255.255.255.255 192.168.1.2
ASKER
Did as you suggested - add the following to the pix - route inside 192.168.1.49 255.255.255.255 192.168.1.2
still get the same results...
You asked - Why is the webserver on a different internal network to the pix inside? It isn't on a different internal network - 192.168.1 is the network for both...or am I missing something?
If I were to register a domain name and redirect the REGISTERED NAME to this IP address, would I open the door for attacks (being that it is behind the firewall)? The credit card processing company is now saying that SSL doesn't work with an IP address - which they first told me that it would... Is this true?
Sean
<<You asked - Why is the webserver on a different internal network to the pix inside? It isn't on a different internal network - 192.168.1 is the network for both...or am I missing something?
Your network diagram showed that the 192.168.1.49 host was on the other side of a router from the pix. So it is not locally connected to the pix - is the diagram accurate?
Where are the other servers (192.168.1.50, 100) located?
<<If I were to register a domain name and redirect the REGISTERED NAME to this IP address, would I open the door for attacks (being that it is behind the firewall)?
No - DNS is just name resolution of an ip address. Whether an outside host accesses you by ip or dns name it makes no difference - you would be just as secure/unsecure.
<<The credit card processing company is now saying that SSL doesn't work with an IP address - which they first told me that it would... Is this true?
Absolutely not! I don't know where they got that from.
I have to sign out as it's v late here but will check on this tomorrow. Can you try removing the acls to .137 and recreating them at line1 of the acls. Also reapply the access-list to the interface by typing:
access-group outside_acl in interface outside
let me know how it goes
ASKER
So it is not locally connected to the pix - is the diagram accurate?
Yes, the diagram is accurate...I see now what you mean.
Am I going to need to put the server in a DMZ? If so, I will need to know how to configure the PIX to allow inside clients access to the server.
Can I do this without putting the server in a DMZ (keep it behind the firewall)?
I also put the ACLs to .37 as number 1 and number 2 (www is #1, 443 is #2) and still getting no hits on either. I even went as far as to set up a new domain and redirected it to the .37 address - the domain name is in fact redirected to the .37 but I still get no hits on the access-list for .37.
Thanks for your help on this...
Sean
Yes - putting the servers in the DMZ is no problem - you just need to give the DMZ an ip address and create the statics accordingly
e.g.
ip address dmz 192.168.20.1 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 24.1.3.37 192.168.20.49 netmask 255.255.255.255
access-list outside_acl permit tcp any host 24.1.3.37 eq www
access-list outside_acl permit tcp any host 24.1.3.37 eq 443
Where 192.168.20.49 is the ip address of your host machine. (Its gateway address would be 192.168.20.1.)
ASKER
Nodisco - question.
If my internal network is 192.168.1 - wouldn't I need to configure the IP address for the DMZ with the same subnet (192.168.1.25 for example)? I am trying to make sense of this - understanding it makes things a whole lot easier for me...
Also, once I create the DMZ, will I need another router on the DMZ interface at the PIX?
Do I need to connect the server's ethernet connection to the PIX DMZ interface or can I leave it on the network as it is now? Just need to know how to do this properly - haven't had a need for a DMZ just yet...learn as I go is what I am doing...
Thanks again for your guidance!
Sean
ASKER
One more question...
The clients behind the firewall - on the 192.168.1 network - will they be able to access the server in the DMZ? They will need to...
Sean
<<If my internal network is 192.168.1 - wouldn't I need to configure the IP address for the DMZ with the same subnet (192.168.1.25 for example)? I am trying to make sense of this - understanding it makes things a whole lot easier for me...
No - has to be a different subnet as it's a different interface on the PIX. PIX interfaces all have different security levels - to protect the individual networks from each other. By default inside is most secure, then DMZ, then outside. See the lines at the top of your config:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
The security number dictates how the traffic should go - higher can go to lower by default once natted - but lower cannot go to higher unless specified by an access-list.
<<Also, once I create the DMZ, will I need another router on the DMZ interface at the PIX?
No - you can connect the machine straight to the dmz network. This was why I was wondering why you had an internal router inside your pix - and then your clients inside the router. The pix inside interface is as secure as you are going to get already - I didn't get the router.
<<Do I need to connect the server's ethernet connection to the PIX DMZ interface or can I leave it on the network as it is now? Just need to know how to do this properly - haven't had a need for a DMZ just yet...learn as I go is what I am doing...
If you want to move the server to the dmz, then you will have to physically connect it to the dmz network. Most dmzs have a switch that the pix dmz interface connects to - and then the servers sit on the switch.
<<The clients behind the firewall - on the 192.168.1 network - will they be able to access the server in the DMZ? They will need to...
Yes - you can setup internal users to be able to hit the dmz - its just a static nat.
hope this helps
ASKER
Another question...
This webserver uses Active Directory for authentication. Will implementing what you propose create any issues with the authentication side? The server is a member of a domain that resides behind the firewall... Do any other ports need to be opened between the DMZ and INSIDE interface? In addition, this webserver accesses a SQL database - same question for this server.
I would be more than happy to open a new post if needed...
Sean
Regarding AD - you can authenticate servers between the dmz and inside - likewise the SQL server.
Q - where are 192.168.1.50 and 192.168.1.100 located - I take it these servers work fine as regards access from outside
ASKER
The 192.168.1.50 and .100 servers are behind the firewall and do in fact work fine from the outside.
Sean
Yes - but are they also inside the router? What I mean is that the .49 machine is on the inside of the router - are these 2 servers also located on the same subnet?
ASKER
I just posted an add on to this post.
https://www.experts-exchange.com/questions/21784446/PIX-515E-Configuration-for-DMZ-access-the-DMZ-from-internal-clients.html
Sean
ASKER
but are they also inside the router?
Both servers are inside the router - on the same subnet (192.168.1.0).
>>>>INTERNET>>>>>>FIREWALL>>>>>>ROUTER>>>>>>SERVERS .50 and .100
Sean
Can you advise where the 2 other servers are located - are they inside the router or just inside the firewall? As they seem to be getting hits on the access-lists from outside so they are working correctly
Sorry - didn't refresh
Can you post the router config - there must be something stopping the third address receiving the traffic back in as it is able to get out properly
ASKER
Look at post https://www.experts-exchange.com/questions/21784446/PIX-515E-Configuration-for-DMZ-access-the-DMZ-from-internal-clients.html - I just posted the latest config for the firewall...
Sean
ASKER
PIXFIREWALL# show conf
: Saved
: Written by enable_15 at 11:20:26.763 UTC Wed Mar 22 2006
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password NA3kCu/6slD/O7aS level 10 encrypted
enable password rOx8.Y2f6t2O2J6d encrypted
passwd CchT5YiB9kSAWob1 encrypted
hostname PIXFIREWALL
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_acl permit tcp any any
access-list inside_acl permit ip any any
access-list inside_acl permit udp any any
access-list outside_acl permit tcp any host 24.1.3.37 eq www
access-list outside_acl permit tcp any host 24.1.3.37 eq https
access-list outside_acl permit gre any host 24.1.3.35
access-list outside_acl permit ah any host 24.1.3.35
access-list outside_acl permit esp any host 24.1.3.35
access-list outside_acl permit tcp any host 24.1.3.35 eq pptp
access-list outside_acl deny tcp any any eq netbios-ssn
access-list outside_acl deny tcp any any eq ftp
access-list outside_acl permit tcp any host 24.1.3.36 eq 10000
access-list outside_acl deny tcp any any eq telnet
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 24.1.3.34 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 24.1.3.38
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 24.1.3.36 192.168.1.100 netmask 255.255.255.255 0 0
static (inside,outside) 24.1.3.35 192.168.1.50 netmask 255.255.255.255 0 0
static (inside,outside) 24.1.3.37 192.168.1.49 netmask 255.255.255.255 0 0
static (dmz,outside) 24.1.3.37 192.168.20.49 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 24.1.3.33 1
route inside 10.0.0.0 255.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 24.1.3.38 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username username password epNzeQOJEcyLcSzn encrypted privilege 15
terminal width 90
Cryptochecksum:7c94591755b1df876ae190b86fefe7aa
ASKER
Oh - just noticed ROUTER....disregard my previous post...
Sean
ASKER
I suppose you are wanting the INSIDE router config right? (192.168.1.2)
Sean
correct
ASKER
RTR-Main>enable
Password:
RTR-Main#show conf
Using 1361 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-Main
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$W6Mb$bFJsTR5MyE9JoZwYlIonV/
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
!
!
!
class-map match-any voice-control
 match ip dscp af31
 match ip dscp af32
 match ip dscp cs3
 match ip precedence 6
class-map match-any voice
 match access-group 103
 match  dscp ef
 match  dscp cs5
 match ip precedence 6
!
!
policy-map wan-edge
 class voice
  priority 512
 class class-default
  fair-queue
policy-map shaper
 class class-default
  shape average 512000
  service-policy wan-edge
policy-map wan-edgte
!
!
!
interface FastEthernet0
 ip address 192.168.1.2 255.255.255.0
 ip route-cache flow
 speed auto
 full-duplex
!
interface Serial0
 description Connected to Warehouse
 ip address 10.0.0.1 255.255.255.252
 ip route-cache flow
 fair-queue
 service-module t1 framing sf
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 255.255.255.255 24.153.161.217
ip route 192.168.2.0 255.255.255.0 10.0.0.2
no ip http server
!
access-list 103 permit ip host 192.168.1.5 host 192.168.2.5
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
line aux 0
line vty 0 4
 password XXXXX
 login
!
!
end
RTR-Main#
Ok final Q - check the machines 192.168.1.49, 50, 100
What are their default gateways?
I am of the opinion that 50 and 100 are using 192.168.1.1 as its gateway and 49 is using 192.168.1.2
can you clarify?
ASKER
.50 and 100 are both using 1.2 as the gateway. I have already changed the IP address on .49 to the .20.49 address - and its gateway is 20.1 - the DMZ address.
Sean
Is it now physically connected only to the dmz interface?
and can it ping the dmz interface?
ASKER
It is now physically connected to the DMZ interface and it can ping the DMZ interface (.20.1)
ASKER CERTIFIED SOLUTION
ASKER
Ok - thanks for your assistance!
Sean
The access-list you applied is incorrect -
access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 192.168.1.49 eq www
should be
access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 24.1.3.37 eq www
the reason is that the outside client needs to be able to access the internal server at your site - the 192.168.1.49 is a private address behind your firewall. He cannot see it - no way, no how. If he sends to the 24.x.x.x address, it will be translated at the pix to the 192.168.1.49 internal server.
To do this on the pix:
conf t
no access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 192.168.1.49 eq www
access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 24.1.3.37 eq www
write mem
hope this helps
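As an added check that is not part of nodisco's reply or the original thread: the Python script below parses the statics, the permit entries and the access-group binding from PIX 6.x config text and flags exactly the mistake corrected above, an entry on the outside ACL whose destination is the private host address instead of the static's global address, suggesting the corrected line from the matching static. It also reports a global address that two statics map to different real hosts, as 24.1.3.37 is in the config posted earlier in this thread. The sample config is constructed from lines quoted on this page.

```python
import ipaddress

# Constructed sample: static and outside-ACL lines quoted on this page, plus the
# mistaken ACL entry that the reply above corrects.
SAMPLE_CONFIG = """\
static (inside,outside) 24.1.3.35 192.168.1.50 netmask 255.255.255.255 0 0
static (inside,outside) 24.1.3.37 192.168.1.49 netmask 255.255.255.255 0 0
static (dmz,outside) 24.1.3.37 192.168.20.49 netmask 255.255.255.255 0 0
access-list outside_acl permit tcp any host 24.1.3.37 eq www
access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 192.168.1.49 eq www
access-list outside_acl permit gre any host 24.1.3.35
access-group outside_acl in interface outside
"""


def _addr(tokens, i):
    # One PIX 6.x address spec: 'any', 'host A' or 'A MASK'; returns (text, next index)
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return tokens[i] + "/" + tokens[i + 1], i + 2


def parse_pix(text):
    """Collect statics as (mapped_if, global_ip, real_ip), permit ACL entries
    as (src, dst, line) per ACL name, and access-group bindings name -> interface."""
    statics, acls, bindings = [], {}, {}
    for line in filter(None, text.splitlines()):
        t = line.split()
        if t[0] == "static":  # static (real_if,mapped_if) GLOBAL_IP REAL_IP netmask MASK
            statics.append((t[1].strip("()").split(",")[1], t[2], t[3]))
        elif t[0] == "access-list" and t[2] == "permit":
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((src, dst, line))
        elif t[0] == "access-group":  # access-group NAME in interface IFACE
            bindings[t[1]] = t[4]
    return statics, acls, bindings


def audit(text):
    """Flag a global address that several statics map to different real hosts, and
    permit entries on a bound ACL whose destination host is not a global address
    translated on that interface (a private address can never be reached there)."""
    statics, acls, bindings = parse_pix(text)
    findings, by_global = [], {}
    for mapped_if, global_ip, real_ip in statics:
        by_global.setdefault((mapped_if, global_ip), set()).add(real_ip)
    for (mapped_if, global_ip), reals in sorted(by_global.items()):
        if len(reals) > 1:
            findings.append(f"global {global_ip} on {mapped_if} is mapped to "
                            f"{len(reals)} hosts: {', '.join(sorted(reals))}")
    for name, iface in bindings.items():
        real_to_global = {r: g for m, g, r in statics if m == iface}
        for _, dst, line in acls.get(name, []):
            if dst == "any" or "/" in dst or dst in real_to_global.values():
                continue  # 'any' and subnet destinations are not checked here
            why = "no static maps it on " + iface
            if ipaddress.ip_address(dst).is_private:
                why = "private address, unreachable from " + iface
            findings.append(f"{name}: destination {dst} ({why}): {line}")
            if dst in real_to_global:  # the static gives the intended global address
                findings.append("  suggested: " + line.replace(dst, real_to_global[dst]))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the doubly-mapped 24.1.3.37, the ACL entry aimed at 192.168.1.49, and the same corrected line nodisco gives above.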