saladart
PIX 515E CONFIG ASSIST

I have a webserver in a DMZ.  I can access the webserver from the internet and I can access the server from inside the protected network.

Here is a diagram...

INTERNET---ROUTER (ISP's)--------|firewall|--------router--------protected subnet 192.168.1.0
                                     |
                                     |
                                   D M Z------WEBSERVER (192.168.20.49)

What is happening (or not happening I should say) is the WEBSERVER is submitting a CREDIT CARD transaction to a HTTPS (secure) website and the website is sending back a response - approved or denied with other information, of course.

I have verified with the Credit Card processing company that they are receiving my requests and they send off a response.  I am not getting the response at the webserver - and there is only two areas that I believe could cause this - either the Firewall or the webserver security.

The CC responds to a specified URL that is sent along with the REQUEST FOR APPROVAL.  The URL that is sent is valid - I can access it from the internet.  The response is in fact being sent from the CC Approval Website - I verified this by leaving out the URL to redirect the response to and the approval is displayed in the browser.

I am really needing some help getting this working...  This is my 3rd day working on this with no success - and it is probably something very obvious that I am overlooking...

Here is the PIX config:

PIXFIREWALL# conf t
PIXFIREWALL(config)# show conf
: Saved
: Written by enable_15 at 12:11:56.501 UTC Thu Mar 23 2006
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password xxxxx level 10 encrypted
enable password xxxxx encrypted
passwd CchT5YiB9kSAWob1 encrypted
hostname PIXFIREWALL
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_acl permit tcp any any
access-list inside_acl permit ip any any
access-list inside_acl permit udp any any
access-list outside_acl permit gre any host 24.1.3.35
access-list outside_acl permit ah any host 24.1.3.35
access-list outside_acl permit esp any host 24.1.3.35
access-list outside_acl permit tcp any host 24.1.3.35 eq pptp
access-list outside_acl deny tcp any any eq netbios-ssn
access-list outside_acl permit tcp any host 24.1.3.36 eq 10000
access-list outside_acl deny tcp any any eq telnet
access-list outside_acl permit tcp host 24.1.3.37 any
access-list outside_acl permit tcp host 66.1.7.58 host 24.1.3.37
access-list outside_acl permit ip host 66.1.7.58 host 24.1.3.37
access-list outside_acl permit tcp any host 24.1.3.37
access-list dmz_in permit ip host 192.168.20.49 host 192.168.1.50
access-list dmz_in permit udp host 192.168.20.49 host 192.168.1.50 eq 88
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq 445
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq domain
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.40 eq 1161
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.40 eq 1433
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq 88
access-list dmz_in permit udp host 192.168.20.49 host 192.168.1.50 eq domain
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq ldap
access-list dmz_in permit icmp 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_in permit ip any any
access-list dmz_in permit ip host 192.168.20.49 host 192.168.1.40
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 24.1.3.34 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 24.1.3.38
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 24.1.3.36 192.168.1.100 netmask 255.255.255.255 0 0
static (inside,outside) 24.1.3.35 192.168.1.50 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (inside,outside) 24.1.3.37 192.168.20.49 netmask 255.255.255.255 0 0
static (dmz,outside) 24.1.3.37 192.168.20.49 dns netmask 255.255.255.255 0 0

access-group outside_acl in interface outside
access-group inside_acl in interface inside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 24.1.3.33 1
route inside 10.0.0.0 255.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 24.1.3.38 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username username password xxxxxxxx encrypted privilege 15
terminal width 90
Cryptochecksum:aedefa89ed558077bed7baa2d225db7d

Your assistance will be greatly appreciated....

Sean
jjoseph_x

static (inside,outside) 24.1.3.37 192.168.20.49 netmask 255.255.255.255 0 0

shouldn't that be (dmz,outside) if 192.168.20.49 is in the DMZ?
Keith Alabaster
static (inside,outside) 24.1.3.37 192.168.20.49 netmask 255.255.255.255 0 0
static (dmz,outside) 24.1.3.37 192.168.20.49 dns netmask 255.255.255.255 0 0

You have the static in twice. As the first will confuse it, this may be your issue
saladart (ASKER)

Keith_alabaster,

Are you saying to get rid of the first static (static (inside,outside) 24.1.3.37 192.168.20.49 netmask 255.255.255.255 0 0) or the other one?

Sean
What I am saying is get rid of the one you do not want as you cannot set a one-one static to two different places. As the static needs to go to the dmz, get rid of the first one as this is associating the inside interface with an IP address that is assigned to the DMZ interface.

May not fix it yet though......
Ok - did it - still am not getting response from website...  What else?

Sean
you might also need to run "clear xlate" to remove the translation.
You mention that the CC server responds to the webserver URL you supply in the outbound REQUEST. This implies an asynchronous communication. This means that the CC server is creating an HTTPS session from the outside, as opposed to responding to the HTTPS session created from the inside.

Therefore, you would need to allow HTTPS sessions to be initiated from the outside (i.e. the CC server) into your webserver. All your ACL rules relate to the webserver and its outbound communication.

Hope this helps
Barny
IPKON Networks Ltd
Please - provide more info - what access-list(s) would need to be added or modified?  Like I mentioned - I have been struggling with this for 3 days...need to get it fixed...

you would need to allow HTTPS sessions to be initiated from the outside (ie CC server), into you Webserver - HOW???  

Thank you very much!!

Sean
Try these commands:

\\remove the acl from the inside interface. It is not necessary with PIX unless you want to *restrict* outbound traffic
no access-group inside_acl in interface inside

\\allow the https server to respond to "any"
access-list dmz_in permit tcp host 192.168.20.49 eq 443 any

\\re-apply the acl any time you change it
access-group dmz_in in interface dmz

\\remove the incorrect static xlate
no static (inside,outside) 24.1.3.37 192.168.20.49 netmask 255.255.255.255 0 0

\\ run clear xlate
clear xlate

\\ now allow https from "any" to the static public ip
access-list outside_acl permit tcp any host 24.1.3.37 eq 443

\\ you can remove this because it is a huge security problem
no access-list outside_acl permit tcp any host 24.1.3.37


>PIX Version 6.3(3)
As an aside, this is a buggy version. Suggest you upgrade to 6.3(5)
Question:  Shouldn't I be able to send the HTTPS post to the CC approval company and receive the response from the WEBSERVER in the DMZ?  If so, it still isn't working...  If not, let me know and I will have someone outside try...

Here is the latest config - if you see anything wrong - please let me know.

Thanks for your input!

Sean

PIXFIREWALL(config)# show conf
: Saved
: Written by enable_15 at 07:59:56.235 UTC Fri Mar 24 2006
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password xxxxx level 10 encrypted
enable password xxxxx encrypted
passwd CchT5YiB9kSAWob1 encrypted
hostname PIXFIREWALL
domain-name ocusoft.com
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_acl permit tcp any any
access-list inside_acl permit ip any any
access-list inside_acl permit udp any any
access-list outside_acl permit gre any host 24.1.3.35
access-list outside_acl permit ah any host 24.1.3.35
access-list outside_acl permit esp any host 24.1.3.35
access-list outside_acl permit tcp any host 24.1.3.35 eq pptp
access-list outside_acl deny tcp any any eq netbios-ssn
access-list outside_acl permit tcp any host 24.1.3.36 eq 21012
access-list outside_acl deny tcp any any eq telnet
access-list outside_acl permit tcp host 24.1.3.37 any
access-list outside_acl permit tcp any host 24.1.3.37 eq https
access-list dmz_in permit ip host 192.168.20.49 host 192.168.1.50
access-list dmz_in permit udp host 192.168.20.49 host 192.168.1.50 eq 88
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq 445
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq domain
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.40 eq 1161
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.40 eq 1433
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq 88
access-list dmz_in permit udp host 192.168.20.49 host 192.168.1.50 eq domain
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq ldap
access-list dmz_in permit icmp 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_in permit ip any any
access-list dmz_in permit ip host 192.168.20.49 host 192.168.1.40
access-list dmz_in permit tcp host 192.168.20.49 eq https any
access-list dmz_in permit tcp host 192.168.20.49 eq www any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 24.1.3.34 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 24.1.3.38
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 24.1.3.36 192.168.1.100 netmask 255.255.255.255 0 0
static (inside,outside) 24.1.3.35 192.168.1.50 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) 24.1.3.37 192.168.20.49 dns netmask 255.255.255.255 0 0

access-group outside_acl in interface outside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 24.1.3.33 1
route inside 10.0.0.0 255.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 24.1.3.38 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username username password xxxxxxx encrypted privilege 15
terminal width 90
Cryptochecksum:8a219ff9a31c4d1a6ed64f6fe1bc5ced
https://webservices.company.com/billing/TransactionCompany/processCC.asp?merchantID=11111&Regkey=XXXXXXXXX&Amount=100.40&AccountNo=123467890123456&CCMonth=12&CCYear=2007&NameonAccount=MyName&AVSADDR=12345 gable woods Dr&AVSZIP=23456&refid=p100036&Cvv2=313&ccrurl=http://www.mywebsite.com/charge.asp

Above is the script that is used when getting credit card approval.  The ccrurl=http://www.mywebsite.com/charge.asp is where the response is supposed to be sent to.

The website is (of course) named differently - but I can tell you that if someone outside the firewall goes to the URL - minus the charge.asp - they are able to log into the website with the proper credentials.  The domain name is registered publically and is directed to the 24.1.3.37 address.  Please help...  (Now I am getting desperate...)

Thanks!

Sean
You need to add http access in the acl also:

// add this
access-list outside_acl permit tcp any host 24.1.3.37 eq http

// re-apply the acl to the interface
access-group outside_acl in interface outside
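
The sequence of commands above comes down to three checks the PIX makes on a packet arriving on the outside interface: is it return traffic of a session already in the connection table, is there a static for the global address, and does the ACL bound inbound on outside permit it. The point Barny made is that the processor's call to ccrurl fails the first check because it is a new TCP connection, not the reply to the web server's HTTPS request, so it has to pass the other two. Here is that evaluation as a small Python model. It is an added example, not code from the thread or from Cisco, and it models only what the thread turns on (conn table, static lookup, first-match ACL on the global address; no PAT pool, no fixups). CONFIG is constructed from the posted config after the suggested fixes, 66.1.7.58 is the processor address from the first outside_acl, and the client-side ports are made up.

```python
"""Model of how a PIX 6.3 decides the two connections discussed in this thread.

Added example, not code from the thread or from Cisco.  Models only the conn
table, the static lookup and first-match evaluation of the ACL bound to the
outside interface (no PAT pool, no fixups).  CONFIG is constructed from the
posted config after the suggested fixes; the client-side ports are made up.
"""
import ipaddress

CONFIG = """\
static (inside,outside) 24.1.3.35 192.168.1.50 netmask 255.255.255.255 0 0
static (dmz,outside) 24.1.3.37 192.168.20.49 dns netmask 255.255.255.255 0 0
access-list outside_acl deny tcp any any eq telnet
access-list outside_acl permit tcp any host 24.1.3.37 eq https
access-list outside_acl permit tcp any host 24.1.3.37 eq www
access-group outside_acl in interface outside
"""
PORTS = {"www": 80, "http": 80, "https": 443, "telnet": 23, "pptp": 1723, "domain": 53}

def _addr(t, i):
    """Parse 'any' | 'host A' | 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def _opt_port(t, i):
    """Optional 'eq PORT' at t[i]; PIX accepts names (www) or numbers."""
    if i < len(t) and t[i] == "eq":
        return PORTS.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_config(text):
    """statics: [(real_if, mapped_if, global_ip, local_ip)]; acls: {name: [ACE]};
    groups: {interface: acl_name}.  ACE = (action, proto, src, sport, dst, dport)."""
    statics, acls, groups = [], {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            statics.append((real_if, mapped_if, t[2], t[3]))
        elif t[0] == "access-list":
            src, i = _addr(t, 4)
            sport, i = _opt_port(t, i)
            dst, i = _addr(t, i)
            dport, i = _opt_port(t, i)
            acls.setdefault(t[1], []).append((t[2], t[3], src, sport, dst, dport))
        elif t[0] == "access-group":        # access-group NAME in interface IFACE
            groups[t[4]] = t[1]
    return statics, acls, groups

class Pix:
    def __init__(self, config):
        self.statics, self.acls, self.groups = parse_config(config)
        self.conns = set()  # (proto, src, sport, dst, dport) as seen on the outside wire

    def outbound(self, local_ip, sport, dst_ip, dport, proto="tcp"):
        """An inside/DMZ host opens a session; record it under its translated address."""
        mapped = [s[2] for s in self.statics if s[3] == local_ip and s[1] == "outside"]
        src = mapped[0] if mapped else local_ip
        self.conns.add((proto, src, sport, dst_ip, dport))
        return src

    def inbound(self, src_ip, sport, dst_global, dport, proto="tcp"):
        """Fate of a packet arriving on the outside interface: (verdict, reason)."""
        # 1. Return traffic of a session in the conn table passes without an ACL lookup.
        if (proto, dst_global, dport, src_ip, sport) in self.conns:
            return "pass", "return traffic of an existing connection"
        # 2. A new connection needs exactly one static for the global address ...
        hits = [s for s in self.statics if s[2] == dst_global and s[1] == "outside"]
        if not hits:
            return "drop", f"no static translation for {dst_global}"
        if len(hits) > 1:
            return "error", "global address in more than one static: " + ", ".join(
                f"({s[0]},{s[1]})" for s in hits)
        real_if, _, _, local_ip = hits[0]
        # 3. ... and a permit in the ACL bound 'in' on outside.  PIX 6.x matches that
        #    ACL on the global (untranslated) address; first match wins, implicit deny.
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_global)
        name = self.groups.get("outside", "")
        for n, (action, p, s_net, sp, d_net, dp) in enumerate(self.acls.get(name, []), 1):
            if p not in (proto, "ip") or src not in s_net or dst not in d_net:
                continue
            if (sp is not None and sp != sport) or (dp is not None and dp != dport):
                continue
            if action == "permit":
                return "pass", f"{name} line {n} permits; delivered to {local_ip} on {real_if}"
            return "drop", f"{name} line {n} denies"
        return "drop", f"no match in {name} (implicit deny)"

if __name__ == "__main__":
    pix = Pix(CONFIG)
    pix.outbound("192.168.20.49", 3333, "66.1.7.58", 443)   # web server -> processor, HTTPS
    print("HTTPS reply:", pix.inbound("66.1.7.58", 443, "24.1.3.37", 3333))
    print("ccrurl GET :", pix.inbound("66.1.7.58", 40001, "24.1.3.37", 80))  # a NEW session
    print("telnet     :", pix.inbound("66.1.7.58", 40002, "24.1.3.37", 23))
    dup = Pix(CONFIG + "static (inside,outside) 24.1.3.37 192.168.20.49 netmask 255.255.255.255 0 0\n")
    print("dup static :", dup.inbound("66.1.7.58", 40001, "24.1.3.37", 80))
```

Run as a script it shows the HTTPS reply passing on the conn table, the ccrurl GET passing only because the (dmz,outside) static and the `eq www` permit are both present, telnet being denied by line 1, and the original duplicate static for 24.1.3.37 being reported as an error rather than silently resolved, which is as far as the thread's advice goes on that point.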

Ok - thanks for the update.  However, I am still not able to receive the response back at the webserver...

Thanks!

Sean
Can you post result of "show access-list"
Is the ccrurl supposed to be directed to your server via http or https? I thought it should be https
Have you tried ccrurl=https://www.......
                                     ^
LRMOORE,

The request goes to an HTTPS server - the reply goes to my webserver - which is an HTTP server.  Hope this helps...

Sean

PIXFIREWALL# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list inside_acl; 3 elements
access-list inside_acl line 1 permit tcp any any (hitcnt=2269537)
access-list inside_acl line 2 permit ip any any (hitcnt=977474)
access-list inside_acl line 3 permit udp any any (hitcnt=0)
access-list outside_acl; 10 elements
access-list outside_acl line 1 permit gre any host 24.1.3.35 (hitcnt=81)
access-list outside_acl line 2 permit ah any host 24.1.3.35 (hitcnt=0)
access-list outside_acl line 3 permit esp any host 24.1.3.35 (hitcnt=0)
access-list outside_acl line 4 permit tcp any host 24.1.3.35 eq pptp (hitcnt=813)
access-list outside_acl line 5 deny tcp any any eq netbios-ssn (hitcnt=86958)
access-list outside_acl line 6 permit tcp any host 24.1.3.36 eq 21012 (hitcnt=5610)
access-list outside_acl line 7 deny tcp any any eq telnet (hitcnt=38)
access-list outside_acl line 8 permit tcp host 24.1.3.37 any (hitcnt=0)
access-list outside_acl line 9 permit tcp any host 24.1.3.37 eq https (hitcnt=0)
access-list outside_acl line 10 permit tcp any host 24.1.3.37 eq www (hitcnt=12)
access-list dmz_in; 14 elements
access-list dmz_in line 1 permit ip host 192.168.20.49 host 192.168.1.50 (hitcnt=5201)
access-list dmz_in line 2 permit udp host 192.168.20.49 host 192.168.1.50 eq 88 (hitcnt=0)
access-list dmz_in line 3 permit tcp host 192.168.20.49 host 192.168.1.50 eq 445 (hitcnt=0)
access-list dmz_in line 4 permit tcp host 192.168.20.49 host 192.168.1.50 eq domain (hitcnt=0)
access-list dmz_in line 5 permit tcp host 192.168.20.49 host 192.168.1.40 eq 1161 (hitcnt=615)
access-list dmz_in line 6 permit tcp host 192.168.20.49 host 192.168.1.40 eq 1433 (hitcnt=30)
access-list dmz_in line 7 permit tcp host 192.168.20.49 host 192.168.1.50 eq 88 (hitcnt=0)
access-list dmz_in line 8 permit udp host 192.168.20.49 host 192.168.1.50 eq domain (hitcnt=0)
access-list dmz_in line 9 permit tcp host 192.168.20.49 host 192.168.1.50 eq ldap (hitcnt=0)
access-list dmz_in line 10 permit icmp 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=3932)
access-list dmz_in line 11 permit ip any any (hitcnt=794)
access-list dmz_in line 12 permit ip host 192.168.20.49 host 192.168.1.40 (hitcnt=0)
access-list dmz_in line 13 permit tcp host 192.168.20.49 eq https any (hitcnt=0)
access-list dmz_in line 14 permit tcp host 192.168.20.49 eq www any (hitcnt=0)
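
The counters above carry more information than the thread draws out of them. outside_acl line 10 (`eq www`) has 12 hits, so plain-HTTP connections to 24.1.3.37 are reaching the PIX and being permitted; line 9 (`eq https`) has none, which fits Sean's statement that the reply goes to an HTTP server. dmz_in lines 13 and 14 put `eq` after the source address, which in PIX syntax makes them source-port rules: they can only match sessions the web server itself opens from port 80 or 443, and a server's replies ride the existing connection without consulting any ACL, so they will read 0 indefinitely; they are also shadowed by line 11's `permit ip any any`, which is why line 12 shows 0 as well. The reader below is an added example, not from the thread; SAMPLE is a constructed excerpt of the output Sean posted, with the same lines and hit counts, and the `unwrap` step re-joins lines the 80-column console broke in the middle of a token.

```python
"""Read PIX 6.3 'show access-list' output and say what the counters imply.

Added example, not from the thread.  SAMPLE is a constructed excerpt of the
output Sean posted (same lines, same hit counts); nothing else is assumed.
"""
import re

SAMPLE = """\
access-list outside_acl; 10 elements
access-list outside_acl line 8 permit tcp host 24.1.3.37 any (hitcnt=0)
access-list outside_acl line 9 permit tcp any host 24.1.3.37 eq https (hitcnt=0)
access-list outside_acl line 10 permit tcp any host 24.1.3.37 eq www (hitcnt=12)
access-list dmz_in; 14 elements
access-list dmz_in line 11 permit ip any any (hitcnt=794)
access-list dmz_in line 13 permit tcp host 192.168.20.49 eq https any (hitcnt=0)
access-list dmz_in line 14 permit tcp host 192.168.20.49 eq www any (hitcnt=0)
"""

ACE = re.compile(r"access-list (\S+) line (\d+) (permit|deny) (\S+) (.+?)\s*\(hitcnt=(\d+)\)")
# 'eq' directly after the SOURCE address: a source-port rule.
SRC_PORT = re.compile(r"(host \S+|any|\S+ \S+) eq \S+ (host|any|\d)")

def unwrap(text):
    """Re-join lines the 80-column console wrapped (continuations never start
    with 'access-list'); the posted output had 'hitcn' / 't=5610' split that way."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("access-list") or not lines:
            lines.append(raw)
        elif raw.strip():
            lines[-1] += raw
    return "\n".join(lines)

def parse(text):
    """Yield one dict per ACE line; the '<name>; N elements' headers are skipped."""
    for m in ACE.finditer(unwrap(text)):
        name, num, action, proto, spec, hits = m.groups()
        yield {"acl": name, "line": int(num), "action": action,
               "proto": proto, "spec": spec, "hits": int(hits)}

def hits(text, acl, line):
    """Hit count of one ACE, or None if it is not in the output."""
    for ace in parse(text):
        if ace["acl"] == acl and ace["line"] == line:
            return ace["hits"]
    return None

def findings(text):
    """(tag, message) pairs for rules that deserve a second look."""
    out = []
    for ace in parse(text):
        tag, spec = f'{ace["acl"]} line {ace["line"]}', ace["spec"]
        if SRC_PORT.match(spec):
            # Replies ride the existing conn and never hit an inbound ACL, so a rule
            # on source port 80/443 only matches sessions the server opens from it.
            out.append((tag, "source-port rule; server replies never consult an ACL"))
        if ace["action"] == "permit" and ace["proto"] == "ip" and spec == "any any":
            out.append((tag, "permit ip any any: later lines can never match"))
        if ace["action"] == "permit" and ace["proto"] == "tcp" and re.fullmatch(r"any host \S+", spec):
            out.append((tag, "every TCP port of one host exposed to the internet"))
        if ace["action"] == "permit" and ace["hits"] == 0:
            out.append((tag, "no hits since the counters were last cleared"))
    return out

if __name__ == "__main__":
    print("www connections permitted so far:", hits(SAMPLE, "outside_acl", 10))
    for tag, msg in findings(SAMPLE):
        print(f"{tag:22} {msg}")
```

Paste the full `show access-list` output into SAMPLE and the same reader applies; the "every TCP port" check catches the `permit tcp any host 24.1.3.37` line from the first config, which lrmoore flagged and which is gone from the second one.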
ASKER CERTIFIED SOLUTION
Les Moore
Just to ensure we are on the same page, here is how the process works:

Client computer login into website - could be from internal network or internet.
Transaction is processed - the request for credit card approval is sent from webserver to a HTTPS: URL that resolves through IP address 66.1.7.58.
The CC server processes the transaction - and replies to the URL specified in the request sent by my webserver - the reply-to address being 24.1.3.37.

Now, IF I leave the URL to return the reply to (24.1.3.7) out, the reply is displayed on the client computer display.  I need it to, however, be returned to the webserver - so it can be written to a database.  There is an .ASP file that will process the request when it is received.  Here is the REQUEST that I am sending to the CC APPROVAL Website:

https://webservices.company.com/billing/TransactionCompany/processCC.asp?merchantID=11111&Regkey=XXXXXXXXX&Amount=100.40&AccountNo=123467890123456&CCMonth=12&CCYear=2007&NameonAccount=MyName&AVSADDR=12345 gable woods Dr&AVSZIP=23456&refid=p100036&Cvv2=313&ccrurl=http://www.mywebsite.com/charge.ASP<<<<---this is the file that will take the response and insert the info into the database.

Diagrams:

From Client to CC APPROVAL WEBSITE:
CLIENT>>>>>REQUEST CC APPROVAL>>>>CC APPROVAL WEBSITE>>>>REPLY

From CC APPROVAL BACK TO WEBSERVER:
CC APPROVAL WEBSITE>>>>

Hope this helps...

Sean
Sean,

please post the sh xlate output here
Sorry for the delay.  I've been out training...

Here is the sh xlate as requested.

PIXFIREWALL# sh xlate
69 in use, 497 most used
Global 24.1.3.36 Local 192.168.1.100
Global 192.168.1.62 Local 192.168.1.62
Global 192.168.1.51 Local 192.168.1.51
Global 24.1.3.37 Local 192.168.20.49
Global 192.168.1.74 Local 192.168.1.74
Global 192.168.1.82 Local 192.168.1.82
Global 192.168.1.3 Local 192.168.1.3
Global 192.168.1.98 Local 192.168.1.98
Global 192.168.1.90 Local 192.168.1.90
Global 192.168.1.50 Local 192.168.1.50
Global 192.168.1.40 Local 192.168.1.40
PAT Global 24.1.3.38(50052) Local 192.168.1.68(4458)
Global 192.168.1.83 Local 192.168.1.83
Global 192.168.1.99 Local 192.168.1.99
PAT Global 24.1.3.38(50048) Local 192.168.1.68(4454)
PAT Global 24.1.3.38(50049) Local 192.168.1.68(4455)
PAT Global 24.1.3.38(50050) Local 192.168.1.68(4456)
Global 192.168.1.75 Local 192.168.1.75
PAT Global 24.1.3.38(50051) Local 192.168.1.68(4457)
Global 192.168.1.67 Local 192.168.1.67
Global 192.168.1.93 Local 192.168.1.93
Global 192.168.1.101 Local 192.168.1.101
Global 192.168.1.77 Local 192.168.1.77
Global 192.168.1.84 Local 192.168.1.84
Global 192.168.1.92 Local 192.168.1.92
PAT Global 24.1.3.38(50044) Local 192.168.1.76(3958)
PAT Global 24.1.3.38(50045) Local 192.168.1.61(51361)
PAT Global 24.1.3.38(50046) Local 192.168.1.68(4452)
PAT Global 24.1.3.38(50047) Local 192.168.1.68(4453)
PAT Global 24.1.3.38(36711) Local 192.168.1.77(4039)
PAT Global 24.1.3.38(50004) Local 192.168.1.88(2858)
PAT Global 24.1.3.38(50000) Local 192.168.1.68(4426)
PAT Global 24.1.3.38(50001) Local 192.168.1.68(4427)
PAT Global 24.1.3.38(50010) Local 192.168.1.68(4433)
PAT Global 24.1.3.38(50011) Local 192.168.1.68(4434)
PAT Global 24.1.3.38(49990) Local 192.168.1.68(4421)
PAT Global 24.1.3.38(49984) Local 192.168.1.68(4415)
PAT Global 24.1.3.38(49985) Local 192.168.1.68(4416)
PAT Global 24.1.3.38(49986) Local 192.168.1.68(4417)
PAT Global 24.1.3.38(49994) Local 192.168.1.68(4425)
PAT Global 24.1.3.38(49972) Local 192.168.1.68(4403)
PAT Global 24.1.3.38(35637) Local 192.168.1.93(3491)
PAT Global 24.1.3.38(49973) Local 192.168.1.68(4404)
PAT Global 24.1.3.38(49974) Local 192.168.1.68(4405)
Global 192.168.1.103 Local 192.168.1.103
Global 192.168.1.95 Local 192.168.1.95
Global 192.168.1.79 Local 192.168.1.79
PAT Global 24.1.3.38(49980) Local 192.168.1.68(4412)
Global 192.168.1.71 Local 192.168.1.71
PAT Global 24.227.133.38(49982) Local 192.168.1.68(4413)
PAT Global 24.227.133.38(49979) Local 192.168.1.68(4410)
Global 192.168.1.57 Local 192.168.1.57
PAT Global 24.1.3.38(49192) Local 192.168.1.75(4514)
PAT Global 24.1.3.38(49940) Local 192.168.1.85(1341)
PAT Global 24.1.3.38(46357) Local 192.168.1.40(2634)
PAT Global 24.1.3.38(49941) Local 192.168.1.85(1342)
Global 192.168.1.209 Local 192.168.1.209
Global 192.168.1.64 Local 192.168.1.64
Global 192.168.1.88 Local 192.168.1.88
Global 192.168.1.96 Local 192.168.1.96
Global 192.168.1.80 Local 192.168.1.80
Global 192.168.1.43 Local 192.168.1.43
Global 24.1.3.35 Local 192.168.1.50
PAT Global 24.1.3.38(36615) Local 192.168.1.88(1119)
PAT Global 24.1.3.38(36611) Local 192.168.1.88(1106)
I have a little confusion about the following statement:

static (dmz,outside) 24.1.3.37 192.168.20.49 dns netmask 255.255.255.255 0 0


Why did you put the DNS keyword in the static command?
It is something new with the PIX.  It is a documented command.

Sean