Solved

PIX 515E CONFIG ASSIST

Posted on 2006-03-23
22
Medium Priority
780 Views
Last Modified: 2010-04-08
I have a webserver in a DMZ.  I can access the webserver from the internet and I can access the server from inside the protected network.

Here is a diagram...

INTERNET---ROUTER (ISP's)--------|firewall|--------router--------protected subnet 192.168.1.0
                            |
                            |
                        D M Z------WEBSERVER (192.168.20.49)

What is happening (or not happening I should say) is the WEBSERVER is submitting a CREDIT CARD transaction to a HTTPS (secure) website and the website is sending back a response - approved or denied with other information, of course.

I have verified with the Credit Card processing company that they are receiving my requests and they send off a response.  I am not getting the response at the webserver - and there are only two areas that I believe could cause this - either the Firewall or the webserver security.

The CC responds to a specified URL that is sent along with the REQUEST FOR APPROVAL.  The URL that is sent is valid - I can access it from the internet.  The response is in fact being sent from the CC Approval Website - I verified this by leaving out the URL to redirect the response to and the approval is displayed in the browser.

I am really needing some help getting this working...  This is my 3rd day working on this with no success - and it is probably something very obvious that I am overlooking...

Here is the PIX config:

PIXFIREWALL# conf t
PIXFIREWALL(config)# show conf
: Saved
: Written by enable_15 at 12:11:56.501 UTC Thu Mar 23 2006
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password xxxxx level 10 encrypted
enable password xxxxx encrypted
passwd CchT5YiB9kSAWob1 encrypted
hostname PIXFIREWALL
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_acl permit tcp any any
access-list inside_acl permit ip any any
access-list inside_acl permit udp any any
access-list outside_acl permit gre any host 24.1.3.35
access-list outside_acl permit ah any host 24.1.3.35
access-list outside_acl permit esp any host 24.1.3.35
access-list outside_acl permit tcp any host 24.1.3.35 eq pptp
access-list outside_acl deny tcp any any eq netbios-ssn
access-list outside_acl permit tcp any host 24.1.3.36 eq 10000
access-list outside_acl deny tcp any any eq telnet
access-list outside_acl permit tcp host 24.1.3.37 any
access-list outside_acl permit tcp host 66.1.7.58 host 24.1.3.37
access-list outside_acl permit ip host 66.1.7.58 host 24.1.3.37
access-list outside_acl permit tcp any host 24.1.3.37
access-list dmz_in permit ip host 192.168.20.49 host 192.168.1.50
access-list dmz_in permit udp host 192.168.20.49 host 192.168.1.50 eq 88
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq 445
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq domain
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.40 eq 1161
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.40 eq 1433
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq 88
access-list dmz_in permit udp host 192.168.20.49 host 192.168.1.50 eq domain
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq ldap
access-list dmz_in permit icmp 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_in permit ip any any
access-list dmz_in permit ip host 192.168.20.49 host 192.168.1.40
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 24.1.3.34 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 24.1.3.38
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 24.1.3.36 192.168.1.100 netmask 255.255.255.255 0 0
static (inside,outside) 24.1.3.35 192.168.1.50 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (inside,outside) 24.1.3.37 192.168.20.49 netmask 255.255.255.255 0 0
static (dmz,outside) 24.1.3.37 192.168.20.49 dns netmask 255.255.255.255 0 0

access-group outside_acl in interface outside
access-group inside_acl in interface inside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 24.1.3.33 1
route inside 10.0.0.0 255.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 24.1.3.38 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username username password xxxxxxxx encrypted privilege 15
terminal width 90
Cryptochecksum:aedefa89ed558077bed7baa2d225db7d

Your assistance will be greatly appreciated....

Sean
Question by:saladart
22 Comments
 
LVL 9

Expert Comment

by:jjoseph_x
ID: 16274054
static (inside,outside) 24.1.3.37 192.168.20.49 netmask 255.255.255.255 0 0

shouldn't that be (dmz,outside) if 192.168.20.49 is in the DMZ?
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16274177
static (inside,outside) 24.1.3.37 192.168.20.49 netmask 255.255.255.255 0 0
static (dmz,outside) 24.1.3.37 192.168.20.49 dns netmask 255.255.255.255 0 0

You have the static in twice. As the first will confuse it, this may be your issue

Author Comment

by:saladart
ID: 16274316
Keith_alabaster,

R U saying to get rid of the first static (static (inside,outside) 24.1.3.37 192.168.20.49 netmask 255.255.255.255 0 0) or the other one?

Sean
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16274544
What I am saying is get rid of the one you do not want as you cannot set a one-one static to two different places. As the static needs to go to the dmz, get rid of the first one as this is associating the inside interface with an IP address that is assigned to the DMZ interface.

May not fix it yet though......

Author Comment

by:saladart
ID: 16274815
Ok - did it - still am not getting response from website...  What else?

Sean
LVL 9

Expert Comment

by:jjoseph_x
ID: 16274954
you might also need to run "clear xlate" to remove the translation.
LVL 9

Expert Comment

by:IPKON_Networks
ID: 16275844
You mention that the CC server responds to the Webserver you supply in the outbound REQUEST. This implies an asynchronous communication. This means that the CC server is creating an HTTPS session from the outside, as opposed to responding to the HTTPS session created from the inside.

Therefore, you would need to allow HTTPS sessions to be initiated from the outside (ie CC server), into your Webserver. All your ACL rules relate to the Webserver and its outbound communication.

Hope this helps
Barny
IPKON Networks Ltd

Author Comment

by:saladart
ID: 16276026
Please - provide more info - what access-list(s) would need to be added or modified?  Like I mentioned - I have been struggling with this for 3 days...need to get it fixed...

you would need to allow HTTPS sessions to be initiated from the outside (ie CC server), into your Webserver - HOW???

Thank you very much!!

Sean
LVL 79

Expert Comment

by:lrmoore
ID: 16276274
Try these commands:

\\remove the acl from the inside interface. It is not necessary with PIX unless you want to *restrict* outbound traffic
no access-group inside_acl in interface inside

\\allow the https server to respond to "any"
access-list dmz_in permit tcp host 192.168.20.49 eq 443 any

\\re-apply the acl any time you change it
access-group dmz_in in interface dmz

\\remove the incorrect static xlate
no static (inside,outside) 24.1.3.37 192.168.20.49 netmask 255.255.255.255 0 0

\\ run clear xlate
clear xlate

\\ now allow https from "any" to the static public ip
access-list outside_acl permit tcp any host 24.1.3.37 eq 443

\\ you can remove this because it is a huge security problem
no access-list outside_acl permit tcp any host 24.1.3.37


LVL 79

Expert Comment

by:lrmoore
ID: 16276278
>PIX Version 6.3(3)
As an aside, this is a buggy version. Suggest you upgrade to 6.3(5)

Author Comment

by:saladart
ID: 16279830
Question:  Shouldn't I be able to send the HTTPS post to the CC approval company and receive the response from the WEBSERVER in the DMZ?  If so, it still isn't working...  If not, let me know and I will have someone outside try...

Here is the latest config - if you see anything wrong - please let me know.

Thanks for your input!

Sean

PIXFIREWALL(config)# show conf
: Saved
: Written by enable_15 at 07:59:56.235 UTC Fri Mar 24 2006
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password xxxxx level 10 encrypted
enable password xxxxx encrypted
passwd CchT5YiB9kSAWob1 encrypted
hostname PIXFIREWALL
domain-name ocusoft.com
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_acl permit tcp any any
access-list inside_acl permit ip any any
access-list inside_acl permit udp any any
access-list outside_acl permit gre any host 24.1.3.35
access-list outside_acl permit ah any host 24.1.3.35
access-list outside_acl permit esp any host 24.1.3.35
access-list outside_acl permit tcp any host 24.1.3.35 eq pptp
access-list outside_acl deny tcp any any eq netbios-ssn
access-list outside_acl permit tcp any host 24.1.3.36 eq 21012
access-list outside_acl deny tcp any any eq telnet
access-list outside_acl permit tcp host 24.1.3.37 any
access-list outside_acl permit tcp any host 24.1.3.37 eq https
access-list dmz_in permit ip host 192.168.20.49 host 192.168.1.50
access-list dmz_in permit udp host 192.168.20.49 host 192.168.1.50 eq 88
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq 445
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq domain
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.40 eq 1161
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.40 eq 1433
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq 88
access-list dmz_in permit udp host 192.168.20.49 host 192.168.1.50 eq domain
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq ldap
access-list dmz_in permit icmp 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_in permit ip any any
access-list dmz_in permit ip host 192.168.20.49 host 192.168.1.40
access-list dmz_in permit tcp host 192.168.20.49 eq https any
access-list dmz_in permit tcp host 192.168.20.49 eq www any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 24.1.3.34 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 24.1.3.38
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 24.1.3.36 192.168.1.100 netmask 255.255.255.255 0 0
static (inside,outside) 24.1.3.35 192.168.1.50 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) 24.1.3.37 192.168.20.49 dns netmask 255.255.255.255 0 0

access-group outside_acl in interface outside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 24.1.3.33 1
route inside 10.0.0.0 255.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 24.1.3.38 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username username password xxxxxxx encrypted privilege 15
terminal width 90
Cryptochecksum:8a219ff9a31c4d1a6ed64f6fe1bc5ced

Author Comment

by:saladart
ID: 16280042
https://webservices.company.com/billing/TransactionCompany/processCC.asp?merchantID=11111&Regkey=XXXXXXXXX&Amount=100.40&AccountNo=123467890123456&CCMonth=12&CCYear=2007&NameonAccount=MyName&AVSADDR=12345 gable woods Dr&AVSZIP=23456&refid=p100036&Cvv2=313&ccrurl=http://www.mywebsite.com/charge.asp

Above is the script that is used when getting credit card approval.  The ccrurl=http://www.mywebsite.com/charge.asp is where the response is supposed to be sent to.

The website is (of course) named differently - but I can tell you that if someone outside the firewall goes to the URL - minus the charge.asp - they are able to log into the website with the proper credentials.  The domain name is registered publicly and is directed to the 24.1.3.37 address.  Please help...  (Now I am getting desperate...)

Thanks!

Sean
LVL 79

Expert Comment

by:lrmoore
ID: 16280212
You need to add http access in the acl also:

// add this
access-list outside_acl permit tcp any host 24.1.3.37 eq http

// re-apply the acl to the interface
access-group outside_acl in interface outside


Author Comment

by:saladart
ID: 16288382
Ok - thanks for the update.  However, I am still not able to receive the response back at the webserver...

Thanks!

Sean
LVL 79

Expert Comment

by:lrmoore
ID: 16288406
Can you post result of "show access-list"
Is the ccrurl supposed to be directed to your server via http or https? I thought it should be https
Have you tried ccrurl=https://www.......
                                     ^

Author Comment

by:saladart
ID: 16288790
LRMOORE,

The request goes to an HTTPS server - the reply goes to my webserver - which is an HTTP server.  Hope this helps...

Sean

PIXFIREWALL# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list inside_acl; 3 elements
access-list inside_acl line 1 permit tcp any any (hitcnt=2269537)
access-list inside_acl line 2 permit ip any any (hitcnt=977474)
access-list inside_acl line 3 permit udp any any (hitcnt=0)
access-list outside_acl; 10 elements
access-list outside_acl line 1 permit gre any host 24.1.3.35 (hitcnt=81)
access-list outside_acl line 2 permit ah any host 24.1.3.35 (hitcnt=0)
access-list outside_acl line 3 permit esp any host 24.1.3.35 (hitcnt=0)
access-list outside_acl line 4 permit tcp any host 24.1.3.35 eq pptp (hitcnt=813)
access-list outside_acl line 5 deny tcp any any eq netbios-ssn (hitcnt=86958)
access-list outside_acl line 6 permit tcp any host 24.1.3.36 eq 21012 (hitcnt=5610)
access-list outside_acl line 7 deny tcp any any eq telnet (hitcnt=38)
access-list outside_acl line 8 permit tcp host 24.1.3.37 any (hitcnt=0)
access-list outside_acl line 9 permit tcp any host 24.1.3.37 eq https (hitcnt=0)
access-list outside_acl line 10 permit tcp any host 24.1.3.37 eq www (hitcnt=12)
access-list dmz_in; 14 elements
access-list dmz_in line 1 permit ip host 192.168.20.49 host 192.168.1.50 (hitcnt=5201)
access-list dmz_in line 2 permit udp host 192.168.20.49 host 192.168.1.50 eq 88 (hitcnt=0)
access-list dmz_in line 3 permit tcp host 192.168.20.49 host 192.168.1.50 eq 445 (hitcnt=0)
access-list dmz_in line 4 permit tcp host 192.168.20.49 host 192.168.1.50 eq domain (hitcnt=0)
access-list dmz_in line 5 permit tcp host 192.168.20.49 host 192.168.1.40 eq 1161 (hitcnt=615)
access-list dmz_in line 6 permit tcp host 192.168.20.49 host 192.168.1.40 eq 1433 (hitcnt=30)
access-list dmz_in line 7 permit tcp host 192.168.20.49 host 192.168.1.50 eq 88 (hitcnt=0)
access-list dmz_in line 8 permit udp host 192.168.20.49 host 192.168.1.50 eq domain (hitcnt=0)
access-list dmz_in line 9 permit tcp host 192.168.20.49 host 192.168.1.50 eq ldap (hitcnt=0)
access-list dmz_in line 10 permit icmp 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=3932)
access-list dmz_in line 11 permit ip any any (hitcnt=794)
access-list dmz_in line 12 permit ip host 192.168.20.49 host 192.168.1.40 (hitcnt=0)
access-list dmz_in line 13 permit tcp host 192.168.20.49 eq https any (hitcnt=0)
access-list dmz_in line 14 permit tcp host 192.168.20.49 eq www any (hitcnt=0)
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 16288865
>access-list outside_acl line 10 permit tcp any host 24.1.3.37 eq www (hitcnt=12)

Increasing hitcounter here means that packets are arriving in on port 80 http

>access-list dmz_in line 14 permit tcp host 192.168.20.49 eq www any (hitcnt=0)
No hitcount on this line could mean the server is not answering - but . . .

>access-list dmz_in line 11 permit ip any any (hitcnt=794)
This line comes before the specific port permit, so responses from the web server are catching this line.
If you remove this access-list line, we'll be able to see the hitcounts on the specific www port.

If I understand the process, one issue could be that these transactions are originating from inside the pix (on your server), going outside to an external host, then back in to the public IP of your server. Generally you cannot go out then back in on the PIX, and the order of nat processing makes it difficult to access your own public IP.

One possible solution would be to use the "alias" command, and I see that you already have the "new and improved" alias in the dns fixup on the static xlate with the "dns" keyword. The key to making this work is to change your webserver to point to an external DNS server that will actually resolve www.yourcompany.com to the public IP address 24.x.x.x

Again . . . 6.3(3) really is a buggy version of PIX code. Highly suggest upgrading it.
One of the bugs in it requires a reboot of the box whenever some config changes are made. I'd go ahead and schedule a reboot just in case.
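The first-match behaviour lrmoore describes, as an added example that is not part of this thread or of any Cisco tool: a small Python simulator that parses the dmz_in entries from the second config posted above, reports which lines can never record a hit because an earlier, broader line covers everything they match, and shows which line the web server's reply actually lands on with and without line 11. The server address, port 80 and the CC host 66.1.7.58 come from the thread; the client port 51000 is constructed.

```python
import ipaddress
from collections import namedtuple

# Service keywords used in the PIX config on this page, mapped to port numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ldap": 389}
ANY = ipaddress.ip_network("0.0.0.0/0")
# One access-list entry; sport/dport None means "any port", proto "ip" means any protocol.
Rule = namedtuple("Rule", "line action proto src sport dst dport")

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def _port(tok, i):
    """Parse an optional 'eq PORT' at tok[i]; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_acls(text):
    """Return {acl name: [Rule, ...]} in configured order, which is evaluation order."""
    acls = {}
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, _ = _port(tok, i)
        rules = acls.setdefault(tok[1], [])
        rules.append(Rule(len(rules) + 1, tok[2], tok[3], src, sport, dst, dport))
    return acls

def _covers(a, b):
    """True when rule a matches every packet that rule b would match."""
    return (a.proto in ("ip", b.proto) and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst) and a.sport in (None, b.sport)
            and a.dport in (None, b.dport))

def first_match(rules, proto, src, sport, dst, dport):
    """Top-down, first match wins; None models the PIX implicit deny at the end."""
    probe = Rule(0, "", proto, ipaddress.ip_network(src + "/32"), sport,
                 ipaddress.ip_network(dst + "/32"), dport)
    return next((r for r in rules if _covers(r, probe)), None)

def shadowed(rules):
    """Map each line that can never be hit to the earlier line that shadows it."""
    first = {r.line: next((e.line for e in rules[:i] if _covers(e, r)), None)
             for i, r in enumerate(rules)}
    return {line: by for line, by in first.items() if by}

# dmz_in exactly as it appears in the second config posted in this thread.
DMZ_IN = """
access-list dmz_in permit ip host 192.168.20.49 host 192.168.1.50
access-list dmz_in permit udp host 192.168.20.49 host 192.168.1.50 eq 88
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq 445
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq domain
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.40 eq 1161
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.40 eq 1433
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq 88
access-list dmz_in permit udp host 192.168.20.49 host 192.168.1.50 eq domain
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq ldap
access-list dmz_in permit icmp 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_in permit ip any any
access-list dmz_in permit ip host 192.168.20.49 host 192.168.1.40
access-list dmz_in permit tcp host 192.168.20.49 eq https any
access-list dmz_in permit tcp host 192.168.20.49 eq www any
"""

if __name__ == "__main__":
    acl = parse_acls(DMZ_IN)["dmz_in"]
    print("shadowed (line: shadowed by):", shadowed(acl))
    # Reply from the DMZ web server to the CC host; the client port 51000 is constructed.
    reply = first_match(acl, "tcp", "192.168.20.49", 80, "66.1.7.58", 51000)
    print("web reply hits line", reply.line)  # 11, the 'permit ip any any', not line 14
```

Lines 2 to 9 are shadowed by line 1 and lines 12 to 14 by line 11, which matches the zero hit counts in the show access-list output above; removing line 11 makes the same reply land on line 14.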

Author Comment

by:saladart
ID: 16300739
Just to ensure we are on the same page, here is how the process works:

Client computer logs into the website - could be from internal network or internet.
Transaction is processed - the request for credit card approval is sent from webserver to a HTTPS: URL that resolves through IP address 66.1.7.58.
The CC server processes the transaction - and replies to the URL specified in the request sent by my webserver - the reply-to address being 24.1.3.37.

Now, IF I leave the URL to return the reply to (24.1.3.7) out, the reply is displayed on the client computer display.  I need it to, however, be returned to the webserver - so it can be written to a database.  There is an .ASP file that will process the request when it is received.  Here is the REQUEST that I am sending to the CC APPROVAL Website:

https://webservices.company.com/billing/TransactionCompany/processCC.asp?merchantID=11111&Regkey=XXXXXXXXX&Amount=100.40&AccountNo=123467890123456&CCMonth=12&CCYear=2007&NameonAccount=MyName&AVSADDR=12345 gable woods Dr&AVSZIP=23456&refid=p100036&Cvv2=313&ccrurl=http://www.mywebsite.com/charge.ASP  <<<<--- this is the file that will take the response and insert the info into the database.

Diagrams:

From Client to CC APPROVAL WEBSITE:
CLIENT>>>>>REQUEST CC APPROVAL>>>>CC APPROVAL WEBSITE>>>>REPLY

From CC APPROVAL BACK TO WEBSERVER:
CC APPROVAL WEBSITE>>>>

Hope this helps...

Sean
LVL 5

Expert Comment

by:arvind
ID: 16340251
Sean,

please post the sh xlate output here

Author Comment

by:saladart
ID: 16363569
Sorry for the delay.  I've been out training...

Here is the sh xlate as requested.

PIXFIREWALL# sh xlate
69 in use, 497 most used
Global 24.1.3.36 Local 192.168.1.100
Global 192.168.1.62 Local 192.168.1.62
Global 192.168.1.51 Local 192.168.1.51
Global 24.1.3.37 Local 192.168.20.49
Global 192.168.1.74 Local 192.168.1.74
Global 192.168.1.82 Local 192.168.1.82
Global 192.168.1.3 Local 192.168.1.3
Global 192.168.1.98 Local 192.168.1.98
Global 192.168.1.90 Local 192.168.1.90
Global 192.168.1.50 Local 192.168.1.50
Global 192.168.1.40 Local 192.168.1.40
PAT Global 24.1.3.38(50052) Local 192.168.1.68(4458)
Global 192.168.1.83 Local 192.168.1.83
Global 192.168.1.99 Local 192.168.1.99
PAT Global 24.1.3.38(50048) Local 192.168.1.68(4454)
PAT Global 24.1.3.38(50049) Local 192.168.1.68(4455)
PAT Global 24.1.3.38(50050) Local 192.168.1.68(4456)
Global 192.168.1.75 Local 192.168.1.75
PAT Global 24.1.3.38(50051) Local 192.168.1.68(4457)
Global 192.168.1.67 Local 192.168.1.67
Global 192.168.1.93 Local 192.168.1.93
Global 192.168.1.101 Local 192.168.1.101
Global 192.168.1.77 Local 192.168.1.77
Global 192.168.1.84 Local 192.168.1.84
Global 192.168.1.92 Local 192.168.1.92
PAT Global 24.1.3.38(50044) Local 192.168.1.76(3958)
PAT Global 24.1.3.38(50045) Local 192.168.1.61(51361)
PAT Global 24.1.3.38(50046) Local 192.168.1.68(4452)
PAT Global 24.1.3.38(50047) Local 192.168.1.68(4453)
PAT Global 24.1.3.38(36711) Local 192.168.1.77(4039)
PAT Global 24.1.3.38(50004) Local 192.168.1.88(2858)
PAT Global 24.1.3.38(50000) Local 192.168.1.68(4426)
PAT Global 24.1.3.38(50001) Local 192.168.1.68(4427)
PAT Global 24.1.3.38(50010) Local 192.168.1.68(4433)
PAT Global 24.1.3.38(50011) Local 192.168.1.68(4434)
PAT Global 24.1.3.38(49990) Local 192.168.1.68(4421)
PAT Global 24.1.3.38(49984) Local 192.168.1.68(4415)
PAT Global 24.1.3.38(49985) Local 192.168.1.68(4416)
PAT Global 24.1.3.38(49986) Local 192.168.1.68(4417)
PAT Global 24.1.3.38(49994) Local 192.168.1.68(4425)
PAT Global 24.1.3.38(49972) Local 192.168.1.68(4403)
PAT Global 24.1.3.38(35637) Local 192.168.1.93(3491)
PAT Global 24.1.3.38(49973) Local 192.168.1.68(4404)
PAT Global 24.1.3.38(49974) Local 192.168.1.68(4405)
Global 192.168.1.103 Local 192.168.1.103
Global 192.168.1.95 Local 192.168.1.95
Global 192.168.1.79 Local 192.168.1.79
PAT Global 24.1.3.38(49980) Local 192.168.1.68(4412)
Global 192.168.1.71 Local 192.168.1.71
PAT Global 24.227.133.38(49982) Local 192.168.1.68(4413)
PAT Global 24.227.133.38(49979) Local 192.168.1.68(4410)
Global 192.168.1.57 Local 192.168.1.57
PAT Global 24.1.3.38(49192) Local 192.168.1.75(4514)
PAT Global 24.1.3.38(49940) Local 192.168.1.85(1341)
PAT Global 24.1.3.38(46357) Local 192.168.1.40(2634)
PAT Global 24.1.3.38(49941) Local 192.168.1.85(1342)
Global 192.168.1.209 Local 192.168.1.209
Global 192.168.1.64 Local 192.168.1.64
Global 192.168.1.88 Local 192.168.1.88
Global 192.168.1.96 Local 192.168.1.96
Global 192.168.1.80 Local 192.168.1.80
Global 192.168.1.43 Local 192.168.1.43
Global 24.1.3.35 Local 192.168.1.50
PAT Global 24.1.3.38(36615) Local 192.168.1.88(1119)
PAT Global 24.1.3.38(36611) Local 192.168.1.88(1106)
LVL 5

Expert Comment

by:arvind
ID: 16367621
I have a little confusion on the following statement:

static (dmz,outside) 24.1.3.37 192.168.20.49 dns netmask 255.255.255.255 0 0


Why did you put the DNS keyword in the static command?

Author Comment

by:saladart
ID: 16370194
It is something new with the PIX.  It is a documented command.

Sean