• Status: Solved

DMZ routing on PIX

I have a PIX 515e running v6.3(5).
I've recently turned up the DMZ interface and want to place a web server behind it.
I've set up the interfaces and created the proper rules but no one on the Internet can access the server.
This is the message that I get in the syslog server:

<166>Mar 28 2006 13:00:21: %PIX-6-106100: access-list acl_out permitted tcp outside/64.119.13.87(2681) -> DMZ/69.7.x.x(80) hit-cnt 1 (first hit)
<166>Mar 28 2006 13:00:21: %PIX-6-302013: Built inbound TCP connection 423 for outside:64.119.13.87/2681 (64.119.13.87/2681) to DMZ:192.168.10.3/80 (69.7.x.x/80)
<166>Mar 28 2006 13:00:21: %PIX-6-106015: Deny TCP (no connection) from 192.168.10.3/80 to 64.119.13.87/2681 flags SYN ACK  on interface inside
<166>Mar 28 2006 13:00:21: %PIX-6-110001: No route to 192.168.10.3 from 64.119.13.87

And here is my configuration (I've stripped out the irrelevant data):
----------------
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 207.243.xx.xx NISC_inbound
name 172.16.4.1 Brian_int
name 172.16.1.5 Positron_int
name 172.16.1.3 Proton_int
name 172.16.1.2 Electron_int
name 69.7.32.7 Positron_ext
name 69.7.32.6 Electron_ext
name 69.7.32.5 Proton_ext
name 172.16.1.9 iVUE_Server
name 192.168.10.2 Athos_DMZ
name 192.168.10.3 Porthos_DMZ
name 69.7.32.4 ebill_ext
name 172.16.8.0 FH
name 172.16.0.0 ES
name 69.7.xx.xx Public
object-group service TERMINAL_SERVICES tcp
  description Microsoft Terminal Services
  port-object eq 3389
object-group service Messenger_File_Transfer tcp
  port-object range 6891 6900
access-list compiled
access-list acl_out deny udp any eq netbios-ns any
access-list acl_out deny udp any eq netbios-dgm any
access-list acl_out deny tcp any eq netbios-ssn any
access-list acl_out permit tcp any any object-group Messenger_File_Transfer
access-list acl_out remark Outlook Web Access (for redirect)
access-list acl_out permit tcp any host Proton_ext eq www
access-list acl_out remark Outlook Web Access
access-list acl_out permit tcp any host Proton_ext eq https
access-list acl_out remark Inbound mail
access-list acl_out permit tcp any host Proton_ext eq smtp
access-list acl_out remark New web site
access-list acl_out permit tcp any host 69.7.32.9 eq www log
access-list acl_out remark Web Site
access-list acl_out permit tcp any host Electron_ext eq www
access-list acl_out remark E-Bill
access-list acl_out permit tcp any host ebill_ext eq https
access-list acl_out remark NISC secure telnet
access-list acl_out permit tcp host NISC_inbound host ebill_ext eq ssh
access-list acl_out remark NISC Term Svcs to Positron
access-list acl_out permit tcp host NISC_inbound host Positron_ext object-group TERMINAL_SERVICES
access-list inside_outbound_nat0_acl permit ip any ES 255.255.0.0
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any inside
ip address outside 69.7.xx.xx 255.255.255.240
ip address inside 172.16.0.2 255.255.248.0
ip address DMZ 192.168.10.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name Test attack action alarm drop reset
ip audit interface outside Test
ip audit interface inside Test
ip audit info action alarm drop
ip audit attack action alarm drop
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Proton_ext Proton_int netmask 255.255.255.255 0 0
static (inside,outside) Electron_ext Electron_int netmask 255.255.255.255 0 0
static (inside,outside) ebill_ext iVUE_Server netmask 255.255.255.255 0 0
static (inside,outside) Positron_ext Positron_int netmask 255.255.255.255 0 0
static (DMZ,outside) 69.7.xx.xx Porthos_DMZ netmask 255.255.255.255 0 0
access-group acl_out in interface outside
rip inside default version 2
route outside 0.0.0.0 0.0.0.0 69.7.xx.xx 1
route inside FH 255.255.248.0 172.16.0.7 1
: end
[OK]
----------------

I don't have a router in the DMZ and am hoping that this issue can be resolved without one.
Can anyone help?
0
Asked: Brian Longworth
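As an added example (not part of the original question), a short Python script that correlates the four syslog lines quoted above: it pairs the %PIX-6-302013 "Built" record with the later %PIX-6-106015 deny and flags that the server's SYN/ACK came back on a different interface (inside) from the one the connection was built towards (DMZ), which is the clue the thread spends most of its time on. The sample log is constructed from the quoted lines, with the masked 69.7.x.x address kept as-is.

```python
import re

# Constructed sample, modelled on the four syslog lines quoted in the question
# (the masked public address is kept as 69.7.x.x on purpose).
SAMPLE_LOG = """\
<166>Mar 28 2006 13:00:21: %PIX-6-106100: access-list acl_out permitted tcp outside/64.119.13.87(2681) -> DMZ/69.7.x.x(80) hit-cnt 1 (first hit)
<166>Mar 28 2006 13:00:21: %PIX-6-302013: Built inbound TCP connection 423 for outside:64.119.13.87/2681 (64.119.13.87/2681) to DMZ:192.168.10.3/80 (69.7.x.x/80)
<166>Mar 28 2006 13:00:21: %PIX-6-106015: Deny TCP (no connection) from 192.168.10.3/80 to 64.119.13.87/2681 flags SYN ACK  on interface inside
<166>Mar 28 2006 13:00:21: %PIX-6-110001: No route to 192.168.10.3 from 64.119.13.87
"""

BUILT_RE = re.compile(
    r"%PIX-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<conn>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[^/\s]+)/(?P<sport>\d+) \([^)]*\) "
    r"to (?P<dst_if>\w+):(?P<dst>[^/\s]+)/(?P<dport>\d+) \((?P<mapped>[^/\s]+)/\d+\)"
)
DENY_RE = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) from (?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dst>[^/\s]+)/(?P<dport>\d+) flags (?P<flags>.+?)\s+on interface (?P<iface>\w+)"
)
NOROUTE_RE = re.compile(r"%PIX-6-110001: No route to (?P<dst>\S+) from (?P<src>\S+)")


def analyse(log_text):
    """Return a list of findings (dicts), one per connection whose return
    traffic was seen on an interface other than the one the PIX built the
    connection towards. A SYN/ACK from the real server address arriving on
    'inside' for a connection built to 'DMZ' means the host's reply is not
    coming back through the DMZ interface at all."""
    built = {}      # (real_dst, dport, src, sport) -> (conn id, dst interface)
    findings = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            key = (m["dst"], m["dport"], m["src"], m["sport"])
            built[key] = (int(m["conn"]), m["dst_if"])
            continue
        m = DENY_RE.search(line)
        if m:
            # The reply is sourced from the real (untranslated) server address,
            # so match it against the "to" side of the Built message.
            key = (m["src"], m["sport"], m["dst"], m["dport"])
            if key in built:
                conn, expected_if = built[key]
                if m["iface"] != expected_if:
                    findings.append({
                        "conn": conn,
                        "expected_if": expected_if,
                        "seen_if": m["iface"],
                        "flags": m["flags"].strip(),
                        "server": m["src"],
                    })
            continue
        m = NOROUTE_RE.search(line)
        if m:
            # The 110001 follows the deny: annotate the finding for that server.
            for f in findings:
                if f["server"] == m["dst"]:
                    f["no_route"] = True
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"conn {f['conn']}: reply from {f['server']} ({f['flags']}) seen on "
              f"'{f['seen_if']}' but connection was built towards '{f['expected_if']}'")
```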
2 Solutions
 
Keith AlabasterEnterprise ArchitectCommented:
Maybe I cannot see the wood for the trees.....

I can see that static for the dmz,outside but not a permit statement, nor can I see an access-group applied to the DMZ interface. Sorry if it's there and I have just missed it
0
 
Brian LongworthSystem EngineerAuthor Commented:
If you can't see it, it may not be there. I don't know PIX as well as I wish I did and, therefore, do all the configuration through PDM. I thought that I set it up properly as I used the other interfaces as a template.

Regardless, I think the main issue may be the route issue as reported by syslog:
<166>Mar 28 2006 13:00:21: %PIX-6-110001: No route to 192.168.10.3 from 64.119.13.87
0
 
Keith AlabasterEnterprise ArchitectCommented:
Shouldn't really need a route as the interface is directly connected but...
route DMZ 192.168.10.0 255.255.255.0

is the web server trying to call something inside on your LAN?
access-list acl_out permit tcp any host 69.7.32.9 eq www log   Is this the permit line for the webserver in the DMZ?
If so,
static (DMZ,outside) 69.7.xx.xx Porthos_DMZ netmask 255.255.255.255 0 0 would then be the permit statement as per your listing.
As you are not filtering any outgoing traffic from the DMZ no access-group statement would be needed.

However, the error is being reported for interface inside. I would have expected the error to have been for interface DMZ or outside.
0
 
Brian LongworthSystem EngineerAuthor Commented:
Maybe it will help if you know what the address ranges are for each interface:
inside: 172.16.xx.xx
DMZ: 192.168.10.xx
outside: 69.7.xx.xx

The syslog clearly shows that it's able to pass traffic from outside to DMZ but can't pass traffic from DMZ to outside because of (what appears to be) a routing issue. There's no router on the DMZ subnet therefore, no gateway address.

This is what I can't figure out.
0
 
Keith AlabasterEnterprise ArchitectCommented:
As long as the boxes on the DMZ subnet are default-gateway'ed to the DMZ PIX address, nothing else should be needed as the PIX default route will deal with it. As the DMZ subnet is directly attached to the PIX, this should not need a route either. However, I do agree that that is how the log reads.

A clear xlate may be all that is needed Brian simply to reset the cache.

0
 
Keith AlabasterEnterprise ArchitectCommented:
PS. The only element that I cannot see is what is in your rip tables.

If you do a show ip rip, what do you see?
Also sh ip route
0
 
Brian LongworthSystem EngineerAuthor Commented:
PIX515# sh rip
rip inside default version 2

PIX515# sh route
        outside 0.0.0.0 0.0.0.0 69.7.32.1 1 OTHER static
        outside Public 255.255.255.240 69.7.32.3 1 CONNECT static
        inside ES 255.255.248.0 172.16.0.2 1 CONNECT static
        inside FH 255.255.248.0 172.16.0.7 1 OTHER static
        DMZ 192.168.10.0 255.255.255.0 192.168.10.1 1 CONNECT static
0
 
Keith AlabasterEnterprise ArchitectCommented:
Yes, so the route for the DMZ is already there.

So I wonder why the heck it thinks it has a better route to the 69 network through the inside interface.
Brian, on your internal devices, I assume these are running RIP also. Do you have any static routes set anywhere for the 69.x.y.z addresses? If so, these could be being passed via the rip statements and then being picked up by the PIX. The PIX will see the IP updates and be told that hey, I have a route to the 69 network and I learnt it through the inside interface.
0
 
Keith AlabasterEnterprise ArchitectCommented:
Try turning off the RIP in the PIX for a while so that the PIX uses its own routing. This might need a reboot.
If you don't feel comfortable doing this, disconnect the internal NIC at a suitable time and reboot the PIX. See if you can get to the web server now when the PIX has not learnt any routes from elsewhere.
0
 
Brian LongworthSystem EngineerAuthor Commented:
The internal routers use rip but the gateway of last resort on them is the internal interface of the PIX.
In retrospect, neither the routers nor the PIX really need to have RIP turned on since I have static routes set up
I don't have any static routes set up for the outside network.

I'll try your suggestions when I have a chance.
0
 
Keith AlabasterEnterprise ArchitectCommented:
OK :)
0
 
Brian LongworthSystem EngineerAuthor Commented:
I cleared xlate and turned off RIP but I still can't get to the server in the DMZ.
This is what syslog is showing now:

<166>Mar 29 2006 12:33:18: %PIX-6-106015: Deny TCP (no connection) from 192.168.10.3/80 to 64.119.13.87/4740 flags SYN ACK  on interface inside
<166>Mar 29 2006 12:33:18: %PIX-6-110001: No route to 192.168.10.3 from 64.119.13.87

(The 64.119 address is my external testing computer)

I don't know why it's denying the connection unless it's related to the routing issue. I do have a permit rule to allow traffic to the DMZ server on port 80.
0
 
Brian LongworthSystem EngineerAuthor Commented:
Would it be better for me to bite the bullet and upgrade the OS to v7.1?
0
 
Keith AlabasterEnterprise ArchitectCommented:
I knew this month had gone too well for me.

On the web server, does it have a log? Does it show the traffic arriving from the outside?
do a show access-list. Are there any hits against the www permit line for the DMZ targeted traffic?
0
 
Keith AlabasterEnterprise ArchitectCommented:
There is no need for what you are doing here. Yes, v7 has some good features but (no offence) you are doing nothing special. This is bread-and-butter stuff and 6.3 shouldn't be causing this issue at all. According to your config, you should get one access-list shown.

One other thing I just noticed: can you assign a NAT group to the DMZ interface please and retry.
0
 
Keith AlabasterEnterprise ArchitectCommented:
Sorry, hit the return key by accident. Was going to ask, can the webserver surf the web in its own right?
0
 
Brian LongworthSystem EngineerAuthor Commented:
PIX515# sh access-list
access-list compiled
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list acl_out turbo-configured; 12 elements
access-list acl_out line 11 remark New web site
access-list acl_out line 12 permit tcp any host 69.7.32.9 eq www log 6 interval 300 (hitcnt=5)
access-list inside_outbound_nat0_acl turbo-configured; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip any ES 255.255.0.0 (hitcnt=61)

(I've removed the data for the other rules)

The server doesn't show any hits from outside.
0
 
Brian LongworthSystem EngineerAuthor Commented:
I don't really understand your request, "assign a NAT group to the DMZ interface ".
Can you elaborate or instruct me how?

The web server cannot browse the web. When I connect the second NIC to the inside network, then I can.
0
 
Keith AlabasterEnterprise ArchitectCommented:
lol, I take it that the default gateway of the web server is pointing to the ip address of the pix dmz interface isn't it?
Sorry, I had to ask.....

global (11) outside interface
nat (DMZ) 11 0.0.0.0 0.0.0.0 0 0
0
 
Keith AlabasterEnterprise ArchitectCommented:
What that SHOULD do is tell the pix that any traffic originating from the DMZ interface should leave as if it had come from the outside interface of the PIX. Same as the Global/NAT lines do for the inside interface.

Really clutching at straws so I am going to call in some assistance.
0
 
Brian LongworthSystem EngineerAuthor Commented:
I'm about to leave for the day so I'll try this in the morning.

Thanks
0
 
Keith AlabasterEnterprise ArchitectCommented:
OK. I have escalated this one so hopefully you should have a response when you get it.

regards
keith
0
 
Keith AlabasterEnterprise ArchitectCommented:
I also assume your interface is not still shutdown either....
0
 
Brian LongworthSystem EngineerAuthor Commented:
I stopped at my office before I went home and yes, the server is pointed at the PIX DMZ interface for its GW.

I ran the commands that you recommended and they seem to solve anything. Now I have an error in PDM under translation rules that says "Pool 11 not found on any lower security interface."
0
 
Keith AlabasterEnterprise ArchitectCommented:
No problem. Just remove the ID 11 statements.
0
 
Brian LongworthSystem EngineerAuthor Commented:
ID 11 statements?
Such as the ones you suggested I put in?

"global (11) outside interface
nat (DMZ) 11 0.0.0.0 0.0.0.0 0 0"
0
 
Keith AlabasterEnterprise ArchitectCommented:
Yes; thanks for reminding me :(

I have escalated this call to the Page editor for firewalls asking him to take a look as obviously I am missing something.
0
 
Brian LongworthSystem EngineerAuthor Commented:
For your reference, here is the complete configuration with only the sensitive parts edited.
-----------------
PIX515# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password xxxx encrypted
passwd xxxx encrypted
hostname PIX515
domain-name xxxx
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 207.243.68.200 NISC_inbound
name 172.16.4.1 Brian_int
name 172.16.1.5 Positron_int
name 172.16.1.3 Proton_int
name 172.16.1.2 Electron_int
name 69.7.xx.xx Positron_ext
name 69.7.xx.xx Electron_ext
name 69.7.xx.xx Proton_ext
name 172.16.1.9 iVUE_Server
name 192.168.10.2 Athos_DMZ
name 192.168.10.3 Porthos_DMZ
name 69.7.xx.xx ebill_ext
name 172.16.8.0 FH
name 172.16.0.0 ES
name 69.7.xx.xx Public
object-group service TERMINAL_SERVICES tcp
  description Microsoft Terminal Services
  port-object eq 3389
object-group service Messenger_File_Transfer tcp
  port-object range 6891 6900
access-list compiled
access-list acl_out deny udp any eq netbios-ns any
access-list acl_out deny udp any eq netbios-dgm any
access-list acl_out deny tcp any eq netbios-ssn any
access-list acl_out permit tcp any any object-group Messenger_File_Transfer
access-list acl_out remark Outlook Web Access (for redirect)
access-list acl_out permit tcp any host Proton_ext eq www
access-list acl_out remark Outlook Web Access
access-list acl_out permit tcp any host Proton_ext eq https
access-list acl_out remark Inbound mail
access-list acl_out permit tcp any host Proton_ext eq smtp
access-list acl_out remark New web site
access-list acl_out permit tcp any host 69.7.xx.xx eq www log
access-list acl_out remark Web Site
access-list acl_out permit tcp any host Electron_ext eq www
access-list acl_out remark E-Bill
access-list acl_out permit tcp any host ebill_ext eq https
access-list acl_out remark NISC secure telnet
access-list acl_out permit tcp host NISC_inbound host ebill_ext eq ssh
access-list acl_out remark NISC Term Svcs to Positron
access-list acl_out permit tcp host NISC_inbound host Positron_ext object-group TERMINAL_SERVICES
access-list inside_outbound_nat0_acl permit ip any ES 255.255.0.0
no pager
logging on
logging timestamp
logging trap informational
logging host inside Brian_int
no logging message 405001
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 69.7.xx.xx 255.255.255.240
ip address inside 172.16.0.2 255.255.248.0
ip address DMZ 192.168.10.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name Test attack action alarm drop reset
ip audit interface outside Test
ip audit interface inside Test
ip audit info action alarm drop
ip audit attack action alarm drop
ip local pool PPTP_Pool 172.16.2.246-172.16.2.255
pdm location NISC_inbound 255.255.255.255 outside
pdm location ES 255.255.248.0 inside
pdm location Electron_int 255.255.255.255 inside
pdm location Proton_int 255.255.255.255 inside
pdm location Brian_int 255.255.255.255 inside
pdm location 0.0.0.0 255.255.248.0 inside
pdm location Positron_int 255.255.255.255 inside
pdm location FH 255.255.248.0 inside
pdm location ebill_ext 255.255.255.255 outside
pdm location Proton_ext 255.255.255.255 outside
pdm location Electron_ext 255.255.255.255 outside
pdm location Positron_ext 255.255.255.255 outside
pdm location iVUE_Server 255.255.255.255 inside
pdm location Athos_DMZ 255.255.255.255 DMZ
pdm location Porthos_DMZ 255.255.255.255 DMZ
pdm logging warnings 512
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (DMZ) 11 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 11 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Proton_ext Proton_int netmask 255.255.255.255 0 0
static (inside,outside) Electron_ext Electron_int netmask 255.255.255.255 0 0
static (inside,outside) ebill_ext iVUE_Server netmask 255.255.255.255 0 0
static (inside,outside) Positron_ext Positron_int netmask 255.255.255.255 0 0
static (DMZ,outside) 69.7.xx.xx Porthos_DMZ netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 69.7.xx.xx 1
route inside FH 255.255.248.0 172.16.0.7 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server 131.107.1.10 source outside prefer
http server enable
http ES 255.255.248.0 inside
http FH 255.255.248.0 inside
snmp-server location xxxx
snmp-server contact Brian S. Longworth
snmp-server community xxxx
no snmp-server enable traps
tftp-server inside Brian_int /pix_config
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet ES 255.255.248.0 inside
telnet FH 255.255.248.0 inside
telnet timeout 10
ssh timeout 5
management-access inside
console timeout 10
vpdn group PPTP_Group accept dialin pptp
vpdn group PPTP_Group ppp authentication pap
vpdn group PPTP_Group ppp authentication chap
vpdn group PPTP_Group ppp authentication mschap
vpdn group PPTP_Group ppp encryption mppe 128 required
vpdn group PPTP_Group client configuration address local PPTP_Pool
vpdn group PPTP_Group client configuration dns 172.16.1.14 172.16.1.8
vpdn group PPTP_Group client configuration wins 172.16.1.14 172.16.1.8
vpdn group PPTP_Group pptp echo 60
vpdn group PPTP_Group client authentication local
vpdn username Beth password *********
vpdn username Betty password *********
vpdn username Rick password *********
vpdn username Judi password *********
vpdn username BrianL password *********
vpdn enable outside
username orcaspower password xxxx encrypted privilege 15
terminal width 80
banner login ----------------------------------------------------------------------
banner login                         Authorized access only!
banner login        Disconnect IMMEDIATELY if you are not an authorized user
banner login ----------------------------------------------------------------------
Cryptochecksum:xxxx
: end
0
 
nodiscoCommented:
hi there

You may have an arp issue if there is an inside router at work - try the following on the pix:

clear arp
sysopt noproxyarp inside
sysopt noproxyarp dmz
no global (DMZ) 11 interface
no nat (DMZ) 11 0.0.0.0 0.0.0.0
clear xlate

Then try from your dmz webserver to access the internet - and try to access it from outside.
hope this helps
0
 
Keith AlabasterEnterprise ArchitectCommented:
Thanks nodisco.
Cheers
keith
0
 
Brian LongworthSystem EngineerAuthor Commented:
One of the two works:
I can now access the server pages from outside  (big thumbs up - thanks)

However, I cannot access the web FROM the server.
What do I need to do to allow the server to access ports 80 and 443 on the outside interface and port 53 (for DNS) on the inside interface?
0
 
Keith AlabasterEnterprise ArchitectCommented:
Brian, this is where the global and NAT pairs come in.
I'll let nodisco answer this one though, as I must have got the command wrong last time, although it is what I use and I have six interfaces on all of my 9 PIX boxes :(
0
 
nodiscoCommented:
Hi there

You *should* have internet connectivity from the webserver now as you are - minus dns of course.  A 1-1 static is natting your DMZ address out the outside with a public address.

See if you can go to http://68.142.226.33/
from the webserver - or configure a public dns server on the local connection of the webserver - i.e. 198.6.1.2

For a matching nat pool for other DMZ machines to go out the internet you would need the following:
nat (DMZ) 10 0.0.0.0 0.0.0.0
###Note that it matches the outside global nat id of 10###

For allowing the webserver in to your inside network to get access to dns:
static (DMZ, inside) 192.168.10.3 192.168.10.3 netmask 255.255.255.255
access-list DMZaccess_in permit udp 192.168.10.3 [ip address of dns server] eq 53
access-list DMZaccess_in permit tcp 192.168.10.3 [ip address of dns server] eq 53
access-group DMZaccess_in in interface DMZ

hope this helps


0
 
Brian LongworthSystem EngineerAuthor Commented:
I was wrong: I must have fat-fingered the address I was trying to test because I can indeed access the web from the DMZ server.

When I run this command:
"access-list DMZaccess_in permit udp 192.168.10.3 172.16.1.8 eq 53"

I get this error: "ERROR: Source address,mask <Porthos_DMZ,172.16.1.8> doesn't pair"

How can I fix this?

Once this issue is resolved there remains only one simple issue to take care of - I want to block all outbound traffic FROM the DMZ server except ports 80 and 443.
0
 
nodiscoCommented:
<<When I run this command:
"access-list DMZaccess_in permit udp 192.168.10.3 172.16.1.8 eq 53"

I get this error: "ERROR: Source address,mask <Porthos_DMZ,172.16.1.8> doesn't pair"

How can I fix this?
>>

Sorry - I neglected the host variable.  To allow the dmzserver access to the dns server and only www and 443 traffic out:

that should be:
access-list DMZaccess_in permit udp host 192.168.10.3 host 172.16.1.8 eq 53
access-list DMZaccess_in permit tcp host 192.168.10.3 host 172.16.1.8 eq 53
access-list DMZaccess_in permit tcp host 192.168.10.3 any eq www
access-list DMZaccess_in permit tcp host 192.168.10.3 any eq 443
access-group DMZaccess_in in interface DMZ


0
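An added example (not from the thread or from Cisco): a small Python parser for the ACE form used in the lines above that reproduces the PIX 6.3 "doesn't pair" check, showing why two bare addresses without the host keyword are read as address + mask and rejected. The NAMES table assumes only the two DMZ names the thread's config defines.

```python
import re
from ipaddress import IPv4Address

# Names defined on the PIX at the time (from the thread's 'names' block); the
# firewall echoes them back in error messages in place of the raw address.
NAMES = {"192.168.10.3": "Porthos_DMZ", "192.168.10.2": "Athos_DMZ"}

_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _addr(tokens, i, label, names):
    """Consume one address spec at tokens[i]: 'any', 'host A', or 'A MASK'.
    Returns (spec, next_index). Without 'host', two consecutive addresses are
    taken as address + mask, and the PIX rejects an address that has bits set
    outside its mask, which is exactly the error Brian hit."""
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1
    if tok == "host" and i + 1 < len(tokens):
        return ("host", tokens[i + 1]), i + 2
    if _IP.match(tok) and i + 1 < len(tokens) and _IP.match(tokens[i + 1]):
        addr, mask = int(IPv4Address(tok)), int(IPv4Address(tokens[i + 1]))
        if addr & mask != addr:
            raise ValueError(
                f"ERROR: {label} address,mask <{names.get(tok, tok)},"
                f"{names.get(tokens[i + 1], tokens[i + 1])}> doesn't pair")
        return ("net", tok, tokens[i + 1]), i + 2
    raise ValueError(f"bad {label} address near '{tok}'")


def parse_ace(line, names=NAMES):
    """Parse one PIX 6.3 access-list entry of the shape used in the thread:
      access-list NAME permit|deny PROTO SRC [eq PORT] DST [eq PORT] [log ...]
    Returns a dict, or raises ValueError with a PIX-style message."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not a permit/deny ACE: " + line)
    ace = {"name": t[1], "action": t[2], "proto": t[3],
           "sport": None, "dport": None, "log": False}
    ace["src"], i = _addr(t, 4, "Source", names)
    if i + 1 < len(t) and t[i] == "eq":          # optional source port
        ace["sport"], i = t[i + 1], i + 2
    ace["dst"], i = _addr(t, i, "Destination", names)
    if i + 1 < len(t) and t[i] == "eq":          # optional destination port
        ace["dport"], i = t[i + 1], i + 2
    if i < len(t) and t[i] == "log":
        ace["log"] = True                         # 'log 6 interval 300' etc. accepted as-is
        i = len(t)
    if i != len(t):
        raise ValueError("unexpected tokens: " + " ".join(t[i:]))
    return ace


def check_acl(lines):
    """Parse a list of ACEs the way a config push would: keep the good
    entries and collect the error text for the rejected ones."""
    parsed, errors = [], []
    for line in lines:
        try:
            parsed.append(parse_ace(line))
        except ValueError as e:
            errors.append(str(e))
    return parsed, errors


if __name__ == "__main__":
    _, errs = check_acl(["access-list DMZaccess_in permit udp 192.168.10.3 172.16.1.8 eq 53"])
    print(errs[0])
```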
 
Brian LongworthSystem EngineerAuthor Commented:
Can do a DNS lookup - get this error in the syslog:

<163>Mar 30 2006 15:19:23: %PIX-3-305005: No translation group found for udp src DMZ:Porthos_DMZ/1026 dst inside:172.16.1.8/53
0
 
nodiscoCommented:
Have you got this line in the config:
static (DMZ, inside) 192.168.10.3 192.168.10.3 netmask 255.255.255.255

You may also need to run a
clear xlate

hth
0
 
Brian LongworthSystem EngineerAuthor Commented:
I have that line already and I ran a clear xlate - no go, same error.
0
 
rsivanandanCommented:
Why do you still have the following in the config ?

 
global (DMZ) 11 interface
nat (DMZ) 11 0.0.0.0 0.0.0.0 0 0

remove 'em, your Webserver is statically mapped with an ip and it should serve it. It is going to be 2 way. So do a clear xlate after removing them and try it.

Cheers,
Rajesh
0
 
nodiscoCommented:
hi brian75

Can you post your current config and also the results of
sh xlate

We are most of the way there!
0
 
Brian LongworthSystem EngineerAuthor Commented:
Here you go
---------------------
PIX515# sh xlate
41 in use, 874 most used
PAT Global 69.7.32.3(52339) Local 172.16.12.7(1156)
PAT Global 69.7.32.3(52323) Local 172.16.1.6(4864)
Global ebill_ext Local iVUE_Server
PAT Global 69.7.32.3(115) Local 172.16.12.20(137)
PAT Global 69.7.32.3(52338) Local 172.16.12.7(1155)
PAT Global 69.7.32.3(52290) Local 172.16.1.6(4862)
PAT Global 69.7.32.3(46322) Local Brian_int(2548)
PAT Global 69.7.32.3(482) Local 172.16.0.7(123)
PAT Global 69.7.32.3(52337) Local 172.16.12.7(1154)
PAT Global 69.7.32.3(52305) Local 172.16.12.7(1123)
PAT Global 69.7.32.3(52336) Local 172.16.12.7(1152)
Global Electron_ext Local Electron_int
PAT Global 69.7.32.3(52327) Local 172.16.12.7(1140)
PAT Global 69.7.32.3(52311) Local 172.16.12.7(1127)
Global Porthos_DMZ Local Porthos_DMZ
PAT Global 69.7.32.3(2791) Local 172.16.2.7(37586)
PAT Global 69.7.32.3(52310) Local 172.16.12.7(1128)
PAT Global 69.7.32.3(52294) Local 172.16.1.6(4863)
PAT Global 69.7.32.3(52341) Local 172.16.1.6(4865)
PAT Global 69.7.32.3(52309) Local 172.16.12.7(1126)
PAT Global 69.7.32.3(52293) Local 172.16.12.7(1113)
PAT Global 69.7.32.3(52244) Local 172.16.4.169(1170)
PAT Global 69.7.32.3(52340) Local 172.16.12.7(1157)
PAT Global 69.7.32.3(52331) Local 172.16.12.7(1147)
PAT Global 69.7.32.3(52299) Local 172.16.12.7(1118)
PAT Global 69.7.32.3(3179) Local Dartagnan_int(1058)
PAT Global 69.7.32.3(52186) Local 172.16.12.11(1115)
PAT Global 69.7.32.3(52330) Local 172.16.12.7(1146)
PAT Global 69.7.32.3(52314) Local 172.16.12.7(1130)
PAT Global 69.7.32.3(52298) Local 172.16.12.7(1116)
PAT Global 69.7.32.3(52297) Local 172.16.12.7(1117)
PAT Global 69.7.32.3(52312) Local 172.16.12.7(1129)
Global Proton_ext Local Proton_int
PAT Global 69.7.32.3(52287) Local 172.16.1.6(4861)
PAT Global 69.7.32.3(52335) Local 172.16.12.7(1153)
PAT Global 69.7.32.3(52303) Local 172.16.12.7(1121)
PAT Global 69.7.32.3(52334) Local 172.16.12.7(1149)
PAT Global 69.7.32.3(52333) Local 172.16.12.7(1150)
PAT Global 69.7.32.3(52332) Local 172.16.12.7(1148)
PAT Global 69.7.32.3(52300) Local 172.16.12.7(1119)
PAT Global 69.7.32.3(3180) Local Andromeda_int(1045)
-----------------------
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
hostname PIX515
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 207.243.68.200 NISC_inbound
name 172.16.4.1 Brian_int
name 172.16.1.5 Positron_int
name 172.16.1.3 Proton_int
name 172.16.1.2 Electron_int
name 69.7.xx.xx Positron_ext
name 69.7.xx.xx Electron_ext
name 69.7.xx.xx Proton_ext
name 172.16.1.9 iVUE_Server
name 192.168.10.2 Athos_DMZ
name 192.168.10.3 Porthos_DMZ
name 69.7.xx.xx ebill_ext
name 172.16.8.0 FH
name 172.16.0.0 ES
name 69.7.xx.xx Public
name 172.16.1.8 Andromeda_int
name 172.16.1.14 Dartagnan_int
object-group service TERMINAL_SERVICES tcp
  description Microsoft Terminal Services
  port-object eq 3389
object-group service Messenger_File_Transfer tcp
  port-object range 6891 6900
object-group network Domain_Controllers
  network-object Andromeda_int 255.255.255.255
  network-object Dartagnan_int 255.255.255.255
access-list compiled
access-list acl_out deny udp any eq netbios-ns any
access-list acl_out deny udp any eq netbios-dgm any
access-list acl_out deny tcp any eq netbios-ssn any
access-list acl_out permit tcp any any object-group Messenger_File_Transfer
access-list acl_out remark Outlook Web Access (for redirect)
access-list acl_out permit tcp any host Proton_ext eq www
access-list acl_out remark Outlook Web Access
access-list acl_out permit tcp any host Proton_ext eq https
access-list acl_out remark Inbound mail
access-list acl_out permit tcp any host Proton_ext eq smtp
access-list acl_out remark New web site
access-list acl_out permit tcp any host 69.7.xx.xx eq www log
access-list acl_out remark Web Site
access-list acl_out permit tcp any host Electron_ext eq www
access-list acl_out remark E-Bill
access-list acl_out permit tcp any host ebill_ext eq https
access-list acl_out remark NISC secure telnet
access-list acl_out permit tcp host NISC_inbound host ebill_ext eq ssh
access-list acl_out remark NISC Term Svcs to Positron
access-list acl_out permit tcp host NISC_inbound host Positron_ext object-group TERMINAL_SERVICES
access-list inside_outbound_nat0_acl permit ip any ES 255.255.0.0
access-list DMZaccess_in permit udp host Porthos_DMZ host Andromeda_int eq domain
access-list DMZaccess_in permit tcp host Porthos_DMZ host Andromeda_int eq domain
access-list DMZaccess_in permit tcp host Porthos_DMZ any eq www
access-list DMZaccess_in permit tcp host Porthos_DMZ any eq https
no pager
logging on
logging timestamp
logging trap informational
logging host inside Brian_int
no logging message 405001
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 69.7.xx.xx 255.255.255.240
ip address inside 172.16.0.2 255.255.248.0
ip address DMZ 192.168.10.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name Test attack action alarm drop reset
ip audit interface outside Test
ip audit interface inside Test
ip audit info action alarm drop
ip audit attack action alarm drop
ip local pool PPTP_Pool 172.16.2.246-172.16.2.255
pdm location NISC_inbound 255.255.255.255 outside
pdm location ES 255.255.248.0 inside
pdm location Electron_int 255.255.255.255 inside
pdm location Proton_int 255.255.255.255 inside
pdm location Brian_int 255.255.255.255 inside
pdm location 0.0.0.0 255.255.248.0 inside
pdm location Positron_int 255.255.255.255 inside
pdm location FH 255.255.248.0 inside
pdm location ebill_ext 255.255.255.255 outside
pdm location Proton_ext 255.255.255.255 outside
pdm location Electron_ext 255.255.255.255 outside
pdm location Positron_ext 255.255.255.255 outside
pdm location iVUE_Server 255.255.255.255 inside
pdm location Athos_DMZ 255.255.255.255 DMZ
pdm location Porthos_DMZ 255.255.255.255 DMZ
pdm location Andromeda_int 255.255.255.255 inside
pdm location Dartagnan_int 255.255.255.255 inside
pdm group Domain_Controllers inside
pdm logging warnings 512
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Proton_ext Proton_int netmask 255.255.255.255 0 0
static (inside,outside) Electron_ext Electron_int netmask 255.255.255.255 0 0
static (inside,outside) ebill_ext iVUE_Server netmask 255.255.255.255 0 0
static (inside,outside) Positron_ext Positron_int netmask 255.255.255.255 0 0
static (DMZ,outside) 69.7.xx.xx Porthos_DMZ netmask 255.255.255.255 0 0
static (DMZ,inside) Porthos_DMZ Porthos_DMZ netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group DMZaccess_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 69.7.xx.xx 1
route inside FH 255.255.248.0 172.16.0.7 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server 131.107.1.10 source outside prefer
http server enable
http ES 255.255.248.0 inside
http FH 255.255.248.0 inside
tftp-server inside Brian_int /pix_config
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp inside
sysopt noproxyarp DMZ
telnet ES 255.255.248.0 inside
telnet FH 255.255.248.0 inside
telnet timeout 10
ssh timeout 5
management-access inside
console timeout 10
vpdn group PPTP_Group accept dialin pptp
vpdn group PPTP_Group ppp authentication pap
vpdn group PPTP_Group ppp authentication chap
vpdn group PPTP_Group ppp authentication mschap
vpdn group PPTP_Group ppp encryption mppe 128 required
vpdn group PPTP_Group client configuration address local PPTP_Pool
vpdn group PPTP_Group client configuration dns Dartagnan_int Andromeda_int
vpdn group PPTP_Group client configuration wins Dartagnan_int Andromeda_int
vpdn group PPTP_Group pptp echo 60
vpdn group PPTP_Group client authentication local
vpdn username Beth password *********
vpdn username Betty password *********
vpdn username Rick password *********
vpdn username Judi password *********
vpdn username BrianL password *********
vpdn enable outside
username orcaspower password encrypted privilege 15
terminal width 80
banner login ----------------------------------------------------------------------
banner login                         Authorized access only!
banner login        Disconnect IMMEDIATELY if you are not an authorized user
banner login ----------------------------------------------------------------------
: end
[OK]

nodisco commented:
Is internet connectivity still working from the webserver?
If so - what is not working - just DNS?

Just to see if the access-list is getting in the way here - can you create an access-list as follows:
access-list DMZaccess_in line 1 permit ip host Porthos_DMZ any

Then try again and when finished post the output of :
sh access-list DMZaccess_in

hth
Brian Longworth (System Engineer, Author) commented:
Internet still works - both directions; DNS does not.

PIX515# sh access-list DMZaccess_in
access-list DMZaccess_in turbo-configured; 5 elements
access-list DMZaccess_in line 1 permit ip host Porthos_DMZ any (hitcnt=24)
access-list DMZaccess_in line 2 permit udp host Porthos_DMZ host Andromeda_int eq domain (hitcnt=1083)
access-list DMZaccess_in line 3 permit tcp host Porthos_DMZ host Andromeda_int eq domain (hitcnt=0)
access-list DMZaccess_in line 4 permit tcp host Porthos_DMZ any eq www (hitcnt=3)
access-list DMZaccess_in line 5 permit tcp host Porthos_DMZ any eq https (hitcnt=0)
Brian Longworth (System Engineer, Author) commented:
PDM says that the DNS rules are a "null rule" and, if I open the rule in PDM then close it I get this message:

"No static Network Address Translation (NAT) rule is configured for the destination host or network on interface DMZ. Would you like to add a static NAT rule for the host or network now?"
nodisco commented:
Add the following to the config

global (DMZ) 10 interface

Brian Longworth (System Engineer, Author) commented:
Didn't work. Syslog shows:
<163>Mar 31 2006 09:56:02: %PIX-3-305005: No translation group found for udp src DMZ:Porthos_DMZ/1027 dst inside:Andromeda_int/53
PDM shows the same message as before
nodisco commented:
Think I found where the mistake is

no static (DMZ,inside) Porthos_DMZ Porthos_DMZ netmask 255.255.255.255 0 0
static (inside, DMZ) 172.16.1.8 172.16.1.8 netmask 255.255.255.255

You may need to run a clear xlate after it also


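The following is an added example, not code from the thread or from Cisco. It models the check behind the "%PIX-3-305005: No translation group found" message quoted above: for a flow from a lower-security interface (DMZ) to a higher-security one (inside), PIX 6.3 needs a static on the (inside,DMZ) pair that covers the destination host, which is exactly what the `static (inside, DMZ) 172.16.1.8 172.16.1.8` line supplies. The script parses the syslog line and a config excerpt, reports whether such a static exists, and prints the identity static that would cover the destination. The config excerpts are constructed from the thread's lines; mapping Andromeda_int to 172.16.1.8 is an assumption (the fix uses that address, but no `name` line for it appears on the page). Only the destination-side static check is modelled, not nat/global pairs or the conflicting (DMZ,inside) static.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt modelled on the thread's PIX 6.3 config ("before" state).
# Assumption: Andromeda_int is 172.16.1.8 (the address used in the fix).
CONFIG_BEFORE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
name 192.168.10.3 Porthos_DMZ
name 172.16.1.8 Andromeda_int
static (DMZ,inside) Porthos_DMZ Porthos_DMZ netmask 255.255.255.255 0 0
"""

# Same excerpt after applying the fix from the thread ("after" state).
CONFIG_AFTER = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
name 192.168.10.3 Porthos_DMZ
name 172.16.1.8 Andromeda_int
static (inside, DMZ) 172.16.1.8 172.16.1.8 netmask 255.255.255.255
"""

# The syslog line quoted in the thread (same message format).
SYSLOG_LINE = ("<163>Mar 31 2006 09:56:02: %PIX-3-305005: No translation group found "
               "for udp src DMZ:Porthos_DMZ/1027 dst inside:Andromeda_int/53")

MSG_305005 = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_ifc>\w+):(?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"dst (?P<dst_ifc>\w+):(?P<dst>[^/\s]+)/(?P<dport>\d+)")

# static (real_ifc,mapped_ifc) mapped_addr real_addr [netmask m] [max_conns [em_limit]]
STATIC = re.compile(r"static \((\w+),\s*(\w+)\)\s+(\S+)\s+(\S+)(?:\s+netmask\s+(\S+))?")


def parse_config(text):
    """Collect name aliases, interface security levels and static translations."""
    cfg = {"names": {}, "security": {}, "statics": []}
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "name":                      # name <ip> <alias>
            cfg["names"][f[2]] = f[1]
        elif f[0] == "nameif":                  # nameif <hw> <ifc> security<N>
            cfg["security"][f[2]] = int(f[3].replace("security", ""))
        elif f[0] == "static":
            real_ifc, mapped_ifc, mapped, real, mask = STATIC.match(line).groups()
            cfg["statics"].append((real_ifc, mapped_ifc, mapped, real,
                                   mask or "255.255.255.255"))
    return cfg


def resolve(cfg, host):
    """Turn a 'names' alias (or a literal address) into an IPv4Address."""
    return ip_address(cfg["names"].get(host, host))


def destination_statics(cfg, src_ifc, dst_ifc, dst):
    """Statics that make 'dst' (a host behind dst_ifc) reachable from src_ifc."""
    dst_ip = resolve(cfg, dst)
    hits = []
    for real_ifc, mapped_ifc, mapped, real, mask in cfg["statics"]:
        if real_ifc == dst_ifc and mapped_ifc == src_ifc:
            net = ip_network((str(resolve(cfg, mapped)), mask), strict=False)
            if dst_ip in net:
                hits.append(f"static ({real_ifc},{mapped_ifc}) {mapped} {real} netmask {mask}")
    return hits


def diagnose(cfg, syslog_line):
    """Explain a 305005 message in terms of the missing (or present) static."""
    m = MSG_305005.search(syslog_line)
    if not m:
        return "not a 305005 message"
    src_ifc, dst_ifc, dst = m["src_ifc"], m["dst_ifc"], m["dst"]
    sec = cfg["security"]
    if sec[src_ifc] >= sec[dst_ifc]:
        # Higher-to-lower traffic is governed by nat/global for the source instead.
        return f"{src_ifc}->{dst_ifc} is higher-to-lower: check nat/global for {m['src']}"
    hits = destination_statics(cfg, src_ifc, dst_ifc, dst)
    if hits:
        return "translation present: " + hits[0]
    ip = resolve(cfg, dst)
    return (f"no static ({dst_ifc},{src_ifc}) covers {dst} ({ip}); "
            f"add: static ({dst_ifc},{src_ifc}) {ip} {ip} netmask 255.255.255.255")


if __name__ == "__main__":
    print(diagnose(parse_config(CONFIG_BEFORE), SYSLOG_LINE))
    print(diagnose(parse_config(CONFIG_AFTER), SYSLOG_LINE))
```

Run against the "before" excerpt the script reports that no `static (inside,DMZ)` covers Andromeda_int and suggests the identity static; against the "after" excerpt it reports the translation as present. As in the thread, the PIX still has to be told to drop old entries (`clear xlate`) after the static is changed.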
Brian Longworth (System Engineer, Author) commented:
That was it! You're a genius.
Thank you very much for your help.
Keith Alabaster (Enterprise Architect) commented:
Thanks Nodisco; I owe you one.
nodisco commented:
Happy to help.

Keith put in a lot of time helping you on this and I think a points split would be fairer.  You can ask Community Support to reopen the question and split accordingly - up to you.

Glad you got it working!
Keith Alabaster (Enterprise Architect) commented:
It's no problem, nodisco.

I had to call for help, you answered the call, you got the points. Only right.
Regards
keith
Brian Longworth (System Engineer, Author) commented:
I did a split already. The question was 500 points - Keith got 200, nodisco got 300.
If either of you think the split was unfair, I'll be glad to have the question reopened and reapportion them.

Brian
Keith Alabaster (Enterprise Architect) commented:
:) I think then that you hit the wrong buttons, as you gave the points to nodisco and then split them between nodisco and nodisco lol.

I'm comfortable with the result as it is, as nodisco assisted you. If you really feel they should be amended, reply to this post, Brian, and I will make the change myself.

Best regards
Keith
Brian Longworth (System Engineer, Author) commented:
Please change the point allocation.

You both worked hard on my behalf and I appreciate it. I'd even give more points if it were possible.

Again, thank you both.

Brian
Keith Alabaster (Enterprise Architect) commented:
Thanks Brian.

Regards
Keith
nodisco commented:
Cheers to you both
Question has a verified solution.