Brian Longworth asked:

DMZ routing on PIX

I have a PIX 515e running v6.3(5).
I've recently turned up the DMZ interface and want to place a web server behind it.
I've set up the interfaces and created the proper rules but no one on the Internet can access the server.
This is the message that I get in the syslog server:

<166>Mar 28 2006 13:00:21: %PIX-6-106100: access-list acl_out permitted tcp outside/64.119.13.87(2681) -> DMZ/69.7.x.x(80) hit-cnt 1 (first hit)
<166>Mar 28 2006 13:00:21: %PIX-6-302013: Built inbound TCP connection 423 for outside:64.119.13.87/2681 (64.119.13.87/2681) to DMZ:192.168.10.3/80 (69.7.x.x/80)
<166>Mar 28 2006 13:00:21: %PIX-6-106015: Deny TCP (no connection) from 192.168.10.3/80 to 64.119.13.87/2681 flags SYN ACK  on interface inside
<166>Mar 28 2006 13:00:21: %PIX-6-110001: No route to 192.168.10.3 from 64.119.13.87

And here is my configuration (I've stripped out the irrelevant data):
----------------
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 207.243.xx.xx NISC_inbound
name 172.16.4.1 Brian_int
name 172.16.1.5 Positron_int
name 172.16.1.3 Proton_int
name 172.16.1.2 Electron_int
name 69.7.32.7 Positron_ext
name 69.7.32.6 Electron_ext
name 69.7.32.5 Proton_ext
name 172.16.1.9 iVUE_Server
name 192.168.10.2 Athos_DMZ
name 192.168.10.3 Porthos_DMZ
name 69.7.32.4 ebill_ext
name 172.16.8.0 FH
name 172.16.0.0 ES
name 69.7.xx.xx Public
object-group service TERMINAL_SERVICES tcp
  description Microsoft Terminal Services
  port-object eq 3389
object-group service Messenger_File_Transfer tcp
  port-object range 6891 6900
access-list compiled
access-list acl_out deny udp any eq netbios-ns any
access-list acl_out deny udp any eq netbios-dgm any
access-list acl_out deny tcp any eq netbios-ssn any
access-list acl_out permit tcp any any object-group Messenger_File_Transfer
access-list acl_out remark Outlook Web Access (for redirect)
access-list acl_out permit tcp any host Proton_ext eq www
access-list acl_out remark Outlook Web Access
access-list acl_out permit tcp any host Proton_ext eq https
access-list acl_out remark Inbound mail
access-list acl_out permit tcp any host Proton_ext eq smtp
access-list acl_out remark New web site
access-list acl_out permit tcp any host 69.7.32.9 eq www log
access-list acl_out remark Web Site
access-list acl_out permit tcp any host Electron_ext eq www
access-list acl_out remark E-Bill
access-list acl_out permit tcp any host ebill_ext eq https
access-list acl_out remark NISC secure telnet
access-list acl_out permit tcp host NISC_inbound host ebill_ext eq ssh
access-list acl_out remark NISC Term Svcs to Positron
access-list acl_out permit tcp host NISC_inbound host Positron_ext object-group TERMINAL_SERVICES
access-list inside_outbound_nat0_acl permit ip any ES 255.255.0.0
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any inside
ip address outside 69.7.xx.xx 255.255.255.240
ip address inside 172.16.0.2 255.255.248.0
ip address DMZ 192.168.10.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name Test attack action alarm drop reset
ip audit interface outside Test
ip audit interface inside Test
ip audit info action alarm drop
ip audit attack action alarm drop
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Proton_ext Proton_int netmask 255.255.255.255 0 0
static (inside,outside) Electron_ext Electron_int netmask 255.255.255.255 0 0
static (inside,outside) ebill_ext iVUE_Server netmask 255.255.255.255 0 0
static (inside,outside) Positron_ext Positron_int netmask 255.255.255.255 0 0
static (DMZ,outside) 69.7.xx.xx Porthos_DMZ netmask 255.255.255.255 0 0
access-group acl_out in interface outside
rip inside default version 2
route outside 0.0.0.0 0.0.0.0 69.7.xx.xx 1
route inside FH 255.255.248.0 172.16.0.7 1
: end
[OK]
----------------

I don't have a router in the DMZ and am hoping that this issue can be resolved without one.
Can anyone help?
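As an added illustration (not part of the original thread), the following Python parses the message types in the syslog excerpt above (106100, 302013, 106015, 110001) plus the 305005 "No translation group found" message that appears later in the thread, and correlates them: a connection built towards the DMZ whose SYN/ACK reply is then denied "on interface inside" is the asymmetric return path that the rest of the thread turns on. The sample lines are constructed to mirror the thread's output; documentation addresses (192.0.2.50 for the external test host, 203.0.113.9 for the public address that the static maps to the DMZ server) replace the masked ones.

```python
import re

# Constructed sample modelled on the thread's syslog output (not the original capture).
SAMPLE_LOG = """\
<166>Mar 28 2006 13:00:21: %PIX-6-106100: access-list acl_out permitted tcp outside/192.0.2.50(2681) -> DMZ/203.0.113.9(80) hit-cnt 1 (first hit)
<166>Mar 28 2006 13:00:21: %PIX-6-302013: Built inbound TCP connection 423 for outside:192.0.2.50/2681 (192.0.2.50/2681) to DMZ:192.168.10.3/80 (203.0.113.9/80)
<166>Mar 28 2006 13:00:21: %PIX-6-106015: Deny TCP (no connection) from 192.168.10.3/80 to 192.0.2.50/2681 flags SYN ACK  on interface inside
<166>Mar 28 2006 13:00:21: %PIX-6-110001: No route to 192.168.10.3 from 192.0.2.50
<163>Mar 30 2006 15:19:23: %PIX-3-305005: No translation group found for udp src DMZ:Porthos_DMZ/1026 dst inside:172.16.1.8/53
"""

HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
ADDR = r"[\w.]+"  # an IP, or a configured 'name' (the PIX substitutes names into syslog)
BODY_RE = {
    "106100": re.compile(
        rf"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
        rf"(?P<src_if>\w+)/(?P<src_ip>{ADDR})\((?P<src_port>\d+)\) -> "
        rf"(?P<dst_if>\w+)/(?P<dst_ip>{ADDR})\((?P<dst_port>\d+)\)"),
    "302013": re.compile(
        rf"Built (?P<dir>inbound|outbound) TCP connection (?P<conn>\d+) for "
        rf"(?P<src_if>\w+):(?P<src_ip>{ADDR})/(?P<src_port>\d+) \({ADDR}/\d+\) to "
        rf"(?P<dst_if>\w+):(?P<dst_ip>{ADDR})/(?P<dst_port>\d+) \((?P<map_ip>{ADDR})/(?P<map_port>\d+)\)"),
    "106015": re.compile(
        rf"Deny TCP \(no connection\) from (?P<src_ip>{ADDR})/(?P<src_port>\d+) to "
        rf"(?P<dst_ip>{ADDR})/(?P<dst_port>\d+) flags (?P<flags>.*?) +on interface (?P<iface>\w+)"),
    "110001": re.compile(rf"No route to (?P<dst_ip>{ADDR}) from (?P<src_ip>{ADDR})"),
    "305005": re.compile(
        rf"No translation group found for (?P<proto>\w+) src (?P<src_if>\w+):(?P<src_ip>{ADDR})/(?P<src_port>\d+) "
        rf"dst (?P<dst_if>\w+):(?P<dst_ip>{ADDR})/(?P<dst_port>\d+)"),
}


def parse_line(line):
    """Return a dict of fields for one syslog line, or None if it is not a PIX message."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"msgid": m["msgid"], "severity": int(m["sev"]), "ts": m["ts"]}
    body = BODY_RE.get(rec["msgid"])
    if body and (b := body.search(m["body"])):
        rec.update(b.groupdict())
    return rec


def analyze(log_text):
    """Correlate connection build-up with later denies and return a list of findings."""
    conns, findings = {}, []  # (server_ip, server_port, client_ip, client_port) -> server's interface
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        mid = rec["msgid"]
        if mid == "302013" and "dst_if" in rec:
            conns[(rec["dst_ip"], rec["dst_port"], rec["src_ip"], rec["src_port"])] = rec["dst_if"]
        elif mid == "106015" and "iface" in rec:
            # The SYN/ACK is the server's reply; it should arrive on the interface the connection
            # was built towards. Arriving on another interface means the return path is wrong.
            key = (rec["src_ip"], rec["src_port"], rec["dst_ip"], rec["dst_port"])
            expected = conns.get(key)
            if expected and expected != rec["iface"]:
                findings.append({"kind": "asymmetric-return-path", "host": rec["src_ip"],
                                 "expected_if": expected, "seen_if": rec["iface"], "ts": rec["ts"]})
        elif mid == "110001" and "dst_ip" in rec:
            findings.append({"kind": "no-route", "host": rec["dst_ip"], "ts": rec["ts"]})
        elif mid == "305005" and "src_if" in rec:
            # Traffic between two interfaces with no static/nat pair covering it.
            findings.append({"kind": "no-xlate", "src_if": rec["src_if"], "dst_if": rec["dst_if"],
                             "host": rec["src_ip"], "ts": rec["ts"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the thread's first excerpt this reports one asymmetric-return-path finding (server 192.168.10.3 expected on DMZ, reply seen on inside) followed by the no-route message; the later 305005 line becomes a no-xlate finding between DMZ and inside, which is what the static (DMZ,inside) discussion further down addresses.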
Keith Alabaster

Maybe I cannot see the wood for the trees...

I can see that static for the dmz,outside but not a permit statement, nor can I see an access-group applied to the DMZ interface. Sorry if it's there and I have just missed it.
Brian Longworth (asker)

If you can't see it, it may not be there. I don't know PIX as well as I wish I did and, therefore, do all the configuration through PDM. I thought that I set it up properly as I used the other interfaces as a template.

Regardless, I think the main issue may be the route issue as reported by syslog:
<166>Mar 28 2006 13:00:21: %PIX-6-110001: No route to 192.168.10.3 from 64.119.13.87
Shouldn't really need a route as the interface is directly connected but...
route DMZ 192.168.10.0 255.255.255.0

Is the web server trying to call something inside on your LAN?
access-list acl_out permit tcp any host 69.7.32.9 eq www log   Is this the permit line for the webserver in the DMZ?
If so,
static (DMZ,outside) 69.7.xx.xx Porthos_DMZ netmask 255.255.255.255 0 0 would then be the permit statement as per your listing.
As you are not filtering any outgoing traffic from the DMZ no access-group statement would be needed.

However, the error is being reported for interface inside. I would have expected the error to have been for interface DMZ or outside.
Maybe it will help if you know what the address ranges are for each interface:
inside: 172.16.xx.xx
DMZ: 192.168.10.xx
outside: 69.7.xx.xx

The syslog clearly shows that it's able to pass traffic from outside to DMZ but can't pass traffic from DMZ to outside because of (what appears to be) a routing issue. There's no router on the DMZ subnet therefore, no gateway address.

This is what I can't figure out.
As long as the boxes on the DMZ subnet are default-gateway'ed to the DMZ PIX address, nothing else should be needed as the PIX default route will deal with it. As the DMZ subnet is directly attached to the PIX, this should not need a route either. However, I do agree that that is how the log reads.

A clear xlate may be all that is needed Brian simply to reset the cache.

PS. The only element that I cannot see is what is in your RIP tables.

If you do a show ip rip, what do you see?
Also sh ip route
PIX515# sh rip
rip inside default version 2

PIX515# sh route
        outside 0.0.0.0 0.0.0.0 69.7.32.1 1 OTHER static
        outside Public 255.255.255.240 69.7.32.3 1 CONNECT static
        inside ES 255.255.248.0 172.16.0.2 1 CONNECT static
        inside FH 255.255.248.0 172.16.0.7 1 OTHER static
        DMZ 192.168.10.0 255.255.255.0 192.168.10.1 1 CONNECT static
Yes, so the route for the DMZ is already there.

So I wonder why the heck it thinks it has a better route to the 69 network through the inside interface.
Brian, on your internal devices, I assume these are running RIP also. Do you have any static routes set anywhere for the 69.x.y.z addresses? If so, these could be being passed via the RIP statements and then being picked up by the PIX. The PIX will see the RIP updates and be told that hey, I have a route to the 69 network and I learnt it through the inside interface.
Try turning off the RIP in the PIX for a while so that the PIX uses its own routing. This might need a reboot.
If you don't feel comfortable doing this, disconnect the internal NIC at a suitable time and reboot the PIX. See if you can get to the web server now when the PIX has not learnt any routes from elsewhere.
The internal routers use rip but the gateway of last resort on them is the internal interface of the PIX.
In retrospect, neither the routers nor the PIX really need to have RIP turned on since I have static routes set up
I don't have any static routes set up for the outside network.

I'll try your suggestions when I have a chance.
I cleared xlate and turned off RIP but I still can't get to the server in the DMZ.
This is what syslog is showing now:

<166>Mar 29 2006 12:33:18: %PIX-6-106015: Deny TCP (no connection) from 192.168.10.3/80 to 64.119.13.87/4740 flags SYN ACK  on interface inside
<166>Mar 29 2006 12:33:18: %PIX-6-110001: No route to 192.168.10.3 from 64.119.13.87

(The 64.119 address is my external testing computer)

I don't know why it's denying the connection unless it's related to the routing issue. I do have a permit rule to allow traffic to the DMZ server on port 80.
Would it be better for me to bite the bullet and upgrade the OS to v7.1?
I knew this month had gone too well for me.

On the web server, does it have a log? Does it show the traffic arriving from the outside?
Do a show access-list. Are there any hits against the www permit line for the DMZ targeted traffic?
There is no need for what you are doing here. Yes, v7 has some good features but (no offence) you are doing nothing special. This is bread-and-butter stuff and 6.3 shouldn't be causing this issue at all. According to your config, you should get one access-list shown.

One other thing I just noticed: can you assign a NAT group to the DMZ interface please and retry.
Sorry, hit the return key by accident. Was going to ask, can the webserver surf the web in its own right?
PIX515# sh access-list
access-list compiled
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list acl_out turbo-configured; 12 elements
access-list acl_out line 11 remark New web site
access-list acl_out line 12 permit tcp any host 69.7.32.9 eq www log 6 interval 300 (hitcnt=5)
access-list inside_outbound_nat0_acl turbo-configured; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip any ES 255.255.0.0 (hitcnt=61)

(I've removed the data for the other rules)

The server doesn't show any hits from outside.
I don't really understand your request, "assign a NAT group to the DMZ interface ".
Can you elaborate or instruct me how?

The web server cannot browse the web. When I connect the second NIC to the inside network, then I can.
lol, I take it that the default gateway of the web server is pointing to the IP address of the PIX DMZ interface, isn't it?
Sorry, I had to ask...

global (11) outside interface
nat (DMZ) 11 0.0.0.0 0.0.0.0 0 0
What that SHOULD do is tell the PIX that any traffic originating from the DMZ interface should leave as if it had come from the outside interface of the PIX. Same as the Global/NAT lines do for the inside interface.

Really clutching at straws so I am going to call in some assistance.
I'm about to leave for the day so I'll try this in the morning.

Thanks
OK. I have escalated this one so hopefully you should have a response when you get it.

regards
keith
I also assume your interface is not still shut down either...
I stopped at my office before I went home and yes, the server is pointed at the PIX DMZ interface for its GW.

I ran the commands that you recommended and they seem to solve anything. Now I have an error in PDM under translation rules that says "Pool 11 not found on any lower security interface."
No problem. Just remove the ID 11 statements.
ID 11 statements?
Such as the ones you suggested I put in?

"global (11) outside interface
nat (DMZ) 11 0.0.0.0 0.0.0.0 0 0"
SOLUTION (Keith Alabaster)
For your reference, here is the complete configuration with only the sensitive parts edited.
-----------------
PIX515# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password xxxx encrypted
passwd xxxx encrypted
hostname PIX515
domain-name xxxx
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 207.243.68.200 NISC_inbound
name 172.16.4.1 Brian_int
name 172.16.1.5 Positron_int
name 172.16.1.3 Proton_int
name 172.16.1.2 Electron_int
name 69.7.xx.xx Positron_ext
name 69.7.xx.xx Electron_ext
name 69.7.xx.xx Proton_ext
name 172.16.1.9 iVUE_Server
name 192.168.10.2 Athos_DMZ
name 192.168.10.3 Porthos_DMZ
name 69.7.xx.xx ebill_ext
name 172.16.8.0 FH
name 172.16.0.0 ES
name 69.7.xx.xx Public
object-group service TERMINAL_SERVICES tcp
  description Microsoft Terminal Services
  port-object eq 3389
object-group service Messenger_File_Transfer tcp
  port-object range 6891 6900
access-list compiled
access-list acl_out deny udp any eq netbios-ns any
access-list acl_out deny udp any eq netbios-dgm any
access-list acl_out deny tcp any eq netbios-ssn any
access-list acl_out permit tcp any any object-group Messenger_File_Transfer
access-list acl_out remark Outlook Web Access (for redirect)
access-list acl_out permit tcp any host Proton_ext eq www
access-list acl_out remark Outlook Web Access
access-list acl_out permit tcp any host Proton_ext eq https
access-list acl_out remark Inbound mail
access-list acl_out permit tcp any host Proton_ext eq smtp
access-list acl_out remark New web site
access-list acl_out permit tcp any host 69.7.xx.xx eq www log
access-list acl_out remark Web Site
access-list acl_out permit tcp any host Electron_ext eq www
access-list acl_out remark E-Bill
access-list acl_out permit tcp any host ebill_ext eq https
access-list acl_out remark NISC secure telnet
access-list acl_out permit tcp host NISC_inbound host ebill_ext eq ssh
access-list acl_out remark NISC Term Svcs to Positron
access-list acl_out permit tcp host NISC_inbound host Positron_ext object-group TERMINAL_SERVICES
access-list inside_outbound_nat0_acl permit ip any ES 255.255.0.0
no pager
logging on
logging timestamp
logging trap informational
logging host inside Brian_int
no logging message 405001
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 69.7.xx.xx 255.255.255.240
ip address inside 172.16.0.2 255.255.248.0
ip address DMZ 192.168.10.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name Test attack action alarm drop reset
ip audit interface outside Test
ip audit interface inside Test
ip audit info action alarm drop
ip audit attack action alarm drop
ip local pool PPTP_Pool 172.16.2.246-172.16.2.255
pdm location NISC_inbound 255.255.255.255 outside
pdm location ES 255.255.248.0 inside
pdm location Electron_int 255.255.255.255 inside
pdm location Proton_int 255.255.255.255 inside
pdm location Brian_int 255.255.255.255 inside
pdm location 0.0.0.0 255.255.248.0 inside
pdm location Positron_int 255.255.255.255 inside
pdm location FH 255.255.248.0 inside
pdm location ebill_ext 255.255.255.255 outside
pdm location Proton_ext 255.255.255.255 outside
pdm location Electron_ext 255.255.255.255 outside
pdm location Positron_ext 255.255.255.255 outside
pdm location iVUE_Server 255.255.255.255 inside
pdm location Athos_DMZ 255.255.255.255 DMZ
pdm location Porthos_DMZ 255.255.255.255 DMZ
pdm logging warnings 512
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (DMZ) 11 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 11 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Proton_ext Proton_int netmask 255.255.255.255 0 0
static (inside,outside) Electron_ext Electron_int netmask 255.255.255.255 0 0
static (inside,outside) ebill_ext iVUE_Server netmask 255.255.255.255 0 0
static (inside,outside) Positron_ext Positron_int netmask 255.255.255.255 0 0
static (DMZ,outside) 69.7.xx.xx Porthos_DMZ netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 69.7.xx.xx 1
route inside FH 255.255.248.0 172.16.0.7 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server 131.107.1.10 source outside prefer
http server enable
http ES 255.255.248.0 inside
http FH 255.255.248.0 inside
snmp-server location xxxx
snmp-server contact Brian S. Longworth
snmp-server community xxxx
no snmp-server enable traps
tftp-server inside Brian_int /pix_config
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet ES 255.255.248.0 inside
telnet FH 255.255.248.0 inside
telnet timeout 10
ssh timeout 5
management-access inside
console timeout 10
vpdn group PPTP_Group accept dialin pptp
vpdn group PPTP_Group ppp authentication pap
vpdn group PPTP_Group ppp authentication chap
vpdn group PPTP_Group ppp authentication mschap
vpdn group PPTP_Group ppp encryption mppe 128 required
vpdn group PPTP_Group client configuration address local PPTP_Pool
vpdn group PPTP_Group client configuration dns 172.16.1.14 172.16.1.8
vpdn group PPTP_Group client configuration wins 172.16.1.14 172.16.1.8
vpdn group PPTP_Group pptp echo 60
vpdn group PPTP_Group client authentication local
vpdn username Beth password *********
vpdn username Betty password *********
vpdn username Rick password *********
vpdn username Judi password *********
vpdn username BrianL password *********
vpdn enable outside
username orcaspower password xxxx encrypted privilege 15
terminal width 80
banner login ----------------------------------------------------------------------
banner login                         Authorized access only!
banner login        Disconnect IMMEDIATELY if you are not an authorized user
banner login ----------------------------------------------------------------------
Cryptochecksum:xxxx
: end
hi there

You may have an arp issue if there is an inside router at work - try the following on the pix:

clear arp
sysopt noproxyarp inside
sysopt noproxyarp dmz
no global (DMZ) 11 interface
no nat (DMZ) 11 0.0.0.0 0.0.0.0
clear xlate

Then try from your dmz webserver to access the internet - and try to access it from outside.
hope this helps
Thanks nodisco.
Cheers
keith
One of the two works:
I can now access the server pages from outside  (big thumbs up - thanks)

However, I cannot access the web FROM the server.
What do I need to do to allow the server to access ports 80 and 443 on the outside interface and port 53 (for DNS) on the inside interface?
Brian, this is where the global and NAT pairs come in.
I'll let nodisco answer this one though as I must have got the command wrong last time, although it is what I use and I have six interfaces on all of my 9 PIX boxes :(
Hi there

You *should* have internet connectivity from the webserver now as you are - minus dns of course.  A 1-1 static is natting your DMZ address out the outside with a public address.

See if you can go to http://68.142.226.33/
from the webserver - or configure a public dns server on the local connection of the webserver - i.e. 198.6.1.2

For a matching nat pool for other DMZ machines to go out the internet you would need the following:
nat (DMZ) 10 0.0.0.0 0.0.0.0
###Note that it matches the outside global nat id of 10###

For allowing the webserver in to your inside network to get access to dns:
static (DMZ, inside) 192.168.10.3 192.168.10.3 netmask 255.255.255.255
access-list DMZaccess_in permit udp 192.168.10.3 [ip address of dns server] eq 53
access-list DMZaccess_in permit tcp 192.168.10.3 [ip address of dns server] eq 53
access-group DMZaccess_in in interface DMZ

hope this helps


I was wrong: I must have fat-fingered the address I was trying to test because I can indeed access the web from the DMZ server.

When I run this command:
"access-list DMZaccess_in permit udp 192.168.10.3 172.16.1.8 eq 53"

I get this error: "ERROR: Source address,mask <Porthos_DMZ,172.16.1.8> doesn't pair"

How can I fix this?

Once this issue is resolved there remains only one simple issue to take care of - I want to block all outbound traffic FROM the DMZ server except ports 80 and 443.
<<When I run this command:
"access-list DMZaccess_in permit udp 192.168.10.3 172.16.1.8 eq 53"

I get this error: "ERROR: Source address,mask <Porthos_DMZ,172.16.1.8> doesn't pair"

How can I fix this?
>>

Sorry - I neglected the host variable. To allow the DMZ server access to the DNS server and only www and 443 traffic out:

that should be:
access-list DMZaccess_in permit udp host 192.168.10.3 host 172.16.1.8 eq 53
access-list DMZaccess_in permit tcp host 192.168.10.3 host 172.16.1.8 eq 53
access-list DMZaccess_in permit tcp host 192.168.10.3 any eq www
access-list DMZaccess_in permit tcp host 192.168.10.3 any eq 443
access-group DMZaccess_in in interface DMZ
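An added example, not from the thread or from Cisco: a small Python lint for a PIX 6.3 configuration that checks for the three mistakes this thread ran into, namely a nat id with no matching global on a lower-security interface (the PDM message "Pool 11 not found on any lower security interface"), an access-list address written without the host keyword so that the next address is read as a mask (the "doesn't pair" error), and a static whose mapped address is not permitted by the ACL applied inbound on the lower-security interface (Keith's first observation about the DMZ static). The configuration fragment is constructed from the thread's own lines; 203.0.113.x stands in for the public block the thread masks as 69.7.xx.xx.

```python
import ipaddress
import re

# Constructed PIX 6.3 fragment modelled on the thread (not the asker's real config).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
name 192.168.10.3 Porthos_DMZ
name 192.168.10.2 Athos_DMZ
name 172.16.1.8 Andromeda_int
access-list acl_out remark New web site
access-list acl_out permit tcp any host 203.0.113.9 eq www log
access-list DMZaccess_in permit udp 192.168.10.3 172.16.1.8 eq 53
access-list DMZaccess_in permit tcp host Porthos_DMZ any eq www
global (outside) 10 interface
global (DMZ) 11 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 11 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) 203.0.113.9 Porthos_DMZ netmask 255.255.255.255 0 0
static (DMZ,outside) 203.0.113.10 Athos_DMZ netmask 255.255.255.255 0 0
static (DMZ, inside) Porthos_DMZ Porthos_DMZ netmask 255.255.255.255
access-group acl_out in interface outside
access-group DMZaccess_in in interface DMZ
"""

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+)")
STATIC_RE = re.compile(r"^static \(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(\S+)\s+(\S+)")
PORT_OPS = {"eq": 2, "neq": 2, "lt": 2, "gt": 2, "range": 3, "object-group": 2}


def parse_config(text):
    """Pull out the statements the checks need; everything else is ignored."""
    cfg = {"sec": {}, "names": {}, "acl": {}, "global": [], "nat": [], "static": [], "group": {}}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "nameif":                      # interface -> security level
            cfg["sec"][t[2]] = int(t[3].replace("security", ""))
        elif t[0] == "name":                      # symbolic name -> address
            cfg["names"][t[2]] = t[1]
        elif t[0] == "access-list" and len(t) > 3 and t[2] in ("permit", "deny"):
            cfg["acl"].setdefault(t[1], []).append((t[2], t[3:], raw))
        elif m := GLOBAL_RE.match(raw):
            cfg["global"].append(m.groups())      # (interface, id)
        elif m := NAT_RE.match(raw):
            cfg["nat"].append(m.groups())         # (interface, id)
        elif m := STATIC_RE.match(raw):
            cfg["static"].append(m.groups())      # (real_if, mapped_if, mapped_addr, real_addr)
        elif t[0] == "access-group":
            cfg["group"][t[4]] = t[1]             # interface -> ACL applied inbound on it
    return cfg


def parse_addr(tokens, i, names):
    """Consume one address spec: any | host X | X MASK. Raises ValueError when X MASK does not pair."""
    if i >= len(tokens):
        raise ValueError("missing address")
    if tokens[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    if i + 1 >= len(tokens):
        raise ValueError(f"'{tokens[i]}' has no address/mask after it")
    if tokens[i] == "host":
        return (names.get(tokens[i + 1], tokens[i + 1]), "255.255.255.255"), i + 2
    addr, mask = (names.get(x, x) for x in tokens[i:i + 2])
    ipaddress.ip_network(f"{addr}/{mask}", strict=False)  # NetmaskValueError if mask is not a netmask
    return (addr, mask), i + 2


def skip_port(tokens, i):
    return i + PORT_OPS[tokens[i]] if i < len(tokens) and tokens[i] in PORT_OPS else i


def parse_ace(tokens, names):
    """tokens = everything after permit/deny: proto src [port] dst [port]."""
    src, i = parse_addr(tokens, 1, names)
    dst, i = parse_addr(tokens, skip_port(tokens, i), names)
    return {"proto": tokens[0], "src": src, "dst": dst}


def covers(spec, ip):
    """True when the (addr, mask) spec contains the host ip."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{spec[0]}/{spec[1]}", strict=False)


def audit(text):
    cfg, out = parse_config(text), []
    sec, names = cfg["sec"], cfg["names"]
    # 1. A non-zero nat id needs a global with the same id on a LOWER-security interface.
    for nat_if, nid in cfg["nat"]:
        if nid != "0" and not any(gid == nid and sec[gif] < sec[nat_if] for gif, gid in cfg["global"]):
            out.append({"check": "nat-without-lower-global", "detail": f"nat ({nat_if}) {nid}"})
    # 2. Address specs in ACEs must be 'any', 'host X' or 'X <netmask>'.
    aces = {}
    for name, entries in cfg["acl"].items():
        for action, tokens, raw in entries:
            try:
                aces.setdefault(name, []).append((action, parse_ace(tokens, names)))
            except ValueError as e:
                out.append({"check": "acl-address-mask", "detail": f"{raw}: {e}"})
    # 3. A static whose mapped interface is lower-security is reachable only if the ACL applied
    #    inbound on that interface permits traffic to the mapped address.
    for real_if, mapped_if, mapped, real in cfg["static"]:
        if sec[mapped_if] >= sec[real_if]:
            continue  # higher-to-lower direction is allowed without an ACL
        mapped_ip = names.get(mapped, mapped)
        acl = aces.get(cfg["group"].get(mapped_if), [])
        if not any(a == "permit" and covers(ace["dst"], mapped_ip) for a, ace in acl):
            out.append({"check": "static-without-permit",
                        "detail": f"{mapped_ip} on {mapped_if} (real {names.get(real, real)})"})
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding["check"], "-", finding["detail"])
```

On the constructed fragment this reports nat (DMZ) 11 (its only global is on the DMZ itself, not a lower-security interface), the udp line whose "mask" 172.16.1.8 is not a netmask, and the second static (203.0.113.10) that acl_out never permits. Object-group network specs are not handled; this is a pre-flight on a saved config, not a substitute for show access-list hit counts.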


Can do a DNS lookup - get this error in the syslog:

<163>Mar 30 2006 15:19:23: %PIX-3-305005: No translation group found for udp src DMZ:Porthos_DMZ/1026 dst inside:172.16.1.8/53
Have you got this line in the config:
static (DMZ, inside) 192.168.10.3 192.168.10.3 netmask 255.255.255.255

You may also need to run a
clear xlate

hth
I have that line already and I ran a clear xlate - no go, same error.
Why do you still have the following in the config?

global (DMZ) 11 interface
nat (DMZ) 11 0.0.0.0 0.0.0.0 0 0

Remove 'em; your web server is statically mapped with an IP and it should serve it. It is going to be 2-way. So do a clear xlate after removing them and try it.

Cheers,
Rajesh
hi brian75

Can you post your current config and also the results of
sh xlate

We are most of the way there!
Here you go
---------------------
PIX515# sh xlate
41 in use, 874 most used
PAT Global 69.7.32.3(52339) Local 172.16.12.7(1156)
PAT Global 69.7.32.3(52323) Local 172.16.1.6(4864)
Global ebill_ext Local iVUE_Server
PAT Global 69.7.32.3(115) Local 172.16.12.20(137)
PAT Global 69.7.32.3(52338) Local 172.16.12.7(1155)
PAT Global 69.7.32.3(52290) Local 172.16.1.6(4862)
PAT Global 69.7.32.3(46322) Local Brian_int(2548)
PAT Global 69.7.32.3(482) Local 172.16.0.7(123)
PAT Global 69.7.32.3(52337) Local 172.16.12.7(1154)
PAT Global 69.7.32.3(52305) Local 172.16.12.7(1123)
PAT Global 69.7.32.3(52336) Local 172.16.12.7(1152)
Global Electron_ext Local Electron_int
PAT Global 69.7.32.3(52327) Local 172.16.12.7(1140)
PAT Global 69.7.32.3(52311) Local 172.16.12.7(1127)
Global Porthos_DMZ Local Porthos_DMZ
PAT Global 69.7.32.3(2791) Local 172.16.2.7(37586)
PAT Global 69.7.32.3(52310) Local 172.16.12.7(1128)
PAT Global 69.7.32.3(52294) Local 172.16.1.6(4863)
PAT Global 69.7.32.3(52341) Local 172.16.1.6(4865)
PAT Global 69.7.32.3(52309) Local 172.16.12.7(1126)
PAT Global 69.7.32.3(52293) Local 172.16.12.7(1113)
PAT Global 69.7.32.3(52244) Local 172.16.4.169(1170)
PAT Global 69.7.32.3(52340) Local 172.16.12.7(1157)
PAT Global 69.7.32.3(52331) Local 172.16.12.7(1147)
PAT Global 69.7.32.3(52299) Local 172.16.12.7(1118)
PAT Global 69.7.32.3(3179) Local Dartagnan_int(1058)
PAT Global 69.7.32.3(52186) Local 172.16.12.11(1115)
PAT Global 69.7.32.3(52330) Local 172.16.12.7(1146)
PAT Global 69.7.32.3(52314) Local 172.16.12.7(1130)
PAT Global 69.7.32.3(52298) Local 172.16.12.7(1116)
PAT Global 69.7.32.3(52297) Local 172.16.12.7(1117)
PAT Global 69.7.32.3(52312) Local 172.16.12.7(1129)
Global Proton_ext Local Proton_int
PAT Global 69.7.32.3(52287) Local 172.16.1.6(4861)
PAT Global 69.7.32.3(52335) Local 172.16.12.7(1153)
PAT Global 69.7.32.3(52303) Local 172.16.12.7(1121)
PAT Global 69.7.32.3(52334) Local 172.16.12.7(1149)
PAT Global 69.7.32.3(52333) Local 172.16.12.7(1150)
PAT Global 69.7.32.3(52332) Local 172.16.12.7(1148)
PAT Global 69.7.32.3(52300) Local 172.16.12.7(1119)
PAT Global 69.7.32.3(3180) Local Andromeda_int(1045)
-----------------------
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
hostname PIX515
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 207.243.68.200 NISC_inbound
name 172.16.4.1 Brian_int
name 172.16.1.5 Positron_int
name 172.16.1.3 Proton_int
name 172.16.1.2 Electron_int
name 69.7.xx.xx Positron_ext
name 69.7.xx.xx Electron_ext
name 69.7.xx.xx Proton_ext
name 172.16.1.9 iVUE_Server
name 192.168.10.2 Athos_DMZ
name 192.168.10.3 Porthos_DMZ
name 69.7.xx.xx ebill_ext
name 172.16.8.0 FH
name 172.16.0.0 ES
name 69.7.xx.xx Public
name 172.16.1.8 Andromeda_int
name 172.16.1.14 Dartagnan_int
object-group service TERMINAL_SERVICES tcp
  description Microsoft Terminal Services
  port-object eq 3389
object-group service Messenger_File_Transfer tcp
  port-object range 6891 6900
object-group network Domain_Controllers
  network-object Andromeda_int 255.255.255.255
  network-object Dartagnan_int 255.255.255.255
access-list compiled
access-list acl_out deny udp any eq netbios-ns any
access-list acl_out deny udp any eq netbios-dgm any
access-list acl_out deny tcp any eq netbios-ssn any
access-list acl_out permit tcp any any object-group Messenger_File_Transfer
access-list acl_out remark Outlook Web Access (for redirect)
access-list acl_out permit tcp any host Proton_ext eq www
access-list acl_out remark Outlook Web Access
access-list acl_out permit tcp any host Proton_ext eq https
access-list acl_out remark Inbound mail
access-list acl_out permit tcp any host Proton_ext eq smtp
access-list acl_out remark New web site
access-list acl_out permit tcp any host 69.7.xx.xx eq www log
access-list acl_out remark Web Site
access-list acl_out permit tcp any host Electron_ext eq www
access-list acl_out remark E-Bill
access-list acl_out permit tcp any host ebill_ext eq https
access-list acl_out remark NISC secure telnet
access-list acl_out permit tcp host NISC_inbound host ebill_ext eq ssh
access-list acl_out remark NISC Term Svcs to Positron
access-list acl_out permit tcp host NISC_inbound host Positron_ext object-group TERMINAL_SERVICES
access-list inside_outbound_nat0_acl permit ip any ES 255.255.0.0
access-list DMZaccess_in permit udp host Porthos_DMZ host Andromeda_int eq domain
access-list DMZaccess_in permit tcp host Porthos_DMZ host Andromeda_int eq domain
access-list DMZaccess_in permit tcp host Porthos_DMZ any eq www
access-list DMZaccess_in permit tcp host Porthos_DMZ any eq https
no pager
logging on
logging timestamp
logging trap informational
logging host inside Brian_int
no logging message 405001
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 69.7.xx.xx 255.255.255.240
ip address inside 172.16.0.2 255.255.248.0
ip address DMZ 192.168.10.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name Test attack action alarm drop reset
ip audit interface outside Test
ip audit interface inside Test
ip audit info action alarm drop
ip audit attack action alarm drop
ip local pool PPTP_Pool 172.16.2.246-172.16.2.255
pdm location NISC_inbound 255.255.255.255 outside
pdm location ES 255.255.248.0 inside
pdm location Electron_int 255.255.255.255 inside
pdm location Proton_int 255.255.255.255 inside
pdm location Brian_int 255.255.255.255 inside
pdm location 0.0.0.0 255.255.248.0 inside
pdm location Positron_int 255.255.255.255 inside
pdm location FH 255.255.248.0 inside
pdm location ebill_ext 255.255.255.255 outside
pdm location Proton_ext 255.255.255.255 outside
pdm location Electron_ext 255.255.255.255 outside
pdm location Positron_ext 255.255.255.255 outside
pdm location iVUE_Server 255.255.255.255 inside
pdm location Athos_DMZ 255.255.255.255 DMZ
pdm location Porthos_DMZ 255.255.255.255 DMZ
pdm location Andromeda_int 255.255.255.255 inside
pdm location Dartagnan_int 255.255.255.255 inside
pdm group Domain_Controllers inside
pdm logging warnings 512
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Proton_ext Proton_int netmask 255.255.255.255 0 0
static (inside,outside) Electron_ext Electron_int netmask 255.255.255.255 0 0
static (inside,outside) ebill_ext iVUE_Server netmask 255.255.255.255 0 0
static (inside,outside) Positron_ext Positron_int netmask 255.255.255.255 0 0
static (DMZ,outside) 69.7.xx.xx Porthos_DMZ netmask 255.255.255.255 0 0
static (DMZ,inside) Porthos_DMZ Porthos_DMZ netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group DMZaccess_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 69.7.xx.xx 1
route inside FH 255.255.248.0 172.16.0.7 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server 131.107.1.10 source outside prefer
http server enable
http ES 255.255.248.0 inside
http FH 255.255.248.0 inside
tftp-server inside Brian_int /pix_config
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp inside
sysopt noproxyarp DMZ
telnet ES 255.255.248.0 inside
telnet FH 255.255.248.0 inside
telnet timeout 10
ssh timeout 5
management-access inside
console timeout 10
vpdn group PPTP_Group accept dialin pptp
vpdn group PPTP_Group ppp authentication pap
vpdn group PPTP_Group ppp authentication chap
vpdn group PPTP_Group ppp authentication mschap
vpdn group PPTP_Group ppp encryption mppe 128 required
vpdn group PPTP_Group client configuration address local PPTP_Pool
vpdn group PPTP_Group client configuration dns Dartagnan_int Andromeda_int
vpdn group PPTP_Group client configuration wins Dartagnan_int Andromeda_int
vpdn group PPTP_Group pptp echo 60
vpdn group PPTP_Group client authentication local
vpdn username Beth password *********
vpdn username Betty password *********
vpdn username Rick password *********
vpdn username Judi password *********
vpdn username BrianL password *********
vpdn enable outside
username orcaspower password encrypted privilege 15
terminal width 80
banner login ----------------------------------------------------------------------
banner login                         Authorized access only!
banner login        Disconnect IMMEDIATELY if you are not an authorized user
banner login ----------------------------------------------------------------------
: end
[OK]

Is internet connectivity still working from the webserver?
If so - what is not working - just DNS?

Just to see if the access-list is getting in the way here - can you create an access-list as follows:
access-list DMZaccess_in line 1 permit ip host Porthos_DMZ any

Then try again and when finished post the output of :
sh access-list DMZaccess_in

hth
Internet still works - both directions; DNS does not.

PIX515# sh access-list DMZaccess_in
access-list DMZaccess_in turbo-configured; 5 elements
access-list DMZaccess_in line 1 permit ip host Porthos_DMZ any (hitcnt=24)
access-list DMZaccess_in line 2 permit udp host Porthos_DMZ host Andromeda_int eq domain (hitcnt=1083)
access-list DMZaccess_in line 3 permit tcp host Porthos_DMZ host Andromeda_int eq domain (hitcnt=0)
access-list DMZaccess_in line 4 permit tcp host Porthos_DMZ any eq www (hitcnt=3)
access-list DMZaccess_in line 5 permit tcp host Porthos_DMZ any eq https (hitcnt=0)
PDM says that the DNS rules are a "null rule" and, if I open the rule in PDM then close it I get this message:

"No static Network Address Translation (NAT) rule is configured for the destination host or network on interface DMZ. Would you like to add a static NAT rule for the host or network now?"
Add the following to the config

global (DMZ) 10 interface

Didn't work. Syslog shows:
<163>Mar 31 2006 09:56:02: %PIX-3-305005: No translation group found for udp src DMZ:Porthos_DMZ/1027 dst inside:Andromeda_int/53
PDM shows the same message as before
ASKER CERTIFIED SOLUTION
That was it! You're a genius.
Thank you very much for your help.
Thanks Nodisco; I owe you one.
Happy to help.

Keith put in a lot of time helping you on this and I think a points split would be fairer. You can ask Community Support to reopen the question and split accordingly - up to you.

Glad you got working!
It's no problem nodisco.

I had to call for help, you answered the call, you got the points. Only right.
Regards
keith
I did a split already. The question was 500 points  - Keith got 200, nodisco got 300.
If either of you think the split was unfair, I'll be glad to have the question reopened and reapportion them.

Brian
:)  I think then that you hit the wrong buttons as you gave the points to nodisco and then split them between nodisco and nodisco lol .

I'm comfortable with the result as it is as Nodisco assisted you. If you really feel they should be amended, reply to this post Brian and i will make the change myself.

Best regards
Keith
Please change the point allocation.

You both worked hard on my behalf and I appreciate it. I'd even give more points if it were possible.

Again, thank you both.

Brian
Thanks Brian.

Regards
Keith
Cheers to you both