• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 539
  • Last Modified:

Cisco PIX Config

I have a Cisco router with two Ethernet interfaces: one is 192.168.67.254 and the other is 10.0.1.1. Now my problem is this: I am able to get to my DMZ at 172.16.1.x when I am on the 192.168.67.0 segment, but not when I am on the 10.0.1 segment. I have added this line to my PIX box:

access-list no-nat permit ip 10.0.0.0 255.255.0.0

Now when I do a port scan I can see two devices, but I am unable to see my webmail IP of 172.16.1.10.
Asked by: sharthun
1 Solution
 
jjoseph_x commented:
It might help if you post your scrubbed PIX configuration.
rsivanandan commented:
Post your configuration please.

Cheers,
Rajesh
sharthun (Author) commented:
I made a couple of typos in my original problem description. The IP 192.168.67.254 should have been 165.154.67.254, and 192.168.67.0 should have said 165.154.67.0. Anyhow, here is my PIX config.

User Access Verification

Password:
Type help or '?' for a list of available commands.
transfreight1> en
Password: *******
transfreight1# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password EQmbi8jWTG5itKsV encrypted
passwd Zz8jJsmACnsNkGl5 encrypted
hostname transfreight1
domain-name transfreight.com
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.1.2 dmz
name 165.154.67.27 private
name 172.16.1.3 int-www
name 165.154.67.3 int-dbsvr
name 172.16.1.4 dmz-dbsvr
name 172.16.1.1 pub-inside
name 172.16.1.5 dmz-syslog
name 165.154.67.10 int-lotus
name 172.16.1.6 dmz-lotus
name 172.16.1.10 int-domino
name 165.154.67.13 int-syslog
name 172.16.1.15 dmz-term
name 172.16.1.7 dmz-lotus2
name 165.154.67.32 int-lotus2
name 172.16.1.25 int-www2
name 172.16.1.24 int-www1
access-list acl_out permit udp host int-www host dmz-dbsvr range 5162 5163
access-list acl_out permit tcp host int-www host dmz-dbsvr range 3056 3065
access-list acl_out permit tcp host int-www host dmz-dbsvr range 3202 3502
access-list acl_out permit tcp host int-www host dmz-dbsvr eq 20931
access-list acl_out permit udp host int-www host dmz-dbsvr eq sunrpc
access-list acl_out permit tcp host int-www host dmz-dbsvr eq sunrpc
access-list acl_out permit tcp host int-www host dmz-dbsvr eq 2049
access-list acl_out permit udp host int-www host dmz-dbsvr eq 2049
access-list acl_out permit udp host pub-inside host dmz-syslog eq syslog
access-list acl_out permit tcp host 172.16.1.14 host 172.16.1.11
access-list acl_out permit udp host 172.16.1.14 host 172.16.1.11
access-list acl_out permit udp host 172.16.1.11 host 172.16.1.14 eq netbios-ns
access-list acl_out permit tcp host 172.16.1.11 host 172.16.1.14 eq netbios-ssn
access-list acl_out permit icmp any any
access-list acl_out permit tcp host 172.16.1.17 host 172.16.1.11
access-list acl_out permit udp host 172.16.1.17 host 172.16.1.11
access-list acl_out permit udp host 172.16.1.11 host 172.16.1.17 eq netbios-ns
access-list acl_out permit udp host 172.16.1.11 host 172.16.1.17 eq netbios-dgm
access-list acl_out permit tcp host 172.16.1.11 host 172.16.1.17 eq netbios-ssn
access-list acl_out permit udp host int-www2 host dmz-dbsvr range 5162 5163
access-list acl_out permit tcp host int-www2 host dmz-dbsvr range 3056 3065
access-list acl_out permit tcp host int-www2 host dmz-dbsvr range 3202 3502
access-list acl_out permit tcp host int-www2 host dmz-dbsvr eq 20931
access-list acl_out permit udp host int-www2 host dmz-dbsvr eq sunrpc
access-list acl_out permit tcp host int-www2 host dmz-dbsvr eq sunrpc
access-list acl_out permit tcp host int-www2 host dmz-dbsvr eq 2049
access-list acl_out permit udp host int-www2 host dmz-dbsvr eq 2049
access-list acl_out permit tcp host int-www1 host dmz-dbsvr range 3202 3502
access-list acl_out permit tcp host int-www1 host dmz-dbsvr eq 20931
access-list acl_out permit tcp host int-www1 host dmz-dbsvr eq sunrpc
access-list acl_out permit udp host int-www1 host dmz-dbsvr eq sunrpc
access-list acl_out permit tcp host int-www1 host dmz-dbsvr eq 2049
access-list acl_out permit udp host int-www1 host dmz-dbsvr eq 2049
access-list acl_out permit udp host int-www1 host dmz-dbsvr range 5162 5163
access-list acl_out permit tcp host int-www1 host dmz-dbsvr range 3056 3065
access-list acl_out permit tcp host int-domino host dmz-lotus eq lotusnotes
access-list acl_out permit tcp host int-domino host dmz-lotus2 eq lotusnotes
access-list acl_out permit icmp host int-domino host int-lotus
access-list acl_out permit udp host int-domino host 165.154.67.12 eq domain
access-list acl_out permit icmp host int-domino host 165.154.67.12
access-list acl_out permit ip host int-domino host 165.154.67.12
access-list acl_out permit icmp host int-domino host int-lotus2
access-list acl_out permit ip host int-domino host int-lotus2
access-list acl_out permit ip host int-domino host int-lotus
access-list debug_in permit ip host int-domino host int-lotus
access-list debug_in permit ip host int-domino host 165.154.67.1
access-list no-nat permit ip 165.154.67.0 255.255.255.0 any
access-list no-nat permit ip 192.168.0.0 255.255.0.0 any
access-list no-nat permit ip 10.0.0.0 255.255.0.0 any
access-list debug-dns permit udp host int-domino host 165.154.67.12
access-list debug-dns permit udp host 165.154.67.12 host int-domino
pager lines 20
logging on
logging timestamp
logging console debugging
logging buffered warnings
logging trap critical
logging host inside 165.154.67.12
logging host inside int-syslog
icmp permit 172.16.1.0 255.255.255.0 outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dmz 255.255.255.0
ip address inside private 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 172.16.1.11 255.255.255.255 inside
pdm location int-dbsvr 255.255.255.255 inside
pdm location 165.154.67.5 255.255.255.255 inside
pdm location int-lotus 255.255.255.255 inside
pdm location 165.154.67.12 255.255.255.255 inside
pdm location int-syslog 255.255.255.255 inside
pdm location int-lotus2 255.255.255.255 inside
pdm location 165.154.67.251 255.255.255.255 inside
pdm location 165.154.67.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location pub-inside 255.255.255.255 outside
pdm location int-www 255.255.255.255 outside
pdm location int-domino 255.255.255.255 outside
pdm location 172.16.1.11 255.255.255.255 outside
pdm location 172.16.1.14 255.255.255.255 outside
pdm location 172.16.1.17 255.255.255.255 outside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location int-www1 255.255.255.255 outside
pdm location int-www2 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 172.16.1.200-172.16.1.253 netmask 255.255.255.0
nat (inside) 0 access-list no-nat
static (inside,outside) dmz-dbsvr int-dbsvr netmask 255.255.255.255 0 0
static (inside,outside) 172.16.1.14 165.154.67.5 netmask 255.255.255.255 0 0
static (inside,outside) dmz-syslog int-syslog netmask 255.255.255.255 0 0
static (inside,outside) 172.16.1.17 165.154.67.251 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 pub-inside 1
route inside 10.0.0.0 255.0.0.0 165.154.67.254 1
route inside 192.168.0.0 255.255.0.0 165.154.67.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 165.154.67.0 255.255.255.0 inside
http 192.168.0.0 255.255.0.0 inside
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community monitoring
no snmp-server enable traps
no floodguard enable
telnet 165.154.0.0 255.255.0.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:7553a320dedfd17f63cc557fd47d33ad
: end
transfreight1#
transfreight1#
renill commented:
access-list no-nat permit ip 10.0.0.0 255.255.0.0 any

Do check your access-list: is there any change in the subnet mask?

renil
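The check renill suggests, carried out mechanically: the script below is an added example (not code from the thread or from Cisco) that parses the `name`, `access-list`, `nat (inside) 0` and `route` lines of a PIX 6.x `show run` excerpt and, for a given inside host and DMZ host, reports which `no-nat` entry (if any) exempts the flow from NAT and which route carries the replies back to the source. The excerpt it parses is constructed to mirror the posted configuration; the semantics it implements are PIX conventions (ACL entries are evaluated in order until the first match, and PIX access-lists take ordinary subnet masks such as 255.255.0.0, not IOS-style wildcard masks). It generalizes the check beyond the one address in the question: any host can be tested, which makes a mask mismatch between the NAT-exemption ACL and the return route visible at a glance.

```python
"""Which PIX 6.x no-nat entry and return route cover a given inside host?

Added example, not from the thread. Parses a 'show run' excerpt and tests
an inside-host -> DMZ-host flow for (1) NAT exemption via the 'nat 0' ACL
and (2) the longest-prefix route back to the inside host.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt using the same syntax and addresses as the posted config.
SAMPLE_CONFIG = """\
name 172.16.1.10 int-domino
name 172.16.1.1 pub-inside
access-list no-nat permit ip 165.154.67.0 255.255.255.0 any
access-list no-nat permit ip 192.168.0.0 255.255.0.0 any
access-list no-nat permit ip 10.0.0.0 255.255.0.0 any
nat (inside) 0 access-list no-nat
route outside 0.0.0.0 0.0.0.0 pub-inside 1
route inside 10.0.0.0 255.0.0.0 165.154.67.254 1
route inside 192.168.0.0 255.255.0.0 165.154.67.254 1
"""


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str


@dataclass
class Route:
    interface: str
    network: ipaddress.IPv4Network
    gateway: str
    text: str


@dataclass
class PixConfig:
    names: Dict[str, str]
    acls: Dict[str, List[Ace]]
    routes: List[Route]
    nat0_acl: Optional[str]


def _resolve(token, names):
    """Translate a 'name' alias back to its address literal (or pass through)."""
    return names.get(token, token)


def _endpoint(tokens, names):
    """Consume one ACL endpoint: 'any', 'host X', or 'ADDR MASK'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(_resolve(tokens[1], names) + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{_resolve(tokens[0], names)}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_config(text):
    """Collect name aliases, ACL entries (in order), routes and the nat-0 ACL name."""
    cfg = PixConfig({}, {}, [], None)
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name" and len(t) >= 3:
            cfg.names[t[2]] = t[1]                      # 'name ADDR ALIAS'
        elif t[0] == "access-list" and len(t) >= 6 and t[2] in ("permit", "deny"):
            src, rest = _endpoint(t[4:], cfg.names)
            dst, _ = _endpoint(rest, cfg.names)         # trailing port specs are ignored
            cfg.acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, dst, raw.strip()))
        elif t[0] == "route" and len(t) >= 5:
            net = ipaddress.ip_network(f"{_resolve(t[2], cfg.names)}/{t[3]}", strict=False)
            cfg.routes.append(Route(t[1], net, _resolve(t[4], cfg.names), raw.strip()))
        elif t[:3] == ["nat", "(inside)", "0"] and "access-list" in t:
            cfg.nat0_acl = t[t.index("access-list") + 1]
    return cfg


def nat_exemption(cfg, src_ip, dst_ip):
    """First nat-0 ACL entry matching src->dst; None if no permit entry matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in cfg.acls.get(cfg.nat0_acl or "", []):
        if src in ace.src and dst in ace.dst:
            return ace if ace.action == "permit" else None
    return None


def return_route(cfg, ip):
    """Longest-prefix route for ip, i.e. where the PIX sends replies to that host."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in cfg.routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None


def check_flow(cfg, src_ip, dst_ip):
    """Summarise NAT exemption and return path for an inside host reaching a DMZ host."""
    ace = nat_exemption(cfg, src_ip, dst_ip)
    rt = return_route(cfg, src_ip)
    return {
        "nat_exempt": ace is not None,
        "nat_rule": ace.text if ace else None,
        "return_route": rt.text if rt else None,
        "return_interface": rt.interface if rt else None,
    }


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for host in ("10.0.1.50", "10.1.0.5", "192.168.5.9"):
        print(host, "->", cfg.names["int-domino"], check_flow(cfg, host, "172.16.1.10"))
```

Running it shows the point of comparing masks: a host in 10.0.1.0/24 is covered by both the `10.0.0.0 255.255.0.0` exemption entry and the `10.0.0.0 255.0.0.0` inside route, whereas a host such as 10.1.0.5 still has a return route (the /8) but no NAT-exemption entry (the /16 does not reach it), so the two masks must be kept consistent with the address ranges actually in use.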