Unable to access web server in DMZ on PIX 515e
I have a PIX 515e running ver 7.2(1).
I have one web server in the DMZ. I am able to access the Internet on that server and able to access the server from internal clients. However, I cannot access the server from the outsode.
This is the sequence of events reported in the syslog:
<166>Jul 11 2006 09:12:45: %PIX-6-302013: Built inbound TCP connection 140123 for outside:72.30.132.208/5627
<166>Jul 11 2006 09:12:45: %PIX-6-305011: Built dynamic TCP translation from inside:Porthos_DMZ/80 to outside:69.7.32.3/17
<166>Jul 11 2006 09:12:45: %PIX-6-106015: Deny TCP (no connection) from Porthos_DMZ/80 to 72.30.132.208/56275 flags SYN ACK on interface inside
<166>Jul 11 2006 09:12:45: %PIX-6-305011: Built dynamic TCP translation from inside:72.30.132.208/56275
<166>Jul 11 2006 09:12:45: %PIX-6-106015: Deny TCP (no connection) from 72.30.132.208/56275 to Porthos_DMZ/80 flags RST ACK on interface inside
<166>Jul 11 2006 09:13:15: %PIX-6-302014: Teardown TCP connection 140123 for outside:72.30.132.208/5627
If I run the packet trace tool in ASDM, it shows that the traffic is being denied by an implicit incoming rule. What I don't understand though is that I have several servers on the Inside zone that work just fine. The server I'm having trouble with is the only one in the DMZ and I've configured it just the same as the inside servers.
I need to get this done today because I have several managers breathing down my back. I'd give more points but they only allow 500.
Here's the config:
--------------------------
asdm image flash:/asdm-521.bin
asdm location NISC_inbound_Mandan 255.255.255.255 outside
asdm location ES 255.255.248.0 inside
asdm location 172.16.1.2 255.255.255.255 inside
asdm location Proton_int 255.255.255.255 inside
asdm location Brian_int 255.255.255.255 inside
asdm location 0.0.0.0 255.255.248.0 inside
asdm location 172.16.1.5 255.255.255.255 inside
asdm location FH 255.255.248.0 inside
asdm location ebill_ext 255.255.255.255 outside
asdm location Proton_ext 255.255.255.255 outside
asdm location Porthos_ext 255.255.255.255 outside
asdm location C1-3060_ext 255.255.255.255 outside
asdm location iVUE_Server 255.255.255.255 inside
asdm location Athos_DMZ 255.255.255.255 DMZ
asdm location Porthos_DMZ 255.255.255.255 DMZ
asdm location Andromeda_int 255.255.255.255 inside
asdm location Dartagnan_int 255.255.255.255 inside
asdm location C1-3060_int 255.255.255.255 inside
asdm location NISC_inbound_StLewis 255.255.255.255 outside
asdm group Domain_Controllers inside
asdm group Domain_Controllers_ref DMZ reference Domain_Controllers
asdm history enable
: Saved
:
PIX Version 7.2(1)
!
hostname PIX515
domain-name opalco.com
enable password xxxx encrypted
names
name 172.16.4.1 Brian_int
name 172.16.1.3 Proton_int
name 69.7.xx.xx Proton_ext
name 172.16.1.9 iVUE_Server
name 192.168.10.2 Athos_DMZ
name 192.168.10.3 Porthos_DMZ
name 69.7.xx.xx ebill_ext
name 172.16.8.0 FH
name 172.16.0.0 ES
name 69.7.xx.xx Public
name 172.16.1.8 Andromeda_int
name 172.16.1.14 Dartagnan_int
name 207.243.68.200 NISC_inbound_Mandan
name 12.10.126.135 NISC_inbound_StLewis
name 69.7.xx.xx Porthos_ext
name 172.16.1.18 C1-3060_int
name 69.7.xx.xx C1-3060_ext
dns-guard
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 69.7.xx.xx 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.0.2 255.255.248.0
!
interface Ethernet2
nameif DMZ
security-level 50
ip address 192.168.10.1 255.255.255.0
!
passwd xxxx encrypted
banner login --------------------------
banner login Authorized access only!
banner login Disconnect IMMEDIATELY if you are not an authorized user
banner login --------------------------
boot system flash:/pix721.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server Andromeda_int
name-server Dartagnan_int
domain-name opalco.com
object-group service TERMINAL_SERVICES tcp
description Microsoft Terminal Services
port-object eq 3389
object-group service Messenger_File_Transfer tcp
port-object range 6891 6900
object-group service Windows_TCP_Domain_Service
description Services required for a domain member to comunicate
port-object eq 88
port-object eq netbios-ssn
port-object eq ldap
port-object eq 3268
port-object eq 135
port-object eq 445
port-object eq domain
port-object eq 1026
port-object eq 8530
object-group service Windows_UDP_Domain_Service
description Services required for a domain member to comunicate
port-object eq 88
port-object eq 389
port-object eq netbios-ns
port-object eq ntp
port-object eq domain
port-object eq 8530
object-group network Domain_Controllers
network-object Andromeda_int 255.255.255.255
network-object Dartagnan_int 255.255.255.255
access-list acl_out extended permit tcp any any object-group Messenger_File_Transfer
access-list acl_out remark Outlook Web Access (for redirect)
access-list acl_out extended permit tcp any host Proton_ext eq www
access-list acl_out remark Outlook Web Access
access-list acl_out extended permit tcp any host Proton_ext eq https
access-list acl_out remark Inbound mail
access-list acl_out extended permit tcp any host Proton_ext eq smtp
access-list acl_out remark E-Bill
access-list acl_out extended permit tcp any host ebill_ext eq https
access-list acl_out remark NISC Mandan secure telnet
access-list acl_out extended permit tcp host NISC_inbound_Mandan host ebill_ext eq ssh
access-list acl_out remark NISC Mandan RDP access
access-list acl_out extended permit tcp host NISC_inbound_Mandan host C1-3060_ext object-group TERMINAL_SERVICES
access-list acl_out remark NISC St. Lewis secure telnet
access-list acl_out extended permit tcp host NISC_inbound_StLewis host ebill_ext eq ssh
access-list acl_out remark NISC St. Lewis RDP access
access-list acl_out extended permit tcp host NISC_inbound_StLewis host C1-3060_ext object-group TERMINAL_SERVICES
access-list acl_out remark Web Site
access-list acl_out extended permit tcp any host Porthos_ext eq www
access-list acl_out remark Outlook Web Access (for redirect)
access-list acl_out remark Outlook Web Access
access-list acl_out remark Inbound mail
access-list acl_out remark New web site
access-list acl_out remark E-Bill
access-list acl_out remark NISC secure telnet
access-list acl_out remark NISC Term Svcs to Positron
access-list inside_outbound_nat0_acl extended permit ip any ES 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip any 172.16.2.240 255.255.255.240
access-list DMZaccess_in extended permit udp host Porthos_DMZ object-group Domain_Controllers object-group Windows_UDP_Domain_Service
access-list DMZaccess_in extended permit tcp host Porthos_DMZ object-group Domain_Controllers object-group Windows_TCP_Domain_Service
access-list DMZaccess_in extended permit tcp host Porthos_DMZ any eq www
access-list DMZaccess_in extended permit tcp host Porthos_DMZ any eq https
access-list DefaultRAGroup_splitTunnel
access-list outside_cryptomap extended permit ip any 172.16.2.240 255.255.255.240
no pager
logging enable
logging timestamp
logging asdm-buffer-size 512
logging trap informational
logging asdm informational
logging host inside Brian_int
no logging message 405001
no logging message 106023
logging rate-limit 1 300 message 313005
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
ip audit name Test attack action alarm drop reset
ip audit interface outside Test
ip audit interface inside Test
ip audit info action alarm drop
ip audit attack action alarm drop
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2009 disable
ip audit signature 2010 disable
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any inside
asdm image flash:/asdm-521.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (DMZ) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DMZ) 10 0.0.0.0 0.0.0.0
static (inside,outside) Proton_ext Proton_int netmask 255.255.255.255
static (inside,outside) ebill_ext iVUE_Server netmask 255.255.255.255
static (DMZ,outside) Porthos_ext Porthos_DMZ netmask 255.255.255.255
static (inside,DMZ) Andromeda_int Andromeda_int netmask 255.255.255.255
static (inside,DMZ) Dartagnan_int Dartagnan_int netmask 255.255.255.255
static (inside,outside) C1-3060_ext C1-3060_int netmask 255.255.255.255
access-group acl_out in interface outside
access-group DMZaccess_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 69.7.xx.xx 1
route inside FH 255.255.248.0 172.16.0.7 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 172.16.1.8 172.16.1.14
dns-server value 172.16.1.8 172.16.1.14
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnel
default-domain value opalco.com
username BrianL password xxxx== nt-encrypted privilege 15
username CWestlake password xxxx== nt-encrypted
username Beth password xxxx== nt-encrypted
username Betty password xxxx== nt-encrypted
username Rick password xxxx== nt-encrypted
username orcaspower password xxxx encrypted privilege 15
username Judi password xxxx== nt-encrypted
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http ES 255.255.248.0 inside
http FH 255.255.248.0 inside
snmp-server location Eastsound, WA
snmp-server contact Brian S. Longworth
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp DMZ
crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_AES-128_SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
dhcp-server Dartagnan_int
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
no vpn-addr-assign local
telnet ES 255.255.248.0 inside
telnet FH 255.255.248.0 inside
telnet timeout 10
ssh timeout 5
ssh version 1
console timeout 10
management-access inside
vpdn group PPTP_Group ppp authentication pap
vpdn group PPTP_Group ppp authentication chap
vpdn group PPTP_Group ppp authentication mschap
dhcp-client update dns server both
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
ntp server 131.107.1.10 source outside prefer
tftp-server inside Brian_int /pix_config
smtp-server 172.16.1.3
prompt hostname context
Cryptochecksum:6adc651571a
: end
I have one web server in the DMZ. I am able to access the Internet on that server and able to access the server from internal clients. However, I cannot access the server from the outsode.
This is the sequence of events reported in the syslog:
<166>Jul 11 2006 09:12:45: %PIX-6-302013: Built inbound TCP connection 140123 for outside:72.30.132.208/5627
<166>Jul 11 2006 09:12:45: %PIX-6-305011: Built dynamic TCP translation from inside:Porthos_DMZ/80 to outside:69.7.32.3/17
<166>Jul 11 2006 09:12:45: %PIX-6-106015: Deny TCP (no connection) from Porthos_DMZ/80 to 72.30.132.208/56275 flags SYN ACK on interface inside
<166>Jul 11 2006 09:12:45: %PIX-6-305011: Built dynamic TCP translation from inside:72.30.132.208/56275
<166>Jul 11 2006 09:12:45: %PIX-6-106015: Deny TCP (no connection) from 72.30.132.208/56275 to Porthos_DMZ/80 flags RST ACK on interface inside
<166>Jul 11 2006 09:13:15: %PIX-6-302014: Teardown TCP connection 140123 for outside:72.30.132.208/5627
If I run the packet trace tool in ASDM, it shows that the traffic is being denied by an implicit incoming rule. What I don't understand though is that I have several servers on the Inside zone that work just fine. The server I'm having trouble with is the only one in the DMZ and I've configured it just the same as the inside servers.
I need to get this done today because I have several managers breathing down my back. I'd give more points but they only allow 500.
Here's the config:
--------------------------
asdm image flash:/asdm-521.bin
asdm location NISC_inbound_Mandan 255.255.255.255 outside
asdm location ES 255.255.248.0 inside
asdm location 172.16.1.2 255.255.255.255 inside
asdm location Proton_int 255.255.255.255 inside
asdm location Brian_int 255.255.255.255 inside
asdm location 0.0.0.0 255.255.248.0 inside
asdm location 172.16.1.5 255.255.255.255 inside
asdm location FH 255.255.248.0 inside
asdm location ebill_ext 255.255.255.255 outside
asdm location Proton_ext 255.255.255.255 outside
asdm location Porthos_ext 255.255.255.255 outside
asdm location C1-3060_ext 255.255.255.255 outside
asdm location iVUE_Server 255.255.255.255 inside
asdm location Athos_DMZ 255.255.255.255 DMZ
asdm location Porthos_DMZ 255.255.255.255 DMZ
asdm location Andromeda_int 255.255.255.255 inside
asdm location Dartagnan_int 255.255.255.255 inside
asdm location C1-3060_int 255.255.255.255 inside
asdm location NISC_inbound_StLewis 255.255.255.255 outside
asdm group Domain_Controllers inside
asdm group Domain_Controllers_ref DMZ reference Domain_Controllers
asdm history enable
: Saved
:
PIX Version 7.2(1)
!
hostname PIX515
domain-name opalco.com
enable password xxxx encrypted
names
name 172.16.4.1 Brian_int
name 172.16.1.3 Proton_int
name 69.7.xx.xx Proton_ext
name 172.16.1.9 iVUE_Server
name 192.168.10.2 Athos_DMZ
name 192.168.10.3 Porthos_DMZ
name 69.7.xx.xx ebill_ext
name 172.16.8.0 FH
name 172.16.0.0 ES
name 69.7.xx.xx Public
name 172.16.1.8 Andromeda_int
name 172.16.1.14 Dartagnan_int
name 207.243.68.200 NISC_inbound_Mandan
name 12.10.126.135 NISC_inbound_StLewis
name 69.7.xx.xx Porthos_ext
name 172.16.1.18 C1-3060_int
name 69.7.xx.xx C1-3060_ext
dns-guard
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 69.7.xx.xx 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.0.2 255.255.248.0
!
interface Ethernet2
nameif DMZ
security-level 50
ip address 192.168.10.1 255.255.255.0
!
passwd xxxx encrypted
banner login --------------------------
banner login Authorized access only!
banner login Disconnect IMMEDIATELY if you are not an authorized user
banner login --------------------------
boot system flash:/pix721.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server Andromeda_int
name-server Dartagnan_int
domain-name opalco.com
object-group service TERMINAL_SERVICES tcp
description Microsoft Terminal Services
port-object eq 3389
object-group service Messenger_File_Transfer tcp
port-object range 6891 6900
object-group service Windows_TCP_Domain_Service
description Services required for a domain member to comunicate
port-object eq 88
port-object eq netbios-ssn
port-object eq ldap
port-object eq 3268
port-object eq 135
port-object eq 445
port-object eq domain
port-object eq 1026
port-object eq 8530
object-group service Windows_UDP_Domain_Service
description Services required for a domain member to comunicate
port-object eq 88
port-object eq 389
port-object eq netbios-ns
port-object eq ntp
port-object eq domain
port-object eq 8530
object-group network Domain_Controllers
network-object Andromeda_int 255.255.255.255
network-object Dartagnan_int 255.255.255.255
access-list acl_out extended permit tcp any any object-group Messenger_File_Transfer
access-list acl_out remark Outlook Web Access (for redirect)
access-list acl_out extended permit tcp any host Proton_ext eq www
access-list acl_out remark Outlook Web Access
access-list acl_out extended permit tcp any host Proton_ext eq https
access-list acl_out remark Inbound mail
access-list acl_out extended permit tcp any host Proton_ext eq smtp
access-list acl_out remark E-Bill
access-list acl_out extended permit tcp any host ebill_ext eq https
access-list acl_out remark NISC Mandan secure telnet
access-list acl_out extended permit tcp host NISC_inbound_Mandan host ebill_ext eq ssh
access-list acl_out remark NISC Mandan RDP access
access-list acl_out extended permit tcp host NISC_inbound_Mandan host C1-3060_ext object-group TERMINAL_SERVICES
access-list acl_out remark NISC St. Lewis secure telnet
access-list acl_out extended permit tcp host NISC_inbound_StLewis host ebill_ext eq ssh
access-list acl_out remark NISC St. Lewis RDP access
access-list acl_out extended permit tcp host NISC_inbound_StLewis host C1-3060_ext object-group TERMINAL_SERVICES
access-list acl_out remark Web Site
access-list acl_out extended permit tcp any host Porthos_ext eq www
access-list acl_out remark Outlook Web Access (for redirect)
access-list acl_out remark Outlook Web Access
access-list acl_out remark Inbound mail
access-list acl_out remark New web site
access-list acl_out remark E-Bill
access-list acl_out remark NISC secure telnet
access-list acl_out remark NISC Term Svcs to Positron
access-list inside_outbound_nat0_acl extended permit ip any ES 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip any 172.16.2.240 255.255.255.240
access-list DMZaccess_in extended permit udp host Porthos_DMZ object-group Domain_Controllers object-group Windows_UDP_Domain_Service
access-list DMZaccess_in extended permit tcp host Porthos_DMZ object-group Domain_Controllers object-group Windows_TCP_Domain_Service
access-list DMZaccess_in extended permit tcp host Porthos_DMZ any eq www
access-list DMZaccess_in extended permit tcp host Porthos_DMZ any eq https
access-list DefaultRAGroup_splitTunnel
access-list outside_cryptomap extended permit ip any 172.16.2.240 255.255.255.240
no pager
logging enable
logging timestamp
logging asdm-buffer-size 512
logging trap informational
logging asdm informational
logging host inside Brian_int
no logging message 405001
no logging message 106023
logging rate-limit 1 300 message 313005
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
ip audit name Test attack action alarm drop reset
ip audit interface outside Test
ip audit interface inside Test
ip audit info action alarm drop
ip audit attack action alarm drop
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2009 disable
ip audit signature 2010 disable
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any inside
asdm image flash:/asdm-521.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (DMZ) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DMZ) 10 0.0.0.0 0.0.0.0
static (inside,outside) Proton_ext Proton_int netmask 255.255.255.255
static (inside,outside) ebill_ext iVUE_Server netmask 255.255.255.255
static (DMZ,outside) Porthos_ext Porthos_DMZ netmask 255.255.255.255
static (inside,DMZ) Andromeda_int Andromeda_int netmask 255.255.255.255
static (inside,DMZ) Dartagnan_int Dartagnan_int netmask 255.255.255.255
static (inside,outside) C1-3060_ext C1-3060_int netmask 255.255.255.255
access-group acl_out in interface outside
access-group DMZaccess_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 69.7.xx.xx 1
route inside FH 255.255.248.0 172.16.0.7 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 172.16.1.8 172.16.1.14
dns-server value 172.16.1.8 172.16.1.14
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnel
default-domain value opalco.com
username BrianL password xxxx== nt-encrypted privilege 15
username CWestlake password xxxx== nt-encrypted
username Beth password xxxx== nt-encrypted
username Betty password xxxx== nt-encrypted
username Rick password xxxx== nt-encrypted
username orcaspower password xxxx encrypted privilege 15
username Judi password xxxx== nt-encrypted
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http ES 255.255.248.0 inside
http FH 255.255.248.0 inside
snmp-server location Eastsound, WA
snmp-server contact Brian S. Longworth
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp DMZ
crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_AES-128_SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
dhcp-server Dartagnan_int
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
no vpn-addr-assign local
telnet ES 255.255.248.0 inside
telnet FH 255.255.248.0 inside
telnet timeout 10
ssh timeout 5
ssh version 1
console timeout 10
management-access inside
vpdn group PPTP_Group ppp authentication pap
vpdn group PPTP_Group ppp authentication chap
vpdn group PPTP_Group ppp authentication mschap
dhcp-client update dns server both
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
ntp server 131.107.1.10 source outside prefer
tftp-server inside Brian_int /pix_config
smtp-server 172.16.1.3
prompt hostname context
Cryptochecksum:6adc651571a
: end
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
No, they can augment those acls entries so that they can only access http/s sites and at the same time can serve www sites.
Any time you apply an acl on a DMZ or inside interface you have to be careful of inintended consequences. You may find now that your other DMZ servers can't do anything..
ASKER
Well, right now, the web server is the only one in the DMZ. Soon I will be adding a front-end SMTP server in the DMZ. Do you foresee any problems here?
No problems as long you plan it well and modify the acl as you add servers
ASKER
Excellent. Thank you very much for your good advice.
I greatly apprecaite it.
I greatly apprecaite it.
Glad to help!
ASKER
Question though: does that command invalidate or render redundant these commands?
access-list DMZaccess_in extended permit tcp host Porthos_DMZ any eq www
access-list DMZaccess_in extended permit tcp host Porthos_DMZ any eq https
I had those in there so that the web server could only access http and https web sites. I didn't want it trying to communicate to any other ports on the Internet.