Solved

PIX 525 DMZ2 Unable to surf the web

Posted on 2006-10-27
474 Views
Last Modified: 2013-11-16
All systems on the DMZ2 (10.10.20.0) are unable to surf the web. They are able to resolve DNS, supposedly because the DNS servers are on my inside interface. They are also unable to receive ping replies. I've been struggling with this one for some time now. Everything on the DMZ1 is able to ping and surf, and I feel like it's set up the same as DMZ2. Also, any suggestions regarding this bloated config would be appreciated.

BEGIN CONFIG PIX 525
******************************
PIX Version 7.0(1)
names
name 192.168.1.51 inside-sql-main
name 192.168.1.52 inside-sql-history
name 192.168.1.53 inside-greatplains
name 192.168.1.55 inside-backup
name 192.168.1.54 inside-test
name 192.168.1.57 inside-NAS
name 172.16.20.10 dmz1-dns
name 172.16.20.30 dmz1-sql
name XXX.XXX.XXX.XXX ram_dns1
name 10.10.20.10 dmz2-web
name 172.16.20.20 dmz1-mail
name 172.16.20.21 dmz1-tempmail
name 192.168.1.1 inside-ramad1
name 192.168.1.2 inside-ramad2
name 10.10.20.20 dmz2-webold
name 192.168.1.27 inside-fwap
name 192.168.1.196 inside-it-web
name 192.168.1.193 inside-it1
name 192.168.1.185 inside-it2
name 192.168.1.66 inside-axiscam
name 192.168.1.160 inside-finance
name 172.16.20.35 dmz1-mysql
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
!
interface Ethernet2
 nameif intf2
 security-level 4
 ip address 172.16.20.1 255.255.255.0
!
interface Ethernet3
 nameif intf3
 security-level 6
 ip address 10.10.20.1 255.255.255.0
!
enable password
passwd
hostname PIX1
domain-name mydomain.com
boot system flash:/image.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
access-list outside_in extended permit tcp any host XXX.XXX.XXX.14 eq www
access-list outside_in extended permit tcp any host XXX.XXX.XXX.14 eq https
access-list outside_in extended permit tcp any host XXX.XXX.XXX.2 eq pop3
access-list outside_in extended permit tcp any host XXX.XXX.XXX.2 eq smtp
access-list outside_in extended permit tcp any host XXX.XXX.XXX.2 eq www
access-list outside_in extended permit tcp any host XXX.XXX.XXX.7 eq www
access-list outside_in extended permit tcp any host XXX.XXX.XXX.7 eq https
access-list outside_in extended permit icmp any host XXX.XXX.XXX.7
access-list outside_in extended permit icmp any host XXX.XXX.XXX.14
access-list outside_in extended permit tcp any host XXX.XXX.XXX.5 eq telnet
access-list outside_in extended permit tcp any host XXX.XXX.XXX.2 eq https
access-list outside_in extended permit tcp any host XXX.XXX.XXX.12 eq www
access-list outside_in extended permit tcp any host XXX.XXX.XXX.9 eq 5000
access-list dmz2_in extended permit ip any any
access-list dmz2_in extended permit tcp any host dmz1-tempmail
access-list dmz2_in extended permit tcp any host dmz1-mail
access-list dmz2_in extended permit tcp any host dmz1-mysql
access-list dmz2_in extended permit tcp any host dmz1-sql
access-list dmz2_in extended permit ip any 172.16.20.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 extended permit ip 192.168.150.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 extended permit ip 172.16.20.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list dmz1nonat extended permit ip 172.16.20.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz1nonat extended permit ip 172.16.20.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list outside_cryptomap_dyn_10 extended permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list outside_cryptomap_dyn_10 extended permit ip 172.16.20.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list outside_cryptomap_dyn_10 extended permit ip 10.10.20.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list dmz2nonat extended permit ip 10.10.20.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz2nonat extended permit ip 10.10.20.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list dmz1_in extended permit ip any any
access-list dmz1_in extended permit ip any 10.10.20.0 255.255.255.0
access-list dmz1_in extended permit tcp any host 10.10.20.30
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
access-list splittunnel standard permit 192.168.100.0 255.255.255.0
access-list splittunnel standard permit 10.10.20.0 255.255.255.0
access-list splittunnel standard permit 172.16.20.0 255.255.255.0
pager lines 24
logging enable
logging buffered emergencies
logging asdm debugging
logging from-address pix525syslog@mydomain.com
logging recipient-address pixerror@mydomain.com level errors
logging facility 16
no logging message 710003
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip local pool vpnpool 192.168.150.1-192.168.150.51
no failover
monitor-interface outside
monitor-interface inside
monitor-interface intf2
monitor-interface intf3
icmp permit any outside
icmp permit any inside
icmp permit any intf2
icmp permit any intf3
asdm image flash:/asdm-501.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (intf2) 1 interface
global (intf3) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (intf2) 0 access-list dmz1nonat
nat (intf3) 0 access-list dmz2nonat
static (intf3,outside) XXX.XXX.XXX.14 dmz2-web netmask 255.255.255.255 dns
static (inside,intf3) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (intf3,intf2) 10.10.20.0 10.10.20.0 netmask 255.255.255.0
static (inside,intf2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (intf2,outside) XXX.XXX.XXX.2 dmz1-mail netmask 255.255.255.255 dns
static (intf3,outside) XXX.XXX.XXX.7 dmz2-webold netmask 255.255.255.255 dns
static (inside,outside) XXX.XXX.XXX.5 192.168.1.5 netmask 255.255.255.255
static (inside,outside) XXX.XXX.XXX.12 inside-axiscam netmask 255.255.255.255 dns
static (inside,outside) XXX.XXX.XXX.9 192.168.1.60 netmask 255.255.255.255 dns
access-group outside_in in interface outside
access-group inside_access_in in interface inside
access-group dmz1_in in interface intf2
access-group dmz2_in in interface intf3
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.1 1
timeout xlate 3:00:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy DfltGrpPolicy attributes
 banner none
 wins-server value inside-ramad1 inside-ramad2
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage enable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass enable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.150.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
no snmp-server enable traps all
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 match address outside_cryptomap_dyn_10
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 match address 101
crypto map mymap 10 set peer XXX.XXX.XXX.196
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set nat-t-disable
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.150.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet 172.16.20.0 255.255.255.0 intf2
telnet 10.10.20.0 255.255.255.0 intf3
telnet timeout 60
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.150.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.100-192.168.1.224 inside
dhcpd dns inside-ramad1 inside-ramad2
dhcpd wins inside-ramad1 inside-ramad2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive retry 5
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
 authentication-server-group none
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 5
tunnel-group XXX.XXX.XXX.196 type ipsec-l2l
tunnel-group XXX.XXX.XXX.196 ipsec-attributes
 pre-shared-key *
tunnel-group myvpn type ipsec-ra
tunnel-group myvpn general-attributes
 address-pool vpnpool
 authentication-server-group none
 authorization-server-group LOCAL
tunnel-group myvpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
ntp server XXX.XXX.XXX.68 source outside
smtp-server 172.16.20.20 172.16.20.21
management-access inside
: end
Question by: ronayers

5 Comments

Author Comment

by:ronayers
ID: 17821040
Ok, looking back over this, I realize that I don't need several of the access lists...

access-list dmz2_in extended permit tcp any host dmz1-tempmail
access-list dmz2_in extended permit tcp any host dmz1-mail
access-list dmz2_in extended permit tcp any host dmz1-mysql
access-list dmz2_in extended permit tcp any host dmz1-sql
access-list dmz2_in extended permit ip any 172.16.20.0 255.255.255.0
access-list dmz1_in extended permit ip any 10.10.20.0 255.255.255.0
access-list dmz1_in extended permit tcp any host 10.10.20.30


so all of that junk has been removed, however the problem still remains...
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 17821148
Don't know much about version 7 but do you not need a NAT to match the global for the dmz interfaces other than the nat 0 (nonat) ?

Author Comment

by:ronayers
ID: 17821242
Well, I'm not sure... But just before I refreshed this page, I did a nat (intf3) 1 0.0.0.0 0.0.0.0 and BOOM, I get out. So, I can't figure out how come everything on dmz1 was able to get out without a nat (intf2) 1 0.0.0.0 0.0.0.0. Can anyone explain that to me? Makes no sense....

Author Comment

by:ronayers
ID: 17821306
Ok... I just answered my own question.... The boxes on DMZ1 were able to surf because they were assigned an external IP, so they used that route to get out.. If I had a box on DMZ1 without an external IP then it would not be able to get out. I've applied nat 1 to both the intf2 and intf3, everything works as it should now. Keith, you got it right, you get the points, thanks man... I realize that it is bad practice to allow all traffic to both dmz1 and dmz2, I had them set that way for debugging, I'll fix that...
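An added check, written for this thread and not part of the original posts or of any Cisco tooling, that parses the relevant lines of the config above and reports every interface whose hosts have no nat/global pairing toward a lower-security interface (nat 0 is identity/nonat and does not give outbound PAT). Run against the posted config it flags both intf2 and intf3, which is exactly what the author ended up adding nat 1 to; the excerpt is constructed from the question's config.

```python
import re
from collections import defaultdict

# Constructed excerpt of the PIX config posted in the question.
PIX_CONFIG = """\
 nameif outside
 security-level 0
 nameif inside
 security-level 100
 nameif intf2
 security-level 4
 nameif intf3
 security-level 6
global (outside) 1 interface
global (intf2) 1 interface
global (intf3) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (intf2) 0 access-list dmz1nonat
nat (intf3) 0 access-list dmz2nonat
"""

def parse_pix(config):
    """Return (security level per interface, interfaces per global id, nat ids per interface)."""
    levels, globals_, nats = {}, defaultdict(set), defaultdict(set)
    current = None
    for line in config.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            current = m.group(1)            # interface name following 'nameif'
        elif m := re.match(r"\s*security-level (\d+)", line):
            levels[current] = int(m.group(1))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            globals_[int(m.group(2))].add(m.group(1))
        elif m := re.match(r"nat \((\S+)\) (\d+)", line):
            nats[m.group(1)].add(int(m.group(2)))
    return levels, globals_, nats

def missing_pat(config):
    """Interfaces with no nat id (other than 0) that matches a global on a lower-security interface."""
    levels, globals_, nats = parse_pix(config)
    missing = []
    for ifc, level in levels.items():
        lower = {o for o, l in levels.items() if l < level}
        usable = {gid for gid, ifcs in globals_.items() if ifcs & lower}
        if lower and not (nats[ifc] - {0}) & usable:
            missing.append(ifc)
    return sorted(missing)
```

Hosts that have their own static translation to the outside still get out without this rule, which is why the DMZ1 servers worked; the check reports the interface, not those individual hosts.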
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17821316
Thank you :)