DMZ can access Internet or inside but not both

Posted on 2006-10-30
Last Modified: 2011-04-14
I hate to ask for help but I have spent many hours working on this - so here we go.
I have configured a DMZ hanging off my PIX 515E with a net address of 10.10.5.0 255.255.255 and an inside net address of 172.16.1.0 255.255.255.0.
The inside net works fine and has been for years - the DMZ is new.
My issue is I can either ping just a public IP or my inside network but not both. I have tried so many different configs my head is spinning.

Thanks in advance.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 DMZ1 security10
enable password 8V encrypted
passwd zc encrypted
hostname PIX
domain-name xnetwork
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outbound deny tcp any 1.2.0.0 255.255.0.0 eq www
access-list outbound deny tcp any any eq 4662
access-list outbound permit ip any any
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit tcp any host 1.2.3.34 eq https
access-list 100 permit tcp any host 1.2.3.17 eq https
access-list 100 permit tcp any host 1.2.3.35 eq https
access-list 100 permit tcp any host 1.2.3.24 eq pop3
access-list 100 permit tcp any host 1.2.3.24 eq smtp
access-list 100 permit tcp any host 1.2.3.24 eq www
access-list 100 permit tcp any host 1.2.3.24 eq 995
access-list 100 permit tcp any host 1.2.3.150 eq smtp
access-list 100 permit tcp any host 1.2.3.151 eq smtp
access-list ACL_DMZ permit tcp any 172.16.0.0 255.255.0.0
access-list ACL_DMZ permit tcp any 10.10.0.0 255.255.0.0
access-list ACL_DMZ permit icmp any any
access-list ACL_DMZ permit ip any any
pager lines 24
logging on
logging trap errors
logging host inside 172.16.1.100 format emblem
icmp permit any echo outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu DMZ1 1500
ip address outside 1.2.3.4 255.255.255.0
ip address inside 172.16.1.2 255.255.0.0
no ip address intf2
no ip address intf3
no ip address intf4
ip address DMZ1 10.10.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address DMZ1
arp timeout 14400
global (outside) 1 interface
global (DMZ1) 1 10.10.5.10-10.10.5.25
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 10.10.5.0 255.255.255.0 0 0
static (inside,outside) tcp 1.2.3.34 https 172.16.1.134 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.2.3.17 https 172.16.1.217 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.2.3.35 https 172.16.1.135 https netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.24 172.16.1.24 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.71 172.19.1.212 netmask 255.255.255.255 0 0
static (inside,DMZ1) 172.16.1.0 172.16.1.0 netmask 255.255.255.255 0 0
access-group 100 in interface outside
access-group outbound in interface inside
access-group ACL_DMZ in interface DMZ1
route outside 0.0.0.0 0.0.0.0 6.x.x.1 1
route inside 10.0.0.0 255.255.0.0 172.16.1.1 1
route inside 10.10.11.0 255.255.255.0 172.16.1.1 1
route inside 10.10.131.0 255.255.255.0 172.16.1.1 1
route inside 10.10.135.0 255.255.255.0 172.16.1.1 1
route inside 10.10.136.0 255.255.255.0 172.16.1.1 1
route inside 10.10.137.0 255.255.255.0 172.16.1.1 1
route inside 10.10.138.0 255.255.255.0 172.16.1.1 1
route inside 10.10.139.0 255.255.255.0 172.16.1.1 1
route inside 10.10.140.0 255.255.255.0 172.16.1.1 1
route inside 10.10.141.0 255.255.255.0 172.16.1.1 1
route inside 10.10.142.0 255.255.255.0 172.16.1.1 1
route inside 10.10.143.0 255.255.255.0 172.16.1.1 1
route inside 10.10.144.0 255.255.255.0 172.16.1.1 1
route inside 10.10.145.0 255.255.255.0 172.16.1.1 1
route inside 10.10.146.0 255.255.255.0 172.16.1.1 1
route inside 10.10.147.0 255.255.255.0 172.16.1.1 1
route inside 10.10.148.0 255.255.255.0 172.16.1.1 1
route inside 10.10.149.0 255.255.255.0 172.16.1.1 1
route inside 10.10.150.0 255.255.255.0 172.16.1.1 1
route inside 10.10.151.0 255.255.255.0 172.16.1.1 1
route inside 10.10.152.0 255.255.255.0 172.16.1.1 1
route inside 10.10.153.0 255.255.255.0 172.16.1.1 1
route inside 10.10.154.0 255.255.255.0 172.16.1.1 1
route inside 10.10.155.0 255.255.255.0 172.16.1.1 1
route inside 10.10.156.0 255.255.255.0 172.16.1.1 1
route inside 10.10.157.0 255.255.255.0 172.16.1.1 1
route inside 10.10.158.0 255.255.255.0 172.16.1.1 1
route inside 10.10.159.0 255.255.255.0 172.16.1.1 1
route inside 10.10.160.0 255.255.255.0 172.16.1.1 1
route inside 10.10.161.0 255.255.255.0 172.16.1.1 1
route inside 10.10.162.0 255.255.255.0 172.16.1.1 1
route inside 10.10.163.0 255.255.255.0 172.16.1.1 1
route inside 10.10.164.0 255.255.255.0 172.16.1.1 1
route inside 1.2.3.0 255.255.255.0 172.16.1.1 1
route inside 172.17.0.0 255.255.0.0 172.16.1.1 1
route inside 172.19.0.0 255.255.0.0 172.16.1.1 1
route inside 172.20.0.0 255.255.0.0 172.16.1.1 1
route inside 172.21.0.0 255.255.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 1:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication telnet console LOCAL
ntp authenticate
ntp server 1.6.3.194 source outside prefer
http server enable
http 172.16.0.0 255.255.0.0 inside
snmp-server host inside 172.16.1.15
no snmp-server location
no snmp-server contact
snmp-server community md0530
snmp-server enable traps
floodguard enable
sysopt connection tcpmss 0
telnet 172.16.0.0 255.255.0.0 inside
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 60
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
username  password dfg encrypted privilege 15
username  password tl encrypted privilege 15
username  password htL encrypted privilege 15
terminal width 300
Cryptochecksum:dd428fcf11988887e3ac5194c4ced188
: end
PIX#
Question by:jmcrae72
8 Comments
 
Expert Comment

by:lrmoore
ID: 17838673
Given the following from your config, you should not be having this issue:

-- allow anything from lower to higher (DMZ out) - nothing is being blocked
access-list ACL_DMZ permit ip any any
access-group ACL_DMZ in interface DMZ1

-- don't NAT between inside and DMZ. DMZ hosts address internal hosts by private IP
static (inside,DMZ1) 172.16.1.0 172.16.1.0 netmask 255.255.255.255 0 0

-- you don't need a global for the DMZ if you already have the above static
global (DMZ1) 1 10.10.5.10-10.10.5.25  <== remove this if you want

-- Nat DMZ hosts going out the outside with Global (1)
nat (DMZ1) 1 10.10.5.0 255.255.255.0 0 0

You don't have any other conflicting static routes to 10.10.5.0
I'm assuming that the default gateway for all hosts sitting in the DMZ is the PIX's interface 10.10.5.1 ?

>i can either ping just a public ip or my inside network but not both
What entries are you changing to get one or the other?



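The three conditions lrmoore walks through above (an ACL bound inbound on the DMZ interface, an identity static for DMZ-to-inside, and a nat/global pair for DMZ-to-outside) can be checked mechanically. The script below is an added example written for this page, not code from the thread or from Cisco. It parses a constructed fragment trimmed from the posted config and reports, per flow, which condition fails. It models addresses and protocols only (ports and nat 0 exemption are ignored), and the "rewritten" variant, which drops the DMZ global and widens the identity static's netmask to 255.255.255.0, is this example's assumption about the intended form of that static. One thing it surfaces is that a static with netmask 255.255.255.255 translates exactly one address, so `static (inside,DMZ1) 172.16.1.0 172.16.1.0 netmask 255.255.255.255` covers 172.16.1.0 alone and none of the rest of the /24; the checker therefore reports DMZ-to-inside as untranslated, and once the DMZ global is removed it reports inside-to-DMZ as untranslated too, which matches the RDP symptom described later in the thread.

```python
"""Added example (not from the thread): reachability linter for PIX 6.x NAT/ACL statements.
Models addresses and protocols only; ports and 'nat 0' exemption are not modelled."""
import ipaddress

# Constructed fragment of the posted configuration (only the statements that matter here).
POSTED = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet5 DMZ1 security10
access-list ACL_DMZ permit tcp any 172.16.0.0 255.255.0.0
access-list ACL_DMZ permit icmp any any
access-list ACL_DMZ permit ip any any
global (outside) 1 interface
global (DMZ1) 1 10.10.5.10-10.10.5.25
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 10.10.5.0 255.255.255.0 0 0
static (inside,outside) tcp 1.2.3.34 https 172.16.1.134 https netmask 255.255.255.255 0 0
static (inside,DMZ1) 172.16.1.0 172.16.1.0 netmask 255.255.255.255 0 0
access-group ACL_DMZ in interface DMZ1
"""

# Same fragment with the DMZ global removed and the identity static widened to the
# whole /24 (the /24 mask is this example's assumption, not something from the thread).
REWRITTEN = POSTED.replace("global (DMZ1) 1 10.10.5.10-10.10.5.25\n", "").replace(
    "172.16.1.0 172.16.1.0 netmask 255.255.255.255", "172.16.1.0 172.16.1.0 netmask 255.255.255.0")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _addr_spec(tok, i):
    """Parse an ACL address term: 'any' | 'host A' | 'A MASK'. Returns (network, next index)."""
    if tok[i] == "any":
        return _net("0.0.0.0", "0.0.0.0"), i + 1
    if tok[i] == "host":
        return _net(tok[i + 1], "255.255.255.255"), i + 2
    return _net(tok[i], tok[i + 1]), i + 2


def parse(text):
    cfg = {"sec": {}, "acl": {}, "group": {}, "static": [], "nat": [], "global": set()}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "nameif":            # nameif <phys> <name> security<N>
            cfg["sec"][t[2]] = int(t[3][len("security"):])
        elif t[0] == "access-list":     # access-list <name> permit|deny <proto> <src> <dst> [eq port]
            src, i = _addr_spec(t, 4)
            dst, _ = _addr_spec(t, i)
            cfg["acl"].setdefault(t[1], []).append((t[2], t[3], src, dst))
        elif t[0] == "access-group":    # access-group <acl> in interface <if>
            cfg["group"][t[4]] = t[1]
        elif t[0] == "static":          # static (real,mapped) [tcp|udp] <mapped> [port] <real> [port] netmask <m>
            real_if, mapped_if = t[1].strip("()").split(",")
            mapped, real = (t[3], t[5]) if t[2] in ("tcp", "udp") else (t[2], t[3])
            mask = t[t.index("netmask") + 1]
            cfg["static"].append((real_if, mapped_if, _net(real, mask), _net(mapped, mask)))
        elif t[0] == "nat":             # nat (<if>) <id> <net> <mask> ...
            cfg["nat"].append((t[1].strip("()"), int(t[2]), _net(t[3], t[4])))
        elif t[0] == "global":          # global (<if>) <id> ...
            cfg["global"].add((t[1].strip("()"), int(t[2])))
    return cfg


def acl_permits(aces, proto, src, dst):
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, ace_proto, s, d in aces:
        if ace_proto in ("ip", proto) and src in s and dst in d:
            return action == "permit"
    return False


def check_flow(cfg, src_if, dst_if, src_ip, dst_ip, proto="ip"):
    """Reasons a connection from src_ip (on src_if) to dst_ip (on dst_if) fails; [] means it passes."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    outbound = cfg["sec"][src_if] > cfg["sec"][dst_if]     # higher -> lower security
    problems = []
    acl = cfg["group"].get(src_if)
    if acl is None:
        if not outbound:
            problems.append(f"no access-group on {src_if}: lower-to-higher traffic is denied by default")
    elif not acl_permits(cfg["acl"][acl], proto, src, dst):
        problems.append(f"{acl} does not permit {proto} {src} -> {dst}")
    if outbound:
        # Source must be translated: a static (src_if,dst_if) or nat on src_if + global on dst_if.
        by_static = any(s[0] == src_if and s[1] == dst_if and src in s[2] for s in cfg["static"])
        by_nat = any(n[0] == src_if and src in n[2] and (dst_if, n[1]) in cfg["global"] for n in cfg["nat"])
        if not (by_static or by_nat):
            problems.append(f"no static or nat/global pair translates {src} from {src_if} to {dst_if}")
    else:
        # Destination must be exposed by a static (dst_if,src_if) whose mapped side covers it.
        if not any(s[0] == dst_if and s[1] == src_if and dst in s[3] for s in cfg["static"]):
            problems.append(f"no static ({dst_if},{src_if}) exposes {dst} to {src_if}")
    return problems


def lint_statics(cfg):
    """Heuristic: a /32 netmask on an address ending in .0 usually meant a network static."""
    return [f"static ({r},{m}) {real.network_address}: netmask /32 translates only that one address"
            for r, m, real, _ in cfg["static"]
            if real.prefixlen == 32 and str(real.network_address).endswith(".0")]


if __name__ == "__main__":
    flows = (("DMZ1", "inside", "10.10.5.20", "172.16.1.100"),
             ("DMZ1", "outside", "10.10.5.20", "198.51.100.7"),
             ("inside", "DMZ1", "172.16.1.50", "10.10.5.20"))
    for label, text in (("posted", POSTED), ("rewritten", REWRITTEN)):
        cfg = parse(text)
        print(f"== {label} ==")
        for warning in lint_statics(cfg):
            print("  warn:", warning)
        for f in flows:
            print(f"  {f[0]}->{f[1]} {f[2]}->{f[3]}:", check_flow(cfg, *f) or "ok")
```

Run as-is to print the verdicts for both variants; parse() and check_flow() can be pointed at any PIX 6.x fragment that uses the same statement forms, which makes a quick pre-change check before touching nat/global/static lines on a box that is otherwise working.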
 
LVL 3

Expert Comment

by:mahe2000
ID: 17842549
i don't see an error in your configuration that denies you this traffic.... it should be something else.... may be routing. what are you trying to ping???
 

Author Comment

by:jmcrae72
ID: 17843303
If I remove this command then I lose RDP access to the server in the DMZ.

> -- you don't need a global for the DMZ if you already have the above static
> global (DMZ1) 1 10.10.5.10-10.10.5.25  <== remove this if you want

> You don't have any other conflicting static routes to 10.10.5.0
> I'm assuming that the default gateway for all hosts sitting in the DMZ is the PIX's interface 10.10.5.1 ?
Yes.

> i can either ping just a public ip or my inside network but not both
> What entries are you changing to get one or the other?
Can't get into the inside network now no matter what entry.




 

Author Comment

by:jmcrae72
ID: 17844184
> i don't see an error in your configuration that denies you this traffic.... it should be something else.... may be routing. what are you trying to ping???

I am trying to ping any device on the inside interface of the PIX.
 

Author Comment

by:jmcrae72
ID: 17845925
anyone?
 

Author Comment

by:jmcrae72
ID: 17846783
a pix reboot fixed my issue.

Accepted Solution

by: Computer101 (earned 0 total points)
ID: 18042196
PAQed with points refunded (500)

Computer101
EE Admin