jmcrae72


DMZ can access Internet or inside but not both

I hate to ask for help but I have spent many hours working on this, so here we go.
I have configured a DMZ hanging off my PIX 515E with a net address of 10.10.5.0 255.255.255 and an inside net address of 172.16.1.0 255.255.255.0.
The inside net works fine and has been for years; the DMZ is new.
My issue is I can either ping just a public IP or my inside network but not both. I have tried so many different configs my head is spinning.

Thanks in advance.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 DMZ1 security10
enable password 8V encrypted
passwd zc encrypted
hostname PIX
domain-name xnetwork
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outbound deny tcp any 1.2.0.0 255.255.0.0 eq www
access-list outbound deny tcp any any eq 4662
access-list outbound permit ip any any
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit tcp any host 1.2.3.34 eq https
access-list 100 permit tcp any host 1.2.3.17 eq https
access-list 100 permit tcp any host 1.2.3.35 eq https
access-list 100 permit tcp any host 1.2.3.24 eq pop3
access-list 100 permit tcp any host 1.2.3.24 eq smtp
access-list 100 permit tcp any host 1.2.3.24 eq www
access-list 100 permit tcp any host 1.2.3.24 eq 995
access-list 100 permit tcp any host 1.2.3.150 eq smtp
access-list 100 permit tcp any host 1.2.3.151 eq smtp
access-list ACL_DMZ permit tcp any 172.16.0.0 255.255.0.0
access-list ACL_DMZ permit tcp any 10.10.0.0 255.255.0.0
access-list ACL_DMZ permit icmp any any
access-list ACL_DMZ permit ip any any
pager lines 24
logging on
logging trap errors
logging host inside 172.16.1.100 format emblem
icmp permit any echo outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu DMZ1 1500
ip address outside 1.2.3.4 255.255.255.0
ip address inside 172.16.1.2 255.255.0.0
no ip address intf2
no ip address intf3
no ip address intf4
ip address DMZ1 10.10.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address DMZ1
arp timeout 14400
global (outside) 1 interface
global (DMZ1) 1 10.10.5.10-10.10.5.25
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 10.10.5.0 255.255.255.0 0 0
static (inside,outside) tcp 1.2.3.34 https 172.16.1.134 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.2.3.17 https 172.16.1.217 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.2.3.35 https 172.16.1.135 https netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.24 172.16.1.24 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.71 172.19.1.212 netmask 255.255.255.255 0 0
static (inside,DMZ1) 172.16.1.0 172.16.1.0 netmask 255.255.255.255 0 0
access-group 100 in interface outside
access-group outbound in interface inside
access-group ACL_DMZ in interface DMZ1
route outside 0.0.0.0 0.0.0.0 6.x.x.1 1
route inside 10.0.0.0 255.255.0.0 172.16.1.1 1
route inside 10.10.11.0 255.255.255.0 172.16.1.1 1
route inside 10.10.131.0 255.255.255.0 172.16.1.1 1
route inside 10.10.135.0 255.255.255.0 172.16.1.1 1
route inside 10.10.136.0 255.255.255.0 172.16.1.1 1
route inside 10.10.137.0 255.255.255.0 172.16.1.1 1
route inside 10.10.138.0 255.255.255.0 172.16.1.1 1
route inside 10.10.139.0 255.255.255.0 172.16.1.1 1
route inside 10.10.140.0 255.255.255.0 172.16.1.1 1
route inside 10.10.141.0 255.255.255.0 172.16.1.1 1
route inside 10.10.142.0 255.255.255.0 172.16.1.1 1
route inside 10.10.143.0 255.255.255.0 172.16.1.1 1
route inside 10.10.144.0 255.255.255.0 172.16.1.1 1
route inside 10.10.145.0 255.255.255.0 172.16.1.1 1
route inside 10.10.146.0 255.255.255.0 172.16.1.1 1
route inside 10.10.147.0 255.255.255.0 172.16.1.1 1
route inside 10.10.148.0 255.255.255.0 172.16.1.1 1
route inside 10.10.149.0 255.255.255.0 172.16.1.1 1
route inside 10.10.150.0 255.255.255.0 172.16.1.1 1
route inside 10.10.151.0 255.255.255.0 172.16.1.1 1
route inside 10.10.152.0 255.255.255.0 172.16.1.1 1
route inside 10.10.153.0 255.255.255.0 172.16.1.1 1
route inside 10.10.154.0 255.255.255.0 172.16.1.1 1
route inside 10.10.155.0 255.255.255.0 172.16.1.1 1
route inside 10.10.156.0 255.255.255.0 172.16.1.1 1
route inside 10.10.157.0 255.255.255.0 172.16.1.1 1
route inside 10.10.158.0 255.255.255.0 172.16.1.1 1
route inside 10.10.159.0 255.255.255.0 172.16.1.1 1
route inside 10.10.160.0 255.255.255.0 172.16.1.1 1
route inside 10.10.161.0 255.255.255.0 172.16.1.1 1
route inside 10.10.162.0 255.255.255.0 172.16.1.1 1
route inside 10.10.163.0 255.255.255.0 172.16.1.1 1
route inside 10.10.164.0 255.255.255.0 172.16.1.1 1
route inside 1.2.3.0 255.255.255.0 172.16.1.1 1
route inside 172.17.0.0 255.255.0.0 172.16.1.1 1
route inside 172.19.0.0 255.255.0.0 172.16.1.1 1
route inside 172.20.0.0 255.255.0.0 172.16.1.1 1
route inside 172.21.0.0 255.255.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 1:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication telnet console LOCAL
ntp authenticate
ntp server 1.6.3.194 source outside prefer
http server enable
http 172.16.0.0 255.255.0.0 inside
snmp-server host inside 172.16.1.15
no snmp-server location
no snmp-server contact
snmp-server community md0530
snmp-server enable traps
floodguard enable
sysopt connection tcpmss 0
telnet 172.16.0.0 255.255.0.0 inside
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 60
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
username  password dfg encrypted privilege 15
username  password tl encrypted privilege 15
username  password htL encrypted privilege 15
terminal width 300
Cryptochecksum:dd428fcf11988887e3ac5194c4ced188
: end
PIX#
Les Moore

Given the following from your config, you should not be having this issue:

-- allow anything from lower to higher (DMZ out) - nothing is being blocked
access-list ACL_DMZ permit ip any any
access-group ACL_DMZ in interface DMZ1

-- don't NAT between inside and DMZ. DMZ hosts address internal hosts by private IP
static (inside,DMZ1) 172.16.1.0 172.16.1.0 netmask 255.255.255.255 0 0

-- you don't need a global for the DMZ if you already have the above static
global (DMZ1) 1 10.10.5.10-10.10.5.25  <== remove this if you want

-- NAT DMZ hosts going out the outside with global (1)
nat (DMZ1) 1 10.10.5.0 255.255.255.0 0 0

You don't have any other conflicting static routes to 10.10.5.0
I'm assuming that the default gateway for all hosts sitting in the DMZ is the PIX's interface 10.10.5.1 ?

>i can either ping just a public ip or my inside network but not both
What entries are you changing to get one or the other?
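
Added here as a worked example, not code from the thread or from Cisco: a small Python checker that applies Les Moore's points to the relevant lines of the posted config (an ACL bound inbound on DMZ1, a static between inside and DMZ1 covering the inside hosts, no route overlapping 10.10.5.0/24). Run on the sample, it reports two things a reviewer would want to see: ACL_DMZ permits ip any any from the DMZ toward the higher-security inside, and the posted static's netmask 255.255.255.255 covers only the single address 172.16.1.0, not 172.16.1.0/24. Interface names and subnets are the thread's; the sample config is constructed from the posted lines.

```python
import ipaddress

# Constructed sample: the lines of the asker's PIX 6.3 config that decide DMZ1 -> inside traffic.
SAMPLE_CONFIG = """
access-list ACL_DMZ permit tcp any 172.16.0.0 255.255.0.0
access-list ACL_DMZ permit ip any any
access-group ACL_DMZ in interface DMZ1
global (DMZ1) 1 10.10.5.10-10.10.5.25
nat (DMZ1) 1 10.10.5.0 255.255.255.0 0 0
static (inside,DMZ1) 172.16.1.0 172.16.1.0 netmask 255.255.255.255 0 0
route inside 10.0.0.0 255.255.0.0 172.16.1.1 1
"""

def net(addr, mask):
    # PIX writes dotted masks; ip_network accepts "addr/dotted-mask".
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_dmz_to_inside(config, dmz="DMZ1", inside="inside",
                        inside_net="172.16.1.0/24", dmz_net="10.10.5.0/24"):
    """Return findings explaining why hosts on `dmz` may not reach hosts on `inside`."""
    inside_net, dmz_net = ipaddress.ip_network(inside_net), ipaddress.ip_network(dmz_net)
    acls, bound, statics, findings = {}, {}, [], []
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            acls.setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            bound[t[4]] = t[1]
        elif t[0] == "static" and t[1] == f"({inside},{dmz})" and t[2][0].isdigit():
            # identity static: the real inside addresses (t[3]) are shown unchanged to the DMZ
            statics.append(net(t[3], t[5]))
        elif t[0] == "route":
            r = net(t[2], t[3])
            if r.prefixlen and r.overlaps(dmz_net):  # ignore the default route
                findings.append(f"route overlaps DMZ subnet: {line.strip()}")
    acl = bound.get(dmz)
    if acl is None:
        findings.append(f"no access-group inbound on {dmz}: lower->higher traffic is dropped")
    elif ["permit", "ip", "any", "any"] in acls.get(acl, []):
        findings.append(f"{acl} permits ip any any: DMZ hosts may initiate anything toward {inside}")
    if not any(inside_net.subnet_of(s) for s in statics):
        covered = [str(s) for s in statics]
        findings.append(f"no static ({inside},{dmz}) covers {inside_net}; statics cover {covered}")
    return findings
```

Call `check_dmz_to_inside(SAMPLE_CONFIG)` to see the two findings; widening the static's netmask to 255.255.255.0 and narrowing the ACL clears both.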



mahe2000

I don't see an error in your configuration that denies you this traffic.... it should be something else.... maybe routing. What are you trying to ping???
jmcrae72 (ASKER)

If I remove this command then I lose RDP access to the server in the DMZ.

> -- you don't need a global for the DMZ if you already have the above static
> global (DMZ1) 1 10.10.5.10-10.10.5.25  <== remove this if you want

> You don't have any other conflicting static routes to 10.10.5.0
> I'm assuming that the default gateway for all hosts sitting in the DMZ is the PIX's interface 10.10.5.1 ?

Yes.

> i can either ping just a public ip or my inside network but not both
> What entries are you changing to get one or the other?

Can't get into the inside network now no matter what entry.

> i don't see an error in your configuration that denies you this traffic.... it should be something else.... may be routing. what are you trying to ping???

I am trying to ping any device on the inside interface of the PIX.
Anyone?

A PIX reboot fixed my issue.
ASKER CERTIFIED SOLUTION
Computer101