Solved

515e DMZ 2003 Web servers

Posted on 2006-12-01
Medium Priority
295 Views
Last Modified: 2010-04-10
I have constructed a DMZ on my Cisco PIX 515e. I can't seem to connect to my domain from a web server and media server I put on the DMZ.

DMZ Address 172.17.10.1
Web Server- 172.17.10.5, 26.x.x.125
Media Server- 172.17.10.6

Outside Int 26.x.x.122
Inside Int- 172.16.41.137
DNS server IPs- 172.16.10.10, 172.16.10.11

mkh-pix# show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 auto shutdown
interface ethernet3 10baset
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 dmz security50
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password Yn8Esq3NcXIHL35v encrypted
passwd XLcDKg3X8eBKlimL encrypted
hostname mkh-pix
fixup protocol dns maximum-length 1536
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit tcp any host 26.x.x.124 eq smtp
access-list acl_out permit tcp any host 26.x.x.125 eq www
access-list acl_out permit tcp interface outside eq www any
access-list acl_out permit tcp any host 26.x.x.125 eq https
access-list acl_out permit udp host 172.17.10.5 any eq domain
access-list acl_out permit udp host 172.17.10.6 any eq domain
access-list acl_dmz permit tcp host 26.x.x.125 eq pcanywhere-data any eq pcanywhere-data
access-list acl_dmz permit tcp host 26.x.x.125 eq https any eq https
access-list acl_dmz permit tcp host 26.x.x.125 eq telnet any eq telnet
access-list acl_dmz permit icmp any any
access-list acl_dmz permit ip host 172.17.10.0 172.16.0.0 255.255.0.0
access-list acl_dmz permit udp host 172.17.10.5 any eq domain
access-list acl_dmz permit tcp host 172.17.10.5 any eq www
access-list acl_dmz permit tcp host 172.17.10.6 any eq www
access-list acl_dmz permit tcp host 172.17.10.5 eq www any
access-list acl_dmz permit tcp host 172.17.10.5 any eq https
access-list acl_dmz permit tcp host 172.17.10.5 eq https any
access-list acl_dmz permit tcp host 172.17.10.6 eq www any
access-list acl_dmz permit udp host 172.17.10.6 any eq domain
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu dmz 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 26.x.x.122 255.255.255.248
ip address inside 172.16.41.137 255.255.0.0
ip address intf2 127.0.0.1 255.255.255.255
ip address dmz 172.17.10.1 255.255.0.0
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address dmz
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 26.x.x.124 172.16.10.14 netmask 255.255.255.255 0 0
static (inside,outside) 26.x.x.125 172.17.10.5 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 24.97.107.121 1
route inside 172.22.176.0 255.255.255.224 172.16.41.138 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 172.16.10.18 timeout 20 protocol TCP version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
snmp-server host inside 172.16.10.17 poll
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer 68.x.x.30
crypto map outside_map 100 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 68.x.x.30 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 172.16.41.134 255.255.255.255 inside
telnet 172.16.41.138 255.255.255.255 inside
telnet 172.16.41.129 255.255.255.255 inside
telnet 172.16.41.200 255.255.255.255 inside
telnet 172.22.176.0 255.255.255.224 inside
telnet 172.16.41.83 255.255.255.255 inside
telnet 172.16.10.10 255.255.255.255 inside
telnet 172.16.10.17 255.255.255.255 inside
telnet 172.16.10.17 255.255.255.255 intf2
telnet 172.16.10.17 255.255.255.255 dmz
telnet 172.16.10.17 255.255.255.255 intf4
telnet 172.16.10.17 255.255.255.255 intf5
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:879fb291697661dae72d60990f6e3cb9
: end
mkh-pix#

I can't even join the web server to the domain. Any ideas for making this connection possible would be greatly appreciated. Thanks
Jaybirdjets

Question by:JaybirdJets
3 Comments
 
LVL 12

Accepted Solution

by:
Freya28 earned 2000 total points
ID: 18056349
The 2 networks should not be able to see each other. On the web box in the DMZ, add a persistent route in the command prompt for the 172.16.41.x network.

route add -p 172.16.41.0 mask 255.255.255.0 172.17.10.1

Author Comment

by:JaybirdJets
ID: 18058057
I tried to add the persistent route on the web server but I still wasn't able to join it to my domain.



Author Comment

by:JaybirdJets
ID: 18071131
Thanks