Solved

515e DMZ 2003 Web servers

Posted on 2006-12-01
Last Modified: 2010-04-10
I have constructed a DMZ on my Cisco PIX 515e. I can't seem to connect to my domain from a web server and media server I put on the DMZ.

DMZ Address 172.17.10.1
Web Server- 172.17.10.5, 26.x.x.125
Media Server- 172.17.10.6

Outside Int 26.x.x.122
Inside Int- 172.16.41.137
DNS server IPs- 172.16.10.10, 172.16.10.11

mkh-pix# show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 auto shutdown
interface ethernet3 10baset
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 dmz security50
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password Yn8Esq3NcXIHL35v encrypted
passwd XLcDKg3X8eBKlimL encrypted
hostname mkh-pix
fixup protocol dns maximum-length 1536
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit tcp any host 26.x.x.124 eq smtp
access-list acl_out permit tcp any host 26.x.x.125 eq www
access-list acl_out permit tcp interface outside eq www any
access-list acl_out permit tcp any host 26.x.x.125 eq https
access-list acl_out permit udp host 172.17.10.5 any eq domain
access-list acl_out permit udp host 172.17.10.6 any eq domain
access-list acl_dmz permit tcp host 26.x.x.125 eq pcanywhere-data any eq pcanywhere-data
access-list acl_dmz permit tcp host 26.x.x.125 eq https any eq https
access-list acl_dmz permit tcp host 26.x.x.125 eq telnet any eq telnet
access-list acl_dmz permit icmp any any
access-list acl_dmz permit ip host 172.17.10.0 172.16.0.0 255.255.0.0
access-list acl_dmz permit udp host 172.17.10.5 any eq domain
access-list acl_dmz permit tcp host 172.17.10.5 any eq www
access-list acl_dmz permit tcp host 172.17.10.6 any eq www
access-list acl_dmz permit tcp host 172.17.10.5 eq www any
access-list acl_dmz permit tcp host 172.17.10.5 any eq https
access-list acl_dmz permit tcp host 172.17.10.5 eq https any
access-list acl_dmz permit tcp host 172.17.10.6 eq www any
access-list acl_dmz permit udp host 172.17.10.6 any eq domain
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu dmz 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 26.x.x.122 255.255.255.248
ip address inside 172.16.41.137 255.255.0.0
ip address intf2 127.0.0.1 255.255.255.255
ip address dmz 172.17.10.1 255.255.0.0
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address dmz
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 26.x.x.124 172.16.10.14 netmask 255.255.255.255 0 0
static (inside,outside) 26.x.x.125 172.17.10.5 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 24.97.107.121 1
route inside 172.22.176.0 255.255.255.224 172.16.41.138 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 172.16.10.18 timeout 20 protocol TCP version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
snmp-server host inside 172.16.10.17 poll
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer 68.x.x.30
crypto map outside_map 100 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 68.x.x.30 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 172.16.41.134 255.255.255.255 inside
telnet 172.16.41.138 255.255.255.255 inside
telnet 172.16.41.129 255.255.255.255 inside
telnet 172.16.41.200 255.255.255.255 inside
telnet 172.22.176.0 255.255.255.224 inside
telnet 172.16.41.83 255.255.255.255 inside
telnet 172.16.10.10 255.255.255.255 inside
telnet 172.16.10.17 255.255.255.255 inside
telnet 172.16.10.17 255.255.255.255 intf2
telnet 172.16.10.17 255.255.255.255 dmz
telnet 172.16.10.17 255.255.255.255 intf4
telnet 172.16.10.17 255.255.255.255 intf5
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:879fb291697661dae72d60990f6e3cb9
: end
mkh-pix#

I can't even join the web server to the domain. Any ideas for making this connection possible would be greatly appreciated. Thanks
Jaybirdjets
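As an added example (not part of the question or any of the answers), this Python script evaluates acl_dmz from the posted config the way the PIX does (first matching entry wins, implicit deny at the end) against the well-known ports a domain join needs from the DMZ web server. It assumes the domain controller is the first DNS server listed, 172.16.10.10, and the tightened entries it appends at the end are an assumption for illustration, not a tested fix.

```python
import ipaddress

PORT_NAMES = {"domain": 53, "www": 80, "https": 443}  # names used in the posted ACL

def _addr(t, i):  # PIX address spec: any | host A | A MASK (real netmask, not wildcard)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _port(t, i):  # optional 'eq PORT' qualifier; None when absent
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]), i + 2
    return None, i

def parse_ace(line):  # 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]'
    t = line.split()
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, _ = _port(t, i)
    return {"permit": t[2] == "permit", "proto": t[3],
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def permitted(acl, proto, src, dst, dport=None):  # first match wins; no match = implicit deny
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] not in ("ip", proto) or s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["permit"]
    return False

# acl_dmz as posted in the question (entries whose source is the redacted 26.x.x.125 are left out).
ACL_DMZ = [parse_ace(l) for l in """
access-list acl_dmz permit icmp any any
access-list acl_dmz permit ip host 172.17.10.0 172.16.0.0 255.255.0.0
access-list acl_dmz permit udp host 172.17.10.5 any eq domain
access-list acl_dmz permit tcp host 172.17.10.5 any eq www
""".strip().splitlines()]
# Well-known domain-join ports (dynamic RPC omitted); assumed DC: the DNS server 172.16.10.10.
JOIN_FLOWS = [("udp", 53), ("tcp", 88), ("tcp", 135), ("tcp", 389), ("tcp", 445)]

def join_check(acl, server="172.17.10.5", dc="172.16.10.10"):
    return {port: permitted(acl, proto, server, dc, port) for proto, port in JOIN_FLOWS}

# 'host 172.17.10.0' matches that single address, not the subnet, so only DNS passes. Assumed fix, per port:
FIXED_ACL = ACL_DMZ + [parse_ace(f"access-list acl_dmz permit tcp host 172.17.10.5 host 172.16.10.10 eq {p}") for _, p in JOIN_FLOWS[1:]]
```

Running join_check(ACL_DMZ) shows DNS as the only permitted flow, which matches the symptom in the question; join_check(FIXED_ACL) permits all five while still denying the same ports to any other inside host.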

Question by: JaybirdJets
Accepted Solution by: Freya28 (earned 500 total points), ID: 18056349
The 2 networks should not be able to see each other. On the web box in the DMZ, add a persistent route in the command prompt for the 172.16.41.x network.

route add -p 172.16.41.0 mask 255.255.255.0 172.17.10.1
Author Comment by: JaybirdJets, ID: 18058057
I tried to add the persistent route on the web server but I still wasn't able to join it to my domain.

Author Comment by: JaybirdJets, ID: 18071131
Thanks