access to DMZ

dtadmin asked:

I'm trying to allow access from the inside network to the DMZ temporarily. Below are my three interfaces.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10

ip address outside 65.12.13.14 255.255.255.0
ip address inside 10.4.1.1 255.255.255.0
ip address intf2 192.1.1.1 255.255.255.0
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat1 permit ip 10.4.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat1 permit ip 10.4.2.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat1 permit ip 10.4.2.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list nonat1 permit ip 10.4.2.0 255.255.255.0 10.4.5.0 255.255.255.0
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 10.4.5.0 255.255.255.0
access-list nonat1 permit ip 10.1.200.0 255.255.254.0 172.16.1.0 255.255.255.0
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 10.1.200.0 255.255.254.0
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list nonat1 permit ip 192.1.1.0 255.255.255.0 10.4.1.0 255.255.255.0

access-list intf2_out deny ip any 10.4.2.0 255.255.255.0
access-list intf2_out permit ip any any



Tags: Cisco, Hardware Firewalls

raptorjb007:

By default, higher security level VLANs can access lower security level interfaces without any access-lists required. This is only the case if nat-control is not enabled.

You may want to try the following command

no nat-control

Else, you will need an access list to allow the inside network to access the dmz network.

access-list intf2_in permit ip 10.4.1.0 255.255.255.0 192.1.1.0 255.255.255.0
access-group intf2_in in interface intf2
dtadmin (ASKER):

I tried the access list and still no access into the dmz from the inside network. Here is my nat config if that helps.

global (outside) 1 interface
global (intf2) 1 interface
nat (inside) 0 access-list nonat1
nat (inside) 1 10.4.1.0 255.255.255.0 0 0
nat (inside) 1 10.4.2.0 255.255.255.0 0 0
nat (intf2) 0 access-list nonat2
nat (intf2) 1 192.1.1.0 255.255.255.0 0 0
ck459:

Try removing this line:
global (intf2) 1 interface

Kurt
raptorjb007:

Remove

global (intf2) 1 interface

Also, temporarily, try removing the intf2 access-list

no access-list intf2_out deny ip any 10.4.2.0 255.255.255.0
no access-list intf2_out permit ip any any

If this does not work, post your full config.
dtadmin (ASKER):

firehawk# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password mMyyqT5R6ad39k93 encrypted
passwd mMyyqT5R6ad39k93 encrypted
hostname firehawk
domain-name davey.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 10.4.1.104 Garcia
name 10.4.2.0 DRG
name 192.1.1.2 cicada
name 10.4.1.0 davey_institute
name 10.4.1.2 dante
name 192.1.1.5 RowKeeper
name 10.4.1.19 OutlookWebInside
name 192.1.1.4 ITREE
name 10.4.1.7 geo_version2
object-group service PolycomVideo tcp-udp
  description Ports for Polycom Video Conference
  port-object range 3230 3235
  port-object eq 1720
  port-object eq 1503
  port-object eq 389
access-list acl_out permit tcp any host 65.123.115.227 eq ftp
access-list acl_out permit tcp any host 65.123.115.230 eq www
access-list acl_out permit tcp any host 65.123.115.230 eq ftp
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 65.123.115.228 eq www
access-list acl_out permit tcp any host 65.123.115.228 eq ftp
access-list acl_out permit tcp any host 65.123.115.228 eq https
access-list acl_out permit udp any host 65.123.115.231 eq domain
access-list acl_out permit tcp any host 65.123.115.231 eq domain
access-list acl_out permit tcp any host 65.123.115.231 eq www
access-list acl_out permit tcp any host 65.123.115.232 eq www
access-list acl_out permit tcp any any object-group PolycomVideo
access-list acl_out permit udp any any object-group PolycomVideo
access-list acl_out permit tcp any host 65.123.115.232 eq ftp
access-list acl_out permit tcp any host 65.123.115.228 eq 3389
access-list local_lanForWestern permit ip 10.4.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForWestern permit ip 10.4.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForWestern permit ip 192.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForWestern permit ip 10.1.200.0 255.255.254.0 172.16.1.0 255.255.255.0
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat1 permit ip 10.4.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat1 permit ip 10.4.2.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat1 permit ip 10.4.2.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list nonat1 permit ip 10.4.2.0 255.255.255.0 10.4.5.0 255.255.255.0
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 10.4.5.0 255.255.255.0
access-list nonat1 permit ip 10.1.200.0 255.255.254.0 172.16.1.0 255.255.255.0
access-list nonat2 permit ip 192.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lan permit ip 10.4.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lan permit ip 10.4.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lan permit ip 192.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lan permit ip 10.1.200.0 255.255.254.0 172.16.1.0 255.255.255.0
access-list local_lanForEastern permit ip 10.4.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForEastern permit ip 10.4.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForEastern permit ip 192.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForEastern permit ip 10.1.200.0 255.255.254.0 172.16.1.0 255.255.255.0
access-list local_lanForLivermore permit ip 10.4.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForLivermore permit ip 10.4.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForLivermore permit ip 192.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForLivermore permit ip 10.1.200.0 255.255.254.0 172.16.1.0 255.255.255.0
access-list local_lanForKent permit ip 10.4.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForKent permit ip 10.4.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForKent permit ip 192.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForKent permit ip 10.1.200.0 255.255.254.0 172.16.1.0 255.255.255.0
access-list intf2_out deny ip any 10.4.1.0 255.255.255.0
access-list intf2_out deny ip any 10.4.2.0 255.255.255.0
access-list intf2_out permit ip any any
access-list daveyUAI_splitTunnelAcl permit ip 10.4.1.0 255.255.255.0 any
access-list daveyUAI_splitTunnelAcl permit ip 10.4.2.0 255.255.255.0 any
access-list daveyUAI_splitTunnelAcl permit ip 192.1.1.0 255.255.255.0 any
pager lines 24
logging trap debugging
logging history debugging
logging host inside 10.4.2.59 17/3001
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 65.123.115.226 255.255.255.0
ip address inside 10.4.1.1 255.255.255.0
ip address intf2 192.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.16.1.1-172.16.1.254
pdm location 10.4.1.2 255.255.255.255 inside
pdm location 10.4.1.104 255.255.255.255 inside
pdm location 24.164.100.0 255.255.255.0 outside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 10.4.2.0 255.255.255.0 inside
pdm location 10.4.2.59 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.1.1.2 255.255.255.255 intf2
pdm location 192.1.1.4 255.255.255.255 intf2
pdm location 10.4.1.19 255.255.255.255 inside
pdm location 192.1.1.5 255.255.255.255 intf2
pdm location 10.4.2.110 255.255.255.255 inside
pdm location 10.4.2.0 255.255.255.0 intf2
pdm location 10.10.10.0 255.255.255.0 outside
pdm location 10.4.4.0 255.255.255.0 outside
pdm location 10.4.5.0 255.255.255.0 outside
pdm location 10.4.1.91 255.255.255.255 inside
pdm location 10.4.1.7 255.255.255.255 inside
pdm location 10.4.1.84 255.255.255.255 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (intf2) 1 interface
nat (inside) 0 access-list nonat1
nat (inside) 1 10.4.1.0 255.255.255.0 0 0
nat (inside) 1 10.4.2.0 255.255.255.0 0 0
nat (intf2) 0 access-list nonat2
nat (intf2) 1 192.1.1.0 255.255.255.0 0 0
static (intf2,outside) 65.123.115.227 192.1.1.2 netmask 255.255.255.255 0 0
static (intf2,outside) 65.123.115.230 192.1.1.4 netmask 255.255.255.255 0 0
static (inside,intf2) 10.4.2.0 10.4.2.0 netmask 255.255.255.0 0 0
static (inside,intf2) 10.4.1.0 10.4.1.0 netmask 255.255.255.0 0 0
static (intf2,outside) 65.123.115.228 192.1.1.5 netmask 255.255.255.255 0 0
static (intf2,inside) 65.123.115.227 192.1.1.2 netmask 255.255.255.255 0 0
static (intf2,inside) 65.123.115.230 192.1.1.4 netmask 255.255.255.255 0 0
static (intf2,inside) 65.123.115.228 192.1.1.5 netmask 255.255.255.255 0 0
static (inside,outside) 65.123.115.231 10.4.1.19 dns netmask 255.255.255.255 0 0
static (inside,outside) 65.123.115.232 10.4.1.7 dns netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group intf2_out in interface intf2
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
route outside 0.0.0.0 0.0.0.0 65.123.115.225 1
route inside 10.1.200.0 255.255.254.0 10.4.1.5 1
route inside 10.4.2.0 255.255.255.0 10.4.1.15 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.4.1.104 255.255.255.255 inside
http 10.4.2.59 255.255.255.255 inside
http 10.4.2.110 255.255.255.255 inside
http 10.4.1.91 255.255.255.255 inside
http 10.4.1.84 255.255.255.255 inside
http 10.4.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup davey address-pool ippool
vpngroup davey dns-server 10.4.1.10 10.4.1.8
vpngroup davey wins-server 10.4.1.8
vpngroup davey default-domain davey_institute.local
vpngroup davey split-tunnel local_lan
vpngroup davey idle-time 1800
vpngroup davey password ********
vpngroup daveyWestern address-pool ippool
vpngroup daveyWestern dns-server 10.4.1.10 10.4.1.8
vpngroup daveyWestern wins-server 10.4.1.8
vpngroup daveyWestern default-domain davey_institute.local
vpngroup daveyWestern split-tunnel local_lanForWestern
vpngroup daveyWestern idle-time 1800
vpngroup daveyWestern password ********
vpngroup daveyEastern address-pool ippool
vpngroup daveyEastern dns-server 10.4.1.10 10.4.1.8
vpngroup daveyEastern wins-server 10.4.1.8
vpngroup daveyEastern default-domain davey_institute.local
vpngroup daveyEastern split-tunnel local_lanForEastern
vpngroup daveyEastern idle-time 1800
vpngroup daveyEastern password ********
vpngroup daveyLivermore address-pool ippool
vpngroup daveyLivermore dns-server 10.4.1.10 10.4.1.8
vpngroup daveyLivermore wins-server 10.4.1.8
vpngroup daveyLivermore default-domain davey_institute.local
vpngroup daveyLivermore split-tunnel local_lanForLivermore
vpngroup daveyLivermore idle-time 1800
vpngroup daveyLivermore password ********
vpngroup daveyKent address-pool ippool
vpngroup daveyKent dns-server 10.4.1.10 10.4.1.8
vpngroup daveyKent wins-server 10.4.1.8
vpngroup daveyKent default-domain davey_institute.local
vpngroup daveyKent split-tunnel local_lanForKent
vpngroup daveyKent idle-time 1800
vpngroup daveyKent password ********
vpngroup daveyUAI address-pool ippool
vpngroup daveyUAI dns-server 10.4.1.10 10.4.1.8
vpngroup daveyUAI wins-server 10.4.1.8
vpngroup daveyUAI default-domain davey_institute.local
vpngroup daveyUAI split-tunnel daveyUAI_splitTunnelAcl
vpngroup daveyUAI idle-time 1800
vpngroup daveyUAI password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:83eda6439aa5a7342a09a9217f1322ca
: end

raptorjb007 (ASKER CERTIFIED SOLUTION):

[solution text only available to site members; not captured here]

dtadmin (ASKER):

I removed the global statement and the access-list. Still no success.
raptorjb007:

With the access list and nat statement removed, the pix should allow the traffic.

Try clearing the translation table, since you did modify the NAT settings.

clear xlate
dtadmin (ASKER):

Still nothing. We are trying to ping 192.1.1.5 in the DMZ from our private network 10.4.1.0/24. Here is the updated config.

: Saved
: Written by enable_15 at 21:55:52.725 EDT Sat Jul 19 2008
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password mMyyqT5R6ad39k93 encrypted
passwd mMyyqT5R6ad39k93 encrypted
hostname firehawk
domain-name davey.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 10.4.1.104 Garcia
name 192.1.1.2 cicada
name 10.4.1.0 davey_institute
name 10.4.1.2 dante
name 192.1.1.5 RowKeeper
name 10.4.1.19 OutlookWebInside
name 192.1.1.4 ITREE
name 10.4.1.7 geo_version2
object-group service PolycomVideo tcp-udp
  description Ports for Polycom Video Conference
  port-object range 3230 3235
  port-object eq 1720
  port-object eq 1503
  port-object eq 389
access-list acl_out permit tcp any host 65.123.115.227 eq ftp
access-list acl_out permit tcp any host 65.123.115.230 eq www
access-list acl_out permit tcp any host 65.123.115.230 eq ftp
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 65.123.115.228 eq www
access-list acl_out permit tcp any host 65.123.115.228 eq ftp
access-list acl_out permit tcp any host 65.123.115.228 eq https
access-list acl_out permit udp any host 65.123.115.231 eq domain
access-list acl_out permit tcp any host 65.123.115.231 eq domain
access-list acl_out permit tcp any host 65.123.115.231 eq www
access-list acl_out permit tcp any host 65.123.115.232 eq www
access-list acl_out permit tcp any any object-group PolycomVideo
access-list acl_out permit udp any any object-group PolycomVideo
access-list acl_out permit tcp any host 65.123.115.232 eq ftp
access-list acl_out permit tcp any host 65.123.115.228 eq 3389
access-list local_lanForWestern permit ip 10.4.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForWestern permit ip 10.4.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForWestern permit ip 192.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForWestern permit ip 10.1.200.0 255.255.254.0 172.16.1.0 255.255.255.0
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 10.4.4.0 255.255.255.0
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 10.4.5.0 255.255.255.0
access-list nonat1 permit ip 10.1.200.0 255.255.254.0 172.16.1.0 255.255.255.0
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 10.1.200.0 255.255.254.0
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list nonat1 permit ip 192.1.1.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list nonat2 permit ip 192.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat2 permit ip 192.1.1.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list local_lan permit ip 10.4.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lan permit ip 10.4.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lan permit ip 192.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lan permit ip 10.1.200.0 255.255.254.0 172.16.1.0 255.255.255.0
access-list local_lanForEastern permit ip 10.4.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForEastern permit ip 10.4.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForEastern permit ip 192.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForEastern permit ip 10.1.200.0 255.255.254.0 172.16.1.0 255.255.255.0
access-list local_lanForLivermore permit ip 10.4.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForLivermore permit ip 10.4.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForLivermore permit ip 192.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForLivermore permit ip 10.1.200.0 255.255.254.0 172.16.1.0 255.255.255.0
access-list local_lanForKent permit ip 10.4.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForKent permit ip 10.4.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForKent permit ip 192.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list local_lanForKent permit ip 10.1.200.0 255.255.254.0 172.16.1.0 255.255.255.0
access-list local_lanForKent permit ip 10.80.31.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list daveyUAI_splitTunnelAcl permit ip 10.4.1.0 255.255.255.0 any
access-list daveyUAI_splitTunnelAcl permit ip 192.1.1.0 255.255.255.0 any
pager lines 24
logging trap debugging
logging history debugging
logging host inside 10.4.2.59 17/3001
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 65.123.115.226 255.255.255.0
ip address inside 10.4.1.1 255.255.255.0
ip address intf2 192.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.16.1.1-172.16.1.254
pdm location 10.4.1.2 255.255.255.255 inside
pdm location 10.4.1.104 255.255.255.255 inside
pdm location 24.164.100.0 255.255.255.0 outside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 10.4.2.59 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.1.1.2 255.255.255.255 intf2
pdm location 192.1.1.4 255.255.255.255 intf2
pdm location 10.4.1.19 255.255.255.255 inside
pdm location 192.1.1.5 255.255.255.255 intf2
pdm location 10.4.2.110 255.255.255.255 inside
pdm location 10.10.10.0 255.255.255.0 outside
pdm location 10.4.4.0 255.255.255.0 outside
pdm location 10.4.5.0 255.255.255.0 outside
pdm location 10.4.1.91 255.255.255.255 inside
pdm location 10.4.1.7 255.255.255.255 inside
pdm location 10.4.1.84 255.255.255.255 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat1
nat (inside) 1 10.4.1.0 255.255.255.0 0 0
nat (intf2) 0 access-list nonat2
nat (intf2) 1 192.1.1.0 255.255.255.0 0 0
static (intf2,outside) 65.123.115.227 192.1.1.2 netmask 255.255.255.255 0 0
static (intf2,outside) 65.123.115.230 192.1.1.4 netmask 255.255.255.255 0 0
static (inside,intf2) 10.4.1.0 10.4.1.0 netmask 255.255.255.0 0 0
static (intf2,outside) 65.123.115.228 192.1.1.5 netmask 255.255.255.255 0 0
static (intf2,inside) 65.123.115.227 192.1.1.2 netmask 255.255.255.255 0 0
static (intf2,inside) 65.123.115.230 192.1.1.4 netmask 255.255.255.255 0 0
static (intf2,inside) 65.123.115.228 192.1.1.5 netmask 255.255.255.255 0 0
static (inside,outside) 65.123.115.231 10.4.1.19 dns netmask 255.255.255.255 0 0
static (inside,outside) 65.123.115.232 10.4.1.7 dns netmask 255.255.255.255 0 0
static (intf2,inside) 10.4.1.8 192.1.1.5 netmask 255.255.255.255 0 0
static (inside,intf2) 192.1.1.5 10.4.1.8 netmask 255.255.255.255 0 0
static (inside,intf2) 192.1.1.0 192.1.1.0 netmask 255.255.255.0 0 0
access-group acl_out in interface outside
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
route outside 0.0.0.0 0.0.0.0 65.123.115.225 1
route inside 10.1.3.0 255.255.255.0 10.4.1.15 1
route inside 10.1.200.0 255.255.254.0 10.4.1.15 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.4.1.104 255.255.255.255 inside
http 10.4.1.91 255.255.255.255 inside
http 10.4.1.84 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 10.1.3.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:1a346bbff53c3fa4f17481364f6e4565
: end

raptorjb007:

Ok, let's try this.

Remove the two subnets from your nat0 ACLs:

no access-list nonat1 permit ip 10.4.1.0 255.255.255.0 192.1.1.0 255.255.255.0
no access-list nonat1 permit ip 192.1.1.0 255.255.255.0 10.4.1.0 255.255.255.0
no access-list nonat2 permit ip 192.1.1.0 255.255.255.0 10.4.1.0 255.255.255.0

Disable NAT between them via a static mapping:

static (inside,intf2) 10.4.1.0 10.4.1.0 netmask 255.255.255.0 0 0

dtadmin (ASKER):

Still no go. When we ping from 10.4.1.8 to 192.1.1.5 we still get a "request timed out".
ck459:

Make sure that the only static between intf2 and the inside interface is the one that raptorjb007 gave, so remove all of the other statics:
no static (intf2,inside) 10.4.1.8 192.1.1.5 netmask 255.255.255.255 0 0
no static (inside,intf2) 192.1.1.5 10.4.1.8 netmask 255.255.255.255 0 0
no static (inside,intf2) 192.1.1.0 192.1.1.0 netmask 255.255.255.0 0 0
no static (intf2,inside) 65.123.115.227 192.1.1.2 netmask 255.255.255.255 0 0
no static (intf2,inside) 65.123.115.230 192.1.1.4 netmask 255.255.255.255 0 0
no static (intf2,inside) 65.123.115.228 192.1.1.5 netmask 255.255.255.255 0 0

no nat (intf2) 0 access-list nonat2

So the only nat you have in place is this one:
static (inside,intf2) 10.4.1.0 10.4.1.0 netmask 255.255.255.0 0 0

If that does not work, once more post the complete config.
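Added example, not from the thread or from Cisco: a small Python checker that parses the static, nat 0 and nonat access-list lines of a PIX 6.3 config and reports translation rules that claim overlapping addresses on the same interface, which is what the advice above boils down to. The config excerpt inside it is constructed from the inside/intf2 lines of the updated config posted above; the function names and the overlap rules are my own.

```python
import ipaddress
import re
from collections import namedtuple

Static = namedtuple("Static", "real_if mapped_if real mapped")
Nat0 = namedtuple("Nat0", "iface src dst")

# Constructed excerpt modelled on the inside/intf2 translation lines of the updated
# PIX 6.3 config posted in the thread; it is not the poster's complete config.
SAMPLE_CONFIG = """
nat (inside) 0 access-list nonat1
nat (inside) 1 10.4.1.0 255.255.255.0 0 0
nat (intf2) 0 access-list nonat2
access-list nonat1 permit ip 10.4.1.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list nonat2 permit ip 192.1.1.0 255.255.255.0 10.4.1.0 255.255.255.0
static (inside,intf2) 10.4.1.0 10.4.1.0 netmask 255.255.255.0 0 0
static (intf2,inside) 10.4.1.8 192.1.1.5 netmask 255.255.255.255 0 0
static (inside,intf2) 192.1.1.5 10.4.1.8 netmask 255.255.255.255 0 0
static (inside,intf2) 192.1.1.0 192.1.1.0 netmask 255.255.255.0 0 0
"""
# The same pair after the thread's advice: one identity static, no nat 0 entries.
CLEAN_CONFIG = """
nat (inside) 1 10.4.1.0 255.255.255.0 0 0
static (inside,intf2) 10.4.1.0 10.4.1.0 netmask 255.255.255.0 0 0
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect statics and nat 0 (exemption) ACL entries from a PIX 6.3 config.
    static syntax: static (real_if,mapped_if) mapped_addr real_addr netmask m.
    Only the 'net mask net mask' ACL form used by the nonat lists is parsed."""
    statics, nat0_ifaces, acl_entries = [], {}, {}
    for line in config.splitlines():
        m = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+) (?:dns )?netmask (\S+)", line)
        if m:
            real_if, mapped_if, mapped, real, mask = m.groups()
            statics.append(Static(real_if, mapped_if, net(real, mask), net(mapped, mask)))
            continue
        m = re.match(r"nat \((\w+)\) 0 access-list (\S+)", line)
        if m:
            nat0_ifaces[m.group(2)] = m.group(1)
            continue
        m = re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            name, s, sm, d, dm = m.groups()
            acl_entries.setdefault(name, []).append((net(s, sm), net(d, dm)))
    nat0 = [Nat0(iface, s, d) for name, iface in nat0_ifaces.items()
            for s, d in acl_entries.get(name, [])]
    return statics, nat0

def fmt(s):
    return f"static ({s.real_if},{s.mapped_if}) {s.mapped} {s.real}"

def find_conflicts(statics, nat0):
    """Return rules that claim the same addresses on one interface.
    A static claims its real range on real_if and its mapped range on mapped_if;
    overlapping claims on one interface leave it ambiguous which translation a
    packet gets, which is the situation the thread's config ends up in."""
    problems = []
    claims = ([(s.real_if, s.real, s) for s in statics]
              + [(s.mapped_if, s.mapped, s) for s in statics])
    for i, (if_a, net_a, sa) in enumerate(claims):
        for if_b, net_b, sb in claims[i + 1:]:
            if if_a == if_b and net_a.overlaps(net_b):
                problems.append(f"{if_a}: {net_a} [{fmt(sa)}] overlaps {net_b} [{fmt(sb)}]")
    # nat 0 exemption is evaluated before static, so an entry that covers a
    # static's real addresses takes precedence for the traffic it describes.
    for n in nat0:
        for s in statics:
            if s.real_if == n.iface and s.real.overlaps(n.src):
                problems.append(f"{n.iface}: nat 0 exempt {n.src} -> {n.dst} overlaps [{fmt(s)}]")
    return problems

def check(config):
    return find_conflicts(*parse(config))

if __name__ == "__main__":
    print("\n".join(check(SAMPLE_CONFIG)) or "no conflicts")
```

Run it against a `show run` capture to list every overlapping claim for the inside/intf2 pair; the cleaned-up excerpt reports none.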
 