  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 983

Cisco Pix 506E and DMZ help!

Hi

I cannot get my DMZ to see my Cisco Pix 506e. I have followed all the info on the web I can find and I don't seem to be able to figure it out. I think it's the switch; the switch I have is a Zyxel ES-5128, it supports VLANs and I have set up a vlan2 of untagged ports. My pix config is below, many thanks.
dhts-pix1-uk1(config)# show config
: Saved
: Written by enable_15 at 21:08:41.824 UTC Thu May 14 2009
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname dhts-pix1-uk1
domain-name dhts.co.uk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host 83.166.x.x eq www
access-list 101 permit tcp any host 83.166.x.x eq https
access-list 101 permit tcp any host 83.166.x.x eq 3389
access-list 101 permit tcp any host 83.166.x.x eq pptp
access-list 101 permit tcp any host 83.166.x.x eq 3085
access-list 101 permit tcp any host 83.166.x.x eq www
access-list 101 permit tcp any host 83.166.x.x eq https
access-list 101 permit tcp any host 83.166.x.x eq smtp
access-list 101 permit tcp any host 83.166.x.x eq www
access-list 101 permit tcp any host 83.166.x.x eq https
access-list 101 permit tcp any host 83.166.x.x eq https
access-list 101 permit tcp any host 83.166.x.x eq www
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any echo-reply
access-list 101 permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list 901 permit tcp any host 164.38.x.x eq domain
access-list 901 permit tcp any host 164.38.x.x eq www
access-list 901 permit tcp any host 164.38.x.x eq https
access-list 901 permit tcp any host 164.38.x.x eq 9001
access-list 901 permit tcp any host 164.38.x.x eq 9002
access-list 901 permit tcp any host 164.38.x.x eq 9003
access-list 901 permit icmp any any echo-reply
access-list 901 permit icmp any any unreachable
access-list 901 permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 83.166.x.x 255.255.x.x
ip address inside 10.10.0.1 255.255.0.0
ip address dmz 10.20.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 10.10.0.0 255.255.0.0 0 0
nat (dmz) 1 10.20.0.0 255.255.0.0 0 0
static (inside,outside) 83.166.x.x 10.10.10.1 netmask 255.255.255.255 0 0
static (inside,outside) 83.166.x.x 10.10.20.2 netmask 255.255.255.255 0 0
static (inside,outside) 83.166.x.x 10.10.30.1 netmask 255.255.255.255 0 0
static (inside,outside) 83.166.x.x 10.10.40.1 netmask 255.255.255.255 0 0
static (inside,outside) 83.166.x.x 10.10.50.2 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 83.166.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.10.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:5fc8626dbe283d716f9aa4f1c14534da

Thanks

Dan
FWeston commented:
If you're using vlans, don't you need a trunk port with subinterfaces on the pix?
FWeston commented:
See the following example:

interface Ethernet1
 nameif trunk
 no ip address
!
interface Ethernet1.1
 vlan 2
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet1.2
 vlan 3
 nameif dmz
 security-level 50
 ip address 10.1.2.1 255.255.255.0
JFrederick29 commented:
On the switch, make sure the port that connects to the PIX ethernet1 interface is tagging VLAN2 packets.
DHTS (Author) commented:
Thanks, I've created a VLAN on the switch and tagged all the ports, but it still doesn't allow the pix to ping the two web servers (and vice versa). Does the DMZ need to be assigned public IPs rather than local (i.e. 10.20.x.x, 83.166.x.x)?

There is an option for trunks on the switch, does this need to be enabled?

I've attached some screen shots of the switch web interface.

Many thanks

Dan
DHTS (Author) commented:
Sorry, missing attachments.

Dan

switch1.jpg
switch2.jpg
JFrederick29 commented:
The Trunking refers to port aggregation (etherchannel) I believe so that isn't the issue.  Private addressing is fine for the Dmz.  So the DMZ servers can't ping 10.20.0.1?

It's gotta be the switch config as the PIX config is fine.  The web servers are assigned to VLAN2 on the switch, right?
DHTS (Author) commented:
Hi, that's what I'm thinking, it's the switch.
I've created the vlan2 and tagged all ports; vlan1 (default) has all ports untagged. The pix is in port 24 and the two web servers are in ports 18 and 19. The web servers can ping each other but not the pix 10.20.0.1.
Thanks
Dan
JFrederick29 commented:
Okay, so just to confirm.  Ports 18 and 19 for the web servers should be assigned to VLAN2 and should be untagged ports.  Port 24 (PIX) should be tagging VLAN2 packets.
DHTS (Author) commented:
Still nothing!

I've changed the tags as in the image below. Do I need to do anything with vlan1? Or do you think I need a 515 pix or an ASA firewall?

Thanks

Dan

switch3.jpg
JFrederick29 commented:
Shouldn't the PIX's port (24) show up in the VLAN2 list with a "tag egress packet" indicator?

The 506E works fine with that configuration, it's something not set right on the switch.
DHTS (Author) commented:
Sorry, my fault, the pix was in 26.

thanks
dan
JFrederick29 commented:
Okay, can you remove 18 and 19 (the web servers) from VLAN1?
DHTS (Author) commented:
Hi, still no joy :(

You can only make vlan1 ports tagged or untagged; I've changed these as per the screen shot. Also found this text in the online manual:

"Member Ports  All the ports participating in the VLAN are listed here. The ports show up in two different colors:
(Orange) When the packet leaves this member port, the VLAN tag is added.
(Turquoise) When the packet leaves this member port, the VLAN tag is removed. "

Thanks for your help in this!

switch5.jpg
DHTS (Author) commented:
Found this page in the switch, auto ARP...

switch6.jpg
JFrederick29 commented:
How come ports 18 and 19 don't show link in the picture?  The Web servers are in 18 and 19, right? or are you moving them around when testing?  Have support on this switch by chance?  The PIX config is fine, I have a working PIX with the exact same config but using a Cisco switch to trunk to the PIX.

DHTS (Author) commented:
Hi, sorry I haven't responded; the servers are in our data centre rack miles away! We have corrected the patching to 17 and 18 (servers) and 26 (pix).

I have tried
tagging ports 17 and 18 and untagging 26
untagging ports 17 and 18 and tagging 26
tagging 17,18 and 26
untagging 17,18 and 26

and still nothing!!! Nightmare. I think I may just use a second pix :(

many thanks

Dan

(screen shot attached)


switch7.bmp
DHTS (Author) commented:
It's working!

There was a PVID setting for each port. I changed the web server ports to PVID 2 and it all works now.

Thanks JFrederick29 for your help, I would not have been able to sort it without it.

Thanks

Dan
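The fix Dan found (PVID on the web server ports) is the piece the earlier tagged/untagged attempts were missing. The following is an added model, not code from the thread or from Zyxel or Cisco: it simulates 802.1Q ingress classification and egress tagging on the ports Dan quoted (17 and 18 for the servers, 26 for the PIX), and shows that a server's untagged reply is classified into the port's PVID and so lands on the PIX's physical inside interface until the PVID is 2, and that the PIX port itself must tag VLAN 2 on egress for the logical dmz interface to see the frame. The membership table is constructed from the thread's description; nothing else is assumed.

```python
"""Added 802.1Q model of this thread's DMZ problem (not code from the thread).
Port 26 carries PIX ethernet1 (untagged = inside, VLAN 2 tagged = logical dmz);
ports 17/18 are the web servers.  Membership table is constructed."""
from dataclasses import dataclass, field

PIX_PORT, SERVER_PORTS, DMZ_VLAN = 26, (17, 18), 2

@dataclass
class Port:
    pvid: int                                   # VLAN given to untagged ingress
    egress: dict = field(default_factory=dict)  # vlan -> "tagged" | "untagged"

def forward(switch, src, dst, tag):
    """One frame in at src (tag None = untagged); returns (delivered, egress tag)."""
    vid = tag if tag is not None else switch[src].pvid
    if vid not in switch[src].egress or vid not in switch[dst].egress:
        return False, None                      # a port is not a member of that VLAN
    return True, (vid if switch[dst].egress[vid] == "tagged" else None)

def pix_interface(tag):
    """PIX 6.3 'interface ethernet1 vlan2 logical': untagged frames belong to
    the physical inside interface, VLAN 2 frames to the dmz nameif."""
    return {None: "inside", DMZ_VLAN: "dmz"}.get(tag, "dropped")

def dmz_reachable(switch):
    """PIX dmz frame must reach each server untagged AND the server's untagged
    reply must come back on the PIX dmz interface (both halves of a ping)."""
    for sp in SERVER_PORTS:
        ok, tag = forward(switch, PIX_PORT, sp, DMZ_VLAN)
        if not ok or tag is not None:           # servers have no VLAN config
            return False
        ok, tag = forward(switch, sp, PIX_PORT, None)
        if not ok or pix_interface(tag) != "dmz":
            return False
    return True

def build_switch(server_pvid):
    """VLAN 1 untagged everywhere (switch default); VLAN 2 tagged on the PIX
    port and untagged on the server ports, as JFrederick29 described."""
    sw = {PIX_PORT: Port(pvid=1, egress={1: "untagged", 2: "tagged"})}
    for sp in SERVER_PORTS:
        sw[sp] = Port(pvid=server_pvid, egress={1: "untagged", 2: "untagged"})
    return sw

def reply_lands_on(server_pvid):
    """Which PIX interface a server's untagged reply ends up on."""
    _, tag = forward(build_switch(server_pvid), SERVER_PORTS[0], PIX_PORT, None)
    return pix_interface(tag)
```

With the default PVID 1 the reply arrives untagged and the PIX attributes it to inside (10.10.0.1), which is why the servers could reach each other but never the dmz address 10.20.0.1; with PVID 2 the same frame leaves port 26 tagged and is handled by the dmz interface.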
DHTS (Author) commented:
Thanks JFrederick29 for your help, I would not have been able to sort it without it.

Thanks

Dan