Solved

Cisco Pix 506E and DMZ help!

Posted on 2009-05-14
Last Modified: 2012-05-07
Hi

I cannot get my DMZ to see my Cisco PIX 506E. I have followed all the info on the web I can find and I don't seem to be able to figure it out. I think it's the switch; the switch I have is a Zyxel ES-5128, it supports VLANs and I have set up a vlan2 of untagged ports. My PIX config is below, many thanks.
dhts-pix1-uk1(config)# show config
: Saved
: Written by enable_15 at 21:08:41.824 UTC Thu May 14 2009
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname dhts-pix1-uk1
domain-name dhts.co.uk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host 83.166.x.x eq www
access-list 101 permit tcp any host 83.166.x.x eq https
access-list 101 permit tcp any host 83.166.x.x eq 3389
access-list 101 permit tcp any host 83.166.x.x eq pptp
access-list 101 permit tcp any host 83.166.x.x eq 3085
access-list 101 permit tcp any host 83.166.x.x eq www
access-list 101 permit tcp any host 83.166.x.x eq https
access-list 101 permit tcp any host 83.166.x.x eq smtp
access-list 101 permit tcp any host 83.166.x.x eq www
access-list 101 permit tcp any host 83.166.x.x eq https
access-list 101 permit tcp any host 83.166.x.x eq https
access-list 101 permit tcp any host 83.166.x.x eq www
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any echo-reply
access-list 101 permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list 901 permit tcp any host 164.38.x.x eq domain
access-list 901 permit tcp any host 164.38.x.x eq www
access-list 901 permit tcp any host 164.38.x.x eq https
access-list 901 permit tcp any host 164.38.x.x eq 9001
access-list 901 permit tcp any host 164.38.x.x eq 9002
access-list 901 permit tcp any host 164.38.x.x eq 9003
access-list 901 permit icmp any any echo-reply
access-list 901 permit icmp any any unreachable
access-list 901 permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 83.166.x.x 255.255.x.x
ip address inside 10.10.0.1 255.255.0.0
ip address dmz 10.20.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 10.10.0.0 255.255.0.0 0 0
nat (dmz) 1 10.20.0.0 255.255.0.0 0 0
static (inside,outside) 83.166.x.x 10.10.10.1 netmask 255.255.255.255 0 0
static (inside,outside) 83.166.x.x 10.10.20.2 netmask 255.255.255.255 0 0
static (inside,outside) 83.166.x.x 10.10.30.1 netmask 255.255.255.255 0 0
static (inside,outside) 83.166.x.x 10.10.40.1 netmask 255.255.255.255 0 0
static (inside,outside) 83.166.x.x 10.10.50.2 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 83.166.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.10.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:5fc8626dbe283d716f9aa4f1c14534da

Thanks

Dan
Question by:DHTS
18 Comments
 
LVL 3

Expert Comment

by:FWeston
ID: 24389952
If you're using vlans, don't you need a trunk port with subinterfaces on the pix?
0
 
LVL 3

Expert Comment

by:FWeston
ID: 24389960
See the following example:

interface Ethernet1
 nameif trunk
 no ip address
!
interface Ethernet1.1
 vlan 2
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet1.2
 vlan 3
 nameif dmz
 security-level 50
 ip address 10.1.2.1 255.255.255.0
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24391430
On the switch, make sure the port that connects to the PIX ethernet1 interface is tagging VLAN2 packets.
0
 
LVL 1

Author Comment

by:DHTS
ID: 24405577
Thanks, I've created a VLAN on the switch and tagged all the ports, but it still doesn't allow the PIX to ping the two web servers (and vice versa). Does the DMZ need to be assigned public IPs rather than local (i.e. 10.20.x.x, 83.166.x.x)?

There is an option for trunks on the switch, does this need to be enabled?

I've attached some screenshots of the switch web interface.

Many thanks

Dan
0
 
LVL 1

Author Comment

by:DHTS
ID: 24405598
Sorry, missing attachments.

Dan

switch1.jpg
switch2.jpg
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24408561
The Trunking refers to port aggregation (etherchannel) I believe, so that isn't the issue.  Private addressing is fine for the DMZ.  So the DMZ servers can't ping 10.20.0.1?

It's gotta be the switch config as the PIX config is fine.  The web servers are assigned to VLAN2 on the switch, right?
0
 
LVL 1

Author Comment

by:DHTS
ID: 24409526
Hi, that's what I'm thinking, it's the switch.
I've created the vlan2 and tagged all ports; vlan1 (default) has all ports untagged. The PIX is in port 24 and the two web servers are in ports 18 and 19. The web servers can ping each other but not the PIX 10.20.0.1.
Thanks
Dan
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24411042
Okay, so just to confirm.  Ports 18 and 19 for the web servers should be assigned to VLAN2 and should be untagged ports.  Port 24 (PIX) should be tagging VLAN2 packets.
0
 
LVL 1

Author Comment

by:DHTS
ID: 24411919
Still nothing!

I've changed the tags as in the image below. Do I need to do anything with vlan1? Or do you think I need a 515 PIX or an ASA firewall?

Thanks

Dan

switch3.jpg
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24412016
Shouldn't the PIX's port (24) show up in the VLAN2 list with a "tag egress packet" indicator?

The 506E works fine with that configuration, it's something not set right on the switch.
0
 
LVL 1

Author Comment

by:DHTS
ID: 24412035
Sorry, my fault, the PIX was in 26.

Thanks
Dan
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24412046
Okay, can you remove 18 and 19 (the web servers) from VLAN1?
0
 
LVL 1

Author Comment

by:DHTS
ID: 24416390
Hi, still no joy :(

You can only make vlan1 ports tagged or untagged, I've changed these as per the screenshot. Also found this text in the online manual:

"Member Ports  All the ports participating in the VLAN are listed here. The ports show up in two different colors:
(Orange) When the packet leaves this member port, the VLAN tag is added.
(Turquoise) When the packet leaves this member port, the VLAN tag is removed. "

Thanks for your help in this!

switch5.jpg
0
 
LVL 1

Author Comment

by:DHTS
ID: 24416512
Found this page in the switch, auto ARP...

switch6.jpg
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24420760
How come ports 18 and 19 don't show link in the picture?  The Web servers are in 18 and 19, right? or are you moving them around when testing?  Have support on this switch by chance?  The PIX config is fine, I have a working PIX with the exact same config but using a Cisco switch to trunk to the PIX.

0
 
LVL 1

Author Comment

by:DHTS
ID: 24451330
Hi, sorry I haven't responded, the servers are in our data centre rack miles away! We have corrected the patching to 17 and 18 (servers) and 26 (PIX).

I have tried
tagging ports 17 and 18 and untagging 26
untagging ports 17 and 18 and tagging 26
tagging 17,18 and 26
untagging 17,18 and 26

and still nothing!!! Nightmare, I think I may just use a second PIX :(

many thanks

Dan

(screen shot attached)


switch7.bmp
0
 
LVL 1

Author Comment

by:DHTS
ID: 24466009
It's working!

There was a PVID setting for each port. I changed the web server ports to PVID 2 and it all works now.

Thanks JFrederick29 for your help, I would not have been able to sort it.

Thanks

Dan
0
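Added example, not part of the thread: a minimal 802.1Q port model of the switch that shows why an untagged frame from a web server only reaches the PIX dmz interface once the server port's PVID is 2. The port numbers follow the final patching (17/18 web servers, 26 PIX), the membership tables are constructed, and the PIX behaviour (tagged VLAN2 frames to dmz, untagged frames to the physical ethernet1/inside) is assumed from the posted "interface ethernet1 vlan2 logical" line.

```python
# Added example (not from the thread): minimal 802.1Q switch port model.
# Port numbers follow the thread's final patching: 17/18 = web servers, 26 = PIX.
PIX_DMZ_VLAN = 2  # "interface ethernet1 vlan2 logical" in the posted PIX config

def ingress_vlan(port, frame_vid):
    """Classify a frame arriving on `port`; frame_vid None means it was untagged."""
    vid = port["pvid"] if frame_vid is None else frame_vid  # untagged -> PVID
    return vid if vid in port["members"] else None  # ingress filtering

def egress_tag(port, vid):
    """How the frame leaves `port`: its VLAN tag, None if sent untagged, or 'drop'."""
    mode = port["members"].get(vid)
    if mode is None:
        return "drop"
    return vid if mode == "tagged" else None

def forward(switch, src, dst, frame_vid=None):
    """Switch one frame from port src to port dst; returns egress tag, None or 'drop'."""
    vid = ingress_vlan(switch[src], frame_vid)
    return "drop" if vid is None else egress_tag(switch[dst], vid)

def pix_interface(frame_vid):
    """Which PIX interface sees a frame on ethernet1 (assumed 6.3 logical-VLAN behaviour)."""
    if frame_vid == PIX_DMZ_VLAN:
        return "dmz"
    return "inside" if frame_vid is None else "drop"  # untagged = physical interface

def server_reaches_dmz(switch):
    """True if an untagged frame from web server port 17 lands on the PIX dmz interface."""
    out = forward(switch, 17, 26)
    return out != "drop" and pix_interface(out) == "dmz"

# Constructed switch tables. Before the fix: VLAN2 exists, port 26 tags VLAN2,
# the server port is an untagged member, but its PVID is still the default 1.
before = {
    17: {"pvid": 1, "members": {1: "untagged", 2: "untagged"}},
    26: {"pvid": 1, "members": {1: "untagged", 2: "tagged"}},
}
# After the fix from the thread: the server port gets PVID 2.
after = {
    17: {"pvid": 2, "members": {2: "untagged"}},
    26: {"pvid": 1, "members": {1: "untagged", 2: "tagged"}},
}
```

With the "before" table the server's frame leaves port 26 untagged and hits the PIX inside interface, which is why the servers could ping each other but never 10.20.0.1, while frames from the PIX toward the servers are delivered in both tables.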
 
LVL 1

Author Closing Comment

by:DHTS
ID: 31581682
Thanks JFrederick29 for your help, I would not have been able to sort it without it.

Thanks

Dan
0