PIX 515 DMZ issues

Solved. Posted on 2010-01-09. 586 Views. Last Modified: 2012-05-08
I am having issues getting a server on my 515's DMZ to contact the internet through the DMZ. Right now the device's external NIC's IP is 63.81.44.2 on the DMZ. I have run out of ideas on how to make this translate through. I have tried static routes and have tried the route command. I tried removing a route command that seemed incorrect, but it said that it is not allowed to delete directly connected routes. Any suggestions?

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
hostname sher-pet-fw
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list vpnusers permit ip 10.71.100.0 255.255.255.0 10.71.99.0 255.255.255.0
access-list vpnusers permit ip 10.10.10.0 255.255.255.0 10.71.99.0 255.255.255.0
access-list vpnusers permit ip 63.80.192.0 255.255.255.0 10.71.99.0 255.255.255.0
access-list vpnusers permit ip 10.10.20.0 255.255.252.0 10.71.99.0 255.255.255.0
access-list acl_dmz remark SQL Slammer Mitigation next two lines
access-list acl_dmz deny udp any any eq 1433
access-list acl_dmz deny udp any any eq 1434
access-list acl_dmz deny tcp any any eq 1433
access-list acl_dmz deny tcp any any eq 1434
access-list acl_dmz deny udp any eq 1433 any
access-list acl_dmz deny udp any eq 1434 any
access-list acl_dmz deny tcp any eq 1433 any
access-list acl_dmz deny tcp any eq 1434 any
access-list acl_dmz permit icmp any any
access-list acl_dmz permit ip 63.80.192.0 255.255.255.0 any
access-list acl_dmz permit ip 63.81.44.0 255.255.255.224 any
access-list acl_out permit esp any any
access-list acl_out remark SQL Slammer Mitigation next four lines
access-list acl_out deny udp any any eq 1433
access-list acl_out deny udp any any eq 1434
access-list acl_out deny tcp any any eq 1433
access-list acl_out deny tcp any any eq 1434
access-list acl_out deny tcp any host 63.80.192.21 eq www
access-list acl_out deny tcp any host 63.81.44.2 eq 9488
access-list acl_out deny tcp any host 63.81.44.2 lt 1024
access-list acl_out deny udp any host 63.81.44.2 lt 1024
access-list acl_out permit ip any 63.80.192.0 255.255.255.0
access-list acl_out permit ip any 63.81.44.0 255.255.255.224
access-list acl_out permit udp any any eq ntp
access-list acl_out permit icmp any any
access-list acl_out permit tcp 65.119.39.192 255.255.255.224 host 67.59.196.149 eq smtp
access-list acl_out permit tcp 64.84.16.160 255.255.255.240 host 67.59.196.149 eq smtp
access-list acl_out permit tcp host 63.163.61.3 host 67.59.196.152 eq pcanywhere-data
access-list acl_out permit udp host 63.163.61.3 host 67.59.196.152 eq pcanywhere-status
access-list acl_out permit tcp host 24.73.214.242 host 67.59.196.152 eq pcanywhere-data
access-list acl_out permit udp host 24.73.214.242 host 67.59.196.152 eq pcanywhere-status
access-list acl_out permit tcp host 63.163.61.3 host 67.59.196.153 eq pcanywhere-data
access-list acl_out permit udp host 63.163.61.3 host 67.59.196.153 eq pcanywhere-status
access-list acl_out permit tcp host 70.108.252.150 host 67.59.196.153 eq pcanywhere-data
access-list acl_out permit udp host 70.108.252.150 host 67.59.196.153 eq pcanywhere-status
access-list acl_out permit tcp host 67.93.208.114 host 67.59.196.154 eq 3389
access-list acl_out permit ip host 67.93.208.114 host 67.59.196.154
access-list acl_out permit ip host 67.93.208.116 host 67.59.196.154
access-list acl_out permit tcp host 12.15.184.18 host 67.59.196.155 eq 3389
access-list acl_out permit tcp 65.91.53.0 255.255.255.0 host 67.59.196.149 eq smtp
access-list acl_out permit tcp 208.42.176.112 255.255.255.240 host 67.59.196.149 eq smtp
access-list acl_out permit tcp 208.80.200.0 255.255.248.0 host 67.59.196.149 eq smtp
access-list acl_out permit tcp any host 67.59.196.148 eq 6320
access-list acl_out permit tcp any host 67.59.196.148 eq 2368
access-list acl_out permit tcp any host 67.59.196.148 eq 61002
access-list acl_out permit udp any host 67.59.196.148 eq 61031
access-list acl_out permit tcp any host 67.59.196.156 eq 3389
access-list acl_out permit tcp any host 67.59.196.149 eq www
access-list acl_out permit tcp any host 67.59.196.149 eq https
access-list acl_out permit tcp any host 67.59.196.149 eq pop3
access-list acl_out permit tcp any host 67.59.196.149 eq imap4
access-list acl_out permit tcp any host 67.59.196.157 eq www
access-list acl_out permit tcp any host 67.59.196.157 eq smtp
access-list acl_out permit tcp any host 67.59.196.157 eq 8080
access-list acl_out permit ip host 65.206.219.137 host 67.59.196.150
access-list acl_out permit ip host 65.206.219.137 host 67.59.196.151
access-list nonat permit ip host 10.71.100.70 10.70.99.0 255.255.255.0
access-list nonat permit ip host 10.10.20.32 10.70.99.0 255.255.255.0
access-list nonat permit ip 10.71.100.0 255.255.255.0 10.71.99.0 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.71.99.0 255.255.255.0
access-list nonat permit ip 63.80.192.0 255.255.255.0 10.71.99.0 255.255.255.0
access-list nonat permit ip host 10.71.100.100 10.70.98.0 255.255.255.0
access-list nonat permit ip 10.71.100.0 255.255.255.0 10.70.97.0 255.255.255.0
access-list nonat permit ip host 10.10.20.28 10.70.99.0 255.255.255.0
access-list nonat permit ip host 10.10.20.22 10.70.99.0 255.255.255.0
access-list nonat permit ip host 10.10.20.23 10.70.99.0 255.255.255.0
access-list nonat permit ip host 10.71.100.51 10.70.99.0 255.255.255.0
access-list nonat permit ip 10.10.20.0 255.255.252.0 10.71.99.0 255.255.255.0
access-list nonat permit ip host 10.71.100.2 10.70.98.0 255.255.255.0
access-list percipia-vpn permit ip host 10.71.100.70 10.70.99.0 255.255.255.0
access-list percipia-vpn permit ip host 10.10.20.32 10.70.99.0 255.255.255.0
access-list percipia-vpn permit ip host 10.10.20.28 10.70.99.0 255.255.255.0
access-list percipia-vpn permit ip host 10.10.20.22 10.70.99.0 255.255.255.0
access-list percipia-vpn permit ip host 10.10.20.23 10.70.99.0 255.255.255.0
access-list percipia-vpn permit ip host 10.71.100.51 10.70.99.0 255.255.255.0
access-list vpnowa permit tcp host 10.71.100.10 eq www 10.70.97.0 255.255.255.0
access-list microsvpn permit ip host 10.71.100.100 10.70.98.0 255.255.255.0
access-list microsvpn permit ip host 10.71.100.2 10.70.98.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 67.59.196.147 255.255.255.224
ip address inside 10.10.10.2 255.255.255.0
ip address DMZ 63.81.44.1 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 63.80.148.62
global (outside) 1 67.59.196.158
global (DMZ) 1 63.81.44.30
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 67.59.196.150 10.71.100.178 netmask 255.255.255.255 0 0
static (inside,outside) 67.59.196.148 10.71.100.203 netmask 255.255.255.255 0 0
static (inside,outside) 67.59.196.152 10.71.100.70 netmask 255.255.255.255 0 0
static (inside,outside) 67.59.196.149 10.71.100.10 netmask 255.255.255.255 0 0
static (inside,outside) 67.59.196.153 10.71.100.100 netmask 255.255.255.255 0 0
static (inside,outside) 67.59.196.154 10.10.20.25 netmask 255.255.255.255 0 0
static (inside,outside) 67.59.196.155 10.71.100.14 netmask 255.255.255.255 0 0
static (inside,outside) 67.59.196.156 10.71.100.77 netmask 255.255.255.255 0 0
static (inside,outside) 67.59.196.157 10.71.100.55 netmask 255.255.255.255 0 0
static (inside,outside) 67.59.196.151 10.71.100.180 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 67.59.196.145 1
route inside 10.10.20.0 255.255.252.0 10.10.10.1 1
route inside 10.71.100.0 255.255.255.0 10.10.10.1 1
route DMZ 63.80.192.0 255.255.255.0 63.81.44.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 198.72.72.10 source outside
http server enable
snmp-server host outside 64.142.3.71
no snmp-server location
no snmp-server contact
snmp-server community sher
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set spset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set spset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 6 authentication pre-share
isakmp policy 6 encryption 3des
isakmp policy 6 hash md5
isakmp policy 6 group 2
isakmp policy 6 lifetime 86400
telnet 10.71.99.0 255.255.255.0 outside
telnet 10.71.100.0 255.255.255.0 inside
telnet 10.10.10.0 255.255.255.0 inside
telnet 67.59.196.147 255.255.255.255 inside
telnet 67.59.196.147 255.255.255.255 DMZ
telnet timeout 5
ssh 64.142.3.64 255.255.255.192 outside
ssh timeout 30
console timeout 0
terminal width 80
Cryptochecksum:4fc3430a596611950dcf777bedc67de1
Question by:skorpfox
Accepted Solution by asavener (LVL 28, earned 1000 total points), ID: 26284308
This command is the problem:

nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0

Simply remove that statement, and your Internet access should work.
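Added illustration, not part of the thread and not the poster's or the answerer's code: a small Python model of how a PIX 6.3 chooses a translation for a flow, fed with the NAT-related lines copied from the config above. It assumes a simplified rule order (NAT exemption via nat 0 access-list, then static, then the first matching nat line, where nat 0 means identity and nat N looks up a global pool on the destination interface); the real PIX ordering has more cases. The Internet destination 198.51.100.7 is a constructed documentation address, and the third scenario's `nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0` line is my assumption, not something the thread states. The model shows why the identity line leaves 63.81.44.2 leaving the outside interface with its own DMZ address rather than one of the outside PAT addresses.

```python
"""Toy model of PIX 6.3 translation selection, written for this thread to show
what `nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0` does to a DMZ host.  Assumed, simplified
rule order (the real PIX ordering has more cases): NAT exemption
(nat 0 access-list), then static, then the first matching nat line
(nat 0 = identity, nat N = global pool on the destination interface)."""
import ipaddress

# Subset of the poster's running config, copied from the thread.
PAGE_CONFIG = """
access-list nonat permit ip 10.71.100.0 255.255.255.0 10.71.99.0 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.71.99.0 255.255.255.0
global (outside) 1 63.80.148.62
global (outside) 1 67.59.196.158
global (DMZ) 1 63.81.44.30
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 67.59.196.149 10.71.100.10 netmask 255.255.255.255 0 0
"""
IDENTITY_LINE = "nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0"
ASSUMED_FIX = "nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0"   # my assumption, not from the thread
INTERNET_HOST = "198.51.100.7"                    # constructed RFC 5737 destination


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _acl_addr(tok, i):
    """Parse one address field of an ACE: 'host A', 'any' or 'A MASK'."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return _net(tok[i], tok[i + 1]), i + 2


def parse_nat(config):
    """Collect the access-list/global/nat/static lines that drive translation."""
    rules = {"acl": {}, "global": [], "nat": [], "static": []}
    for line in config.strip().splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "access-list" and f[2:4] == ["permit", "ip"]:
            src, i = _acl_addr(f, 4)
            dst, _ = _acl_addr(f, i)
            rules["acl"].setdefault(f[1], []).append((src, dst))
        elif f[0] == "global":            # global (iface) id address
            rules["global"].append((f[1].strip("()"), int(f[2]), f[3]))
        elif f[0] == "nat":               # nat (iface) id access-list NAME | nat (iface) id A MASK
            iface, nat_id = f[1].strip("()"), int(f[2])
            if f[3] == "access-list":
                rules["nat"].append((iface, nat_id, "acl", f[4]))
            else:
                rules["nat"].append((iface, nat_id, "net", _net(f[3], f[4])))
        elif f[0] == "static":            # static (real,mapped) MAPPED REAL ...
            real_if, mapped_if = f[1].strip("()").split(",")
            rules["static"].append((real_if, mapped_if, f[2], f[3]))
    return rules


def resolve(rules, src_if, src_ip, dst_if, dst_ip):
    """Return (rule kind, translated address or pool) for one flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for iface, nat_id, kind, arg in rules["nat"]:              # 1. NAT exemption
        if iface == src_if and nat_id == 0 and kind == "acl":
            if any(src in s and dst in d for s, d in rules["acl"].get(arg, [])):
                return ("exempt", src_ip)
    for real_if, mapped_if, mapped, real in rules["static"]:   # 2. static
        if (real_if, mapped_if, real) == (src_if, dst_if, src_ip):
            return ("static", mapped)
    for iface, nat_id, kind, arg in rules["nat"]:              # 3. dynamic / identity
        if iface == src_if and kind == "net" and src in arg:
            if nat_id == 0:
                return ("identity", src_ip)   # leaves the firewall with its real address
            pool = [a for g_if, g_id, a in rules["global"] if (g_if, g_id) == (dst_if, nat_id)]
            return ("dynamic", pool) if pool else ("no-global", None)
    return ("no-nat", None)   # PIX 6.3 drops such flows ("No translation group found")


def dmz_outcomes():
    """The thread's DMZ host reaching the Internet under three configs."""
    variants = [
        ("as_posted", PAGE_CONFIG),
        ("line_removed", PAGE_CONFIG.replace(IDENTITY_LINE, "")),
        ("assumed_fix", PAGE_CONFIG.replace(IDENTITY_LINE, ASSUMED_FIX)),
    ]
    flow = ("DMZ", "63.81.44.2", "outside", INTERNET_HOST)
    return {name: resolve(parse_nat(cfg), *flow) for name, cfg in variants}


if __name__ == "__main__":
    rules = parse_nat(PAGE_CONFIG)
    print(resolve(rules, "inside", "10.71.100.10", "outside", INTERNET_HOST))
    print(resolve(rules, "inside", "10.10.10.50", "outside", INTERNET_HOST))
    for name, outcome in dmz_outcomes().items():
        print(name, outcome)
```

In this model the posted config answers the DMZ flow with `("identity", "63.81.44.2")`, deleting the line alone leaves that host with no rule at all (`no-nat`), and the assumed `nat (DMZ) 1` line pairs the DMZ with the existing `global (outside) 1` addresses the same way the inside network already is. Inside hosts keep their static or PAT results in all three variants.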
Author Closing Comment by skorpfox, ID: 31675068
On top of that being the issue, the server that was on the DMZ that we were testing with ended up being faulty as well. Problem solved, thanks!
