Link to home
Create AccountLog in
Avatar of ITProfessional120
ITProfessional120Flag for United States of America

asked on

Cisco PIX 515e WAN to DMZ traffic not reaching DMZ please help.

For some reason my WAN to DMZ web traffic will not reach my DMZ I am unsure of what the problem is with my Cisco 515e config. Lan to DMZ traffic works well and LAN to WAN, but WAN to DMZ is not working. attached is my config any help would be greatful Thanks ahead of time!
Avatar of MikeKane
Flag of United States of America image

Lets address the obvious one 1st:  

 conduit permit icmp any any

You should not mix conduits with access-lists.   Have a look here for a reference:
Avatar of ITProfessional120


I will make change and post results.
Well I am still having the same issue none of the machines on the DMZ are able to get out into the internet and traffic destined to the DMZ from the outside interface cannot reach the DMZ machines. I can access the servers on the DMZ from the LAN no issues and the LAN traffic works fine reaching the outside. is there anything else you can identify as a potential issue that might be blocking WAN clients from accessing the DMZ.

I removed conduit permit icmp any any
Run a SHOW VER on your PIX...  lets have a look at the license.
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

Voss-Taylor-515e up 1 min 31 secs

Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0018.bac6.9bac, irq 10
1: ethernet1: address is 0018.bac6.9bad, irq 11
2: ethernet2: address is 000e.0cb1.56ac, irq 11
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Disabled
Maximum Physical Interfaces: 3
Maximum Interfaces:          5
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 810330763 (0x304caa8b)
Running Activation Key:********
Configuration has not been modified since last system restart.
Everything looks in place...   You have a statics from dmx to outside, you have the ACL's built

When you try to hit on a browser, what do you see on the pix?   Run a SHOW XLATE and see if that is being static'd correctly to the DMZ IP of

Setup logging to see if any packets are dropped or if there are other errors:

the address seems to be translating correctly I did enable loggin and found out that icmp was being blocked both from the dmz to the wan and from the wan to the dmz. So now it seems I am ble to communicate with outside world from dmz but from the wan to the dmz the traffic doesnt seem to be coming in. Is there something else I can check?
What traffic is being blocked from the WAN to the DMZ?   WWW port 80?   ICMP pings?  

If anything is blocked because of a firewall config, the syslog will tell you and provide an error code/message....   If you see a message, post it here for review.     IF there is no error message, you can turn on "debug" logging and try the traffic again...  the debug mode will show all the builds and teardowns for each session.   We can see if the firewall is buiding a tunnel for the traffic and letting it pass...   if it is (no errors) then the firewall can be eliminated and something else must be the issue.
when I check the debug logging from my cli I do not see any traffic www or icmp coming into the DMZ from the WAN.
Then, how are you testing from the WAN...  what system are you using, what IP does it have?  What address are you trying to hit?   The ASA should be able to ping the IP of your WAN test system.

I am helping a friend I am remoted to his internal machine and am able to ssh into the pix from there everything seems to be working his
LAN to DMZ traffic his
WAN to LAN traffic
and now his DMZ to WAN traffic.

the issue is that the traffic coming from the public internet is not hitting his DMZ

                                                                                                  interface DMZ[]
{cloud}---[ISP managed router]-----[PIX 515e]-----------|
                                                                                                  interface LAN[]

he has some web servers on the DMZ that have natted public ip addresses that after rebooting his equipment will not allow traffic originating from the WAN to the DMZ I suspect he might have lost a config that may of been running in the running config and not have been stored to the memory of the device.

I am able to ssh from his internal lan to the webserver on the DMZ and I have confirmed that the machine is able to get out from the DMZ to the outside interface of the PIX and out to the internet. I was able to get that portion working by checking the >show logging command and saw that one of the access control lists was denying DMZ to outside traffic specifically (icmp), but I am unable to see traffic destined to the external ip of which is translated into a private ip that belongs in his DMZ (now the question that I raise is that maybe something needs to be done on the managed router to make sure that is mapped to the ip of which is translated to by the PIX . I hope this is making some sense I just want to guide him in the right direction.
as I am reading more on the pix. so there is a router on the edge of the network which plugs into the PIX it seems though that the outside ip of the webserver is not hitting the dmz possibly because there is no reference in the config of the pix that maps external ip assigned to the web server to the internal ip of the web server ( on the dmz would it help if I added these entries to the config....

 static (dmz,outside)
 access-list acl_outside permit tcp any eq 80
Avatar of MikeKane
Flag of United States of America image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
thank you.