Avatar of ITProfessional120
ITProfessional120
Flag for United States of America asked on

Cisco PIX 515e WAN to DMZ traffic not reaching DMZ please help.

For some reason my WAN to DMZ web traffic will not reach my DMZ I am unsure of what the problem is with my Cisco 515e config. Lan to DMZ traffic works well and LAN to WAN, but WAN to DMZ is not working. attached is my config any help would be greatful Thanks ahead of time!
PIX.TXT
Networking ProtocolsHardware FirewallsCisco

Avatar of undefined
Last Comment
ITProfessional120

8/22/2022 - Mon
MikeKane

Lets address the obvious one 1st:  

 conduit permit icmp any any


You should not mix conduits with access-lists.   Have a look here for a reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
ITProfessional120

ASKER
I will make change and post results.
ITProfessional120

ASKER
Well I am still having the same issue none of the machines on the DMZ are able to get out into the internet and traffic destined to the DMZ from the outside interface cannot reach the DMZ machines. I can access the servers on the DMZ from the LAN no issues and the LAN traffic works fine reaching the outside. is there anything else you can identify as a potential issue that might be blocking WAN clients from accessing the DMZ.


I removed conduit permit icmp any any
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
MikeKane

Run a SHOW VER on your PIX...  lets have a look at the license.
ITProfessional120

ASKER
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

Voss-Taylor-515e up 1 min 31 secs

Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0018.bac6.9bac, irq 10
1: ethernet1: address is 0018.bac6.9bad, irq 11
2: ethernet2: address is 000e.0cb1.56ac, irq 11
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Disabled
Maximum Physical Interfaces: 3
Maximum Interfaces:          5
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 810330763 (0x304caa8b)
Running Activation Key:********
Configuration has not been modified since last system restart.
MikeKane

Everything looks in place...   You have a statics from dmx to outside, you have the ACL's built

When you try to hit 10.1.5.91 on a browser, what do you see on the pix?   Run a SHOW XLATE and see if that 10.1.5.91 is being static'd correctly to the DMZ IP of 10.1.4.91?

Setup logging to see if any packets are dropped or if there are other errors:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml


⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
ITProfessional120

ASKER
the address seems to be translating correctly I did enable loggin and found out that icmp was being blocked both from the dmz to the wan and from the wan to the dmz. So now it seems I am ble to communicate with outside world from dmz but from the wan to the dmz the traffic doesnt seem to be coming in. Is there something else I can check?
MikeKane

What traffic is being blocked from the WAN to the DMZ?   WWW port 80?   ICMP pings?  

If anything is blocked because of a firewall config, the syslog will tell you and provide an error code/message....   If you see a message, post it here for review.     IF there is no error message, you can turn on "debug" logging and try the traffic again...  the debug mode will show all the builds and teardowns for each session.   We can see if the firewall is buiding a tunnel for the traffic and letting it pass...   if it is (no errors) then the firewall can be eliminated and something else must be the issue.
ITProfessional120

ASKER
when I check the debug logging from my cli I do not see any traffic www or icmp coming into the DMZ from the WAN.
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
MikeKane

Then, how are you testing from the WAN...  what system are you using, what IP does it have?  What address are you trying to hit?   The ASA should be able to ping the IP of your WAN test system.


ITProfessional120

ASKER
I am helping a friend I am remoted to his internal machine and am able to ssh into the pix from there everything seems to be working his
LAN to DMZ traffic his
WAN to LAN traffic
and now his DMZ to WAN traffic.

the issue is that the traffic coming from the public internet is not hitting his DMZ

                                                                                                  interface DMZ[10.1.4.0]
{cloud}---[ISP managed router]-----[PIX 515e 10.1.5.0]-----------|
                                                                                                  interface LAN[10.1.2.0]

he has some web servers on the DMZ that have natted public ip addresses that after rebooting his equipment will not allow traffic originating from the WAN to the DMZ I suspect he might have lost a config that may of been running in the running config and not have been stored to the memory of the device.

I am able to ssh from his internal lan to the webserver on the DMZ and I have confirmed that the machine is able to get out from the DMZ to the outside interface of the PIX and out to the internet. I was able to get that portion working by checking the >show logging command and saw that one of the access control lists was denying DMZ to outside traffic specifically (icmp), but I am unable to see traffic destined to the external ip of 216.89.127.50 which is translated into a private ip that belongs in his DMZ (now the question that I raise is that maybe something needs to be done on the managed router to make sure that 216.89.127.50 is mapped to the ip of 10.1.5.91 which is translated to 10.1.4.91 by the PIX . I hope this is making some sense I just want to guide him in the right direction.
ITProfessional120

ASKER
as I am reading more on the pix. so there is a router on the edge of the network which plugs into the PIX it seems though that the outside ip of the webserver is not hitting the dmz possibly because there is no reference in the config of the pix that maps 216.89.127.50 external ip assigned to the web server to the internal ip of the web server (10.1.4.91) on the dmz would it help if I added these entries to the config....

 static (dmz,outside) 216.89.127.50 10.1.4.91
 access-list acl_outside permit tcp any 216.89.127.50 eq 80
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
ASKER CERTIFIED SOLUTION
MikeKane

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
ITProfessional120

ASKER
thank you.