We help IT Professionals succeed at work.
Get Started
Setup DMZ access on Pix 515
I'm trying to setup a DMZ on a Pix 515. Currently the LAN subnet is 192.168.250.X and the DMZ subnet is 172.16.250.x. There will only be one server in the DMZ and I've assigned it 172.16.250.25.
Any help is appreciated. Thanks.
PIX Version 7.1(2)
!
hostname PIX515e
domain-name .com
enable password encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address x.xx.xxx.210 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.250.2 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 172.16.250.1 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name .com
object-group service 3COMTCP tcp
port-object range 1040 1044
port-object eq www
port-object range sip 5065
object-group service 3COMUDP udp
port-object range 2093 2096
port-object range sip 5065
access-list acl_out extended permit icmp any any echo
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit tcp any host x.xx.xxx.215 object-group 3COMTCP
access-list acl_out extended permit udp any host x.xx.xxx.215 object-group 3COMUDP
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq pop3
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq www
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq https
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 6001
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 6002
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 6004
access-list acl_out extended permit tcp 64.18.0.0 255.255.240.0 host x.xx.xxx.212 eq smtp
access-list acl_out extended permit tcp any host x.xx.xxx.210 eq 3389
access-list acl_out extended permit tcp any eq pptp host x.xx.xxx.212 eq pptp
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 3101
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 8019
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 56719
access-list acl_out extended permit tcp any host x.xx.xxx.212 range 55333 55337
access-list acl_out extended permit tcp any host x.xx.xxx.214 eq ftp
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list nonat extended permit ip 172.16.250.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list 101 extended permit ip 192.168.250.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.250.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.250.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 102 extended permit ip 192.168.250.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list dmz extended permit ip 192.168.250.0 255.255.255.0 172.16.250.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool vpnpool 192.168.251.51-192.168.251
no failover
asdm image flash:/asdm-512.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 3 x.xx.xxx.215
global (outside) 2 x.xx.xxx.212
global (outside) 4 x.xx.xxx.214
nat (inside) 0 access-list nonat
nat (inside) 2 192.168.250.11 255.255.255.255
nat (inside) 3 192.168.250.49 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 4 172.16.250.25 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 pop3 192.168.250.11 pop3 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 www 192.168.250.11 www netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 https 192.168.250.11 https netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 6001 192.168.250.11 6001 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 6002 192.168.250.11 6002 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 6004 192.168.250.11 6004 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 3389 192.168.250.10 3389 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 smtp 192.168.250.11 smtp netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 pptp 192.168.250.10 pptp netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 3101 192.168.250.10 3101 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 8019 192.168.250.10 8019 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 56719 192.168.250.10 56719 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55333 192.168.250.10 55333 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55334 192.168.250.10 55334 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55335 192.168.250.10 55335 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55336 192.168.250.10 55336 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55337 192.168.250.10 55337 netmask 255.255.255.255
static (inside,outside) x.xx.xxx.215 192.168.250.49 netmask 255.255.255.255
static (dmz,outside) x.xx.xxx.214 172.16.250.25 netmask 255.255.255.255
access-group acl_out in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 x.xx.xxx.209 1
route inside 192.168.0.0 255.255.255.0 192.168.250.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy LLC internal
group-policy LLC attributes
wins-server value 192.168.250.10
dns-server value 112392.168.250.10
vpn-idle-timeout 1440
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nonat
http server enable
http 192.168.250.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.250.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address 192.168.250.200-192.168.25
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect netbios
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
inspect h323 h225
inspect h323 ras
inspect skinny
!
service-policy global_policy global
: end
Any help is appreciated. Thanks.
PIX Version 7.1(2)
!
hostname PIX515e
domain-name .com
enable password encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address x.xx.xxx.210 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.250.2 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 172.16.250.1 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name .com
object-group service 3COMTCP tcp
port-object range 1040 1044
port-object eq www
port-object range sip 5065
object-group service 3COMUDP udp
port-object range 2093 2096
port-object range sip 5065
access-list acl_out extended permit icmp any any echo
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit tcp any host x.xx.xxx.215 object-group 3COMTCP
access-list acl_out extended permit udp any host x.xx.xxx.215 object-group 3COMUDP
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq pop3
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq www
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq https
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 6001
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 6002
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 6004
access-list acl_out extended permit tcp 64.18.0.0 255.255.240.0 host x.xx.xxx.212 eq smtp
access-list acl_out extended permit tcp any host x.xx.xxx.210 eq 3389
access-list acl_out extended permit tcp any eq pptp host x.xx.xxx.212 eq pptp
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 3101
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 8019
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 56719
access-list acl_out extended permit tcp any host x.xx.xxx.212 range 55333 55337
access-list acl_out extended permit tcp any host x.xx.xxx.214 eq ftp
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list nonat extended permit ip 172.16.250.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list 101 extended permit ip 192.168.250.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.250.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.250.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 102 extended permit ip 192.168.250.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list dmz extended permit ip 192.168.250.0 255.255.255.0 172.16.250.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool vpnpool 192.168.251.51-192.168.251
no failover
asdm image flash:/asdm-512.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 3 x.xx.xxx.215
global (outside) 2 x.xx.xxx.212
global (outside) 4 x.xx.xxx.214
nat (inside) 0 access-list nonat
nat (inside) 2 192.168.250.11 255.255.255.255
nat (inside) 3 192.168.250.49 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 4 172.16.250.25 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 pop3 192.168.250.11 pop3 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 www 192.168.250.11 www netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 https 192.168.250.11 https netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 6001 192.168.250.11 6001 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 6002 192.168.250.11 6002 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 6004 192.168.250.11 6004 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 3389 192.168.250.10 3389 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 smtp 192.168.250.11 smtp netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 pptp 192.168.250.10 pptp netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 3101 192.168.250.10 3101 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 8019 192.168.250.10 8019 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 56719 192.168.250.10 56719 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55333 192.168.250.10 55333 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55334 192.168.250.10 55334 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55335 192.168.250.10 55335 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55336 192.168.250.10 55336 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55337 192.168.250.10 55337 netmask 255.255.255.255
static (inside,outside) x.xx.xxx.215 192.168.250.49 netmask 255.255.255.255
static (dmz,outside) x.xx.xxx.214 172.16.250.25 netmask 255.255.255.255
access-group acl_out in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 x.xx.xxx.209 1
route inside 192.168.0.0 255.255.255.0 192.168.250.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy LLC internal
group-policy LLC attributes
wins-server value 192.168.250.10
dns-server value 112392.168.250.10
vpn-idle-timeout 1440
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nonat
http server enable
http 192.168.250.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.250.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address 192.168.250.200-192.168.25
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect netbios
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
inspect h323 h225
inspect h323 ras
inspect skinny
!
service-policy global_policy global
: end
Why Experts Exchange?
Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.
Jim Murphy
Programmer at Smart IT Solutions
When asked, what has been your best career decision?
Deciding to stick with EE.
Mohamed Asif
Technical Department Head
Being involved with EE helped me to grow personally and professionally.
Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question
Connect with Certified Experts to gain insight and support on specific technology challenges including:
- Troubleshooting
- Research
- Professional Opinions
Did You Know?
We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE