Set up DMZ access on Pix 515

jplagens asked
Last Modified: 2012-05-09
I'm trying to set up a DMZ on a Pix 515.  Currently the LAN subnet is 192.168.250.x and the DMZ subnet is 172.16.250.x.  There will only be one server in the DMZ and I've assigned it 172.16.250.25.

Any help is appreciated.  Thanks.
PIX Version 7.1(2)
!
hostname PIX515e
domain-name .com
enable password encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address x.xx.xxx.210 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.250.2 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 172.16.250.1 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name .com
object-group service 3COMTCP tcp
 port-object range 1040 1044
 port-object eq www
 port-object range sip 5065
object-group service 3COMUDP udp
 port-object range 2093 2096
 port-object range sip 5065
access-list acl_out extended permit icmp any any echo
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit tcp any host x.xx.xxx.215 object-group 3COMTCP
access-list acl_out extended permit udp any host x.xx.xxx.215 object-group 3COMUDP
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq pop3
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq www
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq https
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 6001
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 6002
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 6004
access-list acl_out extended permit tcp 64.18.0.0 255.255.240.0 host x.xx.xxx.212 eq smtp
access-list acl_out extended permit tcp any host x.xx.xxx.210 eq 3389
access-list acl_out extended permit tcp any eq pptp host x.xx.xxx.212 eq pptp
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 3101
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 8019
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 56719
access-list acl_out extended permit tcp any host x.xx.xxx.212 range 55333 55337
access-list acl_out extended permit tcp any host x.xx.xxx.214 eq ftp
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list nonat extended permit ip 172.16.250.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list 101 extended permit ip 192.168.250.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.250.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.250.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 102 extended permit ip 192.168.250.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list dmz extended permit ip 192.168.250.0 255.255.255.0 172.16.250.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool vpnpool 192.168.251.51-192.168.251.100
no failover
asdm image flash:/asdm-512.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 3 x.xx.xxx.215
global (outside) 2 x.xx.xxx.212
global (outside) 4 x.xx.xxx.214
nat (inside) 0 access-list nonat
nat (inside) 2 192.168.250.11 255.255.255.255
nat (inside) 3 192.168.250.49 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 4 172.16.250.25 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 pop3 192.168.250.11 pop3 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 www 192.168.250.11 www netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 https 192.168.250.11 https netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 6001 192.168.250.11 6001 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 6002 192.168.250.11 6002 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 6004 192.168.250.11 6004 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 3389 192.168.250.10 3389 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 smtp 192.168.250.11 smtp netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 pptp 192.168.250.10 pptp netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 3101 192.168.250.10 3101 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 8019 192.168.250.10 8019 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 56719 192.168.250.10 56719 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55333 192.168.250.10 55333 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55334 192.168.250.10 55334 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55335 192.168.250.10 55335 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55336 192.168.250.10 55336 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55337 192.168.250.10 55337 netmask 255.255.255.255
static (inside,outside) x.xx.xxx.215 192.168.250.49 netmask 255.255.255.255
static (dmz,outside) x.xx.xxx.214 172.16.250.25 netmask 255.255.255.255
access-group acl_out in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 x.xx.xxx.209 1
route inside 192.168.0.0 255.255.255.0 192.168.250.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy LLC internal
group-policy LLC attributes
 wins-server value 192.168.250.10
 dns-server value 192.168.250.10
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nonat
http server enable
http 192.168.250.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 192.168.250.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address 192.168.250.200-192.168.250.254 inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
  inspect h323 h225
  inspect h323 ras
  inspect skinny
!
service-policy global_policy global
: end
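As an added example that is not part of the original question or any of the locked answers, the Python script below parses the DMZ-relevant lines of the posted config (a constructed excerpt is embedded) and reports two things a reviewer checks before exposing a DMZ host: entries in an ACL applied inbound on the dmz interface whose source addresses cannot originate on that interface, and which permits on the outside ACL actually land on a translated host. The parser and function names are my own, and only the address-only static form shown in the excerpt is handled.

```python
import re
from ipaddress import ip_network

# Constructed excerpt of the posted PIX 7.1(2) config: the lines that decide
# what the DMZ host 172.16.250.25 can reach and be reached on.
CONFIG = """\
interface Ethernet2
 nameif dmz
 ip address 172.16.250.1 255.255.255.0
access-list acl_out extended permit tcp any host x.xx.xxx.214 eq ftp
access-list acl_out extended permit tcp any host x.xx.xxx.210 eq 3389
access-list dmz extended permit ip 192.168.250.0 255.255.255.0 172.16.250.0 255.255.255.0
static (dmz,outside) x.xx.xxx.214 172.16.250.25 netmask 255.255.255.255
access-group acl_out in interface outside
access-group dmz in interface dmz
"""
ACE = re.compile(r"access-list (\S+) extended permit (\S+) "
                 r"(any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)(?: eq (\S+))?")

def parse(text):
    cfg, nameif = {"subnets": {}, "acls": {}, "statics": {}, "groups": {}}, None
    for line in text.splitlines():
        w = line.split() or ["!"]              # blank lines behave like PIX '!' separators
        if w[0] == "nameif":
            nameif = w[1]
        elif w[:2] == ["ip", "address"]:       # interface subnet, keyed by its nameif
            cfg["subnets"][nameif] = ip_network(f"{w[2]}/{w[3]}", strict=False)
        elif m := ACE.match(line):             # (proto, src, dst, port) per ACL name
            cfg["acls"].setdefault(m[1], []).append(m.groups()[1:])
        elif w[0] == "static":                 # address-only form: mapped -> real
            cfg["statics"][w[2]] = w[3]
        elif w[0] == "access-group" and w[2] == "in":
            cfg["groups"][w[4]] = w[1]         # interface -> ACL applied to inbound traffic
    return cfg

def unmatchable_entries(cfg):
    bad = []                                   # inbound entries whose source cannot arrive on that interface
    for iface, acl in cfg["groups"].items():
        net = cfg["subnets"].get(iface)        # no parsed subnet (outside): nothing to check
        for proto, src, dst, port in cfg["acls"].get(acl, []) if net else []:
            if src == "any": continue
            src_net = ip_network(src.split()[1] if src.startswith("host") else src.replace(" ", "/"), strict=False)
            if not src_net.subnet_of(net):
                bad.append((iface, acl, src))
    return bad

def outside_exposure(cfg):
    entries = cfg["acls"].get(cfg["groups"].get("outside"), [])   # each permit -> real host behind its static
    return [(dst.split()[-1], port, cfg["statics"].get(dst.split()[-1], "NO STATIC: permit reaches no host"))
            for proto, src, dst, port in entries]
```

On this excerpt the dmz ACL entry is reported as unmatchable because its source is the inside subnet, so with the implicit deny the DMZ host cannot initiate any connection until an entry with a 172.16.250.0/24 source is added; the outside check shows FTP to x.xx.xxx.214 reaching 172.16.250.25 and the 3389 permit to x.xx.xxx.210 backed by no static at all.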