Question about Cisco PIX Firewall 506

Problems with dmz-outside (webpage). pix

Hi:

Having problems trying to publish a webpage: the webserver 10.10.0.2 (on the DMZ) has the Internet address 1.1.1.170.

Can anyone help me?

The configuration:

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 131.15.3.10 RRC-PC
name 1.1.1.173 FTPSERVER-INTERNETADDRESS
name 1.1.1.170 WEBSERVER1-INTERNETADDRESS
name 1.1.1.171 WEBSERVER2-INTERNETADDRESS
name 10.10.0.2 WEBSERVER-IP-DMZ
!
interface Ethernet0
nameif OUTSIDE
security-level 0
ip address 1.1.1.172 255.255.255.248
!
interface Ethernet4
nameif DMZ
security-level 0
ip address 10.10.0.1 255.255.255.0
!
interface Ethernet5
nameif INSIDE
security-level 100
ip address 131.15.254.254 255.255.0.0
!
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq www
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq www
access-list DMZ_access_in extended permit tcp 10.10.0.0 255.255.255.0 131.15.0.0 255.255.0.0
access-list INSIDE_access_in extended permit ip host RRC-PC any
access-list INSIDE_access_in extended permit tcp 131.15.0.0 255.255.0.0 10.10.0.0 255.255.255.0
access-list OUTSIDE_access_in extended permit tcp any any
access-list OUTSIDE_access_in extended permit tcp any host WEBSERVER1-INTERNETADDRESS object-group DM_INLINE_TCP_1
access-list OUTSIDE_access_in extended permit tcp any host WEBSERVER2-INTERNETADDRESS object-group DM_INLINE_TCP_2
access-list OUTSIDE_access_in extended permit tcp any host FTPSERVER-INTERNETADDRESS eq ftp
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu DMZ 1500
mtu INSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
asdm location RRC-PC 255.255.255.255 INSIDE
asdm location WEBSERVER1-INTERNETADDRESS 255.255.255.255 INSIDE
asdm location WEBSERVER2-INTERNETADDRESS 255.255.255.255 INSIDE
asdm location FTPSERVER-INTERNETADDRESS 255.255.255.255 INSIDE
asdm location WEBSERVER-IP-DMZ 255.255.255.255 INSIDE
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 WEBSERVER1-INTERNETADDRESS netmask 255.255.255.0
global (OUTSIDE) 101 interface
static (DMZ,OUTSIDE) tcp WEBSERVER1-INTERNETADDRESS www WEBSERVER-IP-DMZ www netmask 255.255.255.255
static (DMZ,INSIDE) 10.10.0.0 10.10.0.0 netmask 255.255.255.0
static (INSIDE,DMZ) 131.15.0.0 131.15.0.0 netmask 255.255.0.0
access-group OUTSIDE_access_in in interface OUTSIDE
access-group DMZ_access_in in interface DMZ
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http RRC-PC 255.255.255.255 INSIDE
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet RRC-PC 255.255.255.255 INSIDE
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:286b6b78a87b9591a6fae5c725a414ed
: end

1 Answer

Remove this line:

static (DMZ,INSIDE) 10.10.0.0 10.10.0.0 netmask 255.255.255.0

You don't need a translation going from a lower security level to a higher one. You will also need a nat line for the DMZ so that PCs on the DMZ will be translated outbound. The only connection that will work on the DMZ is the webserver when he's sending traffic outbound with a source port of 80. Something like:

nat (DMZ) 101 10.10.0.0 255.255.255.0

Other than that, it looks like it should be working. You've got permission, a route, and a translation. Maybe "clear local-host 10.10.0.2" to get rid of any bad xlates and try again. Check debug-level syslogs, run packet captures, "clear asp drop" then "show asp drop" after an attempt?

Posted on Apr 10, 2009
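As an added example (it is not part of the original post and is not Cisco tooling), the following Python script applies three checks a reviewer would run against a configuration like the one posted above, using a trimmed copy of that configuration as its input: it flags interfaces that share a security level when "same-security-traffic permit inter-interface" is absent (here DMZ and OUTSIDE are both level 0, so the firewall drops traffic between them regardless of the ACLs and the static), a "permit tcp any any" entry that shadows the more specific entries after it in the same access-list, and the low-to-high "static (DMZ,INSIDE)" that the answer says to remove. The check names and the regular expressions are my own; the sample configuration lines are taken from the post.

```python
"""Static checks for a PIX/ASA 7.x-style configuration (added example, not
from the original post). Parses interface blocks, access-lists and statics
in the format posted above and reports:
  * interfaces sharing a security level while the configuration lacks
    "same-security-traffic permit inter-interface";
  * a "permit <proto> any any" entry that shadows every later entry in the
    same access-list for that protocol;
  * static translations from a lower to a higher security level, which the
    answer above says are unnecessary.
SAMPLE_CONFIG is a trimmed copy of the configuration posted above."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
interface Ethernet0
nameif OUTSIDE
security-level 0
interface Ethernet4
nameif DMZ
security-level 0
interface Ethernet5
nameif INSIDE
security-level 100
access-list OUTSIDE_access_in extended permit tcp any any
access-list OUTSIDE_access_in extended permit tcp any host WEBSERVER1-INTERNETADDRESS object-group DM_INLINE_TCP_1
static (DMZ,OUTSIDE) tcp WEBSERVER1-INTERNETADDRESS www WEBSERVER-IP-DMZ www netmask 255.255.255.255
static (DMZ,INSIDE) 10.10.0.0 10.10.0.0 netmask 255.255.255.0
static (INSIDE,DMZ) 131.15.0.0 131.15.0.0 netmask 255.255.0.0
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)")


def parse_interfaces(config):
    """Map nameif -> security-level from the interface blocks."""
    levels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current is not None:
            levels[current] = int(line.split()[1])
    return levels


def check_same_security(config):
    """Interfaces at one level cannot exchange traffic unless the global
    same-security-traffic permit is present."""
    if "same-security-traffic permit inter-interface" in config:
        return []
    by_level = defaultdict(list)
    for name, level in parse_interfaces(config).items():
        by_level[level].append(name)
    return [("same-security", level, tuple(sorted(names)))
            for level, names in sorted(by_level.items()) if len(names) > 1]


def check_shadowed_aces(config):
    """Report entries that follow a 'permit <proto> any any' in the same list."""
    catch_all = {}  # acl name -> protocol of its first any-any permit
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        acl, action, proto, rest = m.groups()
        if acl in catch_all:
            if catch_all[acl] in ("ip", proto):
                findings.append(("shadowed", acl, lineno, raw.strip()))
        elif action == "permit" and rest.split() == ["any", "any"]:
            catch_all[acl] = proto
    return findings


def check_static_direction(config):
    """static (a,b) with level[a] < level[b]: the answer above says drop these."""
    levels = parse_interfaces(config)
    findings = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if m and levels.get(m.group(1), 0) < levels.get(m.group(2), 0):
            findings.append(("low-to-high-static", raw.strip()))
    return findings


def lint(config):
    """All findings for one configuration text, in the order above."""
    return (check_same_security(config)
            + check_shadowed_aces(config)
            + check_static_direction(config))


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run as-is it reports the three findings for the posted configuration; to reuse it, feed lint() the text of "show running-config". Adding "same-security-traffic permit inter-interface" (or giving the DMZ a level between the two, a common choice being 50) clears the first finding. The shadowing finding matters on OUTSIDE because "permit tcp any any" admits any TCP port to every address that has a static, not only the web and FTP services the later entries name.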


Related Questions:

1 Answer

I have configured a Cisco ASA firewall and enabled ICMP inspect, but I can't ping the PC in the DMZ from the outside interface


Hi,


· Please check the security levels of the DMZ and outside interfaces. If the DMZ has the higher security level, please do the NAT configuration.
· If they have the same security level, please issue the command "same-security-traffic permit inter-interface" in global config mode.

Mar 01, 2011 | Cisco ASA 5505 Firewall

2 Answers

Replacing a PIX 515E with an ASA 5510


The best way to migrate is to take the configuration of the old PIX and TFTP it to a PC or other server for safekeeping.

Then boot up the ASA in a lab environment and TFTP the configuration to the new unit and reboot. There will be some commands that don't translate correctly, but you can compare the configurations to each other to make sure all the access lists and NAT statements get transferred across.

Keep in mind that the PIX and the ASA name their interfaces differently, so there may be errors when you transfer the configuration. You can edit the configuration offline with something like Notepad and change the names of the interfaces to have it work.

Good luck!

Jan 29, 2010 | Cisco ASA 5510 Firewall

1 Answer

How to configure MAC access list at PIX 515


The PIX is a layer 3 device; I can't say that I have ever tried to filter a MAC address. I'm pretty sure you can't.

Jan 02, 2010 | Cisco PIX 515E Firewall

2 Answers

Pix 515 E allow few websites only.


Do an nslookup for the three websites and write an access list that permits traffic only to those website IP addresses.

E.g.

1. Go to a DOS prompt.

2. Type "nslookup".

3. Type "www.rediff.com".

Note: you will get the IP addresses of the websites.

4. Create an object group for these websites.

5. Add the IP addresses of the websites.

6. Create an access-control list entry to permit the traffic from your circle office to this object group for TCP ports 80 and 443.

You are done.

Mar 09, 2009 | Cisco PIX 515E Firewall
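As an added example (not from the original answer), the following Python script automates the six steps above: it resolves each site, puts the addresses into an object-group, and permits only TCP 80 and 443 from the office subnet to that group. The resolver is injected so the script runs offline; FAKE_DNS holds constructed addresses from the RFC 5737 documentation ranges, not the sites' real ones. The group name ALLOWED_SITES, the access-list and interface names, the office subnet and the DNS server address are assumptions for illustration.

```python
"""Build a PIX/ASA web allow-list from resolved site addresses (added
example, not from the original answer). Steps 2-3 are the resolver, steps
4-6 are build_allowlist_config(). Names, subnets and FAKE_DNS contents are
constructed for the example."""
import ipaddress
import socket

FAKE_DNS = {  # constructed sample answers (RFC 5737 documentation ranges)
    "www.rediff.com": ["192.0.2.10", "192.0.2.11"],
    "www.example.org": ["198.51.100.7"],
    "www.example.net": ["203.0.113.42", "192.0.2.10"],  # shared address, deduplicated below
}


def resolve_live(hostname):
    """Live lookup (what nslookup shows in steps 2-3); needs network access."""
    return sorted({r[4][0] for r in socket.getaddrinfo(hostname, 80, socket.AF_INET)})


def build_allowlist_config(sites, office_subnet, resolver=resolve_live,
                           group="ALLOWED_SITES", acl="INSIDE_access_in",
                           nameif="INSIDE", dns_server=None):
    """Return the configuration lines for steps 4-6 as a list of strings."""
    office = ipaddress.ip_network(office_subnet)
    src = f"{office.network_address} {office.netmask}"
    lines = [f"object-group network {group}"]
    seen = set()
    for site in sites:
        for addr in resolver(site):
            ip = ipaddress.ip_address(addr)  # rejects anything that is not an address
            if ip not in seen:
                seen.add(ip)
                lines.append(f" network-object host {ip}")
    if dns_server:  # clients still have to resolve the names, so allow DNS to one server
        lines.append(f"access-list {acl} extended permit udp {src} host {dns_server} eq domain")
    for port in ("www", "https"):
        lines.append(f"access-list {acl} extended permit tcp {src} object-group {group} eq {port}")
    lines.append(f"access-list {acl} extended deny ip any any log")  # explicit deny so blocked hits are logged
    lines.append(f"access-group {acl} in interface {nameif}")
    return lines


if __name__ == "__main__":
    # Offline run against the constructed resolver; 131.15.1.1 is an assumed DNS server.
    for line in build_allowlist_config(list(FAKE_DNS), "131.15.0.0/16",
                                       FAKE_DNS.__getitem__, dns_server="131.15.1.1"):
        print(line)
```

Replace FAKE_DNS.__getitem__ with the default resolve_live to use real lookups. Because the sites' addresses can change (especially behind a CDN), regenerate and re-apply the object-group on a schedule, and keep the DNS permit narrow to the resolver the clients actually use.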

1 Answer

Portforwarding: Incoming connections on port 80 not possible


try using DMZ plus mode to open all ports to be accessible for that particular application, or specify the application name with the corresponding port on the 2wire modems firewall settings

Nov 22, 2008 | 2wire Wireless-G 802.11g ADSL Gateway

1 Answer

Repeated hard disk failure and slow internal webserver


Hi,

I have a similar problem with my DS207+. My second (sic!) volume failed, especially when copying a lot.
But as I was using RAID1, I just repaired it and lived with it for the next months.
But now I want to have "Basic" drives.

I found this:
http://www.synology.com/enu/forum/viewtopic.php?f=7&t=8284&p=44638

I will try and get hold of those cables.

If your third disk is failing again, it seems like a cable issue as well.

regards,
Markus

Oct 21, 2008 | Synology Disk Station DS207+ (DS207PLUS)...

1 Answer

Can't access webpage outside of my USR5461


Did you get this resolved? I have the same problem: I get the router's login page when I try to access from outside.

Aug 05, 2008 | U.S. Robotics USRobotics USR5461 Wireless...
