Question about Cisco PIX Firewall 506

1 Answer

Problems with DMZ-outside (webpage). PIX

Hi:

Having problems trying to publish a webpage: the web server 10.10.0.2 (on the DMZ) has the Internet address 1.1.1.170.

Can anyone help me?

The configuration:

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 131.15.3.10 RRC-PC
name 1.1.1.173 FTPSERVER-INTERNETADDRESS
name 1.1.1.170 WEBSERVER1-INTERNETADDRESS
name 1.1.1.171 WEBSERVER2-INTERNETADDRESS
name 10.10.0.2 WEBSERVER-IP-DMZ
!
interface Ethernet0
nameif OUTSIDE
security-level 0
ip address 1.1.1.172 255.255.255.248
!
interface Ethernet4
nameif DMZ
security-level 0
ip address 10.10.0.1 255.255.255.0
!
interface Ethernet5
nameif INSIDE
security-level 100
ip address 131.15.254.254 255.255.0.0
!
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq www
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq www
access-list DMZ_access_in extended permit tcp 10.10.0.0 255.255.255.0 131.15.0.0 255.255.0.0
access-list INSIDE_access_in extended permit ip host RRC-PC any
access-list INSIDE_access_in extended permit tcp 131.15.0.0 255.255.0.0 10.10.0.0 255.255.255.0
access-list OUTSIDE_access_in extended permit tcp any any
access-list OUTSIDE_access_in extended permit tcp any host WEBSERVER1-INTERNETADDRESS object-group DM_INLINE_TCP_1
access-list OUTSIDE_access_in extended permit tcp any host WEBSERVER2-INTERNETADDRESS object-group DM_INLINE_TCP_2
access-list OUTSIDE_access_in extended permit tcp any host FTPSERVER-INTERNETADDRESS eq ftp
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu DMZ 1500
mtu INSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
asdm location RRC-PC 255.255.255.255 INSIDE
asdm location WEBSERVER1-INTERNETADDRESS 255.255.255.255 INSIDE
asdm location WEBSERVER2-INTERNETADDRESS 255.255.255.255 INSIDE
asdm location FTPSERVER-INTERNETADDRESS 255.255.255.255 INSIDE
asdm location WEBSERVER-IP-DMZ 255.255.255.255 INSIDE
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 WEBSERVER1-INTERNETADDRESS netmask 255.255.255.0
global (OUTSIDE) 101 interface
static (DMZ,OUTSIDE) tcp WEBSERVER1-INTERNETADDRESS www WEBSERVER-IP-DMZ www netmask 255.255.255.255
static (DMZ,INSIDE) 10.10.0.0 10.10.0.0 netmask 255.255.255.0
static (INSIDE,DMZ) 131.15.0.0 131.15.0.0 netmask 255.255.0.0
access-group OUTSIDE_access_in in interface OUTSIDE
access-group DMZ_access_in in interface DMZ
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http RRC-PC 255.255.255.255 INSIDE
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet RRC-PC 255.255.255.255 INSIDE
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:286b6b78a87b9591a6fae5c725a414ed
: end



Remove this line:

static (DMZ,INSIDE) 10.10.0.0 10.10.0.0 netmask 255.255.255.0

You don't need a translation going from a lower security level to a higher one. You will also need a NAT line for the DMZ so that PCs on the DMZ will be translated outbound. The only connection that will work on the DMZ is the web server when it's sending traffic outbound with a source port of 80. Something like:

nat (DMZ) 101 10.10.0.0 255.255.255.0

Other than that, it looks like it should be working. You've got permission, a route, and a translation. Maybe "clear local-host 10.10.0.2" to get rid of any bad xlates and try again. Check debug-level syslogs, run packet captures, and do "clear asp drop" then "show asp drop" after an attempt.

Posted on Apr 10, 2009
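For readers following along, here is the DMZ-related part of the posted configuration with the two changes the answer suggests applied, plus three things in the posted config that are worth fixing at the same time. This is an added example, not the original poster's or the answerer's configuration; the security-level value 50 is an assumed value, everything else is taken from the config above.

```text
! DMZ interface. The posted config gives DMZ the same security-level (0)
! as OUTSIDE. PIX 7.x does not pass traffic between two interfaces with
! equal security levels unless "same-security-traffic permit
! inter-interface" is configured, so with both at 0 the web server can
! never be reached from OUTSIDE regardless of ACL and static. Giving the
! DMZ an intermediate level (50 is an assumed value) restores the normal
! OUTSIDE(0) < DMZ < INSIDE(100) ordering.
interface Ethernet4
 nameif DMZ
 security-level 50
 ip address 10.10.0.1 255.255.255.0
!
! Inbound publish of the web server on port 80 only: unchanged.
static (DMZ,OUTSIDE) tcp WEBSERVER1-INTERNETADDRESS www WEBSERVER-IP-DMZ www netmask 255.255.255.255
!
! Identity NAT INSIDE -> DMZ is kept. The DMZ -> INSIDE static is removed,
! as the answer says: a flow from lower to higher security needs no static.
static (INSIDE,DMZ) 131.15.0.0 131.15.0.0 netmask 255.255.0.0
no static (DMZ,INSIDE) 10.10.0.0 10.10.0.0 netmask 255.255.255.0
!
! Outbound PAT for everything else on the DMZ, as the answer suggests.
! Pool 101 already exists in the posted config as
! "global (OUTSIDE) 101 interface".
nat (DMZ) 101 10.10.0.0 255.255.255.0
!
! Inbound ACL. The first line of the posted OUTSIDE_access_in permits all
! TCP from anywhere to anywhere. ACL entries are matched top-down, so the
! three host/port-specific lines after it never match and every address
! that has a translation is reachable on every TCP port. Remove it so
! only the listed services are exposed.
no access-list OUTSIDE_access_in extended permit tcp any any
!
! The "global (OUTSIDE) 1" pool hands out WEBSERVER1-INTERNETADDRESS, the
! same public IP the static above uses, and no "nat (...) 1" line in the
! posted config references pool 1. Remove it so the address is used only
! by the web server static.
no global (OUTSIDE) 1 WEBSERVER1-INTERNETADDRESS netmask 255.255.255.0
```

To confirm the path without waiting for a real client, run (PIX 7.2 and later) `packet-tracer input OUTSIDE tcp 192.0.2.10 40000 1.1.1.170 80`, using any outside source address; the output walks through the ACL, NAT and route phases and names the phase that drops the packet, which is quicker than correlating `show asp drop` counters with an attempt.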


Related Questions:

1 Answer

I have configured a Cisco ASA firewall and enabled ICMP inspect as well, but I am not able to ping the PC kept in the DMZ from the outside interface


Hi,

· Please check the security levels of the DMZ and outside interfaces. If the DMZ has the higher security level, please do the NAT configuration.
· If they have the same security level, please issue the command "same-security-traffic permit inter-interface" in global config mode.

Mar 01, 2011 | Cisco ASA 5505 Firewall

2 Answers

Replacing a PIX 515E with an ASA 5510


Best way to migrate is to take the configuration of the old PIX and TFTP it to a PC or other server for safe keeping.

Then boot up the ASA in a lab environment and TFTP the configuration to the new unit and reboot. There will be some commands that don't translate correctly, but you can compare the configurations to each other to make sure all the access lists and NAT statements get transferred across.

Keep in mind that the PIX and the ASA name their interfaces differently, so there may be errors when you transfer the configuration. You can edit the configuration offline with something like Notepad and change the names of the interfaces to have it work.

Good luck!

Jan 29, 2010 | Cisco ASA 5510 Firewall

1 Answer

How to configure MAC access list at PIX 515


The PIX is a layer 3 device; I can't say that I have ever tried to filter a MAC address. I'm pretty sure you can't.

Jan 02, 2010 | Cisco PIX 515E Firewall

1 Answer

I want to block an outside IP-address and some sites on PIX 515E


Assuming you are running the latest version.
Short answer:
# access-list acl-outside line 1 deny ip IPYOUWANTTOBLOCK 255.255.255.255 any
# write memory
The link below contains a longer helpful explanation: http://www.velocityreviews.com/forums/t35733-how-to-block-external-ip-address-on-pix-515e.html
I hope this helps.

Nov 09, 2009 | Cisco PIX 515E Firewall

1 Answer

Cisco pix 515 workstations cant get outside pix can


You have to create a route statement to allow workstations to get online.

Below is the command:
route interface_name ip_address netmask gateway_ip

Example:
route outside 0.0.0.0 0.0.0.0 200.200.200.1
or
route outside 0 0 200.200.200.1

When there is already a route statement but the workstations still cannot get online, check the DNS settings.

Oct 08, 2009 | Cisco PIX 515E Firewall

2 Answers

Pix 515 E allow few websites only.


Do an nslookup for the three websites and write an access list to permit traffic only to those website IP addresses.

E.g.

1. Go to the DOS prompt.

2. Type "nslookup".

3. Type "www.rediff.com".

Note: you will get the IP address of the website.

4. Create an object group for these websites.

5. Add the IP addresses of the websites.

6. Create an access-control list entry to permit the traffic from your circle office to this object group for TCP ports 80 and 443.

You are done.

Mar 09, 2009 | Cisco PIX 515E Firewall
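The steps above written out as PIX 7.x configuration, added here as an example (it is not the answerer's own config). The interface name inside, the internal network 192.168.1.0/24, the resolved site addresses 203.0.113.10 and 203.0.113.20 and the DNS server 198.51.100.53 are all assumed values from the RFC 5737 documentation ranges; substitute what nslookup returns for your sites.

```text
! Steps 4 and 5: the addresses nslookup returned, grouped so the ACL
! stays readable when sites are added or change address.
object-group network ALLOWED-WEBSITES
 network-object host 203.0.113.10
 network-object host 203.0.113.20
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
!
! Step 6: permit web traffic to those hosts only. DNS to the internal
! resolver must also be permitted or the clients cannot resolve the
! names at all. The final deny is what the implicit deny would do
! anyway, but with "log" the blocked attempts show up in the syslog.
access-list WEB-ONLY extended permit tcp 192.168.1.0 255.255.255.0 object-group ALLOWED-WEBSITES object-group WEB-PORTS
access-list WEB-ONLY extended permit udp 192.168.1.0 255.255.255.0 host 198.51.100.53 eq domain
access-list WEB-ONLY extended deny ip any any log
access-group WEB-ONLY in interface inside
```

Because the allow list is by IP address, it has to be revisited whenever a site changes hosting or answers from several addresses (load balancers and CDNs commonly do, so nslookup may return a different address each time); if the users report a previously working site breaking, re-run the nslookup before touching anything else. On PIX 6.x drop the word "extended" from the access-list lines; the object-group syntax is the same.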

1 Answer

Pix 515E inside to outside translation problem


Dear Kiran,

What are the names assigned for ISP 1 and ISP 2?

For your reference, kindly find the sample configuration:
ISP 1:
interface ethernet0 100full
nameif ethernet0 outside security0
ip address outside 203.193.129.132 255.255.255.240
nat (inside) 1 (local network) (netmask)
global (outside) 1 203.193.129.133
route outside 0 0 203.193.129.129 1

regards,
mani.S

Mar 09, 2009 | Cisco PIX 515E Firewall

1 Answer

ASA-5505 IOS 8.0(4)


Check for an IP conflict. How are you assigning the IP address on the workstations? If one of them happened to have the same ip address as the ip on the vlan1 on the ASA for example, you would have that exact issue.

Let me know how things go.

Dec 25, 2008 | Cisco ASA 5505 Firewall

1 Answer

How do I set up a VPN connection with PIX 501?


No worries. Just give it a try then let us know should you get any problems or follow-up questions.

Oct 15, 2008 | Cisco PIX 501 Firewall

1 Answer

Cannot Access Internet from the DMZ


If there is a proper policy in place then there won't be any issue.

If at all you need to access your DMZ from the Internet, you need to configure a VIP or MIP on the firewall, and a policy also needs to be written to permit the traffic.

If you need more help you may contact me.

Oct 10, 2008 | Juniper Networks SECURE SERVICES GATEWAY...
