Allow printing traffic from DMZ (lower security interface) to inside network on PIX 515E

Hello,
I set up a PIX 515E firewall with three interfaces: inside
(192.168.35.5), outside, and DMZ (172.30.50.20).
There is an application server with a public IP address on a remote site
connected to the PIX DMZ interface.
The computers on the inside network should telnet to the remote server in
the DMZ, and the remote server will send print jobs back to the printers on
the inside network.
I have put an access-list on the DMZ interface to permit TCP traffic on
ports 515 (LPD) and 9100.

The computers can telnet to the remote server without problem, but when a
user requests printing, the remote server cannot send the print job back
to the printers on the inside network.

PIX 515E shows:
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/729 dst inside:192.168.1.158/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/721 dst inside:192.168.1.50/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/726 dst inside:192.168.1.25/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/727 dst inside:192.168.1.39/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/60585 dst inside:192.168.1.114/9100

(Note: if I replace the PIX firewall with a router configured for plain
routing and no NAT, everything works fine.)

Part of the PIX 515 configuration follows:

PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10

access-list 110 permit tcp 209.120.100.0 255.255.255.0 range 721 731 192.168.1.0 255.255.255.0 eq lpd
access-list 110 permit tcp 209.120.100.0 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet
access-list 110 permit tcp 209.120.100.0 255.255.255.0 range 721 731 192.168.1.0 255.255.255.0 eq 9100

ip address inside 192.168.35.5 255.255.255.0
ip address dmz 172.30.50.20 255.255.255.248

nat (inside) 0 192.168.1.0 255.255.255.0 0 0
nat (intf2) 0 209.120.100.0 255.255.255.0 0 0

access-group 110 in interface dmz

route dmz 209.120.100.0 255.255.255.0 172.30.50.17 1
route inside 192.168.1.0 255.255.255.0 192.168.35.10 1

I looked at the traffic log on the PIX firewall; the access-list doesn't seem
to be applied to the DMZ interface, because when I do "show access-list" the
hit count is 0.

Is there something wrong in my configuration?
Your help will be appreciated.
Thank you.
JY
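As an added example (not part of the thread or of any poster's configuration), the following Python script parses the five %PIX-3-106010 deny lines quoted above and checks each denied flow against the three entries of access-list 110 as posted. It does not model the PIX's translation step; it only answers the narrower question of which denied flows the access-list itself would admit. The log lines and ACL text are embedded as constructed copies of what the post shows, and the LPD flows from source ports 721-731 all fall inside the first entry, while the port 9100 flow arrives from source port 60585, outside the 721-731 source range that the third entry requires, so that flow would still be refused by the ACL even once the translation problem discussed in the replies is resolved.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the five %PIX-3-106010 lines quoted in the post, each joined
# back onto a single line (the forum wrapped them). Real syslog also carries a timestamp.
DENY_LOG = """\
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/729 dst inside:192.168.1.158/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/721 dst inside:192.168.1.50/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/726 dst inside:192.168.1.25/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/727 dst inside:192.168.1.39/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/60585 dst inside:192.168.1.114/9100
"""

# The three entries of access-list 110 as posted, joined onto single lines.
ACL_110 = """\
access-list 110 permit tcp 209.120.100.0 255.255.255.0 range 721 731 192.168.1.0 255.255.255.0 eq lpd
access-list 110 permit tcp 209.120.100.0 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet
access-list 110 permit tcp 209.120.100.0 255.255.255.0 range 721 731 192.168.1.0 255.255.255.0 eq 9100
"""

# PIX accepts well-known service names in place of port numbers; only the two
# names that appear on this page are needed here.
PORT_NAMES = {"lpd": 515, "telnet": 23}

LOG_RE = re.compile(
    r"%PIX-3-106010: Deny inbound (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Denied:
    proto: str
    src_if: str
    src: ipaddress.IPv4Address
    sport: int
    dst_if: str
    dst: ipaddress.IPv4Address
    dport: int


@dataclass(frozen=True)
class Ace:
    acl_id: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sports: tuple  # inclusive (low, high); (0, 65535) when the entry names no port
    dst: ipaddress.IPv4Network
    dports: tuple


def parse_deny(line: str) -> Optional[Denied]:
    """Parse one 106010 syslog line; returns None for any other message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Denied(m["proto"], m["sif"], ipaddress.ip_address(m["sip"]), int(m["sport"]),
                  m["dif"], ipaddress.ip_address(m["dip"]), int(m["dport"]))


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _port_range(t: list, i: int):
    """Consume an optional 'eq X' or 'range A B' at t[i]; absent means any port."""
    if i < len(t) and t[i] == "eq":
        p = _port(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return (0, 65535), i


def parse_ace(line: str) -> Ace:
    # access-list <id> permit|deny <proto> <src> <mask> [ports] <dst> <mask> [ports]
    t = line.split()
    src = ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False)
    sports, i = _port_range(t, 6)
    dst = ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)
    dports, _ = _port_range(t, i + 2)
    return Ace(t[1], t[2], t[3], src, sports, dst, dports)


def parse_acl(text: str) -> list:
    return [parse_ace(l) for l in text.splitlines() if l.startswith("access-list")]


def mismatches(ace: Ace, d: Denied) -> list:
    """Names of the ACE fields the denied flow does not satisfy (empty list = match)."""
    bad = []
    if ace.proto not in (d.proto, "ip"):
        bad.append("proto")
    if d.src not in ace.src:
        bad.append("src-net")
    if not ace.sports[0] <= d.sport <= ace.sports[1]:
        bad.append("src-port")
    if d.dst not in ace.dst:
        bad.append("dst-net")
    if not ace.dports[0] <= d.dport <= ace.dports[1]:
        bad.append("dst-port")
    return bad


def evaluate(log_text: str, acl_text: str) -> list:
    """For each denied flow, the 1-based index of the first permitting ACE, or None."""
    aces = parse_acl(acl_text)
    out = []
    for line in log_text.splitlines():
        d = parse_deny(line)
        if d is None:
            continue
        hit = next((n for n, a in enumerate(aces, 1)
                    if a.action == "permit" and not mismatches(a, d)), None)
        out.append((d, hit))
    return out


if __name__ == "__main__":
    aces = parse_acl(ACL_110)
    for d, hit in evaluate(DENY_LOG, ACL_110):
        flow = f"{d.src}:{d.sport} -> {d.dst}:{d.dport}"
        if hit:
            print(f"{flow:42} would be permitted by ACE {hit}")
        else:
            why = "; ".join(f"ACE {n}: {','.join(mismatches(a, d))}"
                            for n, a in enumerate(aces, 1))
            print(f"{flow:42} matches no ACE ({why})")
```

Run it as a script to get one line per denied flow. The first four flows report "permitted by ACE 1", so a hit count of 0 on that entry means the packets were dropped before the access-list was consulted, which is what the replies below address; the fifth flow reports "src-port" against ACE 3, a separate problem that tightening or widening the source range in that entry would have to resolve.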


Re: Allow printing traffic from DMZ (lower security interface) to inside network on PIX 515E
You will also need a static

Wil
my 3

Re: Allow printing traffic from DMZ (lower security interface) to inside network on PIX 515E
Just noticed that you have a nat 0 on each interface... the PIX isn't a
router; AFAIK you will always need to NAT from a lower to a higher.

Try this:

! This allows basic Internet usage
global (outside) 1 interface
nat (inside) 1 0 0
nat (dmz) 1 0 0

! This creates a nat from the dmz to the inside
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

happy hunting!

Wil
my 3

Re: Allow printing traffic from DMZ (lower security interface) to inside network on PIX 515E
Thank you, Wil,
I'll try "static (inside,dmz) 192.168.1.0 192.168.1.0 netmask
255.255.255.0"

Kenny
