Allow printing traffic from DMZ(Lower Security interface) to inside network on PIX 515E

Hello, I set up a PIX 515E firewall with three interfaces: inside (192.168.35.5), outside and DMZ (172.30.50.20). There is an application server with a public IP address on a remote site connected to the PIX DMZ interface. The computers of the inside network should telnet to the remote server in the DMZ, and the remote server will send printing jobs back to the printers in the inside network. I have put an access-list to permit tcp traffic on port 515 (LPD) and 9100 on the DMZ interface.

The computers can telnet to the remote server without problem, but when a user requests printing, the remote server cannot send the printing job back to the printers of the inside network.

PIX 515E shows:

%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/729 dst inside:192.168.1.158/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/721 dst inside:192.168.1.50/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/726 dst inside:192.168.1.25/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/727 dst inside:192.168.1.39/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/60585 dst inside:192.168.1.114/9100

(Note: if I replace the PIX firewall with a router, configured with network routing and no NAT, everything works fine.)

Part of the PIX 515 configuration follows:

PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10

access-list 110 permit tcp 209.120.100.0 255.255.255.0 range 721 731 192.168.1.0 255.255.255.0 eq lpd
access-list 110 permit tcp 209.120.100.0 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet
access-list 110 permit tcp 209.120.100.0 255.255.255.0 range 721 731 192.168.1.0 255.255.255.0 eq 9100

ip address inside 192.168.35.5 255.255.255.0
ip address dmz 172.30.50.20 255.255.255.248

nat (inside) 0 192.168.1.0 255.255.255.0 0 0
nat (intf2) 0 209.120.100.0 255.255.255.0 0 0

access-group 110 in interface dmz

route dmz 209.120.100.0 255.255.255.0 172.30.50.17 1
route inside 192.168.1.0 255.255.255.0 192.168.35.10 1

I looked at the traffic log on the PIX firewall; the access-list doesn't seem to be applied to the DMZ interface, because when I show access-list, the hit count is 0.

Is there something wrong in my configuration? Your help will be appreciated. Thank you. JY


You will also need a static.

Wil my 3¢


Just noticed that you have a nat 0 on each interface... PIX isn't a router; AFAIK you will always need to NAT a lower to a higher.

Try this:

! This allows basic Internet usage
global (outside) 1 interface
nat (inside) 1 0 0
nat (dmz) 1 0 0

! This creates a nat from the dmz to the inside
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

happy hunting!

Wil my 3¢
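Added example, not from the thread: it parses the 106010 deny lines quoted in the question and checks each flow against access-list 110 the way the PIX evaluates it (first match, implicit deny), using the three entries transcribed above with lpd = 515 and telnet = 23 assumed. It models only the ACL, not the translation that Wil's static supplies, and shows that the 9100 flow from source port 60585 falls outside the third entry's "range 721 731" even once the static is in place.

```python
import re
import ipaddress

# Constructed sample input: three of the %PIX-3-106010 lines quoted in the question.
SAMPLE_LOG = """\
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/729 dst inside:192.168.1.158/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/721 dst inside:192.168.1.50/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/60585 dst inside:192.168.1.114/9100
"""

DENY_RE = re.compile(
    r"%PIX-3-106010: Deny inbound (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# access-list 110 from the question, one tuple per ACE in the order entered:
# (src network, src port range, dst network, dst port). Assumed: lpd = 515, telnet = 23.
ACL_110 = [
    ("209.120.100.0/255.255.255.0", (721, 731), "192.168.1.0/255.255.255.0", 515),
    ("209.120.100.0/255.255.255.0", (0, 65535), "192.168.1.0/255.255.255.0", 23),
    ("209.120.100.0/255.255.255.0", (721, 731), "192.168.1.0/255.255.255.0", 9100),
]

def parse_deny(line):
    """Return the flow fields of a 106010 deny line, or None for any other line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"], flow["dport"] = int(flow["sport"]), int(flow["dport"])
    return flow

def first_match(flow, acl):
    """Index of the first ACE that permits the flow (first match wins); None = implicit deny."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    for i, (snet, (lo, hi), dnet, dport) in enumerate(acl):
        if (src in ipaddress.ip_network(snet, strict=False) and lo <= flow["sport"] <= hi
                and dst in ipaddress.ip_network(dnet, strict=False) and flow["dport"] == dport):
            return i
    return None

def audit(log, acl):
    """Pair each denied flow with the ACE index that would permit it, or None."""
    results = []
    for line in log.splitlines():
        flow = parse_deny(line)
        if flow:
            key = f"{flow['src']}/{flow['sport']}->{flow['dst']}/{flow['dport']}"
            results.append((key, first_match(flow, acl)))
    return results

if __name__ == "__main__":
    for key, ace in audit(SAMPLE_LOG, ACL_110):
        print(key, "no ACE matches (implicit deny)" if ace is None else f"ACE {ace + 1}")
```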


Thank you, Wil, I'll try "static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0"

Kenny

