Help! DMZ on Pix515

I have set up a Pix 515 and internet works fine, but I have a problem with the DMZ. I have a range of addresses, like webserver ( and ftp ( and some other stuff.

I can't reach anything on the DMZ from the outside. I desperately altered some of the access lists late last night, so there may be some weird things there now. Note that I changed usernames/passwords/addresses before publishing this config.

If someone could take a look at my config and point me in the right direction (not to mention tell me exactly what's wrong) I would be very grateful.

PIX Version 7.2(1)19 ! hostname hhfw01 domain-name noname enable password K4EjjEJEwpFjlPTE encrypted names dns-guard ! interface Ethernet0 nameif outside security-level 0 pppoe client vpdn group nonamevpn ip address pppoe setroute ! interface Ethernet1 nameif inside security-level 100 ip address ! interface Ethernet2 speed 100 duplex full nameif dmz security-level 97 ip address ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive dns server-group DefaultDNS domain-name hatlehols same-security-traffic permit intra-interface access-list inside_access_out extended permit ip any any access-list inside_access_out extended permit tcp interface outside access-list inside_access_in extended permit ip any any inactive access-list outside_access_in extended permit ip any any inactive access-list outside_access_in extended permit tcp any interface dmz access-list outside_access_in extended permit ip any interface dmz access-list outside_access_in extended permit icmp any interface dmz echo-reply access-list hh_splitTunnelAcl standard permit access-list outside_cryptomap extended permit ip any access-list dmz_access_in extended permit ip any any access-list dmz_access_in extended permit tcp any any access-list dmz_access_out extended permit ip any any pager lines 24 logging enable logging asdm informational mtu outside 1500 mtu inside 1500 mtu dmz 1500 ip local pool clients mask asdm image flash:/asdm no asdm history enable arp timeout 14400 nat-control global (outside) 101 interface nat (inside) 101 access-group outside_access_in in interface outside access-group inside_access_in in interface inside access-group inside_access_out out interface inside access-group dmz_access_in in interface dmz access-group dmz_access_out out interface dmz timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius group-policy hh internal group-policy hh attributes dns-server value vpn-tunnel-protocol IPSec split-tunnel-policy tunnelspecified split-tunnel-network-list value hh_splitTunnelAcl default-domain value HATLEHOLS username admin password FOGca/gfTrozRbXj encrypted privilege 0 username admin attributes vpn-group-policy hh http server enable http inside no snmp-server location no snmp-server contact snmp-server community public snmp-server enable traps snmp authentication linkup linkdown coldstart no sysopt connection permit-vpn crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside crypto isakmp identity hostname crypto isakmp enable outside crypto isakmp nat-traversal 20 tunnel-group hh type ipsec-ra tunnel-group hh general-attributes address-pool clients default-group-policy hh tunnel-group hh ipsec-attributes pre-shared-key * telnet timeout 5 ssh timeout 5 ssh version 1 console timeout 0 vpdn group hatlehols request dialout pppoe vpdn group hatlehols localname vpdn group hatlehols ppp authentication pap vpdn username password ********* dhcpd dns dhcpd ping_timeout 750 dhcpd auto_config outside dhcpd update dns ! dhcpd address inside dhcpd enable inside ! ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns migrated_dns_map_1 inspect ftp inspect h323 h225 inspect h323 ras inspect http inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp !


Reply to
Loading thread data ...

i believe you are missing a static entry, something like:

static (dmz,outside) netmask 0 0

Reply to

Thanks a lot, I was of course missing static routes to the DMZ.


mak skrev:

Reply to
bg Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.