Help with PIX515E config

hi all,

I've been unlucky with my previous posts in this newsgroup; this time I hope to receive answers from you experts. Thanks in advance for your help.

I'll try to explain the situation as clearly as I can; sorry for the bad English.

I have a PIX515E serving (mostly) three networks: outside, inside and DMZ. I can access the Internet (outside) using a box in the inside network. I can access the DMZ from the Internet. I can access the DMZ directly from the inside interface. I need to access the DMZ from the inside as if the request were coming from the Internet (using the mapped public address).

The current configuration of the PIX follows:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password $$$$$$$$$$$ encrypted
passwd $$$$$$$$$$ encrypted
hostname pix
domain-name domain.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.128.10 AS01
name 192.168.128.11 AS02
name 192.168.128.13 SM01
name 31.31.31.25 WebServer
object-group service WebServer tcp
  port-object eq www
  port-object eq https
object-group service VPN-ACCESS tcp
  port-object eq ssh
  port-object eq 6974
access-list outside_access_in permit tcp any host A.A.A.219 object-group WebServer log
access-list 110 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 110 permit ip 192.168.128.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.130.0 255.255.255.0
access-list DMZ_access_in permit tcp 31.31.31.0 255.255.255.0 host AS01 log
access-list DMZ_access_in permit tcp 31.31.31.0 255.255.255.0 host AS02 log
access-list DMZ_access_in permit tcp 192.168.128.0 255.255.255.0 31.31.31.0 255.255.255.0 eq 5900
access-list DMZ_access_in permit tcp 31.31.31.0 255.255.255.0 host 192.168.128.90 eq sqlnet log
access-list DMZ_access_in permit tcp 31.31.31.0 255.255.255.0 host 192.168.128.30 eq ssh log
access-list DMZ_access_in permit udp 31.31.31.0 255.255.255.0 host 151.99.125.2 eq domain log
pager lines 24
logging on
logging timestamp
logging trap notifications
logging facility 21
logging host inside SM01 format emblem
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside A.A.A.218 255.255.255.248
ip address inside 192.168.128.1 255.255.255.0
ip address DMZ 31.31.31.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.129.1-192.168.129.100
ip local pool cisco-pool 192.168.130.1-192.168.130.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ
pdm location 31.31.31.20 255.255.255.255 DMZ
pdm location SM01 255.255.255.255 inside
pdm location WebServer 255.255.255.255 DMZ
pdm location 192.168.128.0 255.255.255.255 inside
pdm location AS01 255.255.255.255 inside
pdm location AS02 255.255.255.255 inside
pdm location 31.31.31.22 255.255.255.255 DMZ
pdm location 192.168.129.0 255.255.255.0 outside
pdm location 31.31.31.0 255.255.255.0 inside
pdm location 192.168.128.0 255.255.255.0 DMZ
pdm location 192.168.128.30 255.255.255.255 inside
pdm location 192.168.128.90 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 31.31.31.5-31.31.31.19
nat (inside) 0 access-list 110
nat (inside) 1 192.168.128.0 255.255.255.0 0 0
static (DMZ,outside) A.A.A.219 WebServer netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.128.0 192.168.128.0 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 A.A.A.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.128.0 255.255.255.0 inside
snmp-server host inside SM01
snmp-server location XXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXX
snmp-server community XXXXXXXXXXXX
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup CISCO-VPN address-pool cisco-pool
vpngroup CISCO-VPN dns-server IP.IP.IP.IP
vpngroup CISCO-VPN idle-time 1800
vpngroup CISCO-VPN password ********
telnet timeout 5
ssh 192.168.130.0 255.255.255.0 outside
ssh 192.168.129.0 255.255.255.0 outside
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 10
console timeout 0
vpdn group VPN-TEST accept dialin pptp
vpdn group VPN-TEST ppp authentication pap
vpdn group VPN-TEST ppp authentication chap
vpdn group VPN-TEST ppp authentication mschap
vpdn group VPN-TEST ppp encryption mppe 40
vpdn group VPN-TEST client configuration address local pptp-pool
vpdn group VPN-TEST client configuration dns IP.IP.IP.IP
vpdn group VPN-TEST pptp echo 60
vpdn group VPN-TEST client authentication local
vpdn username xxxxxxxx password ********
vpdn enable outside
dhcpd address 192.168.128.120-192.168.128.130 inside
dhcpd dns IP.IP.IP.IP
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username xxxxxxxx password $$$$$$$$$$$ encrypted privilege 15
terminal width 80
Reply to
mfoolb

Perhaps try entering the following commands in config mode.

access-list 110 line 1 permit ip 192.168.128.0 255.255.255.0 A.A.A.219 255.255.255.255
no static (inside,DMZ) 192.168.128.0 192.168.128.0 netmask 255.255.255.0 0 0
static (DMZ,inside) A.A.A.219 WebServer netmask 255.255.255.255 0 0
clear xlate

ba

snipped-for-privacy@gmail.com wrote:

Reply to
bajung
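Why the second static is the one that matters, as an added example that is not part of the thread and not bajung's or the poster's code: a small Python model of how a PIX 6.x picks the egress interface for a new connection and untranslates the destination. The model is a deliberate simplification and an assumption of this example: a static whose mapped side is the ingress interface is consulted before the routing table and rewrites the destination to the real address; otherwise the longest-matching route chooses the interface; and a packet that would leave on the interface it arrived on is refused, since PIX 6.x does not hairpin. Source translation (the nat 0 line in the answer) is not modelled. The public address A.A.A.219 is redacted in the thread, so 203.0.113.219 (RFC 5737 documentation space) stands in for it here; the two config excerpts are constructed from the thread's NAT-relevant lines before and after the fix.

```python
import ipaddress
import re

# Constructed excerpts of the NAT-relevant lines from the thread, before and
# after the fix.  203.0.113.219 stands in for the poster's redacted public
# address A.A.A.219 so that it parses; this substitution is an assumption of
# the example, not something the thread states.
BEFORE = """
name 31.31.31.25 WebServer
static (DMZ,outside) 203.0.113.219 WebServer netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.128.0 192.168.128.0 netmask 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.217 1
"""

AFTER = """
name 31.31.31.25 WebServer
static (DMZ,outside) 203.0.113.219 WebServer netmask 255.255.255.255 0 0
static (DMZ,inside) 203.0.113.219 WebServer netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.217 1
"""

# PIX 6.x syntax: static (real_if,mapped_if) mapped_addr real_addr netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
NAME_RE = re.compile(r"^name (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\w+) (\S+) (\S+) (\S+)")


def parse(config):
    """Collect name aliases, static translations and routes from a PIX config."""
    lines = config.strip().splitlines()
    names = {}
    for line in lines:
        m = NAME_RE.match(line)
        if m:
            names[m.group(2)] = m.group(1)
    statics, routes = [], []
    for line in lines:
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped, real, mask = m.groups()
            mapped_net = ipaddress.ip_network(f"{names.get(mapped, mapped)}/{mask}", strict=False)
            real_net = ipaddress.ip_network(f"{names.get(real, real)}/{mask}", strict=False)
            statics.append((real_if, mapped_if, mapped_net, real_net))
            continue
        m = ROUTE_RE.match(line)
        if m:
            iface, net, mask, _gateway = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}", strict=False)))
    return statics, routes


def lookup(config, ingress, dst):
    """Return (egress_interface, destination_after_untranslation) for a new
    connection arriving on `ingress` addressed to `dst`.

    Simplified model (an assumption of this example): a static whose mapped
    side is the ingress interface is consulted before the routing table and
    rewrites the destination to the real address behind it; otherwise the
    longest-matching route picks the egress interface and the destination is
    left untouched.  A packet that would leave on the interface it arrived on
    is refused, because PIX 6.x does not hairpin traffic.
    """
    dst = ipaddress.ip_address(dst)
    statics, routes = parse(config)
    for real_if, mapped_if, mapped_net, real_net in statics:
        if mapped_if == ingress and dst in mapped_net:
            offset = int(dst) - int(mapped_net.network_address)
            real = ipaddress.ip_address(int(real_net.network_address) + offset)
            return real_if, str(real)
    candidates = [r for r in routes if dst in r[1]]
    if not candidates:
        return None, None
    iface, _net = max(candidates, key=lambda r: r[1].prefixlen)
    if iface == ingress:
        return None, None  # would hairpin: dropped by PIX 6.x
    return iface, str(dst)


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "inside -> 203.0.113.219:", lookup(cfg, "inside", "203.0.113.219"))
```

Under this model the poster's original config has no static whose mapped side is the inside interface, so a packet from inside to the public address follows the default route out the outside interface instead of into the DMZ; the existing static (DMZ,outside) only serves packets that arrive on outside. Adding static (DMZ,inside) gives the inside interface its own translation for the same public address, so the connection is steered to the DMZ and the destination is rewritten to 31.31.31.25.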

Hi,

Thank you very much for the answer; the new static alone did the trick.

Ciao.

Reply to
mfoolb

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.