Help with PIX515E config

hi all,

I've been unlucky with my previous posts in this newsgroup; this time I hope to receive answers from you experts. Thanks in advance for your help.

I'll try to explain the situation as clearly as I can; sorry for the bad English.

I have a PIX515E serving (mostly) three networks: outside, inside and DMZ. I can access the Internet (outside) using a box in the inside network. I can access the DMZ from the Internet. I can access DMZ directly from the inside interface. I need to access DMZ from the inside as if the request was coming from the Internet (using the mapped public address).

The current configuration of the PIX follows:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password $$$$$$$$$$$ encrypted
passwd $$$$$$$$$$ encrypted
hostname pix
domain-name
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name AS01
name AS02
name SM01
name WebServer
object-group service WebServer tcp
  port-object eq www
  port-object eq https
object-group service VPN-ACCESS tcp
  port-object eq ssh
  port-object eq 6974
access-list outside_access_in permit tcp any host A.A.A.219 object-group WebServer log
access-list 110 permit ip
access-list 110 permit ip
access-list outside_cryptomap_dyn_20 permit ip any
access-list DMZ_access_in permit tcp host AS01 log
access-list DMZ_access_in permit tcp host AS02 log
access-list DMZ_access_in permit tcp eq 5900
access-list DMZ_access_in permit tcp host eq sqlnet log
access-list DMZ_access_in permit tcp host eq ssh log
access-list DMZ_access_in permit udp host eq domain log
pager lines 24
logging on
logging timestamp
logging trap notifications
logging facility 21
logging host inside SM01 format emblem
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside A.A.A.218
ip address inside
ip address DMZ
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool
ip local pool cisco-pool
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ
pdm location DMZ
pdm location SM01 inside
pdm location WebServer DMZ
pdm location inside
pdm location AS01 inside
pdm location AS02 inside
pdm location DMZ
pdm location outside
pdm location inside
pdm location DMZ
pdm location inside
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1
nat (inside) 0 access-list 110
nat (inside) 1 0 0
static (DMZ,outside) A.A.A.219 WebServer netmask 0 0
static (inside,DMZ) netmask 0 0
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside A.A.A.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http inside
snmp-server host inside SM01
snmp-server location XXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXX
snmp-server community XXXXXXXXXXXX
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup CISCO-VPN address-pool cisco-pool
vpngroup CISCO-VPN dns-server IP.IP.IP.IP
vpngroup CISCO-VPN idle-time 1800
vpngroup CISCO-VPN password ********
telnet timeout 5
ssh outside
ssh outside
ssh inside
ssh timeout 10
console timeout 0
vpdn group VPN-TEST accept dialin pptp
vpdn group VPN-TEST ppp authentication pap
vpdn group VPN-TEST ppp authentication chap
vpdn group VPN-TEST ppp authentication mschap
vpdn group VPN-TEST ppp encryption mppe 40
vpdn group VPN-TEST client configuration address local pptp-pool
vpdn group VPN-TEST client configuration dns IP.IP.IP.IP
vpdn group VPN-TEST pptp echo 60
vpdn group VPN-TEST client authentication local
vpdn username xxxxxxxx password ********
vpdn enable outside
dhcpd address inside
dhcpd dns IP.IP.IP.IP
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username xxxxxxxx password $$$$$$$$$$$ encrypted privilege 15
terminal width 80

Probably try entering the following commands in config mode.

access-list 110 line 1 permit ip A.A.A.219
no static (inside,DMZ) netmask 0 0
static (DMZ,inside) A.A.A.219 WebServer netmask 0 0
clear xlate

ba wrote:

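The exchange above, restated as a before/after PIX 6.3 fragment. This is an added illustration, not text from either poster: the inside network 10.1.1.0/24 and the web server's real DMZ address 10.2.2.10 are constructed placeholders standing in for the addresses stripped from the thread, and the original (inside,DMZ) static is assumed to have been an identity translation. A.A.A.219, WebServer, access-list 110 and the interface names are the thread's own.

```text
! ---- BEFORE: the NAT lines from the original post (addresses constructed) ----
! WebServer (10.2.2.10 on DMZ) is published to the Internet as A.A.A.219.
static (DMZ,outside) A.A.A.219 WebServer netmask 255.255.255.255 0 0
! Inside hosts keep their real addresses on the DMZ (assumed identity static).
! Nothing maps A.A.A.219 on the inside interface, so an inside client that
! uses the public address is forwarded toward outside and the request
! never reaches the DMZ.
static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0

! ---- AFTER: the reply's fix ----
! 1. Exempt inside -> A.A.A.219 from dynamic NAT (access-list 110 is already
!    bound by "nat (inside) 0 access-list 110"), so the web server's logs
!    show the real inside client rather than the DMZ PAT address.
access-list 110 line 1 permit ip 10.1.1.0 255.255.255.0 host A.A.A.219
! 2. Remove the old inside -> DMZ static.
no static (inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
! 3. Publish the same public address on the inside interface, mapped to the
!    web server's real DMZ address: inside -> A.A.A.219 is now translated
!    to 10.2.2.10 and delivered on the DMZ interface.
static (DMZ,inside) A.A.A.219 WebServer netmask 255.255.255.255 0 0
! 4. Flush existing translations so the new static takes effect immediately.
clear xlate

! ---- CHECK ----
show static
show xlate
```

Two points worth keeping in mind when applying this on your own box. A static is bidirectional, so once it is in place any connection the web server itself opens toward inside hosts arrives with source address A.A.A.219; host-based filters or logs on the inside that expect the server's real address need to be rechecked. And "show xlate" only lists the translation after an inside client has actually connected, so test from an inside host and then confirm the entry rather than relying on "show static" alone.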


Thank you very much for the answer; just the new static did the trick.

