Pix 515 with 3 zone question

Hi,

Here's the scenario: I have a PIX 515 with the following zones:

outside security 0, trust security 50, management security 70

Outside and trust have public IPs and management has private ones. My only problem is that the management zone cannot access the trust zone. I looked at all the Cisco scenarios but I could not find an example with two public and one private. Any suggestions?

I did a debug packet with src and dst set to an IP in the trust zone, and I don't see any packets arriving from the management zone.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto shutdown
interface ethernet2 auto
interface ethernet3 auto
interface ethernet3 vlan10 logical
nameif ethernet0 outside security0
nameif ethernet1 dmz security10
nameif ethernet2 trust security50
nameif ethernet3 trunk security70
nameif vlan10 management security70
enable password ********
passwd ******
hostname frwll
domain-name *******
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.50 my_pc
name X.X.X.35 nas
name X.X.X.36 ap1234
name X.X.X.30 my_pc_public
name X.X.X.22 warp_public
access-list vpn-ACL permit ip 192.168.0.0 255.255.255.0 10.100.50.0 255.255.255.0
access-list vpn-ACL permit ip 192.168.50.0 255.255.255.0 10.100.50.0 255.255.255.0
access-list outbound_management remark Vlan10
access-list outbound_management permit ip host my_pc any
access-list outbound_management permit ip host 192.168.0.253 any
access-list outbound_management remark -------------
access-list outbound_management remark CallcenterACL
access-list outbound_management permit ip 192.168.1.0 255.255.255.0 any
access-list outbound_management permit ip 192.168.240.0 255.255.255.0 any
access-list outbound_management remark -------------
access-list outbound_management permit ip X.X.X.32 255.255.255.224 any
access-list outbound_management permit ip any X.X.X.32 255.255.255.224
access-list inbound_acl remark Global
access-list inbound_acl permit icmp any any
access-list inbound_acl remark -------------
access-list inbound_acl remark trust
access-list inbound_acl permit tcp any host nas eq ftp
access-list inbound_acl permit tcp any host nas eq 445
access-list inbound_acl permit udp any host nas eq 445
access-list inbound_acl permit tcp any host nas eq netbios-ssn
access-list inbound_acl permit udp any host nas eq 139
access-list inbound_acl permit tcp any host nas eq www
access-list inbound_acl permit tcp any host nas eq 3202
access-list inbound_acl permit udp any host nas eq 3202
access-list inbound_acl permit tcp any host ap1234 eq www
access-list inbound_acl permit tcp any host ap1234 eq ftp
access-list inbound_acl permit tcp any host ap1234 eq 8080
access-list inbound_acl permit udp any host ap1234 eq snmp
access-list inbound_acl permit tcp any host ap1234 eq 3389
access-list inbound_acl remark -------------
access-list inbound_acl remark Vlan10
access-list inbound_acl permit tcp any host my_pc_public eq www
access-list inbound_acl permit tcp any host warp_public eq www
access-list inbound_acl permit tcp any host warp_public eq https
access-list inbound_acl permit tcp any host warp_public eq 3306
access-list inbound_acl permit tcp any host warp_public eq ssh
access-list inbound_acl remark -------------
access-list outbound_trust remark trust
access-list outbound_trust permit ip X.X.X.32 255.255.255.224 any
access-list outbound_trust permit ip 192.168.0.0 255.255.255.0 any
access-list outbound_trust permit ip any 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu dmz 1500
mtu trust 1500
mtu trunk 1500
ip address outside X.X.X.6 255.255.255.224
no ip address dmz
ip address trust X.X.X.33 255.255.255.224
no ip address trunk
ip address management 192.168.0.40 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnippool 10.100.50.1-10.100.50.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address dmz
no failover ip address trust
no failover ip address trunk
no failover ip address management
pdm history enable
arp timeout 14400
global (outside) 50 X.X.X.7
global (outside) 10 X.X.X.8
nat (management) 0 access-list vpn-ACL
nat (management) 10 192.168.0.0 255.255.255.0 0 0
nat (management) 50 192.168.1.0 255.255.255.0 0 0
nat (management) 50 192.168.240.0 255.255.255.0 0 0
static (trust,outside) X.X.X.32 X.X.X.32 netmask 255.255.255.224 0 0
access-group inbound_acl in interface outside
access-group outbound_trust in interface trust
access-group outbound_management in interface management
route outside 0.0.0.0 0.0.0.0 X.X.X.1 1
route management 192.168.1.0 255.255.255.0 192.168.0.252 1
route management 192.168.10.0 255.255.255.0 192.168.0.252 1
route management 192.168.50.0 255.255.255.0 192.168.0.252 1
route management 192.168.240.0 255.255.255.0 192.168.0.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
: end
frwll#
kip
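Added example for readers of this thread; it is not part of kip's post or of any reply. On PIX 6.3 nat-control is always on: a connection from a higher-security interface (management, 70) to a lower one (trust, 50) must match a nat/global pair, a nat 0 entry or a static between those two interfaces, otherwise the packet is dropped before it reaches the egress interface. In the posted config, nat (management) 10 (192.168.0.0/24) and nat (management) 50 only have matching globals on outside, and nothing on trust, so management-to-trust packets never appear in a debug packet on trust. Either fragment below supplies the missing translation; the identity static is the one that fits the existing outbound_trust entries for 192.168.0.0/24. It assumes the trust hosts use the PIX trust address (X.X.X.33) as their gateway, so replies to 192.168.0.x come back through the firewall.

```text
! Option A: no-NAT (identity) static between management and trust.
! Trust hosts see the real 192.168.0.x addresses, which is what
! outbound_trust already permits in both directions.
static (management,trust) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0

! Option B (instead of A): PAT management hosts behind the trust
! interface address, reusing nat id 10 that already covers 192.168.0.0/24.
! Trust-initiated traffic to management would still need a static.
global (trust) 10 interface

! The call-center networks behind 192.168.0.252 use nat id 50 and need
! their own entry on trust as well (one of the two, same pattern):
! static (management,trust) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
! global (trust) 50 interface

! Existing translations must be rebuilt after either change.
clear xlate
```

To confirm the diagnosis before changing anything, turn on buffered logging (logging buffered 3 and logging on) and retry from a management host: a dropped management-to-trust packet is reported as %PIX-3-305005 "No translation group found". After the change, show xlate lists the management entries once a connection has been attempted, and the debug packet on trust starts showing the packets.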

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.