PIX DMZ Setup?

I have tried every combination I can think of but I cannot get this to work... I'm trying to set up a server on a PIX 515 DMZ interface and allow it to talk freely to the Internet going outbound while allowing only inbound port 3389 traffic?

Here's what I have at this time for the dmz interface >>

nameif ethernet2 dmz security50

ip address dmz 172.16.128.1 255.255.255.0

static (dmz,outside) tcp 12.166.12.33 3389 172.16.128.11 3389 netmask 255.255.255.255 0 0

access-list dmz-in permit tcp any host 12.166.12.33 eq 3389

access-group dmz-in in interface outside

David

David wrote: [CUT]

I cannot verify it, but try

access-list dmz-in permit tcp any host 172.16.128.11 eq 3389

Let us know.

Alex.

AM

255.255.255.255 0 0

The above should handle incoming traffic to port 3389, if 12.166.12.33 is not the IP address of the outside interface. Outgoing traffic needs additional lines, for example

global (outside) 1 12.166.12.33
nat (dmz) 1 172.16.128.0 255.255.255.0

Because outgoing traffic goes from a higher-security interface to a lower-security interface, there is no need for an access-list. However, it is a good habit to always have one, so you might want to add the lines

access-list dmz-out permit ip host 172.16.128.11 any
access-group dmz-out in interface dmz

Jyri Korhonen

Guys,

I've tried everything including various nat / global entries.

Here's my current config (IPs and passwords altered for security reasons).

Here's the server we want inbound 3389 access to via the DMZ interface

static (dmz,outside) tcp fsc-web 3389 172.16.128.11 3389 netmask 255.255.255.255 0 0

Does anything look wrong? >>

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto
interface ethernet4 auto shutdown
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password ***************
passwd **************
hostname At-Pix
domain-name ********.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 12.166.12.163 email
name 12.166.12.164 VPN
name 12.166.12.175 Boardroom-CAM
name 12.166.12.176 Training-Room-CAM
name 192.168.200.10 Atlanta-TS2
name 12.166.12.167 lawweb-ext
name 192.168.200.31 lawweb-int
name 12.166.12.168 fsc-web
access-list inbound01 permit icmp any any echo-reply
access-list inbound01 permit icmp any any time-exceeded
access-list inbound01 permit icmp any any unreachable
access-list inbound01 permit tcp any host email eq smtp
access-list inbound01 permit tcp any host VPN eq pptp
access-list inbound01 permit tcp any host Boardroom-CAM eq www
access-list inbound01 permit tcp any host Training-Room-CAM eq www
access-list inbound01 permit tcp any host email eq https
access-list inbound01 permit tcp any host email eq www
access-list inbound01 permit tcp any host VPN eq 3389
access-list inbound01 permit tcp any host Atlanta-TS2 eq 3389
access-list inbound01 permit gre any host VPN
access-list inbound01 permit tcp any host fsc-web eq 3389
access-list pixtosw permit ip 192.168.170.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz-in permit tcp any host fsc-web eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 12.166.12.162 255.255.255.224
ip address inside 192.168.200.34 255.255.255.0
ip address dmz 172.16.128.1 255.255.255.0
ip address intf3 192.168.251.1 255.255.255.0
ip address intf4 192.168.252.1 255.255.255.0
ip address intf5 192.168.253.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
failover ip address intf3 192.168.251.2
failover ip address intf4 192.168.252.2
failover ip address intf5 192.168.253.2
failover link intf5
pdm location 192.168.200.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 10 fsc-web
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 10 172.16.128.0 255.255.255.0 0 0
static (inside,outside) tcp VPN 3389 Atlanta-TS2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp VPN pptp 192.168.200.13 pptp netmask 255.255.255.255 0 0
static (dmz,outside) tcp fsc-web 3389 172.16.128.11 3389 netmask 255.255.255.255 0 0
static (inside,outside) Boardroom-CAM 192.168.170.31 netmask 255.255.255.255 0 0
static (inside,outside) Training-Room-CAM 192.168.170.32 netmask 255.255.255.255 0 0
static (inside,outside) email 192.168.200.12 netmask 255.255.255.255 0 0
static (inside,outside) lawweb-ext lawweb-int netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.255.0 0 0
access-group dmz-in in interface outside
access-group inbound01 in interface dmz
route outside 0.0.0.0 0.0.0.0 12.166.12.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http xxxxxxxxxxxxxxx outside
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *******
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
crypto map tosonicwall 20 set peer 12.26.280.198
crypto map tosonicwall 20 set transform-set strongsha
crypto map tosonicwall interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
telnet 192.168.200.0 255.255.255.0 inside
telnet timeout 20
ssh ********** 255.255.255.255 outside
ssh ********** 255.255.255.255 outside
ssh timeout 60
console timeout 0
username ****** password ***** encrypted privilege 15
username ****** password ***** encrypted privilege 2
terminal width 80
Cryptochecksum:***********
: end
David
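Added here as a review aid, not code from the thread or from Cisco: a Python helper that reads the name, access-list, access-group, nat and global lines of a PIX 6.3 config (fed with a constructed excerpt of the config posted above) and reports, per interface, which ACL entries actually govern traffic entering it with name aliases resolved, plus any nat id that has no matching global pool of the kind Jyri's reply says outbound traffic needs. It assumes the PIX 6.x rule of one inbound ACL per interface.

```python
import re

# Constructed excerpt in the shape of the PIX 6.3 config posted in this thread
# (name aliases, ACL entries, nat/global ids and access-group bindings taken from it).
SAMPLE_CONFIG = """
name 12.166.12.163 email
name 12.166.12.168 fsc-web
access-list inbound01 permit tcp any host email eq smtp
access-list inbound01 permit tcp any host fsc-web eq 3389
access-list dmz-in permit tcp any host fsc-web eq 3389
global (outside) 1 interface
global (outside) 10 fsc-web
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 10 172.16.128.0 255.255.255.0 0 0
access-group dmz-in in interface outside
access-group inbound01 in interface dmz
"""

def parse_pix(config):
    """Pull name aliases, ACLs, access-group bindings and nat/global ids out of a PIX 6.3 config."""
    names, acls, bindings, nat_ids, global_ids = {}, {}, {}, {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"name (\S+) (\S+)$", line):
            names[m.group(2)] = m.group(1)            # alias -> address ('name' lines precede ACLs)
        elif m := re.match(r"access-list (\S+) (permit|deny) (.*)$", line):
            # expand aliases so the reviewer sees the real addresses, not the labels
            body = " ".join(names.get(tok, tok) for tok in m.group(3).split())
            acls.setdefault(m.group(1), []).append(f"{m.group(2)} {body}")
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            bindings[m.group(2)] = m.group(1)         # PIX 6.x: one inbound ACL per interface
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            nat_ids[m.group(1)] = int(m.group(2))     # interface -> nat id
        elif m := re.match(r"global \(\S+\) (\d+) ", line):
            global_ids.add(int(m.group(1)))           # ids that have a pool to translate into
    return names, acls, bindings, nat_ids, global_ids

def effective_rules(config):
    """Interface -> ACL entries that actually apply to traffic entering it (missing ACL -> empty list)."""
    _, acls, bindings, _, _ = parse_pix(config)
    return {iface: acls.get(acl, []) for iface, acl in bindings.items()}

def nat_without_global(config):
    """Interfaces whose nat id has no matching global pool, so outbound PAT cannot be built."""
    _, _, _, nat_ids, global_ids = parse_pix(config)
    return sorted(iface for iface, nid in nat_ids.items() if nid not in global_ids)
```

Run it against a full `write terminal` dump to see, per interface, which rules are really in force before adding more statics or ACL lines.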
