I have a weird problem with a PIX 515 that currently has devices attached to the inside, outside and one of the DMZ interfaces.
The 515 has an unrestricted license and we have a 28 bit public address range.
The devices in the DMZ use the internal DNS to resolve names, which then forwards to the outside world if needed. This works. For example, if I open a command prompt on one of the DMZ (Windows 2003) servers and ping
However, the devices in the DMZ cannot talk to the outside world directly and I can't for the life of me see why!
I'm sure I'm missing something here as I am still fairly new to this. I know the config below is loose but when I get it working I will tighten it up again!
TIA
Dave

nameif ethernet0 public security0
nameif ethernet1 inside security100
nameif ethernet2 ring2-dmz2 security75
nameif ethernet3 ring3-dmz1 security50
nameif ethernet4 ring4-mediasvrs security25
nameif ethernet5 ring5-testdr security10
enable password 61ulD3QJoosPuqiR encrypted
hostname pix1
domain-name mynetwork.net
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.9.2.0 dmz2
name 10.9.3.0 dmz1
name 10.9.5.0 testdr
name 10.9.1.0 ring1
name 10.9.3.1 svr-iis2
name x.x.x.154 svr-iis2-ext
name 10.9.1.2 sql1
name 10.9.3.2 svr-iis3
name x.x.x.153 svr-iis3-ext
name 10.9.4.0 mediazone
name 10.9.3.130 svr-wms2
name x.x.x.152 svr-wms2-ext
access-list ring3 permit tcp dmz1 255.255.255.252 ring1 255.255.255.252 eq domain
access-list ring3 permit udp dmz1 255.255.255.252 ring1 255.255.255.252 eq domain
access-list ring3 permit tcp dmz1 255.255.255.252 ring1 255.255.255.252 eq 88
access-list ring3 permit udp dmz1 255.255.255.252 ring1 255.255.255.252 eq 88
access-list ring3 permit tcp dmz1 255.255.255.252 ring1 255.255.255.252 eq 135
access-list ring3 permit udp dmz1 255.255.255.252 ring1 255.255.255.252 eq ntp
access-list ring3 permit udp dmz1 255.255.255.252 ring1 255.255.255.252 eq netbios-ns
access-list ring3 permit tcp dmz1 255.255.255.252 ring1 255.255.255.252 eq netbios-ssn
access-list ring3 permit tcp dmz1 255.255.255.252 ring1 255.255.255.252 eq ldap
access-list ring3 permit udp dmz1 255.255.255.252 ring1 255.255.255.252 eq 389
access-list ring3 permit tcp dmz1 255.255.255.252 ring1 255.255.255.252 eq 445
access-list ring3 permit tcp dmz1 255.255.255.252 ring1 255.255.255.252 eq 3268
access-list ring3 permit tcp dmz1 255.255.255.252 ring1 255.255.255.252 eq 1024
access-list ring3 permit tcp host sql1 host sql1 eq 1433
access-list ring3 permit tcp host svr-iis3 host sql1 eq 8530
access-list public-access permit tcp any host svr-iis3-ext eq www
access-list public-access permit tcp any host svr-iis3-ext eq https
access-list public-access permit tcp any host svr-wms2-ext eq www
no pager
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
mtu public 1500
mtu inside 1500
mtu ring2-dmz2 1500
mtu ring3-dmz1 1500
mtu ring4-mediasvrs 1500
mtu ring5-testdr 1500
ip address public x.x.x.158 255.255.255.240
ip address inside 10.9.1.254 255.255.255.0
ip address ring2-dmz2 10.9.2.254 255.255.255.0
ip address ring3-dmz1 10.9.3.254 255.255.255.0
ip address ring4-mediasvrs 10.9.4.254 255.255.255.0
ip address ring5-testdr 10.9.5.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address public 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address ring2-dmz2 0.0.0.0
failover ip address ring3-dmz1 0.0.0.0
failover ip address ring4-mediasvrs 0.0.0.0
failover ip address ring5-testdr 0.0.0.0
pdm history enable
arp timeout 14400
global (public) 1 x.x.x.146 netmask 255.255.255.240
global (ring3-dmz1) 1 10.9.3.240-10.9.3.249 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (ring3-dmz1) 1 0.0.0.0 0.0.0.0 0 0
static (ring3-dmz1,public) svr-iis3-ext svr-iis3 netmask 255.255.255.255 0 0
static (ring3-dmz1,public) svr-wms2-ext svr-wms2 netmask 255.255.255.255 0 0
access-group public-access in interface public
access-group ring3 in interface ring3-dmz1
route public 0.0.0.0 0.0.0.0 x.x.x.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.9.1.241 255.255.255.255 inside
http ring1 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet ring1 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 10.9.1.230-10.9.1.239 inside
dhcpd dns 10.9.1.1 sql1
dhcpd wins 10.9.1.1 sql1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain mynetwork.net
dhcpd enable inside
terminal width 80
Cryptochecksum:d36eb23113865db9373ba013cc27a2d5
: end
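Editor's note with an added example (this is not part of the original post and not Dave's configuration). Given the config shown, the most likely cause is the access list itself: as soon as "access-group ring3 in interface ring3-dmz1" is applied, the PIX evaluates DMZ-initiated traffic top to bottom against ring3 and drops anything that matches no entry (the implicit deny at the end). Every permit in ring3 points at ring1 or at sql1, so DMZ-to-inside DNS works, but there is no entry permitting DMZ hosts to reach "any", so direct DMZ-to-internet traffic is dropped before NAT is ever consulted. The translation path itself already exists ("nat (ring3-dmz1) 1 0.0.0.0 0.0.0.0" paired with "global (public) 1 x.x.x.146", plus the two statics), and the default route points out "public". The following entries, in PIX 6.x syntax using the names already defined in the config, add the missing outbound permits while keeping the DMZ from reaching the other internal subnets through the new "any" entries; the choice of www and https as the only outbound services is an assumption, so adjust it to what the DMZ servers actually need.

```text
! Added example, not from the original post. Entries are appended to ring3 in the
! order entered, after the existing permits, and first match wins.
!
! Caveat on the existing entries: they use mask 255.255.255.252 (/30), which only
! matches 10.9.3.0-10.9.3.3 and 10.9.1.0-10.9.1.3. The interface is /24
! (10.9.3.254 255.255.255.0), so hosts such as svr-wms2 at 10.9.3.130 match none
! of them. If that is not intentional, those entries need 255.255.255.0 as well.
!
! 1. Deny DMZ-initiated traffic to every other internal subnet first, so that the
!    "any" permits below cannot be used to reach them. The existing DNS/AD permits
!    to ring1 sit above these lines and still match first.
access-list ring3 deny ip dmz1 255.255.255.0 ring1 255.255.255.0
access-list ring3 deny ip dmz1 255.255.255.0 dmz2 255.255.255.0
access-list ring3 deny ip dmz1 255.255.255.0 mediazone 255.255.255.0
access-list ring3 deny ip dmz1 255.255.255.0 testdr 255.255.255.0
!
! 2. Permit only the outbound services the DMZ hosts need (assumed here: web and
!    HTTPS, e.g. for updates). Add further services explicitly rather than
!    falling back to "permit ip ... any".
access-list ring3 permit tcp dmz1 255.255.255.0 any eq www
access-list ring3 permit tcp dmz1 255.255.255.0 any eq https
!
! 3. Verify: hit counters on the entries show which line a test connection
!    matched, and a DMZ host that still fails should now show up as a miss.
show access-list
```

If a temporary "access-list ring3 permit ip dmz1 255.255.255.0 any" (entered after the deny lines) makes the DMZ work, that confirms the ACL was the blocker; remove it again once the specific permits are in place so the DMZ cannot initiate arbitrary connections outbound.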