hi everyone,
I have a PIX 515 version 6.3(3) with three interfaces: inside, outside, and DMZ. I have a webserver in the DMZ and up until now I only needed www and https traffic to get to it. But now I need some of the webpages to have links that go out to https pages on other external servers. Currently I cannot do that, so as a test I set up a workstation in the DMZ and it cannot get out to the internet either. The workstation can only see and ping the webserver and the DMZ interface but cannot go to any websites. From everything I have learned lately, traffic should be allowed from a higher security zone (DMZ) to a lower security zone (outside), so maybe I just need a static command to allow DMZ traffic to go out. The webserver is at 10.0.0.3 and here is my config minus external IPs and other unimportant entries like PDM, HTTP, FIXUP, ISAKMP, etc. Thanks
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security50
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname name.pix
domain-name name.com
names
name 1.141.1.11 IPO
name 1.141.1.29 email
name exchange
name 1.0.0.0 vpn_mobile
access-list acl_out permit tcp any host eq www
access-list acl_out permit tcp any host eq https
access-list acl_out permit tcp any host eq smtp
access-list acl_out permit icmp any any
access-list acl_out permit tcp any interface outside
access-list acl_out permit tcp any eq pop3 host eq pop3
access-list acl_out permit tcp any eq smtp host eq smtp
access-list acl_out permit tcp any eq ftp host eq ftp
access-list dmz_out permit icmp any any
access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
access-list inside_outbound_nat0_acl permit ip any vpn_mobile 255.0.0.0
access-list outside_cryptomap_dyn_20 permit ip any vpn_mobile 255.0.0.0
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
ip address outside 255.255.255.224
ip address inside 1.141.1.99 255.0.0.0
ip address DMZ1 10.0.0.1 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 vpn_mobile 255.0.0.0 0 0
static (DMZ1,outside) tcp www 10.0.0.3 www netmask 255.255.255.255 0 0
static (DMZ1,outside) tcp https 10.0.0.3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp smtp 1.1.1.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 IPO 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 email 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 email 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https email https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp email pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface nntp email nntp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 email pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp email smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp email ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www email www netmask 255.255.255.255 0 0
static (inside,DMZ1) vpn_mobile vpn_mobile netmask 255.0.0.0 0 0
access-group acl_out in interface outside
access-group dmz_out in interface DMZ1
route outside 0.0.0.0 0.0.0.0 1
timeout xlate 3:00:00
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 1.141.2.223 /tftp-root/
floodguard enable
sysopt connection permit-ipsec
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxx
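The configuration fragment below is an added example, not part of the original post. It shows the two pieces a PIX 6.3 needs before a DMZ host can reach outside HTTPS servers, using the interface names and addresses from the posted config; the 10.0.0.0/24 DMZ subnet is inferred from the DMZ1 interface address, and the DNS server address is a placeholder.

```cisco
! Added example (not from the original post): outbound HTTPS from DMZ1 on PIX 6.3.
!
! 1. Translation. The posted config has "global (outside) 1 interface" but no
!    nat statement for DMZ1, so DMZ hosts have no xlate toward outside and the
!    PIX drops their outbound connections. Pair the DMZ subnet (assumed
!    10.0.0.0/24 from "ip address DMZ1 10.0.0.1 255.255.255.0") with pool 1.
nat (DMZ1) 1 10.0.0.0 255.255.255.0 0 0
!
! 2. Filtering. "access-group dmz_out in interface DMZ1" replaces the default
!    higher-to-lower permit with the ACL's implicit deny, and dmz_out only
!    permits icmp plus tcp 10.0.0.3 -> 1.1.1.1 ports 12100-12109. Permit just
!    what the web server needs: HTTPS to external servers, and DNS so it can
!    resolve hostnames (DNS server address is a placeholder, not from the post).
access-list dmz_out permit tcp host 10.0.0.3 any eq https
access-list dmz_out permit udp host 10.0.0.3 host <DNS-SERVER-IP> eq domain
!
! Least privilege: the lines above are scoped to the web server host only.
! Everything else from the DMZ stays blocked by the ACL's implicit deny, so
! a workstation placed in the DMZ for testing is still not allowed out.
!
! Verification after applying:
!   show xlate        -> a PAT entry for 10.0.0.3 appears once it opens a connection
!   show access-list  -> hit counts increment on the two new dmz_out lines
```

If the test workstation should also get out, add matching permit lines for its address rather than widening the source to the whole subnet.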