Hello, I set up a PIX 515E firewall with three interfaces: inside (192.168.35.5), outside, and DMZ (172.30.50.20). There is an application server with a public IP address at a remote site, connected to the PIX DMZ interface. Computers on the inside network should telnet to the remote server in the DMZ, and the remote server will send print jobs back to the printers on the inside network. I have put an access-list permitting TCP traffic on ports 515 (LPD) and 9100 on the DMZ interface.
The computers can telnet to the remote server without problem, but when a user requests printing, the remote server cannot send the print job back to the printers on the inside network.
PIX 515E shows:
%PIX-3-106010: Deny inbound tcp src DMZ:126.96.36.199/729 dst inside:192.168.1.158/515
%PIX-3-106010: Deny inbound tcp src DMZ:188.8.131.52/721 dst inside:192.168.1.50/515
%PIX-3-106010: Deny inbound tcp src DMZ:184.108.40.206/726 dst inside:192.168.1.25/515
%PIX-3-106010: Deny inbound tcp src DMZ:220.127.116.11/727 dst inside:192.168.1.39/515
%PIX-3-106010: Deny inbound tcp src DMZ:18.104.22.168/60585 dst inside:192.168.1.114/9100
(Note: if I replace the PIX firewall with a router configured for routing and no NAT, everything works fine.)
Part of the PIX 515 configuration follows:
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
access-list 110 permit tcp 22.214.171.124 255.255.255.0 range 721 731 192.168.1.0 255.255.255.0 eq lpd
access-list 110 permit tcp 126.96.36.199 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet
access-list 110 permit tcp 188.8.131.52 255.255.255.0 range 721 731 192.168.1.0 255.255.255.0 eq 9100
ip address inside 192.168.35.5 255.255.255.0
ip address dmz 172.30.50.20 255.255.255.248
nat (inside) 0 192.168.1.0 255.255.255.0 0 0
nat (intf2) 0 184.108.40.206 255.255.255.0 0 0
access-group 110 in interface dmz
route dmz 220.127.116.11 255.255.255.0 172.30.50.17 1
route inside 192.168.1.0 255.255.255.0 192.168.35.10 1
I looked at the traffic log on the PIX firewall; the access-list doesn't seem to be applied to the DMZ interface, because when I show access-list, the hit count is 0.
Is there something wrong in my configuration? Your help will be appreciated. Thank you. JY
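Added example (not part of JY's post, and not Cisco code): a small checker that parses PIX 6.x `access-list` entries and `%PIX-3-106010` deny messages and reports which entry, if any, each denied flow would have matched. In PIX syntax the `range 721 731` that sits between the source network and the destination network is a source-port condition, which is right for LPD (RFC 1179 requires the client to use source ports 721 to 731) but not for raw port 9100 printing, where the client uses an ephemeral source port, as in the posted deny line with source port 60585. This check is independent of whether the access-group is actually bound to the interface; the addresses, the port-name table, and the sample lines below are constructed for the example and are not the poster's real addresses.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: three entries in the same shape as the posted ones
# (source-port range 721-731 on the lpd and 9100 lines, none on telnet), with
# hypothetical addresses: 172.30.50.0/24 for the remote server side behind the
# DMZ interface and 192.168.1.0/24 for the inside printers.
ACL_LINES = [
    "access-list 110 permit tcp 172.30.50.0 255.255.255.0 range 721 731 192.168.1.0 255.255.255.0 eq lpd",
    "access-list 110 permit tcp 172.30.50.0 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet",
    "access-list 110 permit tcp 172.30.50.0 255.255.255.0 range 721 731 192.168.1.0 255.255.255.0 eq 9100",
]

# Constructed %PIX-3-106010 lines with the same address plan; the source and
# destination ports mirror the ones in the post (729->515, 60585->9100).
LOG_LINES = [
    "%PIX-3-106010: Deny inbound tcp src DMZ:172.30.50.100/729 dst inside:192.168.1.158/515",
    "%PIX-3-106010: Deny inbound tcp src DMZ:172.30.50.100/60585 dst inside:192.168.1.114/9100",
    "%PIX-3-106010: Deny inbound tcp src DMZ:172.30.50.100/4021 dst inside:192.168.1.50/23",
]

# Only the PIX port keywords used in the post; extend as needed (assumption).
PORT_NAMES = {"lpd": 515, "telnet": 23}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def port_spec(tokens, i):
    """Parse an optional 'eq N' or 'range A B' at tokens[i].
    Returns ((lo, hi), index_of_next_token); no operator means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        p = _port(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return (0, 65535), i


def parse_ace(line):
    """access-list <id> permit|deny <proto> <src> <mask> [op] <dst> <mask> [op]
    PIX uses real netmasks here, not IOS-style wildcard masks."""
    t = line.split()
    action, proto = t[2], t[3]
    src = ip_network(f"{t[4]}/{t[5]}", strict=False)
    sports, i = port_spec(t, 6)          # operator after the source applies to the source port
    dst = ip_network(f"{t[i]}/{t[i + 1]}", strict=False)
    dports, _ = port_spec(t, i + 2)      # operator after the destination applies to the destination port
    return {"action": action, "proto": proto, "src": src, "sports": sports,
            "dst": dst, "dports": dports}


LOG_RE = re.compile(r"Deny inbound (\w+) src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+)")


def parse_log(line):
    proto, sif, sip, sport, dif, dip, dport = LOG_RE.search(line).groups()
    return {"proto": proto, "src_if": sif, "src": ip_address(sip), "sport": int(sport),
            "dst_if": dif, "dst": ip_address(dip), "dport": int(dport)}


def first_match(acl, flow):
    """Index of the first ACE the flow matches, or None for the implicit deny."""
    for n, ace in enumerate(acl):
        if ace["proto"] not in (flow["proto"], "ip"):
            continue
        if flow["src"] not in ace["src"] or flow["dst"] not in ace["dst"]:
            continue
        if not ace["sports"][0] <= flow["sport"] <= ace["sports"][1]:
            continue
        if not ace["dports"][0] <= flow["dport"] <= ace["dports"][1]:
            continue
        return n
    return None


def evaluate(acl_lines=ACL_LINES, log_lines=LOG_LINES):
    """Return (source port, destination port, verdict) per logged deny."""
    acl = [parse_ace(l) for l in acl_lines]
    results = []
    for line in log_lines:
        flow = parse_log(line)
        n = first_match(acl, flow)
        verdict = acl[n]["action"] if n is not None else "implicit-deny"
        results.append((flow["sport"], flow["dport"], verdict))
    return results


if __name__ == "__main__":
    for sport, dport, verdict in evaluate():
        print(f"src port {sport:>5} -> dst port {dport:>5}: {verdict}")
```

With the sample input the 729 to 515 and 4021 to 23 flows match a permit entry, while the 60585 to 9100 flow falls through to the implicit deny because no entry permits port 9100 from an ephemeral source port. When an ACL that should match shows a hit count of 0, as in the post, the entry-level check above is the second question to settle once the access-group binding and the translation (nat 0 or static) between the DMZ and inside interfaces have been confirmed.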