Firewall Wizards mailing list archives

Re: DMZ traffic out to internet with PIX 515


From: Victor Williams <vbwilliams () neb rr com>
Date: Fri, 05 Jan 2007 18:27:44 -0600

You've got no access-list entries allowing hosts in the DMZ1 segment 
access out to the internet.  Also, checking the log buffer on the PIX 
will usually give you the culprit of what's causing your access issue, if 
you have it set up to do so.  Set the log to warning or higher and it 
will show you what the culprit is.

What I believe you need is (at least for traffic to http and https 
websites):

access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq 80
access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq 443
nat (DMZ1) 1 10.0.0.0 255.255.255.0





Paul Madore wrote:

I have a PIX 515 running 6.3 with three interfaces including inside, outside 
and DMZ.  I have a webserver in the DMZ that receives traffic on 80 and 443. 
Currently no traffic can go out of the DMZ to the inside or outside 
interfaces.  My problem is: I want to be able to get out to the internet 
from the DMZ.  Here are the relevant entries in my config minus public IPs. 
I am thinking I need a NAT and GLOBAL entry, and I tried that, but the 
global entry killed all incoming traffic to the DMZ; maybe I just had the 
entry wrong...  Thanks


nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security50
access-list acl_out permit tcp any host <public.ip> eq www
access-list acl_out permit tcp any host <public.ip> eq https
access-list acl_out permit tcp any host <public.ip> eq smtp
access-list acl_out permit icmp any any
access-list acl_out permit tcp any interface outside
access-list acl_out permit tcp any eq pop3 host <public.ip> eq pop3
access-list acl_out permit tcp any eq smtp host <public.ip> eq smtp
access-list acl_out permit tcp any eq ftp host <public.ip> eq ftp
access-list dmz_out permit icmp any any
access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
access-list inside_outbound_nat0_acl permit ip any vpn_mobile 255.0.0.0
access-list outside_cryptomap_dyn_20 permit ip any vpn_mobile 255.0.0.0
ip address outside <public.ip> 255.255.255.224
ip address inside 1.141.1.99 255.0.0.0
ip address DMZ1 10.0.0.1 255.255.255.0
ip local pool mobile 1.141.4.1-1.141.4.15
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 vpn_mobile 255.0.0.0 0 0
static (DMZ1,outside) tcp <public.ip> www 10.0.0.3 www netmask 255.255.255.255 0 0
static (DMZ1,outside) tcp <public.ip> https 10.0.0.3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp <public.ip> smtp 1.1.1.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 IPO 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 email 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 email 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https email https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp email pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface nntp email nntp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 email pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp email smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp email ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www email www netmask 255.255.255.255 0 0
static (inside,DMZ1) vpn_mobile vpn_mobile netmask 255.0.0.0 0 0
access-group acl_out in interface outside
access-group dmz_out in interface DMZ1
route outside 0.0.0.0 0.0.0.0 <public.ip> 1


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
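
The two conditions the reply above relies on (a permit entry in the ACL applied to the DMZ interface, and a nat/global pair translating the DMZ subnet toward the outside) as an added example, not code from the original post or from Cisco: a small Python model of how a PIX 6.3 decides whether a connection opened from the DMZ can reach the outside. It parses the commands it needs from a constructed copy of the posted config, lists why a given connection would be dropped, and is then re-run with the three lines suggested in the reply appended. Assumptions: the destination 203.0.113.10 is a constructed internet address; `name` objects and the poster's `<public.ip>` placeholder are treated as unresolvable and never match; `nat 0` exemption, tcp/udp port statics as a source of outbound translations, and other PIX special cases are left out of the model on purpose.

```python
"""A PIX 6.3 lets a host open a connection toward a lower-security interface only if
the inbound ACL on its interface permits it AND (nat-control) a nat/global pair or a
static translates it. Added example, not code from the post or from Cisco; simplified."""
import ipaddress

PORTS = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110, "ftp": 21}

def net(ip, mask="255.255.255.255"):
    """IPv4 network, or None for a 'name' object or <placeholder>; None never matches."""
    try:
        return ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    except ValueError:
        return None

def contains(network, ip):
    return network is not None and ip in network

def parse_addr(tok, i):  # 'any' | 'host X' | 'X MASK' | 'interface NAME' -> (net, next)
    if tok[i] == "any":
        return net("0.0.0.0", "0.0.0.0"), i + 1
    if tok[i] == "host":
        return net(tok[i + 1]), i + 2
    if tok[i] == "interface":  # the firewall's own address, not a subnet
        return None, i + 2
    return net(tok[i], tok[i + 1]), i + 2

def parse_ports(tok, i):  # optional 'eq P' | 'range A B' -> ((lo, hi) or None, next)
    if i < len(tok) and tok[i] in ("eq", "range"):
        n = 1 if tok[i] == "eq" else 2
        p = [PORTS.get(t) or int(t) for t in tok[i + 1:i + 1 + n]]
        return (p[0], p[-1]), i + 1 + n
    return None, i

def parse_pix(config):
    m = {"iface": {}, "acl": {}, "group": {}, "nat": {}, "global": {}, "static": []}
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "nameif":                   # nameif ethernet2 DMZ1 security50
            m["iface"][tok[2]] = int(tok[3].replace("security", ""))
        elif tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            src, i = parse_addr(tok, 4)          # NAME action PROTO SRC [PORTS] DST [PORTS]
            _, i = parse_ports(tok, i)           # source ports are ignored by this model
            dst, i = parse_addr(tok, i)
            m["acl"].setdefault(tok[1], []).append((tok[2], tok[3], src, dst, parse_ports(tok, i)[0]))
        elif tok[0] == "access-group" and tok[2] == "in":
            m["group"][tok[4]] = tok[1]          # interface -> its inbound ACL
        elif tok[0] == "nat" and tok[2] != "0":  # nat 0 is exemption, not a pool
            m["nat"].setdefault(tok[1].strip("()"), []).append((tok[2], net(tok[3], tok[4])))
        elif tok[0] == "global":                 # global (outside) 1 interface
            m["global"].setdefault(tok[1].strip("()"), set()).add(tok[2])
        elif tok[0] == "static" and tok[2] not in ("tcp", "udp"):
            # Only a plain static translates every flow from the local range; a tcp/udp port
            # static maps one inbound port and gives an outbound connection no xlate.
            src_if, dst_if = tok[1].strip("()").split(",")
            m["static"].append((src_if, dst_if, net(tok[3], tok[5])))
    return m

def outbound_check(m, src_if, src_ip, dst_if, proto, dport, dst_ip="203.0.113.10"):
    """Reasons a new connection would be dropped ([] = passes); dst_ip is a constructed address."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    problems, acl = [], m["group"].get(src_if)
    if acl is None:  # no ACL: higher-to-lower security traffic passes by default
        if m["iface"][src_if] <= m["iface"][dst_if]:
            problems.append(f"{src_if} has no ACL and is not higher-security than {dst_if}")
    else:
        verdict = "deny"  # first match wins; implicit deny at the end of every ACL
        for action, p, src, dst, ports in m["acl"].get(acl, []):
            if (p in ("ip", proto) and contains(src, src_ip) and contains(dst, dst_ip)
                    and (ports is None or ports[0] <= dport <= ports[1])):
                verdict = action
                break
        if verdict != "permit":
            problems.append(f"ACL {acl} on {src_if} does not permit {proto}/{dport} to {dst_ip}")
    pools = {nid for nid, n in m["nat"].get(src_if, []) if contains(n, src_ip)}
    translated = bool(pools & m["global"].get(dst_if, set())) or any(
        s == src_if and d == dst_if and contains(n, src_ip) for s, d, n in m["static"])
    if not translated:
        problems.append(f"nothing translates {src_ip} from {src_if} to {dst_if} (no nat/global, no static)")
    return problems

# Constructed from the posted config: only the lines this model reads, placeholder kept as written.
POSTED = """
nameif ethernet0 outside security0
nameif ethernet2 DMZ1 security50
access-list dmz_out permit icmp any any
access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
global (outside) 1 interface
static (DMZ1,outside) tcp <public.ip> www 10.0.0.3 www netmask 255.255.255.255 0 0
access-group dmz_out in interface DMZ1
"""
PROPOSED_FIX = """
access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq 80
access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq 443
nat (DMZ1) 1 10.0.0.0 255.255.255.0
"""
```

Run `outbound_check(parse_pix(POSTED), "DMZ1", "10.0.0.3", "outside", "tcp", 443)` and the model reports both problems from the thread: no permit in `dmz_out` for web traffic to an arbitrary outside host, and no nat/global pair or static translating 10.0.0.3 toward `outside` (the two port statics only map 80 and 443 inbound). For ICMP it reports only the missing translation, since `permit icmp any any` already matches. With `parse_pix(POSTED + PROPOSED_FIX)` tcp/80 and tcp/443 pass for any host in 10.0.0.0/24, while tcp/22 is still stopped by the ACL, which is the intended effect of permitting only the two web ports.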