Firewall Wizards mailing list archives
Re: DMZ traffic out to internet with PIX 515
From: Victor Williams <vbwilliams () neb rr com>
Date: Fri, 05 Jan 2007 18:27:44 -0600
You've got no access list entries allowing hosts in the DMZ1 segment access out to the internet. Also, checking the log buffer on the PIX will usually give you the culprit of what's causing your access issue if you have it set up to do so... set the log to warning or higher and it will show you what the culprit is.

What I believe you need is (at least for traffic to http and https websites):

    access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq 80
    access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq 443
    nat (DMZ1) 1 10.0.0.0 255.255.255.0

Paul Madore wrote:
I have a PIX 515 running 6.3 with three interfaces including inside, outside and DMZ. I have a webserver in the DMZ that receives traffic on 80 and 443. Currently no traffic can go out of the DMZ to the inside or outside interfaces. My problem is: I want to be able to get out to the internet from the DMZ. Here are the relevant entries in my config minus public IPs. I am thinking I need a NAT and GLOBAL entry and I tried that but the global entry killed all incoming traffic to the DMZ but maybe I just had the entry wrong... Thanks

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ1 security50
    access-list acl_out permit tcp any host <public.ip> eq www
    access-list acl_out permit tcp any host <public.ip> eq https
    access-list acl_out permit tcp any host <public.ip> eq smtp
    access-list acl_out permit icmp any any
    access-list acl_out permit tcp any interface outside
    access-list acl_out permit tcp any eq pop3 host <public.ip> eq pop3
    access-list acl_out permit tcp any eq smtp host <public.ip> eq smtp
    access-list acl_out permit tcp any eq ftp host <public.ip> eq ftp
    access-list dmz_out permit icmp any any
    access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
    access-list inside_outbound_nat0_acl permit ip any vpn_mobile 255.0.0.0
    access-list outside_cryptomap_dyn_20 permit ip any vpn_mobile 255.0.0.0
    ip address outside <public.ip> 255.255.255.224
    ip address inside 1.141.1.99 255.0.0.0
    ip address DMZ1 10.0.0.1 255.255.255.0
    ip local pool mobile 1.141.4.1-1.141.4.15
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 vpn_mobile 255.0.0.0 0 0
    static (DMZ1,outside) tcp <public.ip> www 10.0.0.3 www netmask 255.255.255.255 0 0
    static (DMZ1,outside) tcp <public.ip> https 10.0.0.3 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp <public.ip> smtp 1.1.1.1 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3389 IPO 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 444 email 444 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 4125 email 4125 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https email https netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pptp email pptp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface nntp email nntp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pop3 email pop3 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp email smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ftp email ftp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www email www netmask 255.255.255.255 0 0
    static (inside,DMZ1) vpn_mobile vpn_mobile netmask 255.0.0.0 0 0
    access-group acl_out in interface outside
    access-group dmz_out in interface DMZ1
    route outside 0.0.0.0 0.0.0.0 <public.ip> 1