Firewall Wizards mailing list archives
Re: PIX 515E config - DMZ host to inside host
From: "Julian M. Dragut" <julianmd () gmail com>
Date: Thu, 1 Mar 2007 18:36:25 -0500
Hi there,

Your route command

route internal 10.133.0.0 255.255.0.0 10.133.100.129 1

says: if you want to send a packet to the 10.133.0.0 network, use the 10.133.100.129 address as gateway. What you want to accomplish is to let a host from the LAN see a host in the DMZ. Try this for a change:

no route internal 10.133.0.0 255.255.0.0 10.133.100.129 1
wr mem
cl xl

and from the internal host (10.133.24.3) ping the DMZ host (10.134.1.2).

Best regards,

On 2/27/07, Chris Mitchell <sw () dorksville net> wrote:
Greetings folks,

PIX newbie here, not really a firewall guy but need to get some stuff done with it, and am pretty good at basic configs. I have a 515E with 3 interfaces (inside, outside, DMZ). I need to allow access from a host in the DMZ to an internal host.

DMZ host - 10.134.1.2
Internal host - 10.133.24.3

I've done a few things, but after a few days of spinning my wheels I thought I'd seek advice :) Some info omitted for security reasons.

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 internal security50
nameif ethernet2 dmz security30
enable password xxx
passwd xxx
hostname xxx
domain-name xxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol domain 53
fixup protocol rtsp 8554
fixup protocol rtsp 7000
fixup protocol rtsp 7001
names
access-list acl_in6 permit ip host 10.133.100.208 any
access-list acl_in6 permit ip host 10.133.100.209 any
access-list acl_in6 permit ip host 10.133.100.207 any
access-list acl_in6 permit ip host 10.133.100.206 any
access-list acl_in6 permit ip host 10.133.100.129 any
access-list acl_in6 permit ip 10.133.100.0 255.255.255.0 host 10.134.1.1
access-list acl_in6 permit ip 10.133.25.0 255.255.255.0 host 10.134.1.1
access-list acl_in6 permit ip 10.133.24.0 255.255.255.0 host 10.134.1.1
access-list acl_in6 permit ip host 10.133.100.205 any
access-list acl_in6 permit ip 10.133.100.0 255.255.255.0 any
access-list acl_in6 permit ip 10.133.24.0 255.255.255.0 host 10.134.1.2
access-list acl_in6 permit ip host 10.134.1.2 host 10.133.24.3
access-list acl_out3 permit tcp any host 203.xx.xxx.xxx eq smtp
access-list acl_out3 permit tcp any host 203.xx.xxx.xxx eq www
access-list acl_out3 permit tcp any host 203.xx.xxx.xxx eq 1352
access-list acl_dmz3 permit tcp host 10.134.1.1 host 10.134.1.207 eq smtp
access-list acl_dmz3 permit ip host 10.134.1.2 host 10.133.24.3
access-list acl_dmz3 permit tcp host 10.134.1.2 host 10.133.24.3
access-list acl_dmz3 permit udp host 10.134.1.2 host 10.133.24.3
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap warnings
logging host internal 10.133.25.4
logging host internal 10.133.25.3
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 10full
icmp deny any echo outside
icmp permit 10.133.25.0 255.255.255.0 echo dmz
icmp permit 10.134.1.0 255.255.255.0 echo dmz
mtu outside 1500
mtu internal 1500
mtu dmz 1500
ip address outside 203.xx.xxx.xxx 255.255.255.248
ip address internal 10.133.100.210 255.255.255.0
ip address dmz 10.134.1.129 255.255.255.0
ip audit name infopolicy info action alarm
ip audit name attackpolicy info action alarm drop
ip audit interface outside infopolicy
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 10.134.1.130 netmask 255.255.255.0
nat (internal) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) tcp interface www 10.134.1.1 www netmask 255.255.255.255 10 10
static (internal,dmz) tcp 10.134.1.5 1352 10.133.25.5 1352 netmask 255.255.255.255 0 0
static (internal,dmz) tcp 10.134.1.6 1352 10.133.25.6 1352 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 1352 10.134.1.1 1352 netmask 255.255.255.255 10 10
static (internal,dmz) tcp 10.134.1.10 1352 10.133.24.10 1352 netmask 255.255.255.255 0 0
static (internal,outside) tcp interface smtp 10.133.100.207 smtp netmask 255.255.255.255 0 0
static (internal,dmz) tcp 10.134.1.207 smtp 10.133.100.207 smtp netmask 255.255.255.255 0 0
static (internal,dmz) 10.133.24.0 10.134.1.0 netmask 255.255.255.0 0 0
access-group acl_out3 in interface outside
access-group acl_in6 in interface internal
access-group acl_dmz3 in interface dmz
route outside 0.0.0.0 0.0.0.0 203.xx.xxx.xxx 1
route internal 10.133.0.0 255.255.0.0 10.133.100.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.133.100.0 255.255.255.0 internal
http 10.133.25.0 255.255.255.0 internal
floodguard enable
no sysopt route dnat
telnet timeout 30
ssh 10.133.100.208 255.255.255.255 internal
ssh 10.134.1.1 255.255.255.255 internal
ssh 10.133.24.0 255.255.255.0 internal
ssh 10.133.0.0 255.255.0.0 internal
ssh 10.133.100.208 255.255.255.255 dmz
ssh 10.133.100.0 255.255.255.0 dmz
ssh 10.134.1.1 255.255.255.255 dmz
ssh timeout 30
terminal width 80
Cryptochecksum:9c355bdae4a42aa97de9f3d2c77559a3

Regards,
Chris Mitchell
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
--
Best regards,
Julian Dragut
www.networkmanager.org
If you knew that you wouldn't fall, how far would you have gone?
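Added example, not part of the thread: a short Python check run over a constructed excerpt of Chris's config quoted above. It applies two PIX 6.x rules, that a static (high,low) takes the mapped address before the real one (the way the port statics in the same config are written) and that an ACL applied to the lower-security interface matches mapped addresses, and reports what the net static and acl_dmz3 actually say; every interface name and address is taken from the quoted config.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.1(4) config quoted above (only the lines the checks need).
CONFIG = """
ip address internal 10.133.100.210 255.255.255.0
ip address dmz 10.134.1.129 255.255.255.0
static (internal,dmz) 10.133.24.0 10.134.1.0 netmask 255.255.255.0 0 0
access-list acl_dmz3 permit ip host 10.134.1.2 host 10.133.24.3
access-group acl_dmz3 in interface dmz
"""

IP = r"(\d+(?:\.\d+){3})"
IFACE_RE = re.compile(rf"^ip address (\S+) {IP} {IP}$")
# static (high,low) MAPPED REAL netmask M; port statics ("static ... tcp") are skipped
STATIC_RE = re.compile(rf"^static \((\S+),(\S+)\) {IP} {IP} netmask {IP}")
ACL_RE = re.compile(rf"^access-list (\S+) permit \S+ host {IP} host {IP}$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def audit(config):
    ifaces, statics, acls, groups = {}, [], [], {}
    for line in config.strip().splitlines():
        if m := IFACE_RE.match(line):
            ifaces[m[1]] = ipaddress.IPv4Interface(f"{m[2]}/{m[3]}")
        elif m := STATIC_RE.match(line):
            mapped = ipaddress.IPv4Network(f"{m[3]}/{m[5]}")
            real = ipaddress.IPv4Network(f"{m[4]}/{m[5]}")
            statics.append((m[1], m[2], mapped, real))
        elif m := ACL_RE.match(line):
            acls.append((m[1], ipaddress.IPv4Address(m[3])))  # (acl name, destination)
        elif m := GROUP_RE.match(line):
            groups[m[1]] = m[2]
    findings = []
    for high, low, mapped, real in statics:
        # The REAL side of a (high,low) static must sit behind the high interface;
        # if it is the low interface's own subnet the two arguments are swapped.
        if low in ifaces and real.overlaps(ifaces[low].network):
            findings.append(f"static ({high},{low}) gives {real} as the real {high} "
                            f"network, but that is the {low} interface's own subnet "
                            f"({ifaces[low]}): mapped/real arguments look swapped")
    for name, dst in acls:
        # Pre-8.3 ACLs on the lower-security interface match MAPPED addresses, so
        # resolve the ACL destination through the static to the real host.
        for high, low, mapped, real in statics:
            if groups.get(name) == low and dst in mapped:
                translated = real.network_address + (int(dst) - int(mapped.network_address))
                findings.append(f"{name} on {low}: destination {dst} is translated to "
                                f"real address {translated} on {high}")
    return findings
```

Run against the excerpt it reports that the net static names the dmz subnet as its real side and that acl_dmz3's destination 10.133.24.3 resolves to 10.134.1.3 on internal, not to the intended host.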