Hi all. Does anyone have any experience configuring a firewall (PIX 515 specifically) and Windows 2003 servers to allow trust connectivity between two domains through the firewall? I currently have a server in the DMZ that needs to authenticate users on a domain inside the firewall. The DMZ...
Unfortunately my Pix is running 6.1, it doesn't understand the "capture" command.
When I turn logging on and try to get to the inside from the DMZ (without the "static (inside,dmz) 134.39.x.x 134.39.x.x netmask 255.255.255.0" statement), I don't see any evidence of the traffic from the DMZ to...
I'm still having trouble with this (Ignore my above post, I jumped the gun and thought I had it working, before the xlate had cleared).
I can use "static (inside,dmz) 134.39.x.x 134.39.x.x netmask 255.255.255.0" to allow hosts on the dmz to get to the inside interface. However, hosts on the...
Ok, I think I figured it out. What I really needed was no "static (inside,dmz)" command at all. Deleting that static nat allows me to access the specified host on the inside and internal hosts are getting everywhere they ought to be able to as well.
Ok, correction. That worked, in that I could then access the internal server from the DMZ. However, clients on the inside could no longer reach the internet.
How could the "static (inside,dmz) 134.39.x.x 134.39.x.x netmask 255.255.255.0" command break connections to the internet?
Agreed, it sounds like a messy solution to me. Blacklisting is most effective when it is based on known SPAM houses, as opposed to regional blacklisting. Aside from the potential to block desirable traffic discussed above, it's worth mentioning that extremely long ACLs have the potential to...
Yes, the server I'm trying to get to on the inside has the IP referenced in the first ACL command:
access-list acl_dmz permit tcp any host 134.39.x.x eq 80
(where 134.39.x.x is the IP of the server)
I just realized I may need a 255.255.255.255 netmask on that command...? I'm trying to allow...
I'm not sure about the startup wizard, I'd guess that it might walk you through changing the required settings.
A simpler method would be to use a command line, not much needs to change. I believe that all you need to do is enter these commands, thus changing to your new IP:
ip address...
I'm having trouble configuring my PIX 515E to allow access from the DMZ interface to a server that resides on the inside interface. Both DMZ and inside interfaces use public IP using NAT 0. Using a computer on the DMZ I can access any hosts on the outside, but not the server on the inside...
I think your second static nat statement is not required? It appears to do the same 1 to 1 translation that the "nat (dmz) 0 0 0" statement does, but just on the single host (because of the 255.255.255.255 netmask).
Using the 0.0.0.0 0.0.0.0 IP and netmask with the nat statement just tells...
That's what I would have thought, except that it's not working. I cannot ping any of the interfaces from the DMZ, nor can I ping the DMZ interface.
Could it be a configuration problem with the router at x.x.1.121 (which I don't have direct access to)? Maybe it won't route x.156.9.128/26...