Help allowing access to dmz from intf2

joeschmoes

IS-IT--Management
Oct 4, 2004
16
US
I have VPN users that connect from the outside. While connected, I need them to be able to access servers on my DMZ. Please let me know what I'm missing. Here is the PIX configuration. Any help would be greatly appreciated.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet2 vlan20 physical
interface ethernet2 vlan40 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif vlan40 dmz security4
enable password omitted encrypted
passwd omitted encrypted
hostname tcmh-pix
domain-name
clock timezone CST -6
clock summer-time CDT recurring
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.123.0 RadiologyVPN
name 205.128.1.10 tcmtest
access-list outside_access_in permit tcp any host abc.abc.abc.abc eq ssh
access-list outside_access_in permit tcp any host abc.abc.abc.abc eq www
access-list outside_access_in permit tcp any host abc.abc.abc.abc eq https
access-list outside_access_in permit tcp any host abc.abc.abc.abc eq citrix-ica
access-list outside_access_in permit tcp any host abc.abc.abc.abc eq 8000
access-list outside_access_in permit tcp any host abc.abc.abc.abc eq 8100
access-list outside_access_in permit icmp any host abc.abc.abc.abc
access-list outside_access_in permit tcp any host abc.abc.abc.abc eq 8200
access-list outside_access_in permit tcp any host abc.abc.abc.abc eq 8300
access-list 101 permit ip 205.128.1.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list 101 permit ip 10.1.0.0 255.255.0.0 192.168.25.0 255.255.255.0
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list 103 permit ip 205.128.1.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list 103 permit ip host 205.128.1.5 host 10.0.0.2
access-list 103 permit ip 10.1.0.0 255.255.0.0 192.168.25.0 255.255.255.0
access-list 103 permit ip host tcmtest host 10.0.0.2
access-list 110 permit ip host 192.168.1.12 2.2.2.0 255.255.255.0
access-list 110 permit ip host tcmtest host 10.0.0.2
access-list 110 permit ip host 205.128.1.5 host 10.0.0.2
access-list inside_nat0_outbound permit ip host 192.168.1.12 2.2.2.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list inside_nat0_outbound permit ip host 192.168.1.12 RadiologyVPN 255.255.255.0
access-list nonat_dmz permit ip host 205.128.1.5 host 10.0.0.2
access-list outside_cryptomap_40 permit ip host 192.168.1.12 RadiologyVPN 255.255.255.0
access-list dmz_in permit icmp any any
access-list dmz_in permit ip any any
access-list intf2 permit ip any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any any
access-list capin permit tcp host 192.168.1.38 host 10.1.1.38
access-list capin permit tcp host 10.1.1.38 host 192.168.1.38
access-list capin permit tcp host 205.128.1.24 host 10.1.1.38
access-list capin permit tcp host 10.1.1.38 host 205.128.1.24
access-list capin permit tcp host 205.128.1.5 host 192.168.1.2
access-list capin permit tcp host 192.168.1.2 host 205.128.1.5
pager lines 25
logging timestamp
logging console debugging
logging monitor errors
logging trap informational
logging facility 23
logging host inside 192.168.1.54
logging host inside 192.168.1.15
logging host outside 216.229.83.99
logging host inside 192.168.1.118
logging host inside 192.168.1.122
logging host inside 192.168.1.38
logging message 101001 level emergencies
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside abc.abc.abc.abc 255.255.255.240
ip address inside 192.168.1.111 255.255.255.0
ip address intf2 205.128.1.85 255.255.255.128
ip address dmz 10.1.1.100 255.255.0.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm drop
ip local pool CaboolVPN 192.168.25.20-192.168.25.30 mask 255.255.255.0
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0 dns 0 0
nat (intf2) 0 access-list 103
nat (intf2) 0 tcmtest 255.255.255.255 0 0
nat (intf2) 10 0.0.0.0 0.0.0.0 dns 0 0
static (inside,outside) tcp interface citrix-ica 192.168.1.9 citrix-ica dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8000 192.168.1.9 https dns netmask 255.255.255.255 0 0
static (intf2,outside) tcp 216.229.83.105 8100 10.1.2.1 255.255.255.255 0 0
static (inside,outside) tcp interface 8200 192.168.1.17 https netmask 255.255.255.255 0 0
static (intf2,outside) tcp interface https 205.128.1.70 https dns netmask 255.255.255.255 0 0
static (intf2,outside) tcp interface netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8300 192.168.1.207 255.255.255.255 0 0
static (intf2,inside) 205.128.1.0 205.128.1.0 netmask 255.255.255.0 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (inside,intf2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group intf2 in interface intf2
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 abc.abc.abc.abc 1
route outside 216.229.83.0 255.255.255.0 abc.abc.abc.abc 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 1-65535 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http abc.abc.abc.abc 255.255.255.0 outside
http 192.168.1.54 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.38 255.255.255.255 intf2
snmp-server host dmz 10.1.1.20
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
tftp-server inside 192.168.1.122 03162007.txt
floodguard enable
sysopt connection tcpmss 1192
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 56-bit esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address 110
crypto map outside_map 30 set peer 70.159.142.2
crypto map outside_map 30 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 198.237.84.34
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 70.159.142.2 netmask 255.255.255.255
isakmp key ******** address 198.237.84.34 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Cabool address-pool CaboolVPN
vpngroup Cabool dns-server 192.168.1.251 205.128.1.117
vpngroup Cabool default-domain tcmh.org
vpngroup Cabool split-tunnel 101
vpngroup Cabool idle-time 1800
vpngroup Cabool password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh abc.abc.abc.abc 255.255.255.0 outside
ssh 172.68.225.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.25.0 255.255.255.0 intf2
ssh timeout 60
console timeout 0
vpdn username cliff password *********
vpdn enable outside
dhcpd dns 216.229.72.9
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
 
Make a no nat ACL for your DMZ
access-list nonat-dmz permit ip 10.1.0.0 255.255.0.0 192.168.25.0 255.255.255.0


and
nat (dmz) 0 access-list nonat-dmz

You have no entry for nat for the DMZ. Does traffic go in/out to the internet?


Brent
Systems Engineer / Consultant
CCNP, CCSP
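As an added example (it is not part of either post and not Cisco code), here is a small Python audit of the point Brent makes: it parses a constructed excerpt of joeschmoes's config, checks every non-outside interface for a nat 0 exemption ACL that covers the CaboolVPN pool, and emits the two lines Brent suggests for whichever interface lacks one. The excerpt, the function names and the ACL name nonat-<interface> are assumptions; the 10.1.0.0/16 argument comes from the dmz interface address in the posted config.

```python
from ipaddress import ip_network
# Constructed excerpt of the poster's PIX 6.3(5) config (nameif, ACL, nat and VPN-pool lines only).
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif vlan40 dmz security4
access-list 103 permit ip 10.1.0.0 255.255.0.0 192.168.25.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.25.0 255.255.255.0
ip local pool CaboolVPN 192.168.25.20-192.168.25.30 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (intf2) 0 access-list 103
"""

def _addr(t, i):  # one ACL address at t[i]: 'any', 'host X' or 'NET MASK' -> (network, next index)
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    return ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_pix(config):  # -> (interfaces, {acl: [(src, dst)]}, {iface: nat 0 ACL or None}, pool)
    ifaces, acls, nat0, pool = [], {}, {}, None
    for t in (ln.split() for ln in config.splitlines() if ln.strip()):
        if t[0] == "nameif":
            ifaces.append(t[2])
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _addr(t, 4)
            acls.setdefault(t[1], []).append((src, _addr(t, i)[0]))
        elif t[0] == "nat":  # keep the nat 0 ACL name; None marks a plain nat statement
            iface = t[1].strip("()")
            nat0[iface] = t[4] if t[2:4] == ["0", "access-list"] else nat0.get(iface)
        elif t[:3] == ["ip", "local", "pool"]:  # pool start address + mask -> its subnet
            pool = ip_network(f"{t[4].split('-')[0]}/{t[6]}", strict=False)
    return ifaces, acls, nat0, pool

def audit_vpn_exemptions(config):
    """Per non-outside interface: is traffic to the VPN pool exempted from NAT?"""
    ifaces, acls, nat0, pool = parse_pix(config)
    def finding(iface):
        if iface not in nat0:
            return "no nat statement at all"
        covered = any(pool.subnet_of(d) for _, d in acls.get(nat0[iface], []))
        return "ok" if covered else f"no nat 0 ACL covering {pool}"
    return {i: finding(i) for i in ifaces if i != "outside"}

def exemption_fix(config, iface, local_net):  # Brent's two lines; ACL name nonat-<iface> is a constructed choice
    pool, net = parse_pix(config)[3], ip_network(local_net, strict=False)
    acl = f"access-list nonat-{iface} permit ip {net.network_address} {net.netmask} {pool.network_address} {pool.netmask}"
    return [acl, f"nat ({iface}) 0 access-list nonat-{iface}"]
```

Appending the two returned lines to the excerpt and re-running the audit turns the dmz finding from "no nat statement at all" to "ok".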
 