Hi all,
With this config, internal can get out to dmz, and can access the internet, but for some reason, the public net cannot access the DMZ servers.
I have a small suspicion that there's a router (the gw) which might need its ARP cache refreshed, as there is another fw in the way which this pix is supposed to replace...
Can you help verify that this config is okay for outside -> DMZ? I have VPN questions also (like, if I define 192.168.10.x as a VPN pool, can it automagically use PDM?)
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in remark allow urchin access to dmz from anywhere
access-list outside_access_in permit tcp any xxx.xxx.xxx.0 255.255.255.0 eq 9999
access-list outside_access_in remark allow ftp access to .194 from anywhere
access-list outside_access_in permit tcp any host xxx.xxx.xxx.194 range ftp-data ftp
access-list outside_access_in remark allow all access to .194 from colo
access-list outside_access_in permit tcp host 212.187.153.12 host xxx.xxx.xxx.194
access-list outside_access_in remark allow all access to .194 from colo
access-list outside_access_in permit tcp host 212.187.153.13 host xxx.xxx.xxx.194
access-list outside_access_in remark allow all access to .194 from colo
access-list outside_access_in permit tcp host 212.187.153.205 host xxx.xxx.xxx.194
access-list outside_access_in remark allow 1433 access to .222 from anywhere
access-list outside_access_in permit tcp any host xxx.xxx.xxx.222 eq 1433
access-list outside_access_in remark allow 1434 access to .222 from anywhere
access-list outside_access_in permit udp any host xxx.xxx.xxx.222
access-list outside_access_in remark allow all access to .222 from office
access-list outside_access_in permit tcp host 217.199.161.23 host xxx.xxx.xxx.222
access-list outside_access_in remark allow https access to .207 from anywhere
access-list outside_access_in permit tcp any host xxx.xxx.xxx.207 eq https
access-list outside_access_in remark allow mysql access to .213 from anywhere
access-list outside_access_in permit tcp any host xxx.xxx.xxx.213 eq 3306
access-list outside_access_in remark allow telnet access to .213 from anywhere
access-list outside_access_in permit tcp any host xxx.xxx.xxx.213 eq telnet
access-list outside_access_in remark allow vnc access to .213 from anywhere
access-list outside_access_in permit tcp any host xxx.xxx.xxx.213 eq 5900
access-list outside_access_in remark allow https access to .198 from anywhere
access-list outside_access_in permit tcp any host xxx.xxx.xxx.198 eq https
access-list outside_access_in remark allow any access to switch from anywhere
access-list outside_access_in permit ip any host xxx.xxx.xxx.220
access-list outside_access_in remark allow 563 access to dmz from anywhere
access-list outside_access_in permit tcp any xxx.xxx.xxx.0 255.255.255.0 eq 563
access-list outside_access_in remark allow 3389 access to dmz from anywhere
access-list outside_access_in permit tcp any xxx.xxx.xxx.0 255.255.255.0 eq 3389
access-list outside_access_in remark allow 8080 access to dmz from anywhere
access-list outside_access_in permit tcp any xxx.xxx.xxx.0 255.255.255.0 eq 8080
access-list outside_access_in remark allow 10000-10201 (backup) access to dmz from anywhere
access-list outside_access_in permit tcp any xxx.xxx.xxx.0 255.255.255.0 range 10000 10201
access-list outside_access_in remark allow fde to dmz from anywhere
access-list outside_access_in permit tcp any xxx.xxx.xxx.0 255.255.255.0 eq 8500
access-list outside_access_in remark allow smtp to dmz from anywhere
access-list outside_access_in permit tcp any xxx.xxx.xxx.0 255.255.255.0 eq smtp
access-list monochrome_splitTunnelAcl permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.240
access-list inside_access_in remark
access-list inside_access_in permit ip any any
access-list inside_access_in remark allow all inside -> outside via tcp
access-list inside_access_in permit tcp any any
access-list dmz_access_in remark
access-list dmz_access_in permit ip any any
pager lines 24
logging on
logging trap errors
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.xxx.221 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.10.1-192.168.10.10
pdm location 192.168.1.254 255.255.255.255 inside
pdm location 192.168.2.194 255.255.255.255 dmz
pdm location 192.168.2.200 255.255.255.255 dmz
pdm location 192.168.2.201 255.255.255.255 dmz
pdm location 192.168.2.202 255.255.255.255 dmz
pdm location 192.168.2.207 255.255.255.255 dmz
pdm location 192.168.2.208 255.255.255.255 dmz
pdm location 192.168.2.210 255.255.255.255 dmz
pdm location 192.168.2.214 255.255.255.255 dmz
pdm location 192.168.2.222 255.255.255.255 dmz
pdm location 192.168.2.195 255.255.255.255 dmz
pdm location 192.168.2.196 255.255.255.255 dmz
pdm location 192.168.2.197 255.255.255.255 dmz
pdm location 192.168.2.209 255.255.255.255 dmz
pdm location 192.168.2.211 255.255.255.255 dmz
pdm location 192.168.2.212 255.255.255.255 dmz
pdm location 192.168.2.213 255.255.255.255 dmz
pdm location 192.168.2.198 255.255.255.255 dmz
pdm location 192.168.2.203 255.255.255.255 dmz
pdm location 192.168.2.218 255.255.255.255 dmz
pdm location 192.168.2.219 255.255.255.255 dmz
pdm location 192.168.2.220 255.255.255.255 dmz
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (dmz) 10 192.168.2.50-192.168.2.60
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 192.168.1.0 255.255.255.0 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) xxx.xxx.xxx.194 192.168.2.194 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.200 192.168.2.200 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.201 192.168.2.201 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.202 192.168.2.202 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.208 192.168.2.208 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.222 192.168.2.222 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.207 192.168.2.207 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.210 192.168.2.210 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.214 192.168.2.214 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.195 192.168.2.195 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.211 192.168.2.211 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.212 192.168.2.212 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.209 192.168.2.209 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.213 192.168.2.213 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.197 192.168.2.197 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.196 192.168.2.196 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.198 192.168.2.198 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.218 192.168.2.218 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.219 192.168.2.219 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.203 192.168.2.203 netmask 255.255.255.255 0 0
static (dmz,outside) xxx.xxx.xxx.220 192.168.2.220 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.193 1
Thanks in advance
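Since the post asks whether the config is correct for outside -> DMZ, here is an added consistency check (my own script, not from the post) that cross-references the (dmz,outside) statics with the ACL bound to the outside interface: a permit for a public host with no static is dead, and each translated host is listed with the entries that actually reach it. It runs on a constructed excerpt of the posted config, with the documentation range 203.0.113.0/24 standing in for the masked xxx.xxx.xxx block.

```python
import ipaddress
import re

# Constructed excerpt of the posted PIX 6.3(4) config; 203.0.113.0/24 stands in for xxx.xxx.xxx.
SAMPLE_CONFIG = """
access-list outside_access_in permit tcp any host 203.0.113.194 range ftp-data ftp
access-list outside_access_in permit tcp any host 203.0.113.222 eq 1433
access-list outside_access_in permit tcp any host 203.0.113.198 eq https
access-list outside_access_in permit ip any host 203.0.113.220
access-list outside_access_in permit tcp any 203.0.113.0 255.255.255.0 eq 3389
static (dmz,outside) 203.0.113.194 192.168.2.194 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.220 192.168.2.220 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.222 192.168.2.222 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.207 192.168.2.207 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit (\w+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def audit_outside_to_dmz(config):
    """Cross-check (dmz,outside) statics against the ACL bound to 'outside'."""
    statics, acls, bound = {}, {}, {}   # public -> real, name -> rules, iface -> acl
    for line in config.splitlines():
        if (m := STATIC_RE.match(line.strip())) and m.group(2) == "outside":
            statics[ipaddress.ip_address(m.group(3))] = m.group(4)
        elif m := ACL_RE.match(line.strip()):
            _src, rest = take_addr(m.group(3).split())   # source is not evaluated here
            dst, rest = take_addr(rest)
            acls.setdefault(m.group(1), []).append((m.group(2), dst, " ".join(rest) or "any"))
        elif m := GROUP_RE.match(line.strip()):
            bound[m.group(2)] = m.group(1)
    rules = acls.get(bound.get("outside"), [])
    # A permit for a /32 with no static is dead: the PIX has nothing to translate it to.
    dead = sorted(str(d.network_address) for _p, d, _s in rules
                  if d.prefixlen == 32 and d.network_address not in statics)
    # For every translated host, the (proto, port) entries that let outside reach it.
    exposed = {str(pub): sorted(f"{p} {s}" for p, d, s in rules if pub in d)
               for pub in statics}
    return {"acl_bound": "outside" in bound, "dead_permits": dead, "exposed": exposed}
```

Run against the full posted config (with the masked block filled in), every static is covered by the subnet-wide permits, so a failing outside -> DMZ path points away from the ACL/NAT pairing and toward the upstream gateway the poster already suspects.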