Hi,
I'm using a PIX506e and have set up a DMZ using a logical interface on the PIX.
My problem is I can initiate communication from the protected network to the DMZ but not the other way round. For example I can open a TS session on the box in the DMZ, but the box in the DMZ can't communicate with the protected network.
The box in the DMZ is an SMTP smarthost with an IP of 192.168.5.4 (24-bit mask). I need it to be able to communicate with a box on the protected network on 192.168.0.249 using SMTP and a couple of other protocols.
I know my VLANs are working OK as I can get from the protected network to the internet and to the DMZ and from the DMZ to the internet, but I can't for the life of me figure out why I can initiate communication between the DMZ and the protected network.
I thought it might have something to do with the protected network using the physical interface, whilst the DMZ uses a logical one, but assigning both to logical interfaces doesn't solve the problem.
The relevant bits of the config are below along with all the ACLs on the PIX for completeness.
Even if you think this looks OK, please say so.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 physical
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 dmz security50
.............
access-list acl_out permit tcp any host x.x.x.x eq smtp
access-list 100 permit ip 192.168.0.0 255.255.255.0 172.31.0.0 255.255.0.0
access-list 100 permit ip host x.x.x.x 172.31.0.0 255.255.0.0
access-list 108 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 108 permit ip 192.168.0.0 255.255.255.0 172.31.0.0 255.255.0.0
access-list 108 permit ip host x.x.x.x 172.31.0.0 255.255.0.0
access-list 108 permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list acl_dmz permit tcp any host 192.168.5.14 eq smtp
access-list acl_dmz permit udp host 192.168.5.4 any eq domain
access-list acl_dmz permit tcp host 192.168.5.4 any eq domain
access-list acl_dmz permit tcp host 192.168.5.4 any eq smtp
access-list acl_dmz permit tcp host 192.168.5.4 any eq 8081
access-list acl_dmz permit tcp host 192.168.5.4 any eq 81
access-list acl_dmz permit tcp host 192.168.5.4 any eq 82
access-list acl_dmz permit tcp host 192.168.5.4 any eq www
.............
ip address outside x.x.x.x 255.255.255.240
ip address inside 192.168.0.253 255.255.255.0
ip address dmz 192.168.5.1 255.255.255.0
.............
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list 108
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) x.x.x.x 192.168.5.4 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.5.14 192.168.0.249 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_dmz in interface dmz