[fw-wiz] help...

From: michael (madams@humanfactors.com)
Date: 02/17/03

    From: "michael" <madams@humanfactors.com>
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 17 Feb 2003 13:04:25 -0600
    

    I have a problem which is actually supposed to be easy--at least according
    to the Cisco examples, but seems to be giving me fits. I just can't figure
    out where I'm going wrong. A particular company--being rather, shall we
    say, possessed of parsimonious pecuniary policies, will not update one of
    their old PIX firewalls beyond version 4.2. In itself, that's not really
    too much of an issue. It has three interfaces, and one of them is now to be
    designated as a DMZ. (This version--although old--of the IOS does indeed
    handle more than two interfaces.)

    I have set it up according to examples on CCO, and interestingly enough it
    will work just fine when passing traffic from the outside interface to the
    DMZ interface. The DMZ is configured for NAT. However, the one thing that
    has me stumped is why I cannot get it to--through either statics or
    conduits--communicate with an interface which is of "higher" security level.
    According to everything I know (which admittedly is not omniscient) this can
    be done even though by default a "lower" security level interface does not
    communicate with a "higher" level unless exceptions are made. There are
    examples on CCO. But it doesn't so far work. I can ping a host on the DMZ,
    but the host is not actually responding--the PIX does because of a static
    mapping...

    Any advice that would be helpful in creating an exception that would allow
    traffic initiated from the inside interface to the DMZ interface to actually
    work?

    Thanks!

    Michael

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
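The inside-to-DMZ case described in the post, as an added example that is not Michael's configuration: a minimal classic-PIX (pre-7.0 command set) three-interface fragment with constructed addresses, showing the nat/global pair or identity static that gives inside hosts a translation on the DMZ interface, plus the conduit the ping test needs. The addressing and interface names are assumptions, and exact keyword support on a 4.2 image is assumed rather than verified.

```cisco
! Added example, not the poster's configuration. Constructed addressing:
!   outside 203.0.113.0/24, inside 10.1.1.0/24, dmz 192.168.20.0/24
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.20.1 255.255.255.0

! On classic PIX every packet from a higher- to a lower-security interface
! needs a translation (xlate). "nat (inside) 1" alone is not enough: each
! lower interface the inside talks to needs its own global in the same
! nat_id, otherwise inside->dmz packets have no xlate and are dropped.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 203.0.113.10-203.0.113.100 netmask 255.255.255.0
global (dmz) 1 192.168.20.100-192.168.20.200 netmask 255.255.255.0

! DMZ hosts reaching the outside (the NAT the poster says is already in place)
nat (dmz) 1 0.0.0.0 0.0.0.0

! Alternative for an inside host that must keep its real address on the DMZ:
! an identity static from inside to dmz. Higher->lower, so no conduit needed.
static (inside,dmz) 10.1.1.5 10.1.1.5 netmask 255.255.255.255

! Outside->DMZ web server (the lower->higher case the poster already has
! working): a static plus a conduit restricted to the one service.
static (dmz,outside) 203.0.113.5 192.168.20.5 netmask 255.255.255.255
conduit permit tcp 203.0.113.5 255.255.255.255 eq www 0.0.0.0 0.0.0.0

! Classic PIX does not track ICMP state, so echo-replies coming back from
! the lower interface are blocked unless permitted. Without this a ping test
! from inside fails even when TCP works; keep it to echo-reply only.
conduit permit icmp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 echo-reply
```

After adding the dmz global, `clear xlate` and then check `show xlate` for an inside host while it connects to the DMZ; if no entry appears, the translation is still missing.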


