[fw-wiz] DMZ traffic out to internet with PIX 515



I have a PIX 515 running 6.3 with three interfaces including inside, outside
and DMZ. I have a webserver in the DMZ that receives traffic on 80 and 443.
Currently no traffic can go out of the DMZ to the inside or outside
interfaces. My problem is: I want to be able to get out to the internet
from the DMZ. Here are the relevant entries in my config minus public IPs.
I am thinking I need a NAT and GLOBAL entry and I tried that, but the
global entry killed all incoming traffic to the DMZ, but maybe I just had the
entry wrong... Thanks


nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security50
access-list acl_out permit tcp any host <public.ip> eq www
access-list acl_out permit tcp any host <public.ip> eq https
access-list acl_out permit tcp any host <public.ip> eq smtp
access-list acl_out permit icmp any any
access-list acl_out permit tcp any interface outside
access-list acl_out permit tcp any eq pop3 host <public.ip> eq pop3
access-list acl_out permit tcp any eq smtp host <public.ip> eq smtp
access-list acl_out permit tcp any eq ftp host <public.ip> eq ftp
access-list dmz_out permit icmp any any
access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
access-list inside_outbound_nat0_acl permit ip any vpn_mobile 255.0.0.0
access-list outside_cryptomap_dyn_20 permit ip any vpn_mobile 255.0.0.0
ip address outside <public.ip> 255.255.255.224
ip address inside 1.141.1.99 255.0.0.0
ip address DMZ1 10.0.0.1 255.255.255.0
ip local pool mobile 1.141.4.1-1.141.4.15
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 vpn_mobile 255.0.0.0 0 0
static (DMZ1,outside) tcp <public.ip> www 10.0.0.3 www netmask 255.255.255.255 0 0
static (DMZ1,outside) tcp <public.ip> https 10.0.0.3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp <public.ip> smtp 1.1.1.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 IPO 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 email 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 email 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https email https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp email pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface nntp email nntp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 email pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp email smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp email ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www email www netmask 255.255.255.255 0 0
static (inside,DMZ1) vpn_mobile vpn_mobile netmask 255.0.0.0 0 0
access-group acl_out in interface outside
access-group dmz_out in interface DMZ1
route outside 0.0.0.0 0.0.0.0 <public.ip> 1


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
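For the outbound-from-DMZ requirement described in the post above, here is a PIX 6.3 fragment added as an illustration; it is not part of the original message or the poster's running config. It assumes the names and addresses from the posted config (interface DMZ1 with 10.0.0.0/24, inside 1.0.0.0/8, NAT id 1 already served by "global (outside) 1 interface"), and the choice to let the DMZ reach only web and DNS on the internet is an assumed policy, not something the post states.

```cisco
! Assumed: interface names, 10.0.0.0/24 DMZ and 1.0.0.0/8 inside come from the posted config.
! 1. Translate DMZ sources to the outside interface address. Reusing NAT id 1
!    means the existing "global (outside) 1 interface" already provides the PAT
!    address, so no second global line is needed.
nat (DMZ1) 1 10.0.0.0 255.255.255.0 0 0
!
! 2. "access-group dmz_out in interface DMZ1" filters traffic entering the PIX
!    from the DMZ, i.e. everything the DMZ sends out. Entries are matched
!    top-down and new lines are appended, so rebuild the list in the order
!    wanted. Removing the list also drops its access-group binding, hence the
!    re-apply at the end. An implicit deny closes every list.
no access-list dmz_out
! Keep what the poster already allowed.
access-list dmz_out permit icmp any any
access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
! Block the DMZ from reaching the rest of the inside network. The posted
! "static (inside,DMZ1) vpn_mobile vpn_mobile netmask 255.0.0.0" exposes
! inside addresses to the DMZ, so this deny must sit above the "any" permits.
access-list dmz_out deny ip 10.0.0.0 255.255.255.0 1.0.0.0 255.0.0.0
! Allow only what the DMZ needs on the internet (assumed: DNS, HTTP, HTTPS).
access-list dmz_out permit udp 10.0.0.0 255.255.255.0 any eq domain
access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq https
access-group dmz_out in interface DMZ1
! Check the result with "show xlate" (a PAT entry for the DMZ host should
! appear) and "show access-list dmz_out" (hit counts on the new lines).
```

The port statics for 10.0.0.3 still handle inbound 80 and 443 from the outside; the nat line only covers connections that the DMZ host originates.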
