Re: [fw-wiz] DMZ traffic out to internet with PIX 515
You've got no access list entries allowing hosts in the DMZ1 segment
access out to the internet. Also, checking the log buffer on the PIX
will usually give you the culprit of what's causing your access issue if
you have it set up to do so...set the log to warning or higher and it
will show you what the culprit is.

What I believe you need is (at least for traffic to http and https
websites):

access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq 80
access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq 443
nat (DMZ1) 1 10.0.0.0 255.255.255.0
Paul Madore wrote:

I have a PIX 515 running 6.3 with three interfaces including inside, outside
and DMZ. I have a webserver in the DMZ that receives traffic on 80 and 443.
Currently no traffic can go out of the DMZ to the inside or outside
interfaces. My problem is: I want to be able to get out to the internet
from the DMZ. Here are the relevant entries in my config minus public IPs.
I am thinking I need a NAT and GLOBAL entry and I tried that but the
global entry killed all incoming traffic to the DMZ but maybe I just had the
entry wrong... Thanks


nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security50
access-list acl_out permit tcp any host <public.ip> eq www
access-list acl_out permit tcp any host <public.ip> eq https
access-list acl_out permit tcp any host <public.ip> eq smtp
access-list acl_out permit icmp any any
access-list acl_out permit tcp any interface outside
access-list acl_out permit tcp any eq pop3 host <public.ip> eq pop3
access-list acl_out permit tcp any eq smtp host <public.ip> eq smtp
access-list acl_out permit tcp any eq ftp host <public.ip> eq ftp
access-list dmz_out permit icmp any any
access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
access-list inside_outbound_nat0_acl permit ip any vpn_mobile 255.0.0.0
access-list outside_cryptomap_dyn_20 permit ip any vpn_mobile 255.0.0.0
ip address outside <public.ip> 255.255.255.224
ip address inside 1.141.1.99 255.0.0.0
ip address DMZ1 10.0.0.1 255.255.255.0
ip local pool mobile 1.141.4.1-1.141.4.15
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 vpn_mobile 255.0.0.0 0 0
static (DMZ1,outside) tcp <public.ip> www 10.0.0.3 www netmask 255.255.255.255 0 0
static (DMZ1,outside) tcp <public.ip> https 10.0.0.3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp <public.ip> smtp 1.1.1.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 IPO 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 email 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 email 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https email https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp email pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface nntp email nntp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 email pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp email smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp email ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www email www netmask 255.255.255.255 0 0
static (inside,DMZ1) vpn_mobile vpn_mobile netmask 255.0.0.0 0 0
access-group acl_out in interface outside
access-group dmz_out in interface DMZ1
route outside 0.0.0.0 0.0.0.0 <public.ip> 1
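The point made in the reply (the dmz_out list applied "in interface DMZ1" is evaluated top to bottom, first match wins, and anything not matched hits the implicit deny at the end, so the quoted list lets nothing from 10.0.0.0/24 reach the internet) can be checked offline with the small evaluator below. It is an added example written for this thread, not Cisco code and not anything from either post; it parses only the access-list syntax that occurs in the quoted config and in the reply (tcp/udp/icmp/ip, any/host/net-mask, optional eq or range on the destination). The addresses 203.0.113.10 and 1.141.1.50 are constructed sample hosts. The "hardened" variant, which denies DMZ-to-inside (1.0.0.0/8 per the "ip address inside" line) ahead of the permit-any lines, is my own assumption about intent and not something the reply proposed; it is there to show that "any" in a permit line also covers the inside network.

```python
"""First-match evaluator for PIX 6.3 style access-list lines (added example, not Cisco code)."""
import ipaddress

# Service names that appear in the quoted config, mapped to port numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110,
              "ftp": 21, "nntp": 119, "pptp": 1723}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # PIX ACLs take a real subnet mask (255.255.255.0), not an IOS wildcard mask.
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _parse_ports(t, i):
    """Consume an optional 'eq P' or 'range LO HI'; return ((lo, hi) or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = _port(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i


def parse_acl(text):
    """Return {acl_name: [rules...]} in file order; the PIX uses the first matching line."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        sports, i = _parse_ports(t, i)
        dst, i = _parse_addr(t, i)
        dports, _ = _parse_ports(t, i)
        acls.setdefault(name, []).append((action, proto, src, sports, dst, dports))
    return acls


def _port_ok(rng, port):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """Return 'permit' or 'deny' for one flow; no matching line means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsports, rdst, rdports in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s in rsrc and d in rdst and _port_ok(rsports, sport) and _port_ok(rdports, dport):
            return action
    return "deny"


def decide(acl_text, proto, src, dst, sport=None, dport=None, name="dmz_out"):
    return evaluate(parse_acl(acl_text).get(name, []), proto, src, dst, sport, dport)


# The dmz_out list exactly as quoted in the original post.
ORIGINAL_DMZ_OUT = """
access-list dmz_out permit icmp any any
access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
"""

# The same list with the two lines suggested in the reply appended.
PROPOSED_DMZ_OUT = ORIGINAL_DMZ_OUT + """
access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq 80
access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq 443
"""

# Assumed hardening (mine, not from the thread): deny DMZ -> inside before the
# permit-any lines, keeping the explicit webserver-to-1.1.1.1 rule that precedes it.
HARDENED_DMZ_OUT = ORIGINAL_DMZ_OUT + """
access-list dmz_out deny ip 10.0.0.0 255.255.255.0 1.0.0.0 255.0.0.0
access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq 80
access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq 443
"""

if __name__ == "__main__":
    # 203.0.113.10 (documentation range) stands in for an internet web server;
    # 1.141.1.50 is a made-up host on the inside network.
    for label, acl in (("original", ORIGINAL_DMZ_OUT), ("proposed", PROPOSED_DMZ_OUT),
                       ("hardened", HARDENED_DMZ_OUT)):
        print(label, "DMZ->internet:443", decide(acl, "tcp", "10.0.0.3", "203.0.113.10", 40000, 443))
        print(label, "DMZ->inside:443  ", decide(acl, "tcp", "10.0.0.3", "1.141.1.50", 40000, 443))
```

Passing the ACL is only half of it on a PIX 6.3: the DMZ hosts also need a translation out, which is what the reply's "nat (DMZ1) 1 10.0.0.0 255.255.255.0" provides, pairing with the "global (outside) 1 interface" line already in the config. The evaluator models only the ACL decision, not translations.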


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards