[fw-wiz] Firewall help



Thanks for your help guys. I was able to get it working with the
access-list entries and a nat entry. This allows IP connections and no DNS
which Chris had said wouldn't work until that was configured also. I don't
think I will need that as of right now but I may look into it just to see
how to get it working. Thanks for everyone's input!

Paul


Re: DMZ traffic out to internet with PIX 515 (Chris Wargaski)

Message: 1
Date: Sat, 6 Jan 2007 14:20:43 -0600
From: "Chris Wargaski" <cwargaski@xxxxxxxxxx>
Subject: Re: [fw-wiz] DMZ traffic out to internet with PIX 515

You'll need to allow DNS queries outbound from the DMZ, too.

cjw

Christopher J. Wargaski
RMS Technology Solutions, Inc.
cwargaski@xxxxxxxxxx
(847) 215-1661 x223



-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx on behalf of Victor
Williams
Sent: Fri 1/5/2007 6:27 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] DMZ traffic out to internet with PIX 515

You've got no access list entries allowing hosts in the DMZ1 segment
access out to the internet. Also, checking the log buffer on the PIX
will usually give you the culprit of what's causing your access issue if
you have it set up to do so...set the log to warning or higher and it
will show you what the culprit is.

What I believe you need is (at least for traffic to http and https
websites):

access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq 80
access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq 443
nat (DMZ1) 1 10.0.0.0 255.255.255.0


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
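The ACL and DNS point raised above, as an added example that is not code from any of the posters: a small Python evaluator for the PIX-style access-list lines Victor posted, showing that the two HTTP/HTTPS lines pass web traffic but drop the UDP/53 lookups Chris said are also needed. The DMZ host address 10.0.0.10, the added udp 53 line and the limited syntax subset parsed are assumptions.

```python
# Added example (not from the thread): a minimal evaluator for PIX-style
# "access-list NAME permit|deny PROTO SRC MASK any [eq PORT]" lines, used to
# show why the posted two-line dmz_out ACL lets HTTP/HTTPS out but drops the
# DNS lookups that must precede them. Only the syntax subset seen in the
# thread is handled; the sample addresses and the udp 53 line are assumptions.
import ipaddress

def parse_acl(text):
    """Parse access-list lines into (name, action, proto, src_net, dst, port)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        name, action, proto = tok[1], tok[2], tok[3]
        src = ipaddress.ip_network(f"{tok[4]}/{tok[5]}", strict=False)
        dst = tok[6]  # only "any" is supported in this example
        port = int(tok[8]) if len(tok) > 8 and tok[7] == "eq" else None
        entries.append((name, action, proto, src, dst, port))
    return entries

def evaluate(entries, name, proto, src_ip, dst_port):
    """First-match semantics with the implicit deny at the end of a PIX ACL."""
    src_ip = ipaddress.ip_address(src_ip)
    for ename, action, eproto, src, dst, port in entries:
        if ename != name or eproto not in (proto, "ip"):
            continue
        if src_ip in src and (port is None or port == dst_port):
            return action
    return "deny"  # nothing matched: implicit deny

# Constructed sample: the ACL exactly as posted, then with a DNS rule added.
POSTED_ACL = """
access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq 80
access-list dmz_out permit tcp 10.0.0.0 255.255.255.0 any eq 443
"""
WITH_DNS_ACL = POSTED_ACL + "access-list dmz_out permit udp 10.0.0.0 255.255.255.0 any eq 53\n"

def check_flows(acl_text, host="10.0.0.10"):
    """Verdicts for HTTPS and DNS from a DMZ host (constructed address)."""
    acl = parse_acl(acl_text)
    return {
        "https": evaluate(acl, "dmz_out", "tcp", host, 443),
        "dns": evaluate(acl, "dmz_out", "udp", host, 53),
    }

if __name__ == "__main__":
    print("posted ACL:", check_flows(POSTED_ACL))    # dns -> deny
    print("with DNS  :", check_flows(WITH_DNS_ACL))  # dns -> permit
```

The evaluator checks only the ACL; as the thread notes, a matching nat entry for the DMZ interface is still required for the permitted flows to actually reach the internet.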


