PIX 515e and the DMZ

July 3, 2004 12:03:06 PM

Archived from groups: comp.security.firewalls

I need my firewall to let traffic for mail (tcp port 25) from the
OUTSIDE int to the INSIDE int. I also need to allow traffic for SSH
(tcp port 22) from the OUTSIDE int to the DMZ. Right now only mail
gets through to its target server on the INSIDE int. Below is my config.
What could be wrong?

Here is my config. What could be wrong now?

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password BObnFRYhrLLX7XML encrypted
passwd a0Zhrf6icaFKoQsr encrypted
name 192.168.11.35 mx1

access-list acl_out permit tcp any host 207.97.140.22 eq smtp
access-list acl_out permit tcp any host 207.97.140.22 eq https
access-list acl_out permit tcp any host 207.97.140.130 eq ssh
access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 101 permit ip 192.168.22.0 255.255.255.0 192.168.15.0 255.255.255.0

mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 207.97.140.3 255.255.255.0
ip address inside 192.168.11.50 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.15.1-192.168.15.254
arp timeout 14400
global (outside) 1 207.97.140.200-207.97.140.225
global (outside) 1 207.97.140.226
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 207.97.140.22 mx1 netmask 255.255.255.255 0 0

static (dmz,outside) 209.97.140.130 192.168.100.41 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 207.97.140.1 1
route inside 192.168.0.0 255.255.255.0 192.168.11.1 1
route inside 192.168.22.0 255.255.255.0 192.168.11.1 1


Anonymous
July 4, 2004 12:59:30 AM

static (dmz,outside) 209.97.140.130 192.168.100.41 netmask 255.255.255.255 0 0

This should be

static (dmz,outside) 207.97.140.130 192.168.100.41 netmask 255.255.255.255 0 0

You have the wrong IP address on the outside part of the translation. Don't
worry, it took me about ten minutes to spot this one, and I have done the
same myself: a simple slip of the finger when typing in the address.

Regards,

Reg


"Mick" <mdm1@telx.com> wrote in message
news:77936935.0407030703.2c6ad235@posting.google.com...
> I need my firewall to let traffic for mail (tcp port 25) from the
> OUTSIDE int to the INSIDE int. I also need to allow traffic for SSH
> (tcp port 22) from the OUTSIDE int to the DMZ. Right now only mail
> gets through to its target server on the INSIDE int. Below is my config.
> What could be wrong?
>
> Here is my config. What could be wrong now?
>
> PIX Version 6.3(1)
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
> enable password BObnFRYhrLLX7XML encrypted
> passwd a0Zhrf6icaFKoQsr encrypted
> name 192.168.11.35 mx1
>
> access-list acl_out permit tcp any host 207.97.140.22 eq smtp
> access-list acl_out permit tcp any host 207.97.140.22 eq https
> access-list acl_out permit tcp any host 207.97.140.130 eq ssh
> access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.15.0 255.255.255.0
> access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.15.0 255.255.255.0
> access-list 101 permit ip 192.168.22.0 255.255.255.0 192.168.15.0 255.255.255.0
>
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> ip address outside 207.97.140.3 255.255.255.0
> ip address inside 192.168.11.50 255.255.255.0
> ip address dmz 192.168.100.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool ippool 192.168.15.1-192.168.15.254
> arp timeout 14400
> global (outside) 1 207.97.140.200-207.97.140.225
> global (outside) 1 207.97.140.226
> nat (inside) 0 access-list 101
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
>
> static (inside,outside) 207.97.140.22 mx1 netmask 255.255.255.255 0 0
>
> static (dmz,outside) 209.97.140.130 192.168.100.41 netmask 255.255.255.255 0 0
> static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
> access-group acl_out in interface outside
> route outside 0.0.0.0 0.0.0.0 207.97.140.1 1
> route inside 192.168.0.0 255.255.255.0 192.168.11.1 1
> route inside 192.168.22.0 255.255.255.0 192.168.11.1 1
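The slip Reg spotted (209.97.140.130 in the static versus 207.97.140.130 in acl_out) is the kind of mismatch a small consistency check catches faster than eyeballing a config. The script below is an added example written for this thread, not Cisco code or anything from the posters: it parses only the PIX 6.x statement types involved here (ip address, name, static, access-list, access-group), then reports any inbound access-list permit whose destination no static maps onto that interface, and any non-identity static whose mapped address lies outside the interface's own subnet. The embedded configuration is Mick's config from the post above with wrapped lines rejoined and statements irrelevant to the check (mtu, route, nat/global, passwords) dropped.

```python
"""Cross-check PIX 6.x inbound access-list entries against static translations.

Added example for this thread, not Cisco code. Two checks:
  ACL-NO-STATIC:     an inbound permit targets a host that no static maps
                     on the interface the ACL is applied to.
  STATIC-OFF-SUBNET: a static maps an address that is not on the mapped
                     interface's subnet (identity statics are skipped).
"""
import ipaddress
from dataclasses import dataclass

# Mick's configuration from the thread, wrapped lines rejoined, trimmed to the
# statements this check reads. The 209.97.140.130 typo is kept on purpose.
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
name 192.168.11.35 mx1
access-list acl_out permit tcp any host 207.97.140.22 eq smtp
access-list acl_out permit tcp any host 207.97.140.22 eq https
access-list acl_out permit tcp any host 207.97.140.130 eq ssh
access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.15.0 255.255.255.0
ip address outside 207.97.140.3 255.255.255.0
ip address inside 192.168.11.50 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0
static (inside,outside) 207.97.140.22 mx1 netmask 255.255.255.255 0 0
static (dmz,outside) 209.97.140.130 192.168.100.41 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
access-group acl_out in interface outside
"""


@dataclass
class Static:
    real_if: str     # interface the real (local) address lives on
    mapped_if: str   # interface the mapped (global) address is presented on
    mapped: str      # mapped address as written (may be a 'name' alias)
    real: str        # real address as written (may be a 'name' alias)
    mask: str


@dataclass
class AclEntry:
    name: str
    proto: str
    dst: ipaddress.IPv4Address
    port: str


def parse(config_text):
    interfaces, names, statics, acls, applied = {}, {}, [], [], {}
    for raw in config_text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"] and len(t) >= 5:
            interfaces[t[2]] = ipaddress.IPv4Network(f"{t[3]}/{t[4]}", strict=False)
        elif t[0] == "name" and len(t) >= 3:
            names[t[2]] = t[1]                      # alias -> address
        elif t[0] == "static" and "netmask" in t:
            real_if, mapped_if = t[1].strip("()").split(",")
            statics.append(Static(real_if, mapped_if, t[2], t[3], t[t.index("netmask") + 1]))
        elif t[0] == "access-list" and len(t) > 4 and t[2] == "permit":
            # Source spec is one token for 'any', two for 'host X' or 'net mask'.
            i = 5 if t[4] == "any" else 6
            if i + 1 < len(t) and t[i] == "host":   # only host destinations are checked
                port = t[t.index("eq") + 1] if "eq" in t else "any"
                acls.append(AclEntry(t[1], t[3], ipaddress.IPv4Address(t[i + 1]), port))
        elif t[0] == "access-group" and len(t) >= 5 and t[2] == "in":
            applied[t[1]] = t[4]                    # acl name -> inbound interface
    return interfaces, names, statics, acls, applied


def audit(config_text):
    interfaces, names, statics, acls, applied = parse(config_text)
    findings, mapped_on = [], {}
    for s in statics:
        mapped_addr = names.get(s.mapped, s.mapped)
        real_addr = names.get(s.real, s.real)
        net = ipaddress.IPv4Network(f"{mapped_addr}/{s.mask}", strict=False)
        mapped_on.setdefault(s.mapped_if, []).append(net)
        # Identity statics legitimately present an address from another subnet.
        if mapped_addr != real_addr and s.mapped_if in interfaces \
                and not net.subnet_of(interfaces[s.mapped_if]):
            findings.append(f"STATIC-OFF-SUBNET: static ({s.real_if},{s.mapped_if}) maps "
                            f"{mapped_addr} but {s.mapped_if} is {interfaces[s.mapped_if]}; "
                            f"check for a typo in the mapped address")
    for e in acls:
        iface = applied.get(e.name)
        if iface is None:
            continue                                # ACL not applied anywhere
        if not any(e.dst in net for net in mapped_on.get(iface, [])):
            findings.append(f"ACL-NO-STATIC: {e.name} permits {e.proto}/{e.port} to {e.dst} "
                            f"inbound on {iface}, but no static maps that address on {iface}")
    return findings


if __name__ == "__main__":
    for finding in audit(PIX_CONFIG):
        print(finding)
```

On the config as posted this reports both symptoms of the one typo: acl_out permits tcp/ssh to 207.97.140.130 with no static behind it, and the (dmz,outside) static presents 209.97.140.130, which is not on the outside interface's 207.97.140.0/24. With Reg's correction applied the audit returns nothing.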