
Need PIX Config recommendation

18 years 10 months ago #13260 by eeee
hi,
I have a PIX 525 with 2 DMZ interfaces, 1 inside, 1 outside. I'm having trouble pinging from DMZ to DMZ2, can you please tell me what's wrong in the config? I can ping the outside router x.x.x.190 from each DMZ but not vice versa...

Thanks

ee


PIX Version 7.0(4)
!
hostname pix525
!
interface Ethernet0
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address X.X.X.165 255.255.255.224
!
interface Ethernet1
description PRIVATE_SUBNET
nameif DMZ
security-level 50
ip address 10.168.11.254 255.255.255.0
!
interface Ethernet2
nameif DMZ2
security-level 30
ip address 10.168.16.254 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
no nameif
no security-level
no ip address
!
interface GigabitEthernet0
description inside_gi_fiber
nameif INSIDE
security-level 100
ip address X.X.X.158 255.255.255.248
!
ftp mode passive
access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN extended permit ip any any
access-list INSIDE_IN extended permit tcp any any
access-list INSIDE_IN extended permit udp any any
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit tcp any any
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any eq 500 any
access-list OUTSIDE_IN extended permit tcp any eq 50 any
access-list OUTSIDE_IN extended permit tcp any eq 51 any
access-list DMZ2_IN extended permit icmp any any
access-list DMZ2_IN extended permit ip any any
access-list DMZ2_IN extended permit udp any any
access-list DMZ2_IN extended permit tcp any any
access-list DMZ_IN extended permit ip any any
access-list DMZ_IN extended permit udp any any
access-list DMZ_IN extended permit tcp any any
access-list DMZ_IN extended permit icmp any any
pager lines 24
logging enable
logging timestamp
logging buffered informational
mtu OUTSIDE 1500
mtu DMZ 1500
mtu DMZ2 1500
mtu INSIDE 1500
no failover
asdm image flash:/asdm-504.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 x.x.x.171
global (OUTSIDE) 2 x.x.x.170
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (DMZ2) 2 0.0.0.0 0.0.0.0
nat (INSIDE) 0 0.0.0.0 0.0.0.0
access-group OUTSIDE_IN in interface OUTSIDE
access-group DMZ_IN in interface DMZ
access-group DMZ2_IN in interface DMZ2
access-group INSIDE_IN in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 X.X.X.190 1
route INSIDE X.X.168.0 255.255.254.0 X.X.X.155 1
route INSIDE X.X.X.128 255.255.255.128 X.X.X.155 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface OUTSIDE
isakmp enable OUTSIDE
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 1000
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
: end
18 years 10 months ago #13261 by havohej
The security level of each interface is the reason you can ping from the DMZs to the outside, but not from the outside to the DMZs.

The rule states that you can't ping from a low-level interface to a high-level interface, but you can from a high level to a low level; it is a general default rule in the firewall.


The same applies between the DMZs: you can't ping from the low-level interface to the high-level one.
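The security-level default is only one of three things a PIX 7.x checks before it lets a new connection start from one interface to another: the default (higher level to lower level allowed, lower to higher denied) only applies when no access-group is bound inbound on the source interface, an inbound access-group replaces that default, and, when nat-control is enabled, the flow must also match a nat/global pair, a static or identity nat 0 for the egress interface or it is dropped. The script below is an added example, not code from this thread or from Cisco. It parses a constructed excerpt of the config posted above and reports those three conditions for a few interface pairs. Whether nat-control is on is not visible in the posted excerpt, so it is an assumption exposed as a parameter; `static` entries are not modelled because the posted config has none.

```python
import re

# Constructed excerpt of the config posted in the thread (only the lines this check uses).
PIX_CONFIG = """
interface Ethernet0
 nameif OUTSIDE
 security-level 0
interface Ethernet1
 nameif DMZ
 security-level 50
interface Ethernet2
 nameif DMZ2
 security-level 30
interface GigabitEthernet0
 nameif INSIDE
 security-level 100
access-list OUTSIDE_IN extended permit ip any any
access-list DMZ_IN extended permit ip any any
access-list DMZ2_IN extended permit ip any any
access-list INSIDE_IN extended permit ip any any
global (OUTSIDE) 1 x.x.x.171
global (OUTSIDE) 2 x.x.x.170
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (DMZ2) 2 0.0.0.0 0.0.0.0
nat (INSIDE) 0 0.0.0.0 0.0.0.0
access-group OUTSIDE_IN in interface OUTSIDE
access-group DMZ_IN in interface DMZ
access-group DMZ2_IN in interface DMZ2
access-group INSIDE_IN in interface INSIDE
"""

ACE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (.*)")
ACCESS_GROUP = re.compile(r"access-group (\S+) in interface (\S+)")
GLOBAL = re.compile(r"global \((\S+)\) (\d+)")
NAT = re.compile(r"nat \((\S+)\) (\d+)")


def parse_pix(config):
    """Collect security levels, inbound ACLs and nat/global ids, keyed by nameif."""
    cfg = {"levels": {}, "acl_on": {}, "acls": {}, "nat": {}, "global": {}}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None  # new interface block; its nameif follows
        elif line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current:
            cfg["levels"][current] = int(line.split()[1])
        elif m := ACE.match(line):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := ACCESS_GROUP.match(line):
            cfg["acl_on"][m[2]] = m[1]
        elif m := GLOBAL.match(line):
            cfg["global"].setdefault(m[1], set()).add(int(m[2]))
        elif m := NAT.match(line):
            cfg["nat"].setdefault(m[1], set()).add(int(m[2]))
    return cfg


def acl_permits(aces, proto):
    """First-match evaluation of 'any any' entries; no match is the implicit deny."""
    for action, p, rest in aces:
        if p in (proto, "ip") and rest.startswith("any any"):
            return action == "permit"
    return False


def can_initiate(cfg, src, dst, proto="icmp", nat_control=True):
    """Return (allowed, reasons) for a new `proto` flow entering src and leaving dst."""
    reasons = []
    acl = cfg["acl_on"].get(src)
    if acl is None:
        allowed = cfg["levels"][src] > cfg["levels"][dst]
        reasons.append(f"no access-group on {src}: security-level default "
                       f"{'permits' if allowed else 'denies'} {src}->{dst}")
    else:
        allowed = acl_permits(cfg["acls"].get(acl, []), proto)
        reasons.append(f"access-group {acl} on {src} {'permits' if allowed else 'denies'} "
                       f"{proto} (the ACL replaces the security-level default)")
    if allowed and nat_control:  # assumption: nat-control enabled on this unit
        nat_ids = cfg["nat"].get(src, set())
        paired = nat_ids & cfg["global"].get(dst, set())
        if 0 in nat_ids:
            reasons.append(f"nat (0) on {src}: identity translation, no global needed")
        elif paired:
            reasons.append(f"nat id {sorted(paired)} on {src} pairs with a global on {dst}")
        else:
            allowed = False
            reasons.append(f"nat-control: nat id(s) {sorted(nat_ids)} on {src} have no "
                           f"global on {dst} and no static, so the flow is dropped")
    return allowed, reasons


if __name__ == "__main__":
    cfg = parse_pix(PIX_CONFIG)
    for src, dst in (("DMZ", "OUTSIDE"), ("DMZ", "DMZ2"), ("OUTSIDE", "DMZ")):
        ok, why = can_initiate(cfg, src, dst)
        print(f"{src:8}-> {dst:8}: {'allowed' if ok else 'DROPPED'}; " + "; ".join(why))
```

Run against the excerpt, DMZ to OUTSIDE is allowed (DMZ_IN permits it and nat id 1 has a global on OUTSIDE), while DMZ to DMZ2 passes the ACL but has no global on DMZ2 for nat id 1, so it is dropped if nat-control is on and passes untranslated if it is off; that missing pairing, not the security levels, is the first thing to check for the DMZ-to-DMZ2 case. Two caveats from the posted config itself: the global_policy has no `inspect icmp`, so echo replies are not matched to a connection and must be permitted by the ACL on the interface where the reply arrives (DMZ2_IN and DMZ_IN permit ip any any, so they are); and the OUTSIDE_IN entries for `tcp any eq 500/50/51 any` match nothing useful, since ISAKMP is UDP/500 and ESP and AH are IP protocols 50 and 51, while the `permit ip any any` above them already admits everything the translations allow.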