traffic from one DMZ to other DMZ
18 years 8 months ago #13357
by eeee
hi all,
I have two DMZs (DMZ and DMZ2). From DMZ2 (security level 30) to DMZ (security level 50) I can get to the file server and the telnet server (just for testing), but ping does not work. But from the higher security level DMZ to the lower DMZ2 I cannot access anything. I suspect my static entries are not correct. I opened all ports for all traffic to see whether it is working.
what's wrong with the config?
thanks
Ercan
PIX Version 7.0(4)
!
hostname pix525
domain-name net.usf.edu
enable password 57PHczSbnXbPilxu encrypted
names
!
interface Ethernet0
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 11.247.47.165 255.255.255.224
!
interface Ethernet1
description PRIVATE_SUBNET
nameif DMZ
security-level 50
ip address 10.168.11.254 255.255.255.0
!
interface Ethernet2
nameif DMZ2
security-level 30
ip address 10.168.16.254 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
no nameif
no security-level
no ip address
!
interface GigabitEthernet0
description inside_gi_fiber
nameif INSIDE
security-level 100
ip address 11.247.47.158 255.255.255.248
!
ftp mode passive
access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN extended permit ip any any
access-list INSIDE_IN extended permit tcp any any
access-list INSIDE_IN extended permit udp any any
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit tcp any any
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any eq 500 any
access-list OUTSIDE_IN extended permit tcp any eq 50 any
access-list OUTSIDE_IN extended permit tcp any eq 51 any
access-list DMZ2_IN extended permit icmp any any
access-list DMZ2_IN extended permit ip any any
access-list DMZ2_IN extended permit udp any any
access-list DMZ2_IN extended permit tcp any any
access-list DMZ_IN extended permit icmp any any
access-list DMZ_IN extended permit ip any any
access-list DMZ_IN extended permit udp any any
access-list DMZ_IN extended permit tcp any any
pager lines 24
logging enable
logging timestamp
logging buffered debugging
mtu OUTSIDE 1500
mtu DMZ 1500
mtu DMZ2 1500
mtu INSIDE 1500
no failover
asdm image flash:/asdm-504.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 2 11.247.47.170
global (OUTSIDE) 1 11.247.47.171
nat (DMZ) 1 10.168.11.0 255.255.255.0
nat (DMZ2) 1 10.168.16.0 255.255.255.0
nat (INSIDE) 0 0.0.0.0 0.0.0.0
static (DMZ,DMZ2) tcp 10.168.11.10 telnet 10.168.11.10 telnet netmask 255.255.255.255
static (DMZ,DMZ2) tcp 10.168.11.10 445 10.168.11.10 445 netmask 255.255.255.255
static (DMZ2,DMZ) tcp 10.168.16.10 telnet 10.168.16.10 telnet netmask 255.255.255.255
static (DMZ,OUTSIDE) 11.247.47.173 10.168.11.10 netmask 255.255.255.255
access-group OUTSIDE_IN in interface OUTSIDE
access-group DMZ_IN in interface DMZ
access-group DMZ2_IN in interface DMZ2
access-group INSIDE_IN in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 11.247.47.190 1
route INSIDE 11.247.168.0 255.255.254.0 11.247.47.155 1
route INSIDE 11.247.171.128 255.255.255.128 11.247.47.155 1
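No reply is on the page, so the following is an added example, not the poster's config and not an answer from the thread. It shows the usual way to allow traffic between two DMZ interfaces on PIX 7.0 with the interfaces and addresses from the post, and two checks a practitioner would want. Points it relies on: a `static ... tcp ... telnet` entry creates a translation for that single TCP port only, so ICMP toward that host from DMZ2 has no xlate; `nat (DMZ) 1` has a matching `global` only on OUTSIDE, so there is no translation for DMZ hosts leaving via DMZ2; NAT exemption (`nat 0 access-list`) is bidirectional and protocol-independent. The ACL name `DMZ_NONAT` and the tightened `DMZ2_IN` entries are assumptions about what the servers actually need.

```text
! ---- added example, not the original post's configuration ----
! Assumed as in the post: DMZ = 10.168.11.0/24 (level 50), DMZ2 = 10.168.16.0/24
! (level 30); nat id 1 on DMZ/DMZ2 has a global address only on OUTSIDE.

! 1. Remove the per-port statics. Each one translates exactly one TCP port,
!    so from DMZ2 only telnet and 445 to 10.168.11.10 have a translation;
!    ICMP echo to the same host has none, which is why ping fails while
!    telnet and file sharing work.
no static (DMZ,DMZ2) tcp 10.168.11.10 telnet 10.168.11.10 telnet netmask 255.255.255.255
no static (DMZ,DMZ2) tcp 10.168.11.10 445 10.168.11.10 445 netmask 255.255.255.255
no static (DMZ2,DMZ) tcp 10.168.16.10 telnet 10.168.16.10 telnet netmask 255.255.255.255

! 2. Exempt DMZ<->DMZ2 traffic from NAT (NAT exemption). This is evaluated
!    before "nat (DMZ) 1", is bidirectional and covers every protocol, so it
!    serves both the DMZ2->DMZ direction the statics handled and the DMZ->DMZ2
!    direction that currently has no translation at all. "DMZ_NONAT" is an
!    assumed name.
access-list DMZ_NONAT extended permit ip 10.168.11.0 255.255.255.0 10.168.16.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_NONAT

! 3. Check: with the old config, DMZ->DMZ2 attempts show up in the buffered
!    log as "No translation group found" (syslog 305005); after step 2 they
!    should stop and "show xlate" should list no entries for the DMZ pair.
show logging | include 305005
show xlate

! 4. Once it works, replace the "permit ip any any" test entries with the
!    services actually in use. Assumed example for DMZ2 -> DMZ; ICMP echo is
!    permitted explicitly, and the reply is accepted by DMZ_IN as long as that
!    ACL still permits icmp (PIX 7.0 does not track ICMP statefully unless
!    "inspect icmp" is enabled in the global policy).
no access-list DMZ2_IN extended permit ip any any
no access-list DMZ2_IN extended permit tcp any any
no access-list DMZ2_IN extended permit udp any any
no access-list DMZ2_IN extended permit icmp any any
access-list DMZ2_IN extended permit tcp 10.168.16.0 255.255.255.0 host 10.168.11.10 eq telnet
access-list DMZ2_IN extended permit tcp 10.168.16.0 255.255.255.0 host 10.168.11.10 eq 445
access-list DMZ2_IN extended permit icmp 10.168.16.0 255.255.255.0 10.168.11.0 255.255.255.0 echo

! 5. Unrelated to the DMZ question but worth fixing: the three OUTSIDE_IN
!    entries for VPN traffic are written as TCP ports. ISAKMP is UDP/500 and
!    ESP/AH are IP protocols 50 and 51, not ports. They are only needed for
!    IPsec that passes through the PIX to an inside peer; IPsec terminating
!    on the PIX itself is not filtered by the interface ACL.
no access-list OUTSIDE_IN extended permit tcp any eq 500 any
no access-list OUTSIDE_IN extended permit tcp any eq 50 any
no access-list OUTSIDE_IN extended permit tcp any eq 51 any
access-list OUTSIDE_IN extended permit udp any host 11.247.47.173 eq isakmp
access-list OUTSIDE_IN extended permit esp any host 11.247.47.173
access-list OUTSIDE_IN extended permit ah any host 11.247.47.173
```

Step 2 replaces the per-host statics because identity NAT exemption already lets hosts on both DMZs initiate to each other; whether a given connection is then allowed is decided only by the interface ACLs, which is where step 4 does the actual restricting. The OUTSIDE_IN test entries (`permit ip any any` on the outside interface) deserve the same treatment as step 4 before the box carries production traffic, and a posted configuration should have the `enable password` hash removed first.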