You guys may want to ask this on the CCIE Security list as well :-)

http://www.groupstudy.com/list/security.html

Paul

"Gaz" wrote in message news:[EMAIL PROTECTED]...
> Can't see anything wrong. Have you done a 'clear xlate', and if necessary a
> reboot?
> Otherwise can't see anything, as long as IP config is OK on devices on DMZ.
>
> Gaz
>
> "cage" wrote in message
> news:[EMAIL PROTECTED]...
> > The following is my configuration of pix 525, now the nodes in the dmz cannot
> > connect to the outside, why?
> > and do I have to use the NAT command for the traffic from the dmz to the
> > outside. It seems that the pix can't route the dmz traffic to the outside.
> > help me! please!
> >
> > sh conf
> > : Saved
> > :
> > PIX Version 6.0(1)
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > nameif ethernet2 dmz security50
> > nameif ethernet3 intf3 security15
> > nameif ethernet4 intf4 security20
> > enable password 8Ry2YjIyt7RRXU24 encrypted
> > passwd 2KFQnbNIdI.2KYOU encrypted
> > hostname pixfirewall
> > fixup protocol ftp 21
> > fixup protocol http 80
> > fixup protocol h323 1720
> > fixup protocol rsh 514
> > fixup protocol smtp 25
> > fixup protocol sqlnet 1521
> > fixup protocol sip 5060
> > fixup protocol skinny 2000
> > names
> > access-list acl_in permit tcp any host 202.99.33.69 eq smtp
> > access-list acl_in permit tcp any host 202.99.33.72 eq www
> > access-list acl_in permit tcp any host 202.99.33.66 eq domain
> > access-list acl_in permit tcp any host 202.99.33.67 eq domain
> > access-list acl_in permit icmp any any
> > access-list ping_acl permit icmp any any
> > pager lines 30
> > interface ethernet0 auto
> > interface ethernet1 auto
> > interface ethernet2 auto
> > interface ethernet3 auto shutdown
> > interface ethernet4 auto shutdown
> > mtu outside 1500
> > mtu inside 1500
> > mtu dmz 1500
> > mtu intf3 1500
> > mtu intf4 1500
> > ip address outside 210.82.34.29 255.255.255.0
> > ip address inside 192.168.4.1 255.255.255.0
> > ip address dmz 202.99.33.254 255.255.255.0
> > ip address intf3 127.0.0.1 255.255.255.255
> > ip address intf4 127.0.0.1 255.255.255.255
> > ip audit info action alarm
> > ip audit attack action alarm
> > no failover
> > failover timeout 0:00:00
> > failover poll 15
> > failover ip address outside 0.0.0.0
> > failover ip address inside 0.0.0.0
> > failover ip address dmz 0.0.0.0
> > failover ip address intf3 0.0.0.0
> > failover ip address intf4 0.0.0.0
> > pdm history enable
> > arp timeout 14400
> > global (dmz) 1 202.99.33.73 netmask 255.255.255.0
> > nat (inside) 1 0 0
> > nat (dmz) 0 202.99.33.0 255.255.255.0 0 0
> > static (dmz,outside) 202.99.33.69 202.99.33.69 netmask 255.255.255.255 0 0
> > static (dmz,outside) 202.99.33.72 202.99.33.72 netmask 255.255.255.255 0 0
> > static (dmz,outside) 202.99.33.66 202.99.33.66 netmask 255.255.255.255 0 0
> > static (dmz,outside) 202.99.33.67 202.99.33.67 netmask 255.255.255.255 0 0
> > access-group acl_in in interface outside
> > access-group ping_acl in interface dmz
> > route outside 0.0.0.0 0.0.0.0 210.82.34.25 1
> > timeout xlate 3:00:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
> > 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server RADIUS protocol radius
> > no snmp-server location
> > no snmp-server contact
> > snmp-server community public
> > no snmp-server enable traps
> > floodguard enable
> > no sysopt route dnat
> > telnet timeout 5
> > ssh timeout 5
> > terminal width 80
> > Cryptochecksum:3be86ece2c90058e0c9190f986717d63
> >
> > pixfirewall#




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=33273&t=33184
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
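As an added example (my own audit script, not code from the thread or from Cisco), here is a small Python check of the two PIX 6.x statements that decide whether DMZ hosts can reach a lower-security interface: an access-group bound to an interface replaces the default permit for high-to-low traffic with that ACL plus its implicit deny, and a nat or static entry must cover the source address. The config text embedded below is a constructed subset of the posted configuration.

```python
import ipaddress

# Constructed excerpt of a PIX 6.x configuration (a subset of the posted one).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list acl_in permit tcp any host 202.99.33.69 eq smtp
access-list ping_acl permit icmp any any
nat (inside) 1 0 0
nat (dmz) 0 202.99.33.0 255.255.255.0 0 0
access-group acl_in in interface outside
access-group ping_acl in interface dmz
"""

def parse_config(text):
    """Collect the statements that decide whether outbound traffic is allowed."""
    cfg = {"security": {}, "acls": {}, "groups": {}, "nat": []}
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "nameif":            # nameif ethernetN NAME securityLEVEL
            cfg["security"][w[2]] = int(w[3][len("security"):])
        elif w[0] == "access-list":     # access-list NAME permit|deny PROTO ...
            cfg["acls"].setdefault(w[1], []).append((w[2], w[3]))
        elif w[0] == "access-group":    # access-group NAME in interface IFACE
            cfg["groups"][w[4]] = w[1]
        elif w[0] == "nat":             # nat (IFACE) ID NET MASK ...  ("0 0" = any)
            net = "0.0.0.0/0" if w[3] == "0" else f"{w[3]}/{w[4]}"
            cfg["nat"].append((w[1].strip("()"), int(w[2]), ipaddress.ip_network(net)))
    return cfg

def outbound_permits(cfg, iface):
    """Protocols hosts on IFACE may send toward lower-security interfaces.
    None means no ACL is bound, so the PIX default applies (all outbound
    traffic permitted); otherwise only the listed protocols pass, the rest
    being dropped by the implicit deny at the end of the bound ACL."""
    acl = cfg["groups"].get(iface)
    if acl is None:
        return None
    return {proto for action, proto in cfg["acls"].get(acl, []) if action == "permit"}

def nat_id_for(cfg, iface, host):
    """ID of the nat statement covering HOST on IFACE (0 = no translation), else None."""
    addr = ipaddress.ip_address(host)
    for nat_iface, nat_id, net in cfg["nat"]:
        if nat_iface == iface and addr in net:
            return nat_id
    return None
```

Run against the excerpt, the dmz interface reports only icmp permitted outbound while inside reports no restriction, and the 202.99.33.0/24 hosts are covered by nat 0 (passed untranslated).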