You did not add global and NAT statements for your DMZ. This will only allow your DMZ hosts to access the internet. The next step is you have to create a static of the form:

static (higher-security,lower-security) global-ip local-ip netmask 255.255.255.255

The next step is you need to create an access list and apply it to your outside interface for the services you want to permit to hosts in your DMZ.

At 07:02 PM 4/2/2002 -0500, Brian Guild wrote:
>Guys,
>
>I am having significant trouble configuring my PIX525 firewall. Clients
>inside WILL NOT communicate to the outside and vice-versa. I can't ping...I
>can't do anything at all, even when I hook up directly to one of the
>interfaces with my laptop. I am wondering if someone could look over my
>configuration to correct it. Here are my intentions:
>
>1) All "inside" clients will be numbered with class C addresses of 10.x.x.x.
>2) All "inside" clients can reach the outside public internet
>3) Outside interface will be assigned 1 IP address and all outgoing
>communications should be sent through that IP
>4) Other outside IPs in the range of 76-125 will be able to be statically
>mapped back to the internal addresses.
>5) The DMZ will have addresses in the range of 192.168.x.x and those
>addresses will be mapped back statically to the following public IPs
>allocated to the DMZ: x.y.z.70-x.y.z.75.
>6) I would like the outside interface to use x.y.z.65
>
>Could someone please take a look at the current running config below and let
>me know what I am doing wrong?
>
>Thank you,
>
>Brian
>
>PIX Version 6.1(1)110
>nameif ethernet0 outside security0
>nameif ethernet1 inside security 100
>nameif ethernet2 dmz security10
>enable password xxxxx encrypted
>password xxxxx encrypted
>hostname pixfirewall
>domain-name body1.com
>fixup protocol ftp 21
>fixup protocol http 80
>fixup protocol h323 1720
>fixup protocol rsh 514
>fixup protocol rtsp 554
>fixup protocol smtp 25
>fixup protocol sqlnet 1521
>fixup protocol sip 5060
>fixup protocol skinny 2000
>names
>pager lines 24
>interface ethernet0 10full
>interface ethernet1 100full
>interface ethernet2 100full
>mtu outside 1500
>mtu inside 1500
>mtu dmz 1500
>ip address outside x.y.z.65 255.255.255.192
>ip address inside 10.0.0.1 255.255.255.0
>ip address dmz 192.168.0.1 255.255.255.0
>ip audit info action alarm
>ip audit attack action alarm
>no failover
>failover timeout 0:00:00
>failover poll 15
>failover ip address outside 0.0.0.0
>failover ip address inside 0.0.0.0
>failover ip address dmz 0.0.0.0
>pdm history enable
>arp timeout 14400
>global (outside) 1 x.y.z.66
>nat (inside) 1 0.0.0.0 0.0.0.0 0 0
>route outside 0.0.0.0 0.0.0.0 x.y.z.67 1
>timeout xlate 3:00:00
>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
>timeout uauth 0:05:00 absolute
>aaa-server TACACS+ protocol tacacs+
>aaa-server RADIUS protocol radius
>http server enable
>http 10.1.1.10 255.255.255.255 inside
>no snmp-server location
>no snmp-server contact
>snmp-server community public
>no snmp-server enable traps
>floodguard enable
>no sysopt route dnat
>telnet 10.0.0.0 255.255.255.0 inside
>telnet timeout 5
>ssh timeout 5
>terminal width 80
>
>_______________________________________________
>Firewalls mailing list
>[EMAIL PROTECTED]
>http://lists.gnac.net/mailman/listinfo/firewalls
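The DMZ pieces the reply describes (nat/global, static, access list), written out for PIX 6.1 with the addresses from Brian's post; this is an added example, not configuration from either message. x.y.z is the public prefix placeholder from the post, and the DMZ hosts 192.168.0.10 (web) and 192.168.0.11 (mail) are assumed.

```cisco
! Added example (not from the list thread): DMZ NAT and filtering for PIX 6.1,
! using Brian's addressing. x.y.z = his public prefix placeholder;
! 192.168.0.10 (web) and 192.168.0.11 (mail) are assumed DMZ hosts.

! 1. Let DMZ hosts reach the internet through the existing global pool 1
!    (global (outside) 1 x.y.z.66 is already in the posted config).
nat (dmz) 1 192.168.0.0 255.255.255.0 0 0

! 2. Identity static so inside hosts can reach the DMZ with their own 10.0.0.x
!    addresses; with nat (inside) 1 0 0 every inside flow otherwise needs a
!    translation, and there is no global pool on the dmz interface.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0

! 3. One-to-one statics: public x.y.z.70-.71 map to the DMZ servers.
static (dmz,outside) x.y.z.70 192.168.0.10 netmask 255.255.255.255 0 0
static (dmz,outside) x.y.z.71 192.168.0.11 netmask 255.255.255.255 0 0

! 4. Permit only the published services from the outside. The statics alone
!    open nothing: lower-to-higher traffic is denied until an access list
!    (or conduit) allows it, and the list ends with an implicit deny.
access-list outside_in permit tcp any host x.y.z.70 eq www
access-list outside_in permit tcp any host x.y.z.71 eq smtp
access-group outside_in in interface outside
```

Separately from the NAT problem, the quoted config still carries the default `snmp-server community public`; a non-default community string (or `no snmp-server`) is worth setting before the box goes live.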
