Posted by jywu1@hotmail.com on December 8, 2005, 2:53 pm
Hello,
I set up a PIX 515E firewall with three interfaces: inside
(192.168.35.5), outside, and DMZ (172.30.50.20).
There is an application server with a public IP address on a remote site
connected to the PIX DMZ interface.
The computers on the inside network should telnet to the remote server in
the DMZ, and the remote server will send print jobs back to the printers on
the inside network.
I have put an access-list on the DMZ interface to permit TCP traffic on
ports 515 (LPD) and 9100.
The computers can telnet to the remote server without problem, but when a
user requests printing, the remote server cannot send the print job back
to the printers on the inside network.
PIX 515E shows:
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/729 dst inside:192.168.1.158/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/721 dst inside:192.168.1.50/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/726 dst inside:192.168.1.25/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/727 dst inside:192.168.1.39/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/60585 dst inside:192.168.1.114/9100
(Note: if I replace the PIX firewall with a router configured for plain
routing with no NAT, everything works fine.)
Part of the PIX 515 configuration follows:
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
access-list 110 permit tcp 209.120.100.0 255.255.255.0 range 721 731 192.168.1.0 255.255.255.0 eq lpd
access-list 110 permit tcp 209.120.100.0 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet
access-list 110 permit tcp 209.120.100.0 255.255.255.0 range 721 731 192.168.1.0 255.255.255.0 eq 9100
ip address inside 192.168.35.5 255.255.255.0
ip address dmz 172.30.50.20 255.255.255.248
nat (inside) 0 192.168.1.0 255.255.255.0 0 0
nat (intf2) 0 209.120.100.0 255.255.255.0 0 0
access-group 110 in interface dmz
route dmz 209.120.100.0 255.255.255.0 172.30.50.17 1
route inside 192.168.1.0 255.255.255.0 192.168.35.10 1
Looking at the traffic log on the PIX firewall, the access-list doesn't seem
to be applied to the DMZ interface, because when I show access-list, the
hit count is 0.
Is there something wrong in my configuration?
Your help will be appreciated.
Thank you.
JY
Posted by Wil on December 8, 2005, 5:02 pm
You will also need a static.
Wil
my 3¢
Posted by Wil on December 8, 2005, 5:14 pm
Just noticed that you have a nat 0 on each interface... The PIX isn't a
router; AFAIK you will always need to NAT from a lower to a higher interface.
Try this:
! This allows basic Internet usage
global (outside) 1 interface
nat (inside) 1 0 0
nat (dmz) 1 0 0
! This creates a nat from the dmz to the inside
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
happy hunting!
Wil
my 3¢
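As an added check (my own code, not from the thread or from Cisco), the script below parses the relevant lines of JY's fragment and applies to each logged deny the two conditions Wil's replies rely on: on PIX 6.x a flow from a lower-security to a higher-security interface needs a translation for the inside host (a static, or nat 0 with an access-list), and the inbound ACL on the DMZ interface must also permit it. It assumes the PIX 6.x order of checks (translation lookup before the inbound ACL, which is consistent with the zero hit count JY reports), that the dst in the syslog line is the real inside address, and it parses only the keywords shown; the sample config and log lines are constructed from the thread. Note that the second sample deny (source port 60585 to 9100) still fails the ACL even with Wil's static added, because the posted 9100 rule restricts the source port to 721-731.

```python
"""Check a PIX 6.x 'Deny inbound' line against the config: translation present AND inbound ACL permit?
Added example, not from the thread. Assumes PIX 6.x looks up a translation for the destination before
evaluating the inbound ACL, that the syslog dst is the real address, and parses only a syntax subset."""
import ipaddress
import re

PORT_NAMES = {"lpd": 515, "telnet": 23, "www": 80, "https": 443, "ssh": 22, "smtp": 25}

# Constructed from JY's posted fragment; lines the parser does not know (ip address, route) are ignored.
POSTER_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
access-list 110 permit tcp 209.120.100.0 255.255.255.0 range 721 731 192.168.1.0 255.255.255.0 eq lpd
access-list 110 permit tcp 209.120.100.0 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet
access-list 110 permit tcp 209.120.100.0 255.255.255.0 range 721 731 192.168.1.0 255.255.255.0 eq 9100
nat (inside) 0 192.168.1.0 255.255.255.0 0 0
access-group 110 in interface dmz
"""
WIL_FIX = "static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0\n"  # Wil's suggestion
LOG_LINES = [  # two of the denies JY posted
    "%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/729 dst inside:192.168.1.158/515",
    "%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/60585 dst inside:192.168.1.114/9100",
]
LOG_RE = re.compile(r"Deny inbound (\w+) src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+)")


def _addr(t, i):
    """'any' | 'host A' | 'A MASK' at t[i] -> (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _ports(t, i):
    """Optional 'eq P' | 'range A B' at t[i] -> ((lo, hi), next index); names resolved via PORT_NAMES."""
    p = lambda tok: PORT_NAMES.get(tok) or int(tok)
    if i < len(t) and t[i] == "eq":
        return (p(t[i + 1]), p(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (p(t[i + 1]), p(t[i + 2])), i + 3
    return (0, 65535), i


def parse_config(text):
    cfg = {"security": {}, "acls": {}, "groups": {}, "statics": [], "nat0_acl": []}
    for t in (line.split() for line in text.splitlines()):
        if not t:
            continue
        if t[0] == "nameif":  # nameif HW NAME securityN
            cfg["security"][t[2].lower()] = int(t[3].replace("security", ""))
        elif t[0] == "access-list":  # access-list NAME permit|deny PROTO SRC [PORTS] DST [PORTS]
            src, i = _addr(t, 4)
            sp, i = _ports(t, i)
            dst, i = _addr(t, i)
            dp, i = _ports(t, i)
            cfg["acls"].setdefault(t[1], []).append((t[2], t[3], src, sp, dst, dp))
        elif t[0] == "access-group":  # access-group NAME in interface IF
            cfg["groups"][t[4].lower()] = t[1]
        elif t[0] == "static":  # static (real_if,mapped_if) MAPPED REAL [netmask M]
            real_if, mapped_if = t[1].strip("()").lower().split(",")
            mask = t[5] if len(t) > 5 and t[4] == "netmask" else "255.255.255.255"
            cfg["statics"].append((real_if, mapped_if, ipaddress.ip_network(f"{t[3]}/{mask}", strict=False)))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":  # nat (IF) 0 access-list NAME
            cfg["nat0_acl"].append((t[1].strip("()").lower(), t[4]))
        # plain 'nat (IF) 0 NET MASK' only exempts flows the higher side initiates, so it is not recorded
    return cfg


def _acl_permits(cfg, name, proto, src, sport, dst, dport):
    """First matching line wins; no match is the implicit deny."""
    for action, p, snet, sp, dnet, dp in cfg["acls"].get(name, []):
        if p in (proto, "ip") and src in snet and dst in dnet and sp[0] <= sport <= sp[1] and dp[0] <= dport <= dp[1]:
            return action == "permit"
    return False


def _has_translation(cfg, high_if, low_if, real_ip):
    """Lower->higher needs a static (high,low), or 'nat (high) 0 access-list' whose permits cover the host."""
    if any(r == high_if and m == low_if and real_ip in net for r, m, net in cfg["statics"]):
        return True
    return any(ifc == high_if and any(a == "permit" and real_ip in snet for a, _, snet, _, _, _ in cfg["acls"].get(acl, []))
               for ifc, acl in cfg["nat0_acl"])


def explain(cfg, logline):
    """Reasons the logged flow is denied; an empty list means the config should let it through."""
    proto, sif, sip, sport, dif, dip, dport = LOG_RE.search(logline).groups()
    sif, dif, sport, dport = sif.lower(), dif.lower(), int(sport), int(dport)
    sip, dip = ipaddress.ip_address(sip), ipaddress.ip_address(dip)
    reasons = []
    # Assumed PIX 6.x order: translation lookup first, so a miss here never reaches the ACL (hitcount stays 0).
    if cfg["security"][sif] < cfg["security"][dif] and not _has_translation(cfg, dif, sif, dip):
        reasons.append(f"no static ({dif},{sif}) or nat ({dif}) 0 access-list covers {dip}")
    acl = cfg["groups"].get(sif)
    if acl is None:
        reasons.append(f"no access-group applied inbound on {sif}")
    elif not _acl_permits(cfg, acl, proto, sip, sport, dip, dport):
        reasons.append(f"access-list {acl} has no permit for {proto} {sip}/{sport} -> {dip}/{dport}")
    return reasons


if __name__ == "__main__":
    for label, text in (("as posted", POSTER_CONFIG), ("with Wil's static", POSTER_CONFIG + WIL_FIX)):
        cfg = parse_config(text)
        for line in LOG_LINES:
            print(f"{label}: {line.split(': ', 1)[1]} -> {explain(cfg, line) or ['would pass']}")
```

Run it as-is and it reports, for each deny, which of the two conditions fails before and after Wil's static is appended; feed it your own `show run` fragment and a `show logging` excerpt by replacing the two constructed strings.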
Posted by GI on December 15, 2005, 6:27 am
http://echkelon.blogspot.com/