Firewall Wizards mailing list archives

DMZ traffic out to internet with PIX 515


From: "Paul Madore" <dexteroc () hotmail com>
Date: Fri, 05 Jan 2007 14:47:51 -0800

I have a PIX 515 running 6.3 with three interfaces including inside, outside and DMZ. I have a webserver in the DMZ that receives traffic on 80 and 443. Currently no traffic can go out of the DMZ to the inside or outside interfaces. My problem is: I want to be able to get out to the internet from the DMZ. Here are the relevant entries in my config minus public IPs. I am thinking I need a NAT and GLOBAL entry, and I tried that, but the global entry killed all incoming traffic to the DMZ; maybe I just had the entry wrong... Thanks


nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security50
access-list acl_out permit tcp any host <public.ip> eq www
access-list acl_out permit tcp any host <public.ip> eq https
access-list acl_out permit tcp any host <public.ip> eq smtp
access-list acl_out permit icmp any any
access-list acl_out permit tcp any interface outside
access-list acl_out permit tcp any eq pop3 host <public.ip> eq pop3
access-list acl_out permit tcp any eq smtp host <public.ip> eq smtp
access-list acl_out permit tcp any eq ftp host <public.ip> eq ftp
access-list dmz_out permit icmp any any
access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
access-list inside_outbound_nat0_acl permit ip any vpn_mobile 255.0.0.0
access-list outside_cryptomap_dyn_20 permit ip any vpn_mobile 255.0.0.0
ip address outside <public.ip> 255.255.255.224
ip address inside 1.141.1.99 255.0.0.0
ip address DMZ1 10.0.0.1 255.255.255.0
ip local pool mobile 1.141.4.1-1.141.4.15
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 vpn_mobile 255.0.0.0 0 0
static (DMZ1,outside) tcp <public.ip> www 10.0.0.3 www netmask 255.255.255.255 0 0
static (DMZ1,outside) tcp <public.ip> https 10.0.0.3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp <public.ip> smtp 1.1.1.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 IPO 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 email 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 email 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https email https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp email pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface nntp email nntp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 email pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp email smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp email ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www email www netmask 255.255.255.255 0 0
static (inside,DMZ1) vpn_mobile vpn_mobile netmask 255.0.0.0 0 0
access-group acl_out in interface outside
access-group dmz_out in interface DMZ1
route outside 0.0.0.0 0.0.0.0 <public.ip> 1


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
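A worked DMZ-egress configuration for the setup in the message above, added here as an example; it is not part of the original post and not a reply from the list. It reuses the existing "global (outside) 1 interface" for PAT, so no second global statement is introduced, and it assumes the addressing exactly as posted (DMZ1 10.0.0.0/24, inside 1.0.0.0/8, web server 10.0.0.3); the decision to rebuild dmz_out in a specific order and to deny the inside range explicitly is mine, not the poster's.

```text
! Added example (not from the thread): DMZ -> internet on PIX 6.3.
! Assumes DMZ1 = 10.0.0.0/24, inside = 1.0.0.0/8 as in the posted config.

! 1. Put the DMZ subnet into NAT pool 1. Pool 1 already has
!    "global (outside) 1 interface", so DMZ hosts are PAT'd to the
!    outside interface address on the way out. The port statics for
!    10.0.0.3 (www/https) keep handling inbound to the web server.
nat (DMZ1) 1 10.0.0.0 255.255.255.0 0 0

! 2. dmz_out is bound inbound on DMZ1 and ends in an implicit deny, so
!    today it permits only ICMP and the one TCP range to 1.1.1.1.
!    Rebuild it in order: keep the explicit inside exception, deny the
!    rest of the inside range (which also covers the 1.141.4.x VPN pool),
!    then let everything else from the DMZ subnet go to the internet.
no access-group dmz_out in interface DMZ1
no access-list dmz_out
access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
access-list dmz_out deny ip 10.0.0.0 255.255.255.0 1.0.0.0 255.0.0.0
access-list dmz_out permit icmp any any
access-list dmz_out permit ip 10.0.0.0 255.255.255.0 any
access-group dmz_out in interface DMZ1

! 3. Verify: an outbound connection from a DMZ host should show a PAT
!    entry to the outside interface address, and the hit counters on
!    dmz_out should show which line matched.
show xlate
show access-list dmz_out
```

Two points a reviewer would check on the posted config while making this change. First, DMZ -> inside stays blocked even after "nat (DMZ1) 1" is added, because there is no "global (inside)" for pool 1 and PIX 6.3 drops untranslated traffic; the deny line above makes that intent explicit rather than incidental, and also covers the VPN pool reachable through "static (inside,DMZ1) vpn_mobile". Second, "access-list acl_out permit tcp any interface outside" already admits any TCP port to the outside interface address, so the per-port acl_out lines for the interface address are redundant, and any future "static ... interface <port>" is exposed the moment it is added; narrowing that line to the ports actually forwarded is worth doing at the same time.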
