Network Security Firewalls
Subject: traffic can not go through PIX from DMZ to DMZ2
Date: Sat, 25 Feb 2006 15:28:53 -0500
Hi all,

Traffic originating from the DMZ subnet cannot go to DMZ2, which has a lower
security level. But from DMZ2 to DMZ I can get through, except for pinging. I
could not figure out why the PIX is not allowing it. Can you please take a
look at the config? Thanks a lot.

If I try to ping a DMZ2 host:

Feb 26 2006 16:22:47: %PIX-6-302020: Built ICMP connection for faddr 10.168.16.10/0 gaddr 10.168.16.0/1 laddr 10.168.11.10/512
Feb 26 2006 16:22:49: %PIX-6-302021: Teardown ICMP connection for faddr 10.168.16.10/0 gaddr 10.168.16.0/1 laddr 10.168.11.10/512
Feb 26 2006 16:22:49: %PIX-6-609002: Teardown local-host DMZ2:10.168.16.10 duration 0:00:02
Feb 26 2006 16:22:52: %PIX-7-111009: User 'enable_15' executed cmd: show logging
Feb 26 2006 16:22:52: %PIX-6-609001: Built local-host DMZ2:10.168.16.10
Feb 26 2006 16:22:52: %PIX-6-302020: Built ICMP connection for faddr 10.168.16.10/0 gaddr 10.168.16.0/1 laddr 10.168.11.10/512
Feb 26 2006 16:22:54: %PIX-6-302021: Teardown ICMP connection for faddr 10.168.16.10/0 gaddr 10.168.16.0/1 laddr 10.168.11.10/512
Feb 26 2006 16:22:54: %PIX-6-609002: Teardown local-host DMZ2:10.168.16.10 duration 0:00:02
Feb 26 2006 16:22:57: %PIX-6-609001: Built local-host DMZ2:10.168.16.10
Feb 26 2006 16:22:57: %PIX-6-302020: Built ICMP connection for faddr 10.168.16.10/0 gaddr 10.168.16.0/1 laddr 10.168.11.10/512
Feb 26 2006 16:22:59: %PIX-6-302021: Teardown ICMP connection for faddr 10.168.16.10/0 gaddr 10.168.16.0/1 laddr 10.168.11.10/512
Feb 26 2006 16:22:59: %PIX-6-609002: Teardown local-host DMZ2:10.168.16.10 duration 0:00:02
Feb 26 2006 16:23:02: %PIX-6-609001: Built local-host DMZ2:10.168.16.10
Feb 26 2006 16:23:02: %PIX-6-302020: Built ICMP connection for faddr 10.168.16.10/0 gaddr 10.168.16.0/1 laddr 10.168.11.10/512
Feb 26 2006 16:23:04: %PIX-6-302021: Teardown ICMP connection for faddr 10.168.16.10/0 gaddr 10.168.16.0/1 laddr 10.168.11.10/512
Feb 26 2006 16:23:04: %PIX-6-609002: Teardown local-host DMZ2:10.168.16.10 duration 0:00:02




PIX Version 7.0(4)
!
hostname pix525
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address 11.247.47.165 255.255.255.224
!
interface Ethernet1
 description PRIVATE_SUBNET
 nameif DMZ
 security-level 50
 ip address 10.168.11.254 255.255.255.0
!
interface Ethernet2
 nameif DMZ2
 security-level 30
 ip address 10.168.16.254 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0
 description inside_gi_fiber
 nameif INSIDE
 security-level 100
 ip address 11.247.47.158 255.255.255.248
!
ftp mode passive
access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN extended permit ip any any
access-list INSIDE_IN extended permit tcp any any
access-list INSIDE_IN extended permit udp any any
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit tcp any any
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any eq 500 any
access-list OUTSIDE_IN extended permit tcp any eq 50 any
access-list OUTSIDE_IN extended permit tcp any eq 51 any
access-list DMZ2_IN extended permit icmp any any
access-list DMZ2_IN extended permit ip any any
access-list DMZ2_IN extended permit udp any any
access-list DMZ2_IN extended permit tcp any any
access-list DMZ_IN extended permit icmp any any
access-list DMZ_IN extended permit ip any any
access-list DMZ_IN extended permit udp any any
access-list DMZ_IN extended permit tcp any any
pager lines 24
logging enable
logging timestamp
logging buffered debugging
mtu OUTSIDE 1500
mtu DMZ 1500
mtu DMZ2 1500
mtu INSIDE 1500
no failover
asdm image flash:/asdm-504.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 2 11.247.47.170
global (OUTSIDE) 1 11.247.47.171
global (DMZ2) 1 10.168.16.0 netmask 255.255.255.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (DMZ2) 2 0.0.0.0 0.0.0.0
nat (INSIDE) 0 0.0.0.0 0.0.0.0
static (DMZ,DMZ2) tcp 10.168.11.10 telnet 10.168.11.10 telnet netmask 255.255.255.255
static (DMZ,DMZ2) tcp 10.168.11.10 445 10.168.11.10 445 netmask 255.255.255.255
static (DMZ,OUTSIDE) 11.247.47.173 10.168.11.10 netmask 255.255.255.255
static (DMZ2,DMZ) 10.168.16.0 10.168.16.0 netmask 255.255.255.0
access-group OUTSIDE_IN in interface OUTSIDE
access-group DMZ_IN in interface DMZ
access-group DMZ2_IN in interface DMZ2
access-group INSIDE_IN in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 11.247.47.190 1
route INSIDE 11.247.168.0 255.255.254.0 11.247.47.155 1
route INSIDE 11.247.171.128 255.255.255.128 11.247.47.155 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username ercan password 1DWw7A7UB4N9qgcY encrypted privilege 15
http server enable
http 11.247.168.0 255.255.254.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface OUTSIDE
isakmp enable OUTSIDE
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 1000
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key
telnet 11.247.168.0 255.255.254.0 INSIDE
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
From: Ercan Elibol
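The post above stands as sent. As an added diagnostic aid that is not part of the thread and not the poster's code, the Python script below parses the %PIX-6-302020/302021 ICMP connection messages and the interface, nameif, ip address and global lines from a PIX 7.x config, then reports two things a reviewer would check first when a host is translated on its way to a directly connected subnet: whether a global pool is drawn from that interface's own connected subnet, and whether a translated (gaddr) address is that subnet's network or broadcast address, which no host answers. The function names (audit, parse_interfaces, parse_globals, parse_connection_events) and the sample constants are this example's own; the sample lines are copied in shape from the log and config in the post, and the message regex covers only the ICMP connection message format shown there. Run on those lines it reports that global (DMZ2) 1 10.168.16.0 netmask 255.255.255.0 spans DMZ2's own /24, and that the log shows 10.168.11.10 translated to 10.168.16.0, the DMZ2 network address.

```python
"""Audit Cisco PIX 7.x NAT config against its connection-build log lines.

Added diagnostic example for the thread above; not the poster's code.
Handles the %PIX-6-302020/302021 ICMP connection message shape and the
interface / nameif / ip address / global config lines shown in the post.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed samples: one Built/Teardown pair and the relevant config lines,
# copied in shape from the thread's log and config.
LOG_LINES = [
    "Feb 26 2006 16:22:47: %PIX-6-302020: Built ICMP connection for faddr "
    "10.168.16.10/0 gaddr 10.168.16.0/1 laddr 10.168.11.10/512",
    "Feb 26 2006 16:22:49: %PIX-6-302021: Teardown ICMP connection for faddr "
    "10.168.16.10/0 gaddr 10.168.16.0/1 laddr 10.168.11.10/512",
]

CONFIG_LINES = """\
interface Ethernet1
 nameif DMZ
 security-level 50
 ip address 10.168.11.254 255.255.255.0
interface Ethernet2
 nameif DMZ2
 security-level 30
 ip address 10.168.16.254 255.255.255.0
interface Ethernet3
 shutdown
 no nameif
 no ip address
global (OUTSIDE) 2 11.247.47.170
global (DMZ2) 1 10.168.16.0 netmask 255.255.255.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
""".splitlines()

CONN_RE = re.compile(
    r"%PIX-\d-30202[01]: (?P<action>Built|Teardown) ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+"
)
GLOBAL_RE = re.compile(
    r"^global \((?P<ifname>\S+)\) (?P<pool>\d+) (?P<addr>[\d.]+)(?: netmask (?P<mask>[\d.]+))?"
)


def parse_interfaces(config_lines):
    """Map each named interface (nameif) to its connected IPv4 subnet."""
    subnets, name = {}, None
    for line in config_lines:
        if line.startswith("interface "):
            name = None  # new interface stanza; 'no nameif' lines never match below
        elif m := re.match(r"^\s*nameif (\S+)$", line):
            name = m.group(1)
        elif (m := re.match(r"^\s*ip address ([\d.]+) ([\d.]+)$", line)) and name:
            subnets[name] = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return subnets


def parse_globals(config_lines):
    """Return (interface, pool id, network) per `global` line; a bare address is a /32."""
    pools = []
    for line in config_lines:
        m = GLOBAL_RE.match(line)
        if not m:
            continue
        cidr = f"{m['addr']}/{m['mask']}" if m["mask"] else f"{m['addr']}/32"
        pools.append((m["ifname"], int(m["pool"]), ip_network(cidr, strict=False)))
    return pools


def parse_connection_events(log_lines):
    """Extract action/faddr/gaddr/laddr from ICMP connection build/teardown messages."""
    return [m.groupdict() for line in log_lines if (m := CONN_RE.search(line))]


def audit(config_lines, log_lines):
    """Return (kind, detail) findings, deduplicated, in first-seen order."""
    ifaces = parse_interfaces(config_lines)
    findings = []

    def add(kind, detail):
        if (kind, detail) not in findings:
            findings.append((kind, detail))

    # A pool carved out of an interface's own connected subnet contains that
    # subnet's network and broadcast addresses and collides with real hosts there.
    for ifname, pool, net in parse_globals(config_lines):
        own = ifaces.get(ifname)
        if own and net.prefixlen < 32 and net.overlaps(own):
            add("pool-overlaps-interface-subnet",
                f"global ({ifname}) {pool} {net} overlaps {ifname}'s connected subnet {own}; "
                f"it contains the network address {own.network_address} "
                f"and broadcast address {own.broadcast_address}")

    # A translated (global) address equal to a subnet's network or broadcast
    # address is one no host answers, so replies never come back through the PIX.
    for ev in parse_connection_events(log_lines):
        if ev["action"] != "Built":
            continue
        gaddr = ip_address(ev["gaddr"])
        for ifname, own in ifaces.items():
            if gaddr in (own.network_address, own.broadcast_address):
                add("gaddr-is-subnet-address",
                    f"{ev['laddr']} was translated to {gaddr}, the network/broadcast address "
                    f"of {ifname} ({own}); {ev['faddr']} has no unicast host to reply to")
    return findings


if __name__ == "__main__":
    for kind, detail in audit(CONFIG_LINES, LOG_LINES):
        print(f"[{kind}] {detail}")
```

To run it against a real box, replace CONFIG_LINES with the output of show running-config and LOG_LINES with show logging; the audit only reads the line shapes shown above, so other message IDs are ignored rather than misparsed.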