I have spent days trying to figure this out. I have read hundreds of articles, but there is no config out there I can find that works for me to ping or RDP to my web server in the DMZ. I probably had it right at some point, but the firewall was on for the web server and it was blocking pings, etc. It is off now.
Below is my config
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security60
access-list international permit ip MCCDEN-NET 255.255.255.0 International2 255.255.255.0
access-list no-nat permit ip MCCDEN-NET 255.255.255.0 MCCDEN-NET 255.255.255.0
access-list no-nat permit ip MCCDEN-NET 255.255.255.0 SGF 255.255.255.0
access-list no-nat permit ip MCCDEN-NET 255.255.255.0 International2 255.255.255.0
access-list no-nat permit ip MCCPUB-NET 255.255.255.0 International2 255.255.255.0
access-list 150 permit icmp any host PIX_Outside echo-reply
access-list 150 permit icmp any host PIX_Outside source-quench
access-list 150 permit icmp any host PIX_Outside unreachable
access-list 150 permit icmp any host PIX_Outside time-exceeded
access-list 150 permit tcp any host EXCH_Outside eq smtp
access-list 150 permit tcp any host EXCH_Outside eq www
access-list 150 permit tcp any any eq https
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp any any time-exceeded
access-list 150 permit icmp any any unreachable
access-list 150 permit tcp any host EXCH_Outside eq https
access-list 150 permit tcp any host WEB_Outside eq www
access-list 150 permit tcp any host WEB_Outside eq https
access-list 150 permit tcp any host WEB_Outside eq ftp
access-list 150 permit tcp any host WEB_Outside eq ftp-data
access-list karmak permit ip MCCDEN-NET 255.255.255.0 SGF 255.255.255.0
access-list dmz_access_in permit icmp DMZ_NET 255.255.255.0 MCCDEN-NET 255.255.255.0 echo
access-list dmz_access_in permit tcp host WEB_Inside host 10.16.17.248
access-list international2 permit ip MCCDEN-NET 255.255.255.0 International2 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside PIX_Outside 255.255.255.224
ip address inside PIX_Inside 255.255.255.0
ip address dmz DMZ 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 MCCDEN-NET 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) EXCH_Outside EXCH_Inside netmask 255.255.255.255 0 0
static (dmz,outside) WEB_Outside WEB_Inside netmask 255.255.255.255 0 0
static (dmz,inside) DMZ_NET DMZ_NET netmask 255.255.255.0 0 0
static (dmz,inside) WEB_Inside WEB_Inside netmask 255.255.255.255 0 0
static (inside,dmz) MCCDEN-NET MCCDEN-NET netmask 255.255.255.0 0 0
access-group 150 in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 ROUTER 1
route inside MCCPUB-NET 255.255.255.0 GATEWAY 1
This current config (in regards to the DMZ) is a result of many websites' suggestions, etc. Most of the config I inherited and did not write myself.
Thanks in advance
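Added example, not from the original post: a small evaluator that walks the posted dmz_access_in entries the way the PIX applies an access-group (first match wins, implicit deny at the end) and checks the two directions of an inside-originated ping. It assumes the named objects are opaque tokens and that WEB_Inside sits in DMZ_NET and 10.16.17.248 in MCCDEN-NET; on PIX 6.3 ICMP is only tracked statefully when `fixup protocol icmp` is enabled, which the post does not show, so the echo-reply coming back from the DMZ is itself checked against this list.

```python
"""Evaluate the posted PIX 6.3 dmz_access_in list against candidate flows.

Added example (not from the original post). Address names are matched as
opaque tokens because no `names` table is shown; MEMBER_OF is a constructed
assumption about which named network each host belongs to.
"""
from collections import namedtuple

# The dmz_access_in entries exactly as quoted in the post.
DMZ_ACL = """
access-list dmz_access_in permit icmp DMZ_NET 255.255.255.0 MCCDEN-NET 255.255.255.0 echo
access-list dmz_access_in permit tcp host WEB_Inside host 10.16.17.248
"""

# Assumed (constructed) membership of hosts in the named networks.
MEMBER_OF = {"WEB_Inside": "DMZ_NET", "10.16.17.248": "MCCDEN-NET"}

Ace = namedtuple("Ace", "action proto src dst qual")


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'NAME MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ("any", None)
    if t == "host":
        return ("host", tokens.pop(0))
    tokens.pop(0)  # drop the mask; the name already stands for the prefix
    return ("net", t)


def parse_acl(text, name):
    """Parse the ACEs of one access-list, in the order the PIX evaluates them."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", name]:
            continue
        rest = tok[4:]
        src, dst = _parse_addr(rest), _parse_addr(rest)
        qual = rest[-1] if rest else None  # 'eq www' -> www, icmp type -> echo
        aces.append(Ace(tok[2], tok[3], src, dst, qual))
    return aces


def _addr_match(spec, host):
    kind, val = spec
    if kind == "any":
        return True
    if kind == "host":
        return val == host
    return host == val or MEMBER_OF.get(host) == val


def evaluate(aces, proto, src, dst, qual=None):
    """Action of the first matching ACE, else the implicit deny at the end."""
    for a in aces:
        if a.proto not in (proto, "ip"):
            continue
        if not (_addr_match(a.src, src) and _addr_match(a.dst, dst)):
            continue
        if a.qual is not None and a.qual != qual:
            continue
        return a.action
    return "deny (implicit)"
```

TCP return traffic (RDP included) is matched to its existing connection rather than to this list, so the list explains a failed ping but not a failed RDP session.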