On 12/21/06, Brian Blater wrote:
> The Pix is running 6.3(3) and is connected to a RR cable network like so:
> internet --- cbl modem --- linksys voip --- pix outside
> It is a private network between the voip and the pix outside interface.

What's the subnet mask on your Linksys router? I would bet this is
part of your problem if you're trying to disable NAT on the PIX. I'll
bet it's and it should probably be a /16 mask so that
packets from the inside and DMZ nets don't need to be NAT-ed through
the PIX.

> I'm first trying to clean the config up some and get the dmz interface
> setup and working correctly.

The DMZ interface looks fine. The problem is that there's no
access-list to allow traffic from dmz -> inside, and there's no NAT
for dmz -> outside, so the packets are getting dropped by your Linksys
router (see above).

> Since this pix is behind the voip router I
> don't believe I need the NAT statement any more since the voip should
> be doing the NAT.

Yes, but with a PIX, you need to turn NAT off with these:

nat (inside) 0 0 0
nat (dmz) 0 0 0

> I would like
> all traffic from the inside to be able to go to the internet and the
> dmz unrestricted.

This is implicit in 'nameif ethernet1 inside security100', no
access-list is necessary for the inside interface.

> I would like all traffic from the dmz to go to the
> internet unrestricted. I only want to allow certain traffic from the
> dmz to the inside network

Traffic from dmz -> outside is implicitly allowed by 'nameif ethernet2
dmz security50', but you will need to create an access-list for dmz ->
inside traffic, which may mess up the security level on the interface,
so you will want to explicitly define all traffic leaving the dmz:

access-group dmz in interface dmz
access-list dmz permit [define dmz -> inside here]
access-list dmz deny ip
access-list dmz permit ip any

> and certain traffic from the internet to the
> dmz.

This is going to require that you get that Linksys out from in front
of the PIX. Then you can use static to perform port redirection from
the outside to the inside. Then allow this traffic in the outside
access-list. But of course, doing this negates some of the stuff I
told you above, like the nat (dmz) 0 command.

firewall-wizards mailing list
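As an added illustration of the access-list point above (my own toy model, not from the thread and not Cisco code): PIX 6.3 passes traffic by security level until an access-group is bound to the source interface, after which only the first-match access-list decides. The security levels are the thread's; the RFC1918 nets and the mail-relay rule stand in for the elided '[define dmz -> inside here]' and 'deny ip' specifics and are assumptions.

```python
"""Toy model of PIX 6.3 flow decisions: security level when no ACL is
bound to the source interface, first-match ACL (implicit deny) when one
is. Added example for the thread; addresses are constructed samples."""
import ipaddress

# Interface security levels from the thread's nameif lines.
SECURITY = {"inside": 100, "dmz": 50, "outside": 0}
# Assumed nets behind each interface; anything else is 'outside'.
NETS = {"inside": "10.1.1.0/24", "dmz": "10.1.2.0/24"}

def interface_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in NETS.items():
        if addr in ipaddress.ip_network(net):
            return name
    return "outside"

# (action, proto, src, dst, dport); None = any port. Assumed fill-ins for
# the placeholders in the posted 'access-list dmz' lines, same order.
ACL_DMZ_GOOD = [
    ("permit", "tcp", "10.1.2.0/24", "10.1.1.10/32", 25),    # dmz -> inside relay
    ("deny",   "ip",  "0.0.0.0/0",   "10.1.1.0/24",  None),  # rest of dmz -> inside
    ("permit", "ip",  "0.0.0.0/0",   "0.0.0.0/0",    None),  # dmz -> internet
]
# Same lines with the 'permit ip any any' moved first: the deny is shadowed.
ACL_DMZ_BAD = [ACL_DMZ_GOOD[2], ACL_DMZ_GOOD[0], ACL_DMZ_GOOD[1]]

def acl_match(acl, proto, src, dst, dport):
    """First matching line wins; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, adst, aport in acl:
        if aproto not in ("ip", proto):
            continue
        if s not in ipaddress.ip_network(asrc) or d not in ipaddress.ip_network(adst):
            continue
        if aport is not None and aport != dport:
            continue
        return action == "permit"
    return False

def permitted(proto, src, dst, dport, access_groups):
    """access_groups: {interface: acl} as bound by 'access-group ... in'."""
    src_if, dst_if = interface_of(src), interface_of(dst)
    if src_if in access_groups:           # ACL replaces the level-based default
        return acl_match(access_groups[src_if], proto, src, dst, dport)
    return SECURITY[src_if] > SECURITY[dst_if]   # implicit high -> low only
```

Running permitted() for a dmz host to an inside host with ACL_DMZ_BAD bound shows the shadowed deny: the flow passes, which is the failure the explicit ordering in the post guards against.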