1.  How do your inside users get out?  There is no global command for
inside.  You should test that first before you work on the DMZ stuff.  It's
a little easier to get working and it verifies that you know how to
configure NAT/PAT.

2.  I don't think this is a problem, but I would match your nat (dmz) 0 with
your statics.  What I mean is if you are going to use a nat (dmz) 0
202.99.33.0 255.255.255.0 then make your static static (dmz, outside)
202.99.33.0 202.99.33.0.  You have specific statics for each host which you
don't need.  It should work even if they are not the same, but I typically
try and follow the documentation.  Since I haven't tested them not matching,
my suggestion is to do what is in the command reference.

3.  If you have servers on the DMZ that you want to translate to a global
address then you will need a nat (dmz) 1 command.

4.  When you say you are trying to connect, what are you trying to do?  Ping,
www, smtp, etc.?  You only allow ICMP from your DMZ to anywhere.  If you are
trying to connect to the web server from the outside then the inbound
connection will be permitted, but the return traffic will not.

5.  Enable logging and check your logs.  It will give you very good details
on what is going on if you choose debugging.  Just log to Syslog or the
buffer.

I didn't test any of these suggestions so I'm not 100% sure.  But, if you
get logging going that will definitely point you in the right direction of
what is wrong.

John Kaberna
CCIE #7146
www.netcginc.com
(415) 750-3800

Instructor for 5-day CCIE class for ccbootcamp.com
__________________
CCIE Security Training
www.netcginc.com/training.htm

"cage" wrote in message news:[EMAIL PROTECTED]...
> The following is my configure of pix 525, now the nodes in the dmz can not
> connect to the outside, why?
> and do i have to use the NAT command to the traffic from the dmz to the
> outside. It seem that the pix cant route the dmz traffic to the outside.
> help me! please!
>
> sh conf
> : Saved
> :
> PIX Version 6.0(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
> nameif ethernet3 intf3 security15
> nameif ethernet4 intf4 security20
> enable password 8Ry2YjIyt7RRXU24 encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname pixfirewall
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list acl_in permit tcp any host 202.99.33.69 eq smtp
> access-list acl_in permit tcp any host 202.99.33.72 eq www
> access-list acl_in permit tcp any host 202.99.33.66 eq domain
> access-list acl_in permit tcp any host 202.99.33.67 eq domain
> access-list acl_in permit icmp any any
> access-list ping_acl permit icmp any any
> pager lines 30
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> interface ethernet3 auto shutdown
> interface ethernet4 auto shutdown
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> mtu intf3 1500
> mtu intf4 1500
> ip address outside 210.82.34.29 255.255.255.0
> ip address inside 192.168.4.1 255.255.255.0
> ip address dmz 202.99.33.254 255.255.255.0
> ip address intf3 127.0.0.1 255.255.255.255
> ip address intf4 127.0.0.1 255.255.255.255
> ip audit info action alarm
> ip audit attack action alarm
> no failover
> failover timeout 0:00:00
> failover poll 15
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
> failover ip address dmz 0.0.0.0
> failover ip address intf3 0.0.0.0
> failover ip address intf4 0.0.0.0
> pdm history enable
> arp timeout 14400
> global (dmz) 1 202.99.33.73 netmask 255.255.255.0
> nat (inside) 1 0 0
> nat (dmz) 0 202.99.33.0 255.255.255.0 0 0
> static (dmz,outside) 202.99.33.69 202.99.33.69 netmask 255.255.255.255 0 0
> static (dmz,outside) 202.99.33.72 202.99.33.72 netmask 255.255.255.255 0 0
> static (dmz,outside) 202.99.33.66 202.99.33.66 netmask 255.255.255.255 0 0
> static (dmz,outside) 202.99.33.67 202.99.33.67 netmask 255.255.255.255 0 0
> access-group acl_in in interface outside
> access-group ping_acl in interface dmz
> route outside 0.0.0.0 0.0.0.0 210.82.34.25 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
> 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> telnet timeout 5
> ssh timeout 5
> terminal width 80
> Cryptochecksum:3be86ece2c90058e0c9190f986717d63
>
> pixfirewall#




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=33260&t=33184
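The reply's suggestions written out as PIX 6.x configuration lines, as an added example that neither the original poster nor the replier tested or posted. The outside PAT address 210.82.34.30, the syslog host 192.168.4.10 and the ACL name dmz_out are assumed values chosen for illustration, not taken from the thread; it also goes slightly beyond the reply by showing an outbound DMZ ACL in place of the ICMP-only ping_acl.

```cisco
: Added example, not from the thread. Assumed values: 210.82.34.30 (outside PAT
: address), 192.168.4.10 (syslog host), dmz_out (ACL name). Check the result
: with "show xlate", "show conn" and "show logging" after applying.

: 1. Inside hosts need a global on the OUTSIDE interface. The posted config only
:    has "global (dmz) 1", which serves inside-to-dmz traffic, not inside-to-outside.
global (outside) 1 210.82.34.30 netmask 255.255.255.0
nat (inside) 1 0 0

: 2. Identity NAT for the DMZ with a matching network static, instead of one
:    static per host (per-host statics also work; this follows the command reference).
nat (dmz) 0 202.99.33.0 255.255.255.0
static (dmz,outside) 202.99.33.0 202.99.33.0 netmask 255.255.255.0

: 3. Only if DMZ servers should leave through a translated global address instead
:    of their own; nat 0 takes precedence for any address it matches, so use one
:    or the other for a given host.
: nat (dmz) 1 202.99.33.0 255.255.255.0
: global (outside) 1 210.82.34.30 netmask 255.255.255.0

: 4. ping_acl permits only ICMP out of the DMZ, so DMZ-initiated TCP/UDP is dropped.
:    Replace it with an ACL listing what the DMZ hosts actually need outbound.
access-list dmz_out permit tcp 202.99.33.0 255.255.255.0 any eq www
access-list dmz_out permit udp 202.99.33.0 255.255.255.0 any eq domain
access-list dmz_out permit tcp 202.99.33.0 255.255.255.0 any eq smtp
access-list dmz_out permit icmp 202.99.33.0 255.255.255.0 any
no access-group ping_acl in interface dmz
access-group dmz_out in interface dmz

: 5. Debugging-level logging to the buffer and to a syslog host on the inside.
logging on
logging buffered debugging
logging trap debugging
logging host inside 192.168.4.10
```

With logging at debugging level, a denied DMZ connection shows up as a deny message naming the interface and ACL, which is the quickest way to confirm which of the points above is the actual cause.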