04-20-2011 08:07 AM
04-20-2011 01:07 PM
Your untrust zone interface and your DMZ interface are using IP addresses in the same subnet -- that's not going to work.
You also have a Trust->Untrust policy that is a "permit all" at the top (id 1) and is going to shadow all your other 4 Trust->Untrust policies. That doesn't have anything to do with the problem you're asking about -- but it will be a problem for you later if you expect the policy logging on those other policies to work.
04-20-2011 02:01 PM
I have assigned 192.168.3.1/24 to eth 0/1 interface and did a mip to 184.108.40.206 which is eth 0/0
i am attaching you the new config....
what is the ideal solution ....to put my webserver in dmz ......??
thanks for replying
04-20-2011 05:47 PM
It's hard to say what the ideal solution would be for you without knowing more about your environment and what you're needs and goals are.
The MIP is a good starting point, but I would use one of the other IPs in the 220.127.116.11/29 (.72 - .79) address space that you apparently have allocated for your MIP instead of the firewall's interface IP.
04-21-2011 06:54 AM
i did assign different external interface to map it to my webserver
but my server still cannot access the internet..i am attching the config file again
04-21-2011 10:04 AM
Take the SRC-NAT off of your DMZ->Untrust policy (policy id 7).
Using a MIP, the firewall will handle NAT in both directions.
04-21-2011 11:48 AM
i took it off.....
also my webser connected to DMZ has ip address 192.168.3.2 with gateway 192.168.3.1 .. is that correct...
i still cannot access the internet
04-21-2011 01:49 PM
I also see two default routes:
set route 0.0.0.0/0 interface ethernet0/0 gateway 18.104.22.168 set route 0.0.0.0/0 interface tunnel.1
Take out the second one... your route-based VPN route needs to be something [much] more specific than a default 0.0.0.0/0 route.
04-21-2011 02:13 PM
i removed the second default route but still no luck....
my eth0/1 is set to interface mode route
and eth0/0 is set to NAT
is that corrrect..
from my webserver i cannot ping anything ( not 22.214.171.124 nor 126.96.36.199) but i can ping 188.8.131.52 from the internet
thanks for your reply