04-20-2011 08:07 AM
04-20-2011 01:07 PM
Your untrust zone interface and your DMZ interface are using IP addresses in the same subnet -- that's not going to work.
You also have a Trust->Untrust policy that is a "permit all" at the top (id 1) and is going to shadow all your other 4 Trust->Untrust policies. That doesn't have anything to do with the problem you're asking about -- but it will be a problem for you later if you expect the policy logging on those other policies to work.
04-20-2011 02:01 PM
I have assigned 192.168.3.1/24 to the eth0/1 interface and did a MIP to 184.108.40.206, which is eth0/0.
I am attaching the new config.
What is the ideal solution to put my webserver in the DMZ?
Thanks for replying.
04-20-2011 05:47 PM
It's hard to say what the ideal solution would be for you without knowing more about your environment and what your needs and goals are.
The MIP is a good starting point, but I would use one of the other IPs in the 220.127.116.11/29 (.72 - .79) address space that you apparently have allocated for your MIP instead of the firewall's interface IP.
04-21-2011 06:54 AM
I did assign a different external interface to map it to my webserver,
but my server still cannot access the internet. I am attaching the config file again.
04-21-2011 10:04 AM
Take the SRC-NAT off of your DMZ->Untrust policy (policy id 7).
Using a MIP, the firewall will handle NAT in both directions.
04-21-2011 11:48 AM
I took it off.
Also, my webserver connected to the DMZ has IP address 192.168.3.2 with gateway 192.168.3.1. Is that correct?
I still cannot access the internet.
04-21-2011 01:49 PM
I also see two default routes:
set route 0.0.0.0/0 interface ethernet0/0 gateway 18.104.22.168
set route 0.0.0.0/0 interface tunnel.1
Take out the second one... your route-based VPN route needs to be something [much] more specific than a default 0.0.0.0/0 route.
04-21-2011 02:13 PM
I removed the second default route but still no luck.
My eth0/1 is set to interface mode Route
and eth0/0 is set to NAT.
Is that correct?
From my webserver I cannot ping anything (not 22.214.171.124 nor 126.96.36.199), but I can ping 188.8.131.52 from the internet.
Thanks for your reply.
04-21-2011 02:30 PM
Try putting your eth0/0 interface in Route mode.
I feel like now might be a good time to ask if you've read through the ScreenOS documentation? Much of this is covered with explanations and examples in the documentation.
04-22-2011 08:01 AM - edited 04-22-2011 08:01 AM
Yes!! I did read the documentation.
I added a policy from DMZ to Untrust, any any any, and that did the trick.
For some reason the policy MIP to any wasn't allowing the traffic for DMZ to Untrust.
It works now.
Thanks for your reply.
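Pulling the replies in this thread together, here is an added ScreenOS config fragment (it is not the poster's attached config, which is not on the page) showing the shape the advice converges on: DMZ and untrust interfaces on separate subnets in route mode, a MIP on a spare address of the untrust /29 rather than the interface IP, a single default route with a specific prefix for the tunnel, and DMZ policies without src-nat. The public addresses (203.0.113.x), the tunnel prefix and the policy ids are placeholders; the `#` lines are annotations, not CLI, and the DMZ addresses follow the thread.

```screenos
# Untrust and DMZ interfaces on separate subnets, both in Route mode
# (placeholder public addresses; the DMZ side follows the thread)
set interface ethernet0/0 zone "Untrust"
set interface ethernet0/0 ip 203.0.113.74/29
set interface ethernet0/0 route
set interface ethernet0/1 zone "DMZ"
set interface ethernet0/1 ip 192.168.3.1/24
set interface ethernet0/1 route

# MIP on a spare address of the /29, not on the interface IP itself;
# the firewall translates both directions, so no src-nat in the policies
set interface ethernet0/0 mip 203.0.113.75 host 192.168.3.2 netmask 255.255.255.255 vr "trust-vr"

# One default route only; the route-based VPN gets a specific prefix
# (placeholder remote network for tunnel.1)
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.73
set route 192.168.50.0/24 interface tunnel.1

# Inbound to the web server through the MIP, logged
set policy id 10 from "Untrust" to "DMZ" "Any" "MIP(203.0.113.75)" "HTTP" permit log
set policy id 11 from "Untrust" to "DMZ" "Any" "MIP(203.0.113.75)" "HTTPS" permit log

# Outbound from the DMZ; the thread's "any any any" was a test policy,
# narrow the services once it is confirmed working
set policy id 12 from "DMZ" to "Untrust" "Any" "Any" "ANY" permit log

# A permit-all at the top of Trust->Untrust shadows the specific policies
# below it and their logging never fires; move it beneath them
# (placeholder: the specific policies are assumed to be ids 2-4)
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy move 1 after 4
```

After applying, `get policy from DMZ to Untrust` and the policy log entries are the quickest check that DMZ traffic is matching the intended policy rather than a shadowing one.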
04-22-2011 01:14 PM
Did you add a policy from DMZ -> Trust?
04-25-2011 06:37 AM
Yes I did!!
It's any any any, just for testing purposes; then I will lock it down. Still, with any any any I can ping the 1.24 network from the DMZ.
I'm attaching the config.
04-25-2011 10:25 AM
Try checking the policy logs. You have every policy configured with logging, so the logs should show you if traffic is flowing.
You can also start using debugs to trace packets and see if they're being forwarded or dropped.
Here is a KB Article that should get you started.
If you need further assistance, please provide a network diagram that includes the appropriate networks, endpoints, etc., and also provide some log and/or debug flow output in addition to your current configs.