Allow printing traffic from DMZ(Lower Security interface) to inside network on PIX 515E
comp.security.firewalls archive


From: <jywu1@hotmail.com>
Date: Thu Dec 08 2005 - 20:53:25 CET

Hello,
I set up a PIX 515E firewall with three interfaces: inside
(192.168.35.5), outside and DMZ (172.30.50.20).
There is an application server with a public IP address on a remote site
connected to the PIX DMZ interface.
The computers of the inside network should telnet to the remote server in the
DMZ, and the remote server will send printing jobs back to the printers in the
inside network.
I have put an access-list to permit TCP traffic on port 515 (LPD) and 9100
on the DMZ interface.

The computers can telnet to the remote server without problem, but when a
user requests printing, the remote server cannot send the printing job back
to the printers of the inside network.

PIX 515E shows:
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/729 dst inside:192.168.1.158/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/721 dst inside:192.168.1.50/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/726 dst inside:192.168.1.25/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/727 dst inside:192.168.1.39/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/60585 dst inside:192.168.1.114/9100

(Note: if I replace the PIX firewall with a router configured for network
routing, with no NAT on it, everything works fine.)

Part of the PIX 515 configuration follows:

PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10

access-list 110 permit tcp 209.120.100.0 255.255.255.0 range 721 731 192.168.1.0 255.255.255.0 eq lpd
access-list 110 permit tcp 209.120.100.0 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet
access-list 110 permit tcp 209.120.100.0 255.255.255.0 range 721 731 192.168.1.0 255.255.255.0 eq 9100

ip address inside 192.168.35.5 255.255.255.0
ip address dmz 172.30.50.20 255.255.255.248

nat (inside) 0 192.168.1.0 255.255.255.0 0 0
nat (intf2) 0 209.120.100.0 255.255.255.0 0 0

access-group 110 in interface dmz

route dmz 209.120.100.0 255.255.255.0 172.30.50.17 1
route inside 192.168.1.0 255.255.255.0 192.168.35.10 1

I looked at the traffic log on the PIX firewall; the access-list doesn't seem
to be applied to the DMZ interface, because when I show access-list, the
hit count is 0.

Is there something wrong in my configuration?
Your help will be appreciated.
Thank you.
JY
Received on Sun Dec 11 14:24:52 2005
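As an added example (not part of the original post, and not Cisco's own tooling), here is a small Python triage script that parses the %PIX-3-106010 deny lines quoted above and checks each denied flow against access-list 110 as it is written in the post. The sample log text, the ACL transcription and the helper names are my own construction.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample: three of the %PIX-3-106010 denies quoted in the post, one per line.
PIX_LOG = """\
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/729 dst inside:192.168.1.158/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/721 dst inside:192.168.1.50/515
%PIX-3-106010: Deny inbound tcp src DMZ:209.120.100.50/60585 dst inside:192.168.1.114/9100
"""
DENY_RE = re.compile(
    r"%PIX-3-106010: Deny inbound (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+)"
    r" dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)
# access-list 110 from the post, transcribed as (src net, src port range, dst net, dst port).
# A source range of None means any source port (the telnet entry has no range qualifier).
ACL_110 = [
    ("209.120.100.0/24", (721, 731), "192.168.1.0/24", 515),   # eq lpd
    ("209.120.100.0/24", None,       "192.168.1.0/24", 23),    # eq telnet
    ("209.120.100.0/24", (721, 731), "192.168.1.0/24", 9100),
]

def parse_denies(log):
    """Return one dict per %PIX-3-106010 line, with the ports converted to int."""
    flows = []
    for m in DENY_RE.finditer(log):
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        flows.append(d)
    return flows

def matching_ace(flow, acl=ACL_110):
    """Index of the first ACE that would permit this flow, or None if nothing matches."""
    sip, dip = ip_address(flow["sip"]), ip_address(flow["dip"])
    for i, (snet, srange, dnet, dport) in enumerate(acl):
        if sip not in ip_network(snet) or dip not in ip_network(dnet):
            continue
        if srange is not None and not srange[0] <= flow["sport"] <= srange[1]:
            continue
        if flow["dport"] == dport:
            return i
    return None

def triage(log, acl=ACL_110):
    """Pair each denied flow with the ACE that would permit it (None = the ACL drops it as written)."""
    return [(flow, matching_ace(flow, acl)) for flow in parse_denies(log)]

if __name__ == "__main__":
    for flow, ace in triage(PIX_LOG):
        verdict = "no ACE matches" if ace is None else f"ACE {ace} would permit"
        print(f"{flow['sip']}/{flow['sport']} -> {flow['dip']}/{flow['dport']}: {verdict}")
```

Run against the quoted log, the two LPD denies match the first entry, so for those the open question is whether the ACL is actually bound to the interface; the port 9100 deny comes from source port 60585, which is outside the 721-731 range on the last entry, so that flow matches no entry at all and would stay denied however the ACL is bound.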