Solved

Pix 515e DMZ problems

Posted on 2004-03-27
Last Modified: 2013-11-16
I have a PIX 515E and I am trying to allow my inside hosts access to my DMZ hosts. However, I am not having a lot of luck in this process. I also am hanging a VPN hardware client off of the DMZ that will tunnel into one of our corp sites. There are some static translations that I have on the DMZ to point to network printers on my inside network. This is to allow printer traffic coming through the VPN hardware client into the inside network. I am confused on the proper NAT and/or static statements. Thanks for any help.

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname pix1
domain-name ourdomain
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_dmz permit ip 10.60.4.1 255.255.255.0 10.5.5.0 255.255.255.0
access-list acl_dmz permit ip 10.5.5.0 255.255.255.0 10.60.4.1 255.255.255.0
access-list acl_dmz permit icmp any any echo
access-list acl_dmz permit icmp any any echo-reply
access-list no_nat permit ip 10.5.5.0 255.255.255.0 10.60.4.1 255.255.255.0
access-list no_nat permit icmp any any
access-list acl_dmz_in permit ip 10.5.5.0 255.255.255.0 10.60.4.0 255.255.255.0
access-list acl_dmz_in permit ip 10.60.4.0 255.255.255.0 10.5.5.0 255.255.255.0
access-list acl_dmz_in permit icmp any any echo-reply
access-list acl_dmz_in permit icmp any any
access-list acl_outside_in deny udp any any eq 99
access-list acl_outside_in deny udp any any eq 1434
access-list acl_outside_in deny tcp any any eq 6667
access-list acl_outside_in deny udp any any eq 6667
access-list acl_outside_in deny tcp any any eq 445
access-list acl_outside_in deny tcp any any eq 4444
access-list acl_outside_in deny tcp any any eq 593
pager lines 24
logging on
logging buffered notifications
logging trap debugging
icmp permit any echo-reply inside
icmp permit any echo inside
icmp permit any echo dmz
icmp permit any echo-reply dmz
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 2xx.2xx.x.2 255.255.255.224
ip address inside 10.5.5.1 255.255.255.0
ip address dmz 10.60.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 10.1.1.1-10.1.1.30
ip local pool vendors 192.168.150.1-192.168.150.10
pdm history enable
arp timeout 14400
global (outside) 1 2xx.xxx.xx.30 netmask 255.255.255.224
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list no_nat
static (inside,outside) 2xx.xxx.xxx.3 10.5.5.3 netmask 255.255.255.255 0 0
static (inside,outside) 2xx.xxx.xxx.7 10.5.5.7 netmask 255.255.255.255 0 0
static (inside,outside) 2xx.xxx.xxx.8 10.5.5.8 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.10 10.5.5.230 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.11 10.5.5.231 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.12 10.5.5.232 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.13 10.5.5.236 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.14 10.5.5.237 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.15 10.5.5.238 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.22 10.5.5.241 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.16 10.5.5.242 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.17 10.5.5.243 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.18 10.5.5.244 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.19 10.5.5.246 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.20 10.5.5.247 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.23 10.5.5.248 netmask 255.255.255.255 0 0
static (inside,outside) 2xx.xxx.xxx.9 10.5.5.9 netmask 255.255.255.255 0 0
static (inside,outside) 2xx.xxx.xxx.10 10.5.5.10 netmask 255.255.255.255 0 0
static (inside,dmz) 10.5.5.0 10.5.5.0 netmask 255.255.255.0 0 0
access-group acl_dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 2xx.2xx.xx.182 1
route dmz 172.16.2.0 255.255.255.0 10.60.4.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.5.5.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.5.5.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
dhcpd address 10.5.5.50-10.5.5.150 inside
dhcpd dns 2xx.2xx.xx.18 2xx.2xx.xx.7
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ourdomain
dhcpd enable inside
terminal width 80
Question by:rolltide_bama

20 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 10699041
Wow, where to start.... bad juju going on here...

These lines don't make sense to me:
>access-list no_nat permit ip 10.5.5.0 255.255.255.0 10.60.4.1 255.255.255.0
10.60.4.1 is a host address, should be 10.60.4.0

>access-list no_nat permit icmp any any
This definitely will not help your troubleshooting..

If your goal is to not use NAT between the DMZ and the inside, then these statics don't make sense, either. You can't do both (no_nat & static):
>static (dmz,inside) 10.60.4.10 10.5.5.230 netmask 255.255.255.255 0 0
>static (dmz,inside) 10.60.4.11 10.5.5.231 netmask 255.255.255.255 0 0
<etc>
Remove them all.....

This syntax has been deprecated in favor of the no_nat acl with Nat 0, and should be removed:
>static (inside,dmz) 10.5.5.0 10.5.5.0 netmask 255.255.255.0 0 0

You have created an access-list that simply denies some ports. Everything is already denied by default, so these lines are useless. For the outside_in acl, all we want are the permit statements, unless there is something specific that you want to log hits against on a deny.
>access-list acl_outside_in deny udp any any eq 99
>access-list acl_outside_in deny udp any any eq 1434
< etc>

Besides, you have not applied the acl_outside_in to the outside interface..
The only acl that you have applied is the acl_dmz_in in interface dmz

The acl_dmz_in access-list actually permits ALL traffic between the two subnets:
>access-list acl_dmz_in permit ip 10.60.4.0 255.255.255.0 10.5.5.0 255.255.255.0

The other lines are redundant, or incorrect.

>access-list acl_dmz_in permit ip 10.5.5.0 255.255.255.0 10.60.4.0 255.255.255.0
Will never match because source will always be 10.60.4.x

>access-list acl_dmz_in permit icmp any any echo-reply
This is OK, but is covered by the "any any" below

>access-list acl_dmz_in permit icmp any any
This is also covered by permit "ip" in the first line.

What, exactly, do you want to permit into the servers that you have assigned statics from the outside? Do you have a mail server? Web server? Other? If not, then what is the purpose of the statics?

What is the hardware VPN client's IP address? 10.60.4.2 ?
What is this route statement for?
>route dmz 172.16.2.0 255.255.255.0 10.60.4.2 1

You have nothing else in your acls, statics, or other nat statements to show any need for a route to that subnet...

LVL 79

Expert Comment

by:lrmoore
ID: 10699048
Oh, yeah
welcome to EE!  I'm a Bama fan myself.
When you cross the state line, they stop you and make you declare. Auburn or Alabama.
First time I was in Ala was when Bear Bryant was still coaching and Bama was #1. That was a no-brainer decision.
Of course, the wife's a big Auburn fan so the Iron Bowl is interesting.
LVL 23

Expert Comment

by:Tim Holman
ID: 10699152
Also look up the 'alias' command.  This will enable internal hosts to access DMZ servers using their public / internet addresses.  Makes life a bit easier.

Author Comment

by:rolltide_bama
ID: 10703937
lrmoore, thanks for the information. I am going to remove the stuff you said and see what happens. Roll Tide, that's crazy. I know what you're saying about crossing the state line and them making you declare Auburn or Alabama.   A lot of my family is from Alabama and I have been raised Roll Tide, even though I am a Florida Gator graduate, haha. I have a VPN hardware client hanging off the DMZ. Its private side is 10.60.4.2.  The 172.16.2.x network refers to the private network that the hardware VPN client routes to.

I need to route traffic for my internal users to that 172.16.2.x network. The only traffic going that direction is telnet. The tricky thing here is that I have a bunch of network printers on my inside network that also need to be accessed by the DMZ network. The server on the DMZ side (172.16.2.x) sees the printers as 10.60.4.x addresses; however, I need that address translated because the printer really resides on my inside network. I know this sounds screwy and I am sure there are better ways to do this, but I have no control over the setup of the site that I have to connect to.  I guess I am most confused on allowing access from my inside to my DMZ without being translated.

Thanks for the help so far.

Author Comment

by:rolltide_bama
ID: 10704365
Well, since the PIX isn't in production yet, your advice has worked on allowing me to reach my DMZ. Where I am a lil hazy is when my DMZ host goes to the inside: is it being translated or not via the nat (dmz) 0 access-list no_nat?

should i add

access-list no_nat permit ip 10.60.4.0 255.255.255.0 10.5.5.0 255.255.255.0      

or will that mess up my

static (dmz,inside) 10.60.4.10 10.5.5.230 netmask 255.255.255.255 0 0

As for the global (dmz) 1 interface command: is this allowing my DMZ hosts access to my inside or outside? I cannot get my test server in my DMZ to access any traffic on the net, etc.; I can't ping anything outside my network.  Sorry for all the questions but I'm confused as heck reading all the different posts Cisco had on their site, etc. They need to update their site more often, but I guess they would rather you buy a pricey SmartNet.
LVL 79

Expert Comment

by:lrmoore
ID: 10704618
You don't need a mirror line in the acl for no_nat

>global (dmz)
This is a global command to nat traffic from inside to the DMZ

To get from DMZ out, you need to add
nat (dmz) 1 10.5.5.0 255.255.255.0

To be able to ping, you need to specifically permit icmp echo-reply inbound

access-list icmp_in permit icmp any any echo-reply
access-list icmp_in permit icmp any any time-exceeded  <- might be "ttl-exceeded"
access-list icmp_in permit icmp any any unreachable

access-group icmp_in in interface outside

Now, you should be able to ping and traceroute from a host in the DMZ.


Author Comment

by:rolltide_bama
ID: 10705687
I almost have this thing whipped, I think. I can allow outside access into my DMZ OK.

The nat (dmz) 1 10.5.5.0 255.255.255.0 statement: does that mean send outside traffic to the 10.5.5.x network? Because that's on my inside leg.

Wouldn't it be nat (dmz) 1 10.60.4.0 255.255.255.0 ?

When a host goes to the outside, what address is it being translated out as? Or PAT'd out, I should say?

And since I am going from higher to lower I shouldn't need an ACL allowing traffic to return to my host in the DMZ.  I guess once I get this lil quirk whipped I should be good to go. I can access traffic in the DMZ from the inside and vice versa.

LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 10705804
>wouldnt it be nat (dmz) 1 10.60.4.0 255.255.255.0  

I think so. I have not had enough coffee this morning.

The number after the (dmz), "1" in this case, must match a global (outside) "1", which in your case uses the PAT host address of 2xx.xxx.xx.30.
So these two lines together permit outgoing traffic from the DMZ to the world, using PAT:

nat (dmz) 1 10.60.4.0 255.255.255.0  
global (outside) 1 2xx.xxx.xx.30 netmask 255.255.255.224

These two lines together permit outgoing traffic from the inside to the world, using PAT
nat (inside) 1 0.0.0.0 0.0.0.0   <-- does not matter what the source IP is if originates on inside
global (outside) 1 2xx.xxx.xx.30 netmask 255.255.255.224

You can choose to use different IPs for each segment for troubleshooting purposes. You'll know if the outside source is .20, then it originated on the Inside, if outside source is .29, then the packet originated from the DMZ...

nat (dmz) 2 10.60.4.0 255.255.255.0  
global (outside) 2 2xx.xxx.xx.29 netmask 255.255.255.224

I hope I'm not confusing you too much..
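
To make the nat/global pairing lrmoore describes concrete, here is an added Python model of how a PIX 6.x picks a translation for a flow. It is not part of this thread and not Cisco code: it encodes the lines discussed above (nat 0 access-list no_nat, the static for one inside server, nat (inside) 1, nat (dmz) 2, and the two PAT globals) and reports which translation a sample packet would get. The 203.0.113.x and 198.51.100.x addresses are constructed stand-ins for the masked 2xx.xxx.xx.x public addresses, and the order of evaluation (exemption, then static, then dynamic NAT) is my reading of PIX behaviour, not something quoted from the thread.

```python
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


def net(addr, mask="255.255.255.255"):
    """'10.60.4.0', '255.255.255.0' -> IPv4Network (a lone address is a /32 host)."""
    return Net(f"{addr}/{mask}", strict=False)


@dataclass
class Nat:                 # nat (ifc) id local_addr local_mask
    ifc: str
    nat_id: int
    local: Net


@dataclass
class Global:              # global (ifc) id mapped_addr [netmask]; a single host means PAT
    ifc: str
    nat_id: int
    pool: Net


@dataclass
class Static:              # static (real_ifc,mapped_ifc) mapped_addr real_addr netmask
    real_ifc: str
    mapped_ifc: str
    mapped: Net
    real: Net


@dataclass
class PixNat:
    exempt: list = field(default_factory=list)    # (ifc, src_net, dst_net) from nat (ifc) 0 access-list
    statics: list = field(default_factory=list)
    nats: list = field(default_factory=list)
    globals_: list = field(default_factory=list)

    def translate(self, in_ifc, out_ifc, src, dst):
        """Return (kind, mapped_source) for a flow entering in_ifc and leaving out_ifc."""
        src, dst = IPv4(src), IPv4(dst)
        # 1. nat 0 access-list (NAT exemption) is checked first and matches in both
        #    directions, which is why no mirrored line is needed in the no_nat ACL.
        for ifc, s_net, d_net in self.exempt:
            if ifc == in_ifc and ((src in s_net and dst in d_net) or
                                  (src in d_net and dst in s_net)):
                return ("exempt", str(src))
        # 2. a static xlate is one-to-one and only applies to the interface pair it names
        for st in self.statics:
            if st.real_ifc == in_ifc and st.mapped_ifc == out_ifc and src in st.real:
                offset = int(src) - int(st.real.network_address)
                return ("static", str(st.mapped.network_address + offset))
        # 3. dynamic NAT/PAT: the nat id on the ingress interface is paired with the
        #    global line carrying the same id on the egress interface
        cands = [n for n in self.nats if n.ifc == in_ifc and src in n.local]
        for n in sorted(cands, key=lambda n: n.local.prefixlen, reverse=True):
            for g in self.globals_:
                if g.ifc == out_ifc and g.nat_id == n.nat_id:
                    kind = "pat" if g.pool.num_addresses == 1 else "nat"
                    return (kind, str(g.pool.network_address))
        return ("none", None)      # no xlate: the PIX drops the packet


def build_from_thread():
    """The nat/global/static lines discussed in the thread. 203.0.113.x is a constructed
    stand-in for the masked 2xx.xxx.xx.x public addresses."""
    pix = PixNat()
    no_nat = (net("10.5.5.0", "255.255.255.0"), net("10.60.4.0", "255.255.255.0"))
    pix.exempt += [("inside", *no_nat), ("dmz", *no_nat)]       # nat (inside|dmz) 0 access-list no_nat
    pix.statics.append(Static("inside", "outside", net("203.0.113.3"), net("10.5.5.3")))
    pix.nats += [Nat("inside", 1, net("0.0.0.0", "0.0.0.0")),         # nat (inside) 1 0.0.0.0 0.0.0.0
                 Nat("dmz", 2, net("10.60.4.0", "255.255.255.0"))]    # nat (dmz) 2 10.60.4.0 255.255.255.0
    pix.globals_ += [Global("outside", 1, net("203.0.113.30")),        # global (outside) 1 <PAT host>
                     Global("outside", 2, net("203.0.113.29"))]        # global (outside) 2 <PAT host>
    return pix


def demo():
    """Constructed sample flows; the web server 198.51.100.7 is a made-up address."""
    pix = build_from_thread()
    results = {
        "inside_to_web": pix.translate("inside", "outside", "10.5.5.20", "198.51.100.7"),
        "dmz_to_web": pix.translate("dmz", "outside", "10.60.4.50", "198.51.100.7"),
        "static_host": pix.translate("inside", "outside", "10.5.5.3", "198.51.100.7"),
        "inside_to_dmz": pix.translate("inside", "dmz", "10.5.5.20", "10.60.4.50"),
        "dmz_to_inside": pix.translate("dmz", "inside", "10.60.4.50", "10.5.5.20"),
    }
    # without a nat (dmz) line there is nothing to pair with a global, so DMZ hosts cannot get out
    pix.nats = [n for n in pix.nats if n.ifc != "dmz"]
    results["dmz_to_web_no_nat"] = pix.translate("dmz", "outside", "10.60.4.50", "198.51.100.7")
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:20s} {r}")
```

Running demo() shows the two things the thread turns on: inside and DMZ hosts leave on different PAT addresses (.30 and .29) because their nat ids pair with different globals, and DMZ-to-inside traffic stays untranslated from the single no_nat line without a mirrored entry. Dropping the nat (dmz) line leaves DMZ hosts with no xlate at all, which is the "can't reach the outside" symptom lrmoore's earlier reply addresses.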


Author Comment

by:rolltide_bama
ID: 10706055
OK, I am not confused at all on the globals. I configured my PIX a lil simpler to get the DMZ concept working and, like I said, I am close. I turned on debugging and it's showing this on my syslog:

3/29/2004 12:44      Warning      %PIX-4-106023: Deny udp src dmz:172.16.1.3/1052 dst outside:169.254.244.249/161 by access-group "acl_dmz"


I am posting my cleaned up config again; I figured it would make things easier. Thanks for all this help, I know you must think I am crazy.

: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname pix1
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list no_nat permit ip 10.5.5.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list acl_dmz permit ip 172.16.1.0 255.255.255.0 10.5.5.0 255.255.255.0
access-list acl_dmz permit icmp any any echo
access-list acl_dmz permit icmp any any echo-reply
access-list acl_outside_in permit tcp any host 2xx.2xx.1xx.10 eq www
pager lines 24
logging on
logging buffered informational
logging trap debugging
logging host inside 10.5.5.50
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 2xx.2xx.1xx.2 255.255.255.224
ip address inside 10.5.5.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 2xx.2xx.1xx.29
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list no_nat
nat (dmz) 2 172.16.1.0 255.255.255.0 0 0
static (dmz,outside) 2xx.2xx.1xx.10 172.16.1.2 netmask 255.255.255.255 0 0
access-group acl_outside_in in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 128.10.10.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.5.5.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0

LVL 79

Expert Comment

by:lrmoore
ID: 10706220
>Deny udp src dmz:172.16.1.3/1052 dst outside:169.254.244.249/161
Actually, this is a good thing. There is no good reason for these packets to get to your network anyway. 169.254.0.0 is a private "APIPA" network that is a default config if a newer windows client (XP for sure) can't get a DHCP address. There should never be any viable snmp traps sent to this network address, and you definitely don't need them on your network.

You only want traffic from the 172.16.1.x subnet into your network if it is destined for one of your servers:
>access-list acl_dmz permit ip 172.16.1.0 255.255.255.0 10.5.5.0 255.255.255.0

You have to remember the concepts of security levels on a PIX. Each interface has a security level
>
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
>
All traffic from higher to lower (inside to outside or dmz, dmz to outside) is permitted implicitly
No traffic from lower to higher (outside or dmz to inside) is permitted until and unless you specify with an acl


So what's not working now?
- outbound traffic to Internet from DMZ host? Check
- outbound traffic to Internet from inside hosts? Check
- inbound traffic from DMZ host to internal network without NAT? Check (nat zero and acl in place)
- global inbound web access to server on DMZ? Check (static xlate and acl in place)
- Can you use a host on the inside network to access the web server by public IP? NOPE. You'll either have to use the private IP, or use the "alias" command for "dns doctoring" so that www.yourcompany.com, whatever public IP it resolves to gets "aliased" to the private 172.16.1.2 address

Good going, the config looks so much cleaner now..

Author Comment

by:rolltide_bama
ID: 10706320
Yeah, I understand all of the security stuff, but my DMZ host(s) still cannot reach the outside world, really weird. I can't telnet, http, etc. I cleared translations. Any other ideas?

One thing on my DMZ hosts: should their default gateway be 172.16.1.1?  Or should it be the address that's going to be PAT'd out?

LVL 79

Expert Comment

by:lrmoore
ID: 10706475
>should their default gateway be 172.16.1.1
Certainly. The gateway must be on their local subnet.

Can the one server that you have a static xlate for get out and web browse, etc?

>route outside 0.0.0.0 0.0.0.0 128.10.10.201 1
I hope this is just an edited place holder and actually is on the same subnet as your outside interface....2xx.2xx.1xx.2
Can I assume
route outside 0.0.0.0 0.0.0.0 2xx.2xx.1xx.1 ?


Author Comment

by:rolltide_bama
ID: 10706638
Yeah, that's what I was thinking about the gateway being on the same subnet; I was just throwing darts there thinking that maybe for some crazy reason. No, the machine that has the static xlate cannot get out, but hosts on the outside can reach it so I know there aren't any cable problems, etc.

That 128.10.10.201 is actually the primary on the eth0 on the router.

The 2xx.xx.1xx.1/27 is the secondary interface on the eth0. The reason I did that is for this testing. Once I get this last lil detail worked out I will be able to totally remove the 128.10.10.x network.  I didn't address that. I inherited this network about 2 months ago and there are all sorts of problems, including address space not being addressed properly.  Should that make that much of a difference being on the secondary? I mean my inside hosts that I am testing with are working fine.  Weird, I know..

Author Comment

by:rolltide_bama
ID: 10715112
lrmoore,

I have found my problem. It was at the end of my acl_dmz access-list.  I had to add this on a per-host basis.

access-list acl_dmz line 2 permit tcp host 172.16.1.2 any eq www (hitcnt=27)

Phew, what a pain in the butt, but it feels good to figure it out. Thanks for all the help on this.  I guess I should probably open up DNS to my internal DNS server and that should about do it. The box doesn't need to access anything else on the outside world.

Roll-Tide...
LVL 79

Expert Comment

by:lrmoore
ID: 10715420
Ah yes, the old acl rule that once you apply a single permit rule, the implicit "deny all" blocks everything else, too.

Glad you're working!
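
The two rules this thread keeps coming back to, lrmoore's security-level explanation ("higher to lower is permitted implicitly, lower to higher needs an acl") and the closing lesson that a single applied permit line brings the implicit deny with it, are easy to get wrong in the head. Below is an added Python evaluator, written for this page and not part of the thread or of any Cisco software, that replays both of rolltide_bama's configs against constructed sample flows: the original acl_dmz_in whose first line can never match, and the cleaned-up acl_dmz that silently blocked the DMZ web server's outbound traffic (including the syslog line quoted earlier) until the per-host permit was added. The 198.51.100.7 destination is a made-up address; the rule that an applied inbound ACL replaces the security-level check on that interface is my summary of PIX 6.x behaviour.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def net(spec):
    """'10.5.5.0 255.255.255.0', 'host 172.16.1.2' or 'any' -> IPv4Network."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec[5:] + "/32")
    addr, mask = spec.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


@dataclass
class Ace:
    """One access-list entry; 'ip' matches every protocol, a None port/type matches any."""
    action: str                      # permit | deny
    proto: str                       # ip | tcp | udp | icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # tcp/udp 'eq' port
    icmp_type: Optional[str] = None  # echo, echo-reply, ...
    hits: int = 0                    # what the PIX shows as (hitcnt=N)

    def matches(self, proto, src, dst, dport, icmp_type):
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        if self.dport is not None and dport != self.dport:
            return False
        if self.icmp_type is not None and icmp_type != self.icmp_type:
            return False
        return True


@dataclass
class Pix:
    security: dict                                     # nameif -> security level
    acls: dict = field(default_factory=dict)           # acl name -> [Ace]
    access_group: dict = field(default_factory=dict)   # interface -> acl applied inbound

    def decide(self, in_ifc, out_ifc, proto, src, dst, dport=None, icmp_type=None):
        """Return (permit|deny, reason) for a packet arriving on in_ifc bound for out_ifc."""
        src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        name = self.access_group.get(in_ifc)
        if name is None:
            # no ACL on the ingress interface: security levels alone decide
            ok = self.security[in_ifc] > self.security[out_ifc]
            return ("permit" if ok else "deny", "security-level")
        # an applied ACL is first-match, and anything unmatched hits the implicit deny,
        # even traffic that security levels would otherwise have allowed
        for i, ace in enumerate(self.acls[name], start=1):
            if ace.matches(proto, src, dst, dport, icmp_type):
                ace.hits += 1
                return (ace.action, f"{name} line {i}")
        return ("deny", f"{name} implicit deny")


def demo():
    """Replay the thread's two DMZ access-lists against constructed flows."""
    out = {}
    # --- original posting: acl_dmz_in applied inbound on dmz --------------------
    pix = Pix(security={"outside": 0, "inside": 100, "dmz": 50})
    pix.acls["acl_dmz_in"] = [
        Ace("permit", "ip", net("10.5.5.0 255.255.255.0"), net("10.60.4.0 255.255.255.0")),
        Ace("permit", "ip", net("10.60.4.0 255.255.255.0"), net("10.5.5.0 255.255.255.0")),
        Ace("permit", "icmp", net("any"), net("any"), icmp_type="echo-reply"),
        Ace("permit", "icmp", net("any"), net("any")),
    ]
    pix.access_group["dmz"] = "acl_dmz_in"
    out["dmz_to_inside_orig"] = pix.decide("dmz", "inside", "tcp", "10.60.4.50", "10.5.5.20", 9100)
    out["dmz_ping_inside_orig"] = pix.decide("dmz", "inside", "icmp", "10.60.4.50", "10.5.5.20",
                                             icmp_type="echo-reply")   # line 2 shadows line 3
    out["line1_hits"] = pix.acls["acl_dmz_in"][0].hits   # source on dmz is never 10.5.5.x
    # acl_outside_in held only deny lines and was never applied, so outside gets the default
    out["outside_no_acl"] = pix.decide("outside", "inside", "tcp", "198.51.100.7", "10.5.5.3", 445)
    # --- cleaned-up config: acl_dmz applied inbound on dmz ----------------------
    pix = Pix(security={"outside": 0, "inside": 100, "dmz": 50})
    pix.acls["acl_dmz"] = [
        Ace("permit", "ip", net("172.16.1.0 255.255.255.0"), net("10.5.5.0 255.255.255.0")),
        Ace("permit", "icmp", net("any"), net("any"), icmp_type="echo"),
        Ace("permit", "icmp", net("any"), net("any"), icmp_type="echo-reply"),
    ]
    pix.access_group["dmz"] = "acl_dmz"
    out["inside_to_dmz"] = pix.decide("inside", "dmz", "tcp", "10.5.5.20", "172.16.1.2", 80)
    out["dmz_to_inside"] = pix.decide("dmz", "inside", "tcp", "172.16.1.2", "10.5.5.50", 514)
    out["dmz_to_web_before"] = pix.decide("dmz", "outside", "tcp", "172.16.1.2", "198.51.100.7", 80)
    out["syslog_line"] = pix.decide("dmz", "outside", "udp", "172.16.1.3", "169.254.244.249", 161)
    # the fix from the thread: access-list acl_dmz permit tcp host 172.16.1.2 any eq www
    pix.acls["acl_dmz"].append(Ace("permit", "tcp", net("host 172.16.1.2"), net("any"), dport=80))
    out["dmz_to_web_after"] = pix.decide("dmz", "outside", "tcp", "172.16.1.2", "198.51.100.7", 80)
    return out


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:22s} {r}")
```

The interesting rows are dmz_to_web_before and syslog_line: both come back as "acl_dmz implicit deny" although dmz (50) sits above outside (0), because once acl_dmz is applied inbound on dmz the security-level shortcut no longer applies to that interface. The same mechanism is why line1_hits stays at 0 for the original acl_dmz_in: a packet arriving on dmz never carries a 10.5.5.x source, so that entry is dead weight, exactly as lrmoore pointed out.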

Expert Comment

by:xloveusa
ID: 12543907
Any chance of posting your final config? I'm having the same issues.

Author Comment

by:rolltide_bama
ID: 12543968
Sure, what problems are you having?

Expert Comment

by:xloveusa
ID: 12543994
Can't access DMZ from inside and reverse. I'm going to go back and start over but that's the issue at hand.

Author Comment

by:rolltide_bama
ID: 12544081
OK, well since this question is closed, start a new one and send me the link to it and post your static and ACL statements.