Solved

Pixs config with exchange 2003 and dmz

Posted on 2004-09-04
Last Modified: 2011-10-03
This question was opened due to the question below.
http://www.experts-exchange.com/Security/Firewalls/Q_21115382.html

I need to configure the DMZ with web and Exchange 2003 with the PIX.

Internet
    |
    |
Router
    |
    |
 Pix------DMZ (I want to put the web server and FTP server here and use port redirection)
   |
   |
Private Lan(inside) with Active Directory DC, and DNS, "EXCHANGE 2003"

Two public IPs: one for F/0 and one for the outside of the PIX. Please help with the config below.

ip address outside public_ip
ip address inside 192.168.10.1 255.255.255.0
ip address dmz 172.16.10.1 255.255.255.0  ????? Is this subnet right?

Outside interface;

object-group service Web_Mail_Server tcp    
 Port-object eq www
 Port-object eq https    
 Port-object eq ftp
 Port-object eq email

access-list outside_in permit tcp any any object-group Web_Mail_Server
access-list outside_in deny ip any any
access-group outside_in in interface outside

DMZ
    access-list dmz_in permit ip any host 172.16.10.2  ?? or more restrictive
    access-list dmz_in deny ip any any

No Nat
access-list no_nat permit ip 192.168.10.0 255.255.255.0 host 172.16.20.2

nat (inside) 0 access-list no_nat
nat (inside) 2 0 0
nat (dmz) 2 0 0  ??? do i need this

Inside
  ????????

Statics
  static (dmz, outside) tcp interface www 172.16.10.2 www
  static (dmz, outside) tcp interface ftp 172.16.10.2 ftp
  static (inside, outside) tcp interface smtp 192.168.10.2 smtp
  static (inside, outside) tcp interface https 192.168.10.2 https  ??? How would I redirect https for OWA?

Question by: mcfr6070

15 Comments

Expert Comment by: billwharton (LVL 11)
mcr
Question

1) 172.16.10.2 is your Exchange & OWA server sitting in the DMZ and hence you need the following ports: http, https, ftp & smtp. Am I right?

2) 192.168.10.2 is your DC sitting in the inside. Right?

Accepted Solution by: lrmoore (LVL 79, earned 500 total points)
>ip address dmz 172.16.10.1 255.255.255.0  ????? Is this subnet right
Use whatever subnet you want. It is perfectly appropriate to use this subnet mask on a DMZ interface, as long as every device on the DMZ also has the same mask.

>access-list outside_in permit tcp any any object-group Web_Mail_Server  <== Not a good idea to use "any any"
>access-list outside_in deny ip any any  <=== DO NOT DO THIS!

Rather, since you are using the interface as your nat address:
  access-list outside_in permit tcp any interface outside object-group Web_Mail_Server


>DMZ
    access-list dmz_in permit ip host 172.16.10.2  192.168.10.1 255.255.255.0
    access-list dmz_in permit udp host 172.16.10.2 any eq domain  <- permit the server dns lookups
    access-list dmz_in permit tcp host 172.16.10.2 any eq www  <- permit the server to browse
    access-list dmz_in permit tcp host 172.16.10.2 any eq https  <- permit the server to get Windows updates
    access-list dmz_in permit tcp host 172.16.10.2 any eq smtp  <- permit the server to send out smtp mail
    access-list dmz_in permit tcp host 172.16.10.2 eq www any  <- permit response to any request http
    access-list dmz_in permit tcp host 172.16.10.2 eq https any  <-  permit response to any request for https

    access-list dmz_in deny ip any any


>No Nat
  access-list no_nat permit ip 192.168.10.0 255.255.255.0 host 172.16.20.2
  nat (inside) 0 access-list no_nat

The preferred way to bypass nat between inside and DMZ:
 
  no access-list no_nat permit ip 192.168.10.0 255.255.255.0 host 172.16.20.2
  no nat (inside) 0 access-list no_nat

   static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

>nat (inside) 2 0 0
  nat (dmz) 2 0 0  ??? do i need this

Here's what you need:

   global (outside) 1 <interface | ip address | range>
   nat (inside) 1 192.168.10.0 255.255.255.0
   nat (dmz) 1 172.16.20.0 255.255.255.0

Note the "1" in the Nat matches the "1" for the global. If you want to use a different global IP for the inside and for the DMZ, you have this option:

   global (outside) 1 <interface | ip address | range>
   global (outside) 2 <interface | ip address | range>
   nat (inside) 1 192.168.10.0 255.255.255.0
   nat (dmz) 2 172.16.20.0 255.255.255.0

nat-1 matches global-1, nat-2 matches global-2

>Statics
These all look fine...

static (inside, outside) tcp interface https 192.168.10.2 https  ??? How would i redirect https for OWA.

If you're going to redirect https using the interface IP, you must disable the PIX's internal https server (so you can't use the PDM GUI)
    no http server enable

Highly suggest you get another public IP address to redirect the https to.
As for the redirections of the OWA, that would be an Exchange server config that I can't be much help on.


Author Comment by: mcfr6070
Bill, the Exchange server is on the inside:
 Exchange 192.168.10.2  smtp, and owa
 DC 192.168.10.3

DMZ
 172.16.10.2 web and ftp

Author Comment by: mcfr6070
lrmoore, I got some questions on the config.

>access-list outside_in deny ip any any   <=== DO NOT DO THIS!

Why should I not do this on the outside interface? The DMZ interface has it?

>The preferred way to bypass nat between inside and DMZ:

static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

   Why is the same IP on the destination and source?
   If I were to use the nat the way I had it, what problems would I have?

>Highly suggest you get another public IP address to redirect the https to.

  If I got another public IP, would I do the following to redirect the traffic to that IP?
   static (inside, outside) public_ip 192.168.10.4 netmask 255.255.255.255 0 0   remark assuming the .4 is a second interface on the exchange server and the .2 is the first
Would I need an ACL applied to the inside, or a static? Not sure.

OK, one last question: do I need some ACLs for the inside? I guess my thought behind that is the fact that a lower interface will not be able to send SMTP requests to the inside Exchange. I know we have the static, but I thought you needed both a static and an ACL?

thank you for your help..


Expert Comment by: lrmoore (LVL 79)
>>access-list outside_in deny ip any any   <=== DO NOT DO THIS!
>why should i not do this in the outside interface? the dmz interface has it?

The DMZ ACL has enough permits to allow traffic from specific servers/services.
The outside ACL with deny ip any any will block all returning traffic from connections initiated on the inside or from the DMZ (i.e. DNS queries, www browsing, etc).

All unsolicited traffic from outside is automatically blocked, with ASA creating permits "on the fly" for return traffic coming back in response to a request from the inside (www browse, etc). Unless and until you expressly permit it with an access-list (access-list outside_in permit tcp any host <host> object-group Web_Mail_Server)
The PIX is not IOS and the ACLs do not behave exactly the same as they do on a router. By setting an explicit deny all, you will block traffic.

>static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
>   why is the same ip on the destination and source?

This statement says that between the inside interface and the dmz, the IP subnet 192.168.10.0 is NOT natted. It is the same from the inside to the dmz.

The nat 0 statement was designed for IPSEC functions and works well for that. However, since the ACL is built with source/destination (i.e. inside to dmz) and only applied to the inside, the issue is confusing for traffic coming from the DMZ to the inside. It is simply much cleaner to use a static in this case.

> If i got another public ip would do the following to redirect the traffic to that ip?
>   static (inside, outside) public_ip 192.168.10.4 netmask 255.255.255.255 0 0  
Yes, but it does not have to be a second interface on the server. Actually, it should be the one and only interface on the server:
      static (inside, outside) new_public_ip 192.168.10.2 netmask 255.255.255.255 0 0
Or, you can reserve part of this 2nd IP and only use the port forwarding:
     static (inside, outside) tcp new_public_ip 25 192.168.10.4 25 netmask 255.255.255.255 0 0

>Would i need an acl applied to the inside or static?? not sure
No acls applied to the inside are necessary. If you feel the need, then suggest
 deny x
 deny y
 deny z
 permit ip any any  

>i thought you needed both a static and an acl?
Yes, but from higher security interface to lower security interface, the acl is default "permit ip any any" unless/until you change it (see above)

Author Comment by: mcfr6070
I’m testing the config.
>access-list dmz_in permit ip host 172.16.10.2  192.168.10.1 255.255.255.0

 Am I supposed to let the entire 192.168.10.0 subnet access 172.16.10.2? I got an error while inputting the above line, but I think it's because it is not 192.168.10.0 255.255.255.0.
Thank you.

Expert Comment by: lrmoore (LVL 79)
>ip address inside 192.168.10.1 255.255.255.0
With this config item, I just assumed that this was the real subnet of the inside...

>I’m I suppose to let the entire 192.168.10.0 subnet access to 172.16.10.2?
This is to be applied to the dmz interface, and permits the host server to talk to anyone on the inside LAN. You can make it as restrictive as you want, or as liberal as you want, this is just a starting point.


Expert Comment by: lrmoore (LVL 79)
Are you still working on this? Can you close out this question yet?

Author Comment by: mcfr6070
I am sorry for the delay, I just got everything set up. I will be launching everything within a day or two and testing this out. I hope it's OK to leave the question open. Thanks for your help.

Author Comment by: mcfr6070
Please help.
Here is the problem I encountered: the PCs on the inside were not able to connect to the internet. This includes the DC and mail server. When I did a sh xlate it showed the IP using PAT.
Here is the config. DMZ was not tested. Thank you.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password Wxl3HeIv428WKR.Y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name mydomain.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service Inbound_Web_Server tcp
  port-object eq www
  port-object eq https
  port-object eq ftp
  port-object eq domain
  port-object eq smtp
access-list outside_in permit tcp any interface outside object-group Inbound_Web_Server
access-list dmz_in permit ip host 172.16.5.2 192.168.60.0 255.255.255.0
access-list dmz_in permit icmp any any
access-list dmz_in permit udp host 172.16.5.2 any eq domain
access-list dmz_in permit tcp host 172.16.5.2 any eq www
access-list dmz_in permit tcp host 172.16.5.2 any eq https
access-list dmz_in permit tcp host 172.16.5.2 eq www any
access-list dmz_in permit tcp host 172.16.5.2 eq https any
access-list dmz_in permit tcp host 172.16.5.2 eq ftp any
access-list dmz_in deny ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside public_IP 255.255.255.252
ip address inside 192.168.60.1 255.255.255.0
ip address dmz 172.16.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.60.0 255.255.255.0 0 0
nat (dmz) 1 172.16.5.0 255.255.255.0 0 0
static (dmz,outside) tcp interface www 172.16.5.2 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface ftp 172.16.5.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.60.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.60.2 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.60.2 www netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.60.0 192.168.60.0 netmask 255.255.255.0 0 0
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 public_ip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.60.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:f3ebcfdcf8080680a57fe91696e836a7
: end
[OK]

sh xlate
5 in use, 20 most used  ***this is the outside public ip
PAT Global 216.x.x.x(1167) Local 192.168.60.2(1142)
PAT Global 216.x.x.x(1112) Local 192.168.60.3(2311)
PAT Global 216.x.x.x(1113) Local 192.168.60.5(1037)
PAT Global 216.x.x.x(1168) Local 192.168.60.2(1143)
PAT Global 216.x.x.x(1169) Local 192.168.60.2(1149)

sh connections **we forward to our ISP DNS

UDP out public_dns:53 in 192.168.60.5:1037 idle 0:01:09 flags -
UDP out public_dns:53 in 192.168.60.5:1037 idle 0:01:09 flags -
UDP out public_dns:53 in 192.168.60.5:1037 idle 0:01:09 flags -
UDP out public_dns:53 in 192.168.60.5:1037 idle 0:01:09 flags -
UDP out public_dns:53 in 192.168.60.5:1037 idle 0:01:09 flags -

Expert Comment by: lrmoore (LVL 79)
This should be the only thing that does not work:
>static (inside,outside) tcp interface https 192.168.60.2 https

You can't use the interface to forward https while still having the internal http server enabled.

>When I did a sh xlate it showed the ip using pat
Of course it does. All you have is the Interface IP address.

It looks like the PC's on the inside can get out to the Internet. What exactly is not working at this point?

Expert Comment by: lrmoore (LVL 79)
>the pcs in the inside were not able to connect to the internet. This includes the DC and mail server.
Are you positive that these PC's and servers point to the PIX inside IP address as the default gateway?

Just noticed something else:
>static (dmz,outside) tcp interface www 172.16.5.2 www netmask 255.255.255.255
>static (inside,outside) tcp interface www 192.168.60.2 www netmask 255.255.255.255

You can't forward port 80 from the interface to two different inside/dmz hosts. Pick one or the other, not both.

Author Comment by: mcfr6070
>This should be the only thing that does not work:
>static (inside,outside) tcp interface https 192.168.60.2 https
 I will take this line out since ssl will not be used until everything is up and running.

The hosts from the inside are not unable to browse the net.

 The gateway I put on the hosts is 192.168.60.1

>static (dmz,outside) tcp interface www 172.16.5.2 www netmask 255.255.255.255
  If I take this line out, how will that affect the web server?

>static (inside,outside) tcp interface www 192.168.60.2 www netmask 255.255.255.255
  This line I had so OWA will work, is this right?

 I'm not sure if this will help you, but from the PIX I can ping all interfaces, including the routers.

Thanks for all your help,

Expert Comment by: lrmoore (LVL 79)
>The hosts from the inside are not unable to browse the net.

Help me out here. Host can or cannot browse the internet? I know they can't ping, but can they bring up a web browser and get to www.experts-exchange.com? Do you have a proper DNS server IP in the client config?

>>static (dmz,outside) tcp interface www 172.16.5.2 www netmask 255.255.255.255
>  If i take this line out how will that affect the web server?
  It will block all public access to this WWW server
>>static (inside,outside) tcp interface www 192.168.60.2 www netmask 255.255.255.255
  >This line i had so owa will work, is this right?
  Not with the line above in the same config.

Bottom line. You cannot have TWO webservers, both using port 80, and both using "interface" as their public IP. You must do one of two things:
1) get another public IP address so that you can use a different public IP for each server
2) Set one of the servers to use a different port other than port 80, perhaps 81 or something. Clients will have to access it using http://<ip address>:81
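
The clashes lrmoore calls out above (two statics forwarding interface port 80 to different hosts, https on the interface while the PIX's own http server is enabled) and the nat/global id pairing from the accepted solution can be checked mechanically before a config is pasted into the box. The script below is an added example, not code from this thread or from Cisco: it parses a constructed PIX 6.3 fragment modelled on the config posted above (with the DMZ nat id deliberately changed to 2) and flags those conditions, plus the explicit deny ip any any on the outside ACL that the accepted solution advises against. The regexes and finding strings are my own assumptions about the command syntax.

```python
"""Lint a PIX 6.x config for the pitfalls raised in this thread (added example,
not the thread's own code): a nat id with no matching global id, one interface
port forwarded to two different hosts, https forwarded via "interface" while the
PIX's own http server is enabled, and an explicit deny ip any any on the outside ACL."""
import re
from collections import defaultdict

# Constructed sample modelled on the config posted above (nat id 2 added on purpose).
SAMPLE_CONFIG = """
access-list outside_in permit tcp any interface outside object-group Inbound_Web_Server
access-list outside_in deny ip any any
access-group outside_in in interface outside
global (outside) 1 interface
nat (inside) 1 192.168.60.0 255.255.255.0 0 0
nat (dmz) 2 172.16.5.0 255.255.255.0 0 0
static (dmz,outside) tcp interface www 172.16.5.2 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface ftp 172.16.5.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.60.2 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.60.2 www netmask 255.255.255.255 0 0
http server enable
"""

STATIC_RE = re.compile(r"^static \(\w+,(\w+)\) (tcp|udp) interface (\S+) (\S+) ")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \(\w+\) (\d+) ")
DENY_RE = re.compile(r"^access-list (\S+) deny ip any any$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")

def lint_pix_config(text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    forwards = defaultdict(set)  # (outer iface, proto, port) -> set of inner hosts
    nat_ids, global_ids, denies, groups = {}, set(), set(), {}
    http_server = False
    for line in (raw.strip() for raw in text.splitlines()):
        if m := STATIC_RE.match(line):
            outer, proto, port, host = m.groups()
            forwards[(outer, proto, port)].add(host)
        elif m := NAT_RE.match(line):
            nat_ids[m.group(1)] = m.group(2)
        elif m := GLOBAL_RE.match(line):
            global_ids.add(m.group(1))
        elif m := DENY_RE.match(line):
            denies.add(m.group(1))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
        elif line == "http server enable":
            http_server = True
    findings = []
    for (outer, proto, port), hosts in sorted(forwards.items()):
        if len(hosts) > 1:  # the port-80 clash spotted in the thread
            findings.append(f"{proto}/{port} on {outer} forwarded to {sorted(hosts)}")
        if port == "https" and http_server:
            findings.append("https via interface clashes with 'http server enable'")
    for iface, nid in sorted(nat_ids.items()):  # nat-N must pair with global-N
        if nid not in global_ids:
            findings.append(f"nat ({iface}) {nid} has no matching global {nid}")
    if groups.get("outside") in denies:  # the accepted answer advises against this
        findings.append(f"outside acl {groups['outside']} ends in explicit deny ip any any")
    return findings
```

Running `lint_pix_config(SAMPLE_CONFIG)` returns four findings for the sample; feed it the output of `write terminal` to check a real config.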

Author Comment by: mcfr6070
Host cannot bring up www.experts-exchange.com.

>Do you have a proper DNS server IP in the client config?
For DNS we forward to our ISP. I used their IPs 216.x.x.x on the client PC. I also used our own DNS server's IP (which forwards to our ISP as well) on the client PC.

>static (dmz,outside) tcp interface www 172.16.5.2 www netmask 255.255.255.255
  I will take this line out.
