PIX-515 with 6 interfaces: need help translating conduit statements to access-lists

Asked by Phil_Trahan:

Hi,

I got 2 PIX-515 with 6 interfaces in a failover configuration, running OS 6.3.4. I need your help on access-list commands for the inside and DMZ interfaces. I got 1 interface for outside (security=0), 1 for inside (security=100) and 3 DMZ (security=20,40,60). The last interface is for the failover link. I got servers in DMZ01 that need to talk to other servers in DMZ02. I also got a mail relay on DMZ01 that needs to talk to my Exchange server in my inside network. What would be the access-list and static statements to get those servers to communicate without losing the benefit of browsing the Internet and pinging from any interface?

I tried to bind different access-lists to the inside, DMZ01 and DMZ02 interfaces, but when I did so, I could not browse the Internet from the inside, DMZ01 or DMZ02. I cannot even PING from inside to another interface!

Here is part of my running config:

access-list outside_acl permit tcp any host x.x.x.6 eq www
access-list outside_acl permit tcp any host x.x.x.4 eq pop3
access-list outside_acl permit tcp any host x.x.x.4 eq smtp
..... (many more, works fine)
access-list ipsec permit ip host 192.168.x.x 192.168.x.x 255.255.255.0
access-list ipsec permit ip host 192.168.x.x 192.168.x.x 255.255.255.0
access-list ipsec permit ip host 192.168.x.x 10.0.x.x 255.255.255.0
..... (many more, works fine)
static (DMZ01,outside) x.x.x.6 192.168.1.6 netmask 255.255.255.255 0 0
static (DMZ01,outside) x.x.x.12 192.168.1.12 netmask 255.255.255.255 0 0
static (DMZ02,DMZ01) 192.168.1.211 192.168.2.11 netmask 255.255.255.255 0 0
static (DMZ02,DMZ01) 192.168.1.210 192.168.2.10 netmask 255.255.255.255 0 0
static (inside,DMZ01) 192.168.1.20 192.168.0.3 netmask 255.255.255.255 0 0
***** conduit statements that I want to replace with access-lists *****
conduit permit icmp any any
conduit permit tcp host 192.168.1.20 eq smtp any
conduit permit tcp host 192.168.1.20 eq 3268 any
conduit permit tcp host 192.168.1.211 eq 1433 host 192.168.1.12
conduit permit udp host 192.168.1.210 eq snmp host 192.168.1.12
conduit permit udp host 192.168.1.211 eq snmp host 192.168.1.12

Here is the config I tried but which did not work:

access-list inside_acl  permit icmp any any echo-reply  
access-list inside_acl  permit icmp any any source-quench  
access-list inside_acl  permit icmp any any unreachable
access-list inside_acl  permit icmp any any time-exceeded  
access-list inside_acl  permit tcp host 192.168.1.10 host 192.168.1.20 eq smtp  
access-list inside_acl  permit tcp host 192.168.1.10 host 192.168.1.20 eq 3268

access-list DMZ01_acl  permit icmp any any echo-reply
access-list DMZ01_acl  permit icmp any any source-quench  
access-list DMZ01_acl  permit icmp any any unreachable  
access-list DMZ01_acl  permit icmp any any time-exceeded  
access-list DMZ01_acl  permit udp host 192.168.1.12 host 192.168.1.210 eq snmp  
access-list DMZ01_acl  permit udp host 192.168.1.12 host 192.168.1.211 eq snmp  
access-list DMZ01_acl  permit udp host 192.168.1.12 host 192.168.1.211 eq 1433  

Thanks for your help.
Les Moore answered:

For DMZ01 - outside and DMZ01 to DMZ02 traffic

access-list DMZ01_acl  permit icmp any any echo-reply
access-list DMZ01_acl  permit icmp any any source-quench  
access-list DMZ01_acl  permit icmp any any unreachable  
access-list DMZ01_acl  permit icmp any any time-exceeded  
access-list DMZ01_acl  permit udp host 192.168.1.12 host 192.168.1.210 eq snmp  
access-list DMZ01_acl  permit udp host 192.168.1.12 host 192.168.1.211 eq snmp  
access-list DMZ01_acl  permit udp host 192.168.1.12 host 192.168.1.211 eq 1433  
 # -- continue with everything else that you need to permit -- #
access-list DMZ01_acl permit tcp host 192.168.1.6 eq www any  <- www server to respond
access-list DMZ01_acl permit tcp host 192.168.1.4 eq smtp any  <- smtp server to send
access-list DMZ01_acl permit tcp host 192.168.1.6 host 192.168.1.211 eq 1433  <-example DMZ1-DMZ2 (port 1433, as in the conduit; there is no "sql" port keyword on the PIX)
access-list DMZ01_acl permit tcp 192.168.1.0 255.255.255.0 any eq www <- all hosts to browse
access-list DMZ01_acl permit tcp 192.168.1.0 255.255.255.0 any eq https  <- all hosts to browse
access-list DMZ01_acl permit udp 192.168.1.0 255.255.255.0 any eq domain <- all hosts to use dns

Just remember that you want to account for everything that originates on that interface: once you put in a single permit, you have to plan for everything outbound through that interface.


Phil_Trahan (asker) replied:

Thanks,

Does that mean that I have to add a permit statement for every replying port of every server in DMZ01, even if those ports/servers are already listed in the access-list outside_acl? I thought that by default I could browse the web with NAT on the DMZ01 interface and Global on the outside interface... Is that a change because of the 6.3 version or because of the access-list statement? I'm confused...

By the way, I upgraded from 5.2.3 to 6.3.x and I'm having problems since. Is 6.3.x a stable release? My first problem was that the active PIX crashed 2 times per day (losing every VPN connection each time, very frustrating...). Reading the bugs on the Cisco site, I found that maybe bug #CSCed42539 was my problem and that it was fixed in 6.3.4. So I upgraded to 6.3.4 last Friday. I had to reboot the PIX 2 times since Friday because the PIX was not accepting any new connections... It seems to happen when a Cisco VPN client disconnects. I'm thinking of downgrading back to 5.2.3...

>I thought that by default I could browse the web with NAT on the DMZ01 interface and Global on the outside interface...
No changes, just that if you add any single line to an ACL (i.e. to permit icmp), then you must then permit everything that you want. You might want to consider keeping your conduits for the time being...


6.3.4 is a very stable release. I've never had any issues with the PIX failing. Your PIX is so old, you might want to check the recall notices; see if your serial number falls into any of these notices:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a00800949c7.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a00800949ca.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a00800949c9.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a00800949c8.shtml

OK, but I'm still confused...

I want to use PDM 301, so I have to stay with 6.3.4, but PDM doesn't permit the use of ACLs and conduits in the same config, so I have to remove all the conduit statements. I checked the recall notices and the only one that applies is the last one, but I have to assume that I had a software problem, since before upgrading I never had to reboot either of the two PIXes in 2 years... also the load is always under 3 Mbps and the max VPN is 12.

If I replace the conduit with access-list, I'm still confused what statement I need.

I got 2 servers in DMZ01: one is a web server (192.168.1.3), the other (192.168.1.4) is a mail gateway. Here is my outside ACL:

access-list outside_acl  permit tcp any host 207.x.x.3 eq www
access-list outside_acl  permit tcp any host 207.x.x.3 eq https
access-list outside_acl  permit tcp any host 207.x.x.3 eq ftp
access-list outside_acl  permit tcp any host 207.x.x.4 eq pop3
access-list outside_acl  permit tcp any host 207.x.x.4 eq smtp

The web server needs to communicate with a SQL server (192.168.2.10) located in DMZ02 (higher security interface).
The mail server needs to communicate with an Exchange server (192.168.0.3) located inside (highest security interface).
I'm using NAT on every interface and a static statement for every server:
static (DMZ02,DMZ01) 192.168.1.210 192.168.2.10 netmask 255.255.255.255 0 0
static (inside,DMZ01) 192.168.1.20 192.168.0.3 netmask 255.255.255.255 0 0

What would be the ACL statement for DMZ01, DMZ02 and Inside ?



ASKER CERTIFIED SOLUTION by Les Moore (members-only content, not shown on this page).
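The asker's last post asks for the DMZ01 ACL that replaces the conduits. The following PIX 6.3 fragment is an added example written for this page; it is not the accepted answer and not the asker's or Les Moore's config. It assumes the DMZ01 subnet is 192.168.1.0/24, the hosts and statics from the last post (web 192.168.1.3, mail gateway 192.168.1.4, SQL static 192.168.1.210, Exchange static 192.168.1.20), and that the PIX stateful engine admits return packets of TCP/UDP connections DMZ01 hosts open, so only connection-initiating traffic and ICMP (which 6.3 does not track statefully) needs lines:

```text
access-list DMZ01_acl remark -- ICMP is not tracked by the 6.3 stateful engine, so list both directions
access-list DMZ01_acl permit icmp 192.168.1.0 255.255.255.0 any echo
access-list DMZ01_acl permit icmp any any echo-reply
access-list DMZ01_acl permit icmp any any unreachable
access-list DMZ01_acl permit icmp any any time-exceeded
access-list DMZ01_acl remark -- replaces conduit permit tcp host 192.168.1.20 eq smtp/3268 any,
access-list DMZ01_acl remark -- narrowed from any to the mail gateway only (assumed host 192.168.1.4)
access-list DMZ01_acl permit tcp host 192.168.1.4 host 192.168.1.20 eq smtp
access-list DMZ01_acl permit tcp host 192.168.1.4 host 192.168.1.20 eq 3268
access-list DMZ01_acl remark -- web server to the SQL server through its DMZ01-side static address
access-list DMZ01_acl permit tcp host 192.168.1.3 host 192.168.1.210 eq 1433
access-list DMZ01_acl remark -- no other DMZ01 host may reach the inside/DMZ02 statics;
access-list DMZ01_acl remark -- first match wins, so these denies must precede the broad permits below
access-list DMZ01_acl deny ip any host 192.168.1.20
access-list DMZ01_acl deny ip any host 192.168.1.210
access-list DMZ01_acl remark -- what every DMZ01 host may originate towards the Internet
access-list DMZ01_acl permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list DMZ01_acl permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list DMZ01_acl permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list DMZ01_acl remark -- everything not listed above is dropped by the implicit deny
access-group DMZ01_acl in interface DMZ01
```

Leave inside and DMZ02 without an access-group: their default higher-to-lower permit keeps their browsing working, and replies to connections opened from DMZ01 are matched against the connection table rather than an ACL on those interfaces. Remove the conduit lines only after each listed flow has been tested with the ACL in place.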