
Pix-515 6 interfaces need help on translate conduit to access-list

Posted on 2004-09-13
Last Modified: 2011-04-14
Hi,

I got 2 PIX-515 with 6 interfaces in a failover configuration, running OS 6.3.4. I need your help on access-list commands for the inside and DMZ interfaces. I got 1 interface for outside (security=0), 1 for inside (security=100) and 3 DMZ (security=20,40,60). Last interface is for the failover link. I got servers in DMZ01 that need to talk to other servers in DMZ02. I also got a mail relay on DMZ01 that needs to talk to my Exchange server in my inside network. What would be the access-list and static statements to get those servers to communicate without losing the benefit of browsing the internet and pinging from any interface?

I tried to bind different access-lists to the inside, DMZ01 and DMZ02 interfaces but when I did so, I cannot browse the Internet from the Inside, DMZ01 or DMZ02. I cannot even PING from inside to the other interfaces!

Here is part of my running config :

access-list outside_acl permit tcp any host x.x.x.6 eq www
access-list outside_acl permit tcp any host x.x.x.4 eq pop3
access-list outside_acl permit tcp any host x.x.x.4 eq smtp
..... (many more, works fine)
access-list ipsec permit ip host 192.168.x.x 192.168.x.x 255.255.255.0
access-list ipsec permit ip host 192.168.x.x 192.168.x.x 255.255.255.0
access-list ipsec permit ip host 192.168.x.x 10.0.x.x 255.255.255.0
..... (many more, works fine)
static (DMZ01,outside) x.x.x.6 192.168.1.6 netmask 255.255.255.255 0 0
static (DMZ01,outside) x.x.x.12 192.168.1.12 netmask 255.255.255.255 0 0
static (DMZ02,DMZ01) 192.168.1.211 192.168.2.11 netmask 255.255.255.255 0 0
static (DMZ02,DMZ01) 192.168.1.210 192.168.2.10 netmask 255.255.255.255 0 0
static (inside,DMZ01) 192.168.1.20 192.168.0.3 netmask 255.255.255.255 0 0
*****conduit statement that I want to replace with access-list *****
conduit permit icmp any any
conduit permit tcp host 192.168.1.20 eq smtp any
conduit permit tcp host 192.168.1.20 eq 3268 any
conduit permit tcp host 192.168.1.211 eq 1433 host 192.168.1.12
conduit permit udp host 192.168.1.210 eq snmp host 192.168.1.12
conduit permit udp host 192.168.1.211 eq snmp host 192.168.1.12

Here is the config I tried but did not work :

access-list inside_acl  permit icmp any any echo-reply  
access-list inside_acl  permit icmp any any source-quench  
access-list inside_acl  permit icmp any any unreachable
access-list inside_acl  permit icmp any any time-exceeded  
access-list inside_acl  permit tcp host 192.168.1.10 host 192.168.1.20 eq smtp  
access-list inside_acl  permit tcp host 192.168.1.10 host 192.168.1.20 eq 3268

access-list DMZ01_acl  permit icmp any any echo-reply
access-list DMZ01_acl  permit icmp any any source-quench  
access-list DMZ01_acl  permit icmp any any unreachable  
access-list DMZ01_acl  permit icmp any any time-exceeded  
access-list DMZ01_acl  permit udp host 192.168.1.12 host 192.168.1.210 eq snmp  
access-list DMZ01_acl  permit udp host 192.168.1.12 host 192.168.1.211 eq snmp  
access-list DMZ01_acl  permit tcp host 192.168.1.12 host 192.168.1.211 eq 1433  

Thanks for your help.
Question by:Phil_Trahan

Expert Comment

by:lrmoore
ID: 12049578
For DMZ01 - outside and DMZ01 to DMZ02 traffic

access-list DMZ01_acl  permit icmp any any echo-reply
access-list DMZ01_acl  permit icmp any any source-quench  
access-list DMZ01_acl  permit icmp any any unreachable  
access-list DMZ01_acl  permit icmp any any time-exceeded  
access-list DMZ01_acl  permit udp host 192.168.1.12 host 192.168.1.210 eq snmp  
access-list DMZ01_acl  permit udp host 192.168.1.12 host 192.168.1.211 eq snmp  
access-list DMZ01_acl  permit tcp host 192.168.1.12 host 192.168.1.211 eq 1433  
 # -- continue with everything else that you need to permit -- #
access-list DMZ01_acl permit tcp host 192.168.1.6 eq www any  <- www server to respond
access-list DMZ01_acl permit tcp host 192.168.1.4 eq smtp any  <- smtp server to send
access-list DMZ01_acl permit tcp host 192.168.1.6 host 192.168.1.211 eq 1433  <-example DMZ1-DMZ2
access-list DMZ01_acl permit tcp 192.168.1.0 255.255.255.0 any eq www <- all hosts to browse
access-list DMZ01_acl permit tcp 192.168.1.0 255.255.255.0 any eq https  <- all hosts to browse
access-list DMZ01_acl permit udp 192.168.1.0 255.255.255.0 any eq domain <- all hosts to use dns

Just remember that you want to account for everything that originates on that interface: once you put in a single permit, you have to plan for everything outbound through that interface.



Author Comment

by:Phil_Trahan
ID: 12049703
Thanks,

Does that mean that I have to add a permit statement for every replying port of every server in DMZ01, even if those ports/servers are already listed in the access-list outside_acl ? I thought that by default I could browse the web with NAT on the DMZ01 interface and Global on the outside interface... Is that a change because of the 6.3 version or because of the access-list statement ? I'm confused...

By the way, I upgraded from 5.2.3 to 6.3.x and I'm having problems since. Is 6.3.x a stable release? My first problem was that the active Pix crashed 2 times per day (losing every VPN connection each time, very frustrating...). Reading the bugs on Cisco's site, I found that maybe bug #CSCed42539 was my problem and that it was fixed in 6.3.4. So I upgraded to 6.3.4 last Friday. I had to reboot the pix 2 times since Friday because the Pix was not accepting any new connection... It seems to happen when a Cisco VPN client disconnects. I'm thinking of downgrading back to 5.2.3...

Expert Comment

by:lrmoore
ID: 12049812
>I thought that by default I could browse the web with NAT on the DMZ01 interface and Global on the outside interface...
No changes; it's just that if you add any single line to an acl (i.e. to permit icmp), then you must permit everything that you want. You might want to consider keeping your conduits for the time being...


6.3.4 is a very stable release. I've never had any issues with the PIX failing. Your PIX is so old, you might want to check the recall notice: See if your serial number falls into any of these notices:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a00800949c7.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a00800949ca.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a00800949c9.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a00800949c8.shtml

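To make the "one permit means you must permit everything" point concrete, here is an added example of what the inside list has to contain once it is bound with access-group. It is not from the thread; it keeps the addresses the posts give (inside 192.168.0.0/24 with Exchange at 192.168.0.3, the DMZ01 mail relay at 192.168.1.4) and assumes the rest of the inside network should browse, use DNS and FTP, that `nat (inside) 1 0 0` already exists, and that a `global (DMZ01) 1 interface` / `global (DMZ02) 1 interface` pair is acceptable (PAT to the interface address). Those two global lines are an assumption, but some translation on each interface pair is mandatory: a packet from inside to DMZ01 with no static, global or nat 0 covering it is dropped before the ACL is even consulted. Two things the posted inside_acl got wrong: it permitted only ICMP replies, so no ping could start from inside (no `echo` entry), and the replies themselves arrive on the lower-security interface, so they belong in that interface's list (outside_acl, DMZ01_acl), not on inside. TCP and UDP return traffic needs no entries at all: the PIX tracks those connections and admits the replies, so there is no need to list a "replying port" for each server. The `remark` lines need 6.3.

```text
access-list inside_acl remark ---- replaces the posted inside_acl (example, assumptions noted) ----
access-list inside_acl remark pings START here, so permit echo. The echo-replies come back in on
access-list inside_acl remark the lower-security interface and go in THAT interface's list.
access-list inside_acl permit icmp any any echo
access-list inside_acl remark Exchange 192.168.0.3 hands outbound mail to the DMZ01 relay
access-list inside_acl permit tcp host 192.168.0.3 host 192.168.1.4 eq smtp
access-list inside_acl remark what inside users may start towards anywhere (assumption)
access-list inside_acl permit tcp 192.168.0.0 255.255.255.0 any eq www
access-list inside_acl permit tcp 192.168.0.0 255.255.255.0 any eq https
access-list inside_acl permit tcp 192.168.0.0 255.255.255.0 any eq ftp
access-list inside_acl permit udp 192.168.0.0 255.255.255.0 any eq domain
access-list inside_acl remark nothing else: the list ends with an implicit deny ip any any
access-group inside_acl in interface inside

access-list outside_acl remark APPENDED to the existing outside_acl. Replies to pings started
access-list outside_acl remark on inside or a DMZ arrive here. 6.3 does not track ICMP state.
access-list outside_acl permit icmp any any echo-reply
access-list outside_acl permit icmp any any unreachable
access-list outside_acl permit icmp any any time-exceeded

global (DMZ01) 1 interface
global (DMZ02) 1 interface
clear xlate
```

To see what was forgotten, `show access-list inside_acl` prints a hit count per line, and the syslog tells you which of the two mechanisms dropped a packet: `%PIX-4-106023: Deny tcp src inside:... dst outside:... by access-group "inside_acl"` is a missing ACL entry, while `%PIX-3-305005: No translation group found ...` means the missing piece is a static/global/nat line, and no ACL change will help. The existing `static (inside,DMZ01) 192.168.1.20 192.168.0.3` takes precedence over the global for the Exchange server, so it still appears on DMZ01 as 192.168.1.20.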
Author Comment

by:Phil_Trahan
ID: 12055813
ok, but I'm still confused...

I want to use PDM 301 so I have to stay with 6.3.4, but PDM doesn't permit the use of ACL and Conduit in the same config, so I have to remove all the conduit statements. I checked the recall notices and the only one that applies is the last one, but I have to assume that I had a software problem, since before upgrading I never had to reboot either of the two pix in 2 years... also the load is always under 3 Mbps and the max VPN is 12.

If I replace the conduit with access-list, I'm still confused what statement I need.

I got 2 servers in DMZ01, one is a web server (192.168.1.3), the other (192.168.1.4) is a mail gateway. Here is my outside ACL :

access-list outside_acl  permit tcp any host 207.x.x.3 eq www
access-list outside_acl  permit tcp any host 207.x.x.3 eq https
access-list outside_acl  permit tcp any host 207.x.x.3 eq ftp
access-list outside_acl  permit tcp any host 207.x.x.4 eq pop3
access-list outside_acl  permit tcp any host 207.x.x.4 eq smtp

The web server need to communicate with a SQL server (192.168.2.10) located in DMZ02 (higher security int).
The mail server need to communicate with an Exchange server (192.168.0.3) located inside (Highest interface).
I'm using NAT on every interface and a static statement for every server :
static (DMZ02,DMZ01) 192.168.1.210 192.168.2.10 netmask 255.255.255.255 0 0
static (inside,DMZ01) 192.168.1.20 192.168.0.3 netmask 255.255.255.255 0 0

What would be the ACL statement for DMZ01, DMZ02 and Inside ?



Accepted Solution

by: lrmoore (earned 250 total points)
ID: 12403896
Sorry it's been so long before I got back with you. I was hoping some of our other experts here would jump in and help out.
How are you doing on this? Any progress?

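Since the thread never got a concrete answer to "what would be the ACL statement for DMZ01, DMZ02 and Inside", here is an added translation of the posted conduits into per-interface lists. It is an example, not the poster's or lrmoore's config, and uses the addresses from the last post: web server 192.168.1.3 and mail relay 192.168.1.4 on DMZ01, SQL 192.168.2.10 on DMZ02, Exchange 192.168.0.3 inside, plus the 192.168.1.12 monitoring host from the original conduits. Assumptions: DMZ01 is security 20 and DMZ02 is security 40 (the post only says DMZ02 is higher), the relay also sends mail out to the Internet, the SQL host on DMZ02 only needs DNS and web access outbound, and `nat (DMZ01) 1 0 0` / `nat (DMZ02) 1 0 0` with a `global (outside) 1` already exist. Two rules drive the translation. First, a conduit names the destination before the source; an access-list names the source first. Second, a list bound to DMZ01 is written with addresses as DMZ01 sees them, so the Exchange server is 192.168.1.20 and the SQL server 192.168.1.210, exactly the mapped addresses of the existing `static (inside,DMZ01)` and `static (DMZ02,DMZ01)` lines; the real addresses 192.168.0.3 and 192.168.2.10 never appear in DMZ01_acl. Replies from Exchange and SQL ride the connection the DMZ01 host opened, so inside_acl and DMZ02_acl only list what hosts on those interfaces start themselves. Port 1433 is TCP.

```text
access-list DMZ01_acl remark conduit permit icmp any any  ->  what DMZ01 hosts may send
access-list DMZ01_acl permit icmp any any echo
access-list DMZ01_acl permit icmp any any echo-reply
access-list DMZ01_acl permit icmp any any unreachable
access-list DMZ01_acl permit icmp any any time-exceeded
access-list DMZ01_acl remark conduit permit tcp host 192.168.1.20 eq smtp (and 3268) any
access-list DMZ01_acl remark Exchange 192.168.0.3 is 192.168.1.20 on this interface (static)
access-list DMZ01_acl permit tcp host 192.168.1.4 host 192.168.1.20 eq smtp
access-list DMZ01_acl permit tcp host 192.168.1.4 host 192.168.1.20 eq 3268
access-list DMZ01_acl remark conduit permit tcp host 192.168.1.211 eq 1433 host 192.168.1.12
access-list DMZ01_acl remark last post puts SQL at 192.168.2.10 = 192.168.1.210 here. 1433 is TCP
access-list DMZ01_acl permit tcp host 192.168.1.3 host 192.168.1.210 eq 1433
access-list DMZ01_acl remark conduit permit udp host 192.168.1.210 (.211) eq snmp host 192.168.1.12
access-list DMZ01_acl permit udp host 192.168.1.12 host 192.168.1.210 eq snmp
access-list DMZ01_acl permit udp host 192.168.1.12 host 192.168.1.211 eq snmp
access-list DMZ01_acl remark no conduit covered these: traffic the servers START to the Internet
access-list DMZ01_acl permit tcp host 192.168.1.4 any eq smtp
access-list DMZ01_acl permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list DMZ01_acl permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list DMZ01_acl permit tcp 192.168.1.0 255.255.255.0 any eq https
access-group DMZ01_acl in interface DMZ01

access-list DMZ02_acl remark SQL answers 192.168.1.3 on the existing connection. Only what
access-list DMZ02_acl remark DMZ02 hosts START is listed (assumption: DNS and web only)
access-list DMZ02_acl permit icmp any any echo
access-list DMZ02_acl permit icmp any any echo-reply
access-list DMZ02_acl permit icmp any any unreachable
access-list DMZ02_acl permit icmp any any time-exceeded
access-list DMZ02_acl permit udp 192.168.2.0 255.255.255.0 any eq domain
access-list DMZ02_acl permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list DMZ02_acl permit tcp 192.168.2.0 255.255.255.0 any eq https
access-group DMZ02_acl in interface DMZ02

clear conduit
write memory
```

Bind each list with access-group before removing the conduits, then confirm with `show conduit` (should be empty, which is also what PDM 3.0 requires) and `show access-list` hit counts while the web server opens a SQL connection and the relay delivers a message to Exchange. The `echo-reply` entries in DMZ01_acl and DMZ02_acl are what let pings started on inside reach hosts on those interfaces; the inside list itself only needs `echo`.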