PIX 515E Configuration for DMZ - access the DMZ from internal clients

Needing assistance in configuring a PIX 515E to use a DMZ and have the server in the DMZ accessible from the clients on the private (inside) side of the firewall.

Here is the config for the firewall:

PIXFIREWALL# show conf
: Saved
: Written by enable_15 at 11:20:26.763 UTC Wed Mar 22 2006
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password NA3kCu/6slD/O7aS level 10 encrypted
enable password rOx8.Y2f6t2O2J6d encrypted
passwd CchT5YiB9kSAWob1 encrypted
hostname PIXFIREWALL
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_acl permit tcp any any
access-list inside_acl permit ip any any
access-list inside_acl permit udp any any
access-list outside_acl permit tcp any host 24.1.3.37 eq www
access-list outside_acl permit tcp any host 24.1.3.37 eq https
access-list outside_acl permit gre any host 24.1.3.35
access-list outside_acl permit ah any host 24.1.3.35
access-list outside_acl permit esp any host 24.1.3.35
access-list outside_acl permit tcp any host 24.1.3.35 eq pptp
access-list outside_acl deny tcp any any eq netbios-ssn
access-list outside_acl deny tcp any any eq ftp
access-list outside_acl permit tcp any host 24.1.3.36 eq 10000
access-list outside_acl deny tcp any any eq telnet
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 24.24.1.3.34 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 24.1.3.38
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 24.1.3.36 192.168.1.100 netmask 255.255.255.255 0 0
static (inside,outside) 24.1.3.35 192.168.1.50 netmask 255.255.255.255 0 0
static (inside,outside) 24.1.3.37 192.168.1.49 netmask 255.255.255.255 0 0
static (dmz,outside) 24.1.3.37 192.168.20.49 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 24.1.3.33 1
route inside 10.0.0.0 255.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 24.1.3.38 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username username password epNzeQOJEcyLcSzn encrypted privilege 15
terminal width 90
Cryptochecksum:7c94591755b1df876ae190b86fefe7aa

I need for the clients on the inside network (192.168.1.0) to be able to access the DMZ (192.168.20.0) and the server residing in the DMZ needs to be able to access the Windows DOMAIN for Active Directory Authentication and a SQL server (both reside behind the firewall - on the 192.168.1.0 network).

Thanks for your assist!

Sean
Asked by: saladart
jjoseph_x commented:
The clients on the inside network should already be able to access the servers in the DMZ (if the PIX is the default gateway for both subnets or if you have the appropriate routing).  With the PIXes an interface with higher security (like the inside interface with security100) can access an interface with a lower security (like the outside interface or the dmz interface), without the use of access-lists.

However, to allow the servers in the DMZ to access servers on your network, you'll need to do three things:

1) create the appropriate access list:

access-list dmz-acl permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq 1433
access-list dmz-acl permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq 88
access-list dmz-acl permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq 88
access-list dmz-acl permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq 445
access-list dmz-acl permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq 389
access-list dmz-acl permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq 53


88 is for kerberos (which can use either UDP or TCP depending on how it's configured... though the default is UDP)
445 is for Microsoft directory services and SMB.
389 is for LDAP
and 53 is for DNS (you'll need to locate the DCs for a DNS look-up).

2) you'll need to bind the ACL to the interface via an access-group:

access-group dmz-acl in interface dmz

3) you've already done the static access translation:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

That should do what you'd want.
saladart (author) commented:
JJOSEPH x,

Thanks for your assistance.

Seems like everything is working except connectivity between the webserver (in the DMZ - 20.49) and the SQL Server - (on the inside (protected) network - 1.40).  Testing the ODBC connection, I cannot access the SQL server through port 1433 using the IP address or the computer name.

Any assistance will be greatly appreciated.

Sean
jjoseph_x commented:
If you've got the access-list:

access-list dmz-acl permit tcp host xx.xx.20.49 host xx.xx.1.40 eq 1433

then you should be able to hit the SQL Server.

Can you telnet to port 1433 on the SQL Server from the webserver?  So double-check to make sure that the SQL Server is listening on port 1433 (you can do a netstat -a -p tcp to show you the TCP ports on which the SQL Server is listening).  Also check to make sure that the Windows Firewall service isn't blocking the port on the SQL Server.

saladart (author) commented:
I cannot telnet to the SQL server from the webserver.  In addition, the netstat -a -p tcp does not return anything listening on port 1433.  The windows firewall service is not running.

I checked the default port on the SQL server - it is set to 1433.  The instance of SQL that is running is not the default instance - would that cause the server to listen on a different port?

Sean
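The netstat check jjoseph_x suggests above, and the question in this post about a non-default instance, can be scripted. The following is an added example and not code from the thread: it parses the output of `netstat -a -p tcp` on a Windows host and reports whether the expected SQL Server port is among the LISTENING entries, listing the other candidates when it is not. The netstat text is a constructed sample (hostname SQLSRV, the foreign port, and the dynamic port 1161 are all constructed to mirror the situation described in the thread), not real output from the poster's server.

```python
"""Added example (not from the thread): find TCP listeners in 'netstat -a -p tcp' output
and check whether the port an ODBC client expects is actually open."""
import re

# Constructed sample of Windows 'netstat -a -p tcp' output for a named SQL Server
# instance that took a dynamic port (1161) instead of the default instance port 1433.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            SQLSRV:0               LISTENING
  TCP    0.0.0.0:445            SQLSRV:0               LISTENING
  TCP    0.0.0.0:1161           SQLSRV:0               LISTENING
  TCP    192.168.1.40:139       SQLSRV:0               LISTENING
  TCP    192.168.1.40:1161      192.168.20.49:3402     ESTABLISHED
"""

# One netstat row: proto, local addr:port, foreign addr:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\w+)\s*$", re.MULTILINE)

# Ports that every Windows host of that era listens on; not SQL Server candidates.
WINDOWS_DEFAULT_LISTENERS = {135, 139, 445}


def listening_ports(text):
    """Sorted list of distinct TCP ports that are in LISTENING state."""
    return sorted({int(port) for _local, port, state in ROW.findall(text) if state == "LISTENING"})


def check_listener(text, expected):
    """Say whether 'expected' is open; if not, name the listeners worth matching to the instance."""
    ports = listening_ports(text)
    if expected in ports:
        return f"port {expected} is listening"
    others = [p for p in ports if p not in WINDOWS_DEFAULT_LISTENERS]
    return f"port {expected} is NOT listening; other listeners to check against the instance: {others}"


if __name__ == "__main__":
    print(listening_ports(NETSTAT_OUTPUT))
    print(check_listener(NETSTAT_OUTPUT, 1433))
    print(check_listener(NETSTAT_OUTPUT, 1161))
```

Run it against the real output of `netstat -a -p tcp` captured from the SQL Server host; a named instance is only reachable on the port this reports, and the firewall ACL has to permit that port, not 1433.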
saladart (author) commented:
Ok - the port that was used was not 1433 - it was 1161.  Once I reconfigured the ODBC connection I could get a connect with the DATABASE.

It is dog slow but it connects...making progress...

Now, as to the speed issue - any ideas as to why it would be slow?  Anything in the firewall that could cause this?

Here is the latest config:

: Saved
: Written by enable_15 at 18:19:30.152 UTC Wed Mar 22 2006
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password XXXXXXXXXXlevel 10 encrypted
enable password XXXXXXXX encrypted
passwd CchT5YiB9kSAWob1 encrypted
hostname PIXFIREWALL
domain-name ocusoft.com
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_acl permit tcp any any
access-list inside_acl permit ip any any
access-list inside_acl permit udp any any
access-list outside_acl permit tcp any host 24.1.3.37 eq www
access-list outside_acl permit tcp any host 24.1.3.37 eq https
access-list outside_acl permit gre any host 24.1.3.35
access-list outside_acl permit ah any host 24.1.3.35
access-list outside_acl permit esp any host 24.1.3.35
access-list outside_acl permit tcp any host 24.1.3.35 eq pptp
access-list outside_acl deny tcp any any eq netbios-ssn
access-list outside_acl permit tcp any host 24.1.3.36 eq 21012
access-list outside_acl deny tcp any any eq telnet
access-list dmz_in permit icmp any any
access-list dmz_in permit ip host 192.168.20.49 host 192.168.1.50
access-list dmz_in permit udp host 192.168.20.49 host 192.168.1.50 eq 88
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq 445
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq domain
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.40 eq 1161
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.40 eq 1433
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.50 eq 88
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 110 permit icmp any any
access-list dmz_out permit tcp any any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 24.1.3.34 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 24.1.3.38
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 24.1.3.36 192.168.1.100 netmask 255.255.255.255 0 0
static (inside,outside) 24.1.3.35 192.168.1.50 netmask 255.255.255.255 0 0
static (dmz,outside) 24.1.3.37 192.168.20.49 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
access-group dmz_out in interface dmz
route outside 0.0.0.0 0.0.0.0 24.227.133.33 1
route inside 10.0.0.0 255.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 24.1.3.38 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username username password epNzeQOJEcyLcSzn encrypted privilege 15
terminal width 90
Cryptochecksum:5e1c2f93572b8d24bd1e5dcb9a06994f
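The three rules jjoseph_x lays out earlier in the thread (a higher-security interface reaches a lower one without an ACL; once an ACL is applied inbound it decides instead; a lower-to-higher flow additionally needs a static translation for the destination) can be checked mechanically against a config. The following is an added example, not code from the thread or from Cisco: a small Python model that parses the nameif, ip address, access-list, access-group and static lines of the config just posted (the PIX_CONFIG string is an excerpt of that config, with the outside-facing lines left out) and returns a verdict for a flow. Run against it, the model makes two things visible that a reviewer would flag: the narrow dmz_in list is defined but never applied, while dmz_out, which permits any TCP from the DMZ to anything, is what is actually bound; and no UDP at all is permitted from the DMZ, so Kerberos over UDP/88 to the domain controller is dropped with the current binding. The sample client address 192.168.1.10 and the port-name table are assumptions; the model covers inside/dmz traffic only and does not model inbound NAT from the outside.

```python
"""Added example (not from the thread): verdicts for flows through a PIX 6.3 config, using
the security-level, inbound-ACL and static-translation rules described in the thread."""
import ipaddress

# Excerpt of the second config posted in the thread (outside-facing lines omitted).
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
access-list inside_acl permit ip any any
access-list dmz_in permit icmp any any
access-list dmz_in permit ip host 192.168.20.49 host 192.168.1.50
access-list dmz_in permit udp host 192.168.20.49 host 192.168.1.50 eq 88
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.40 eq 1161
access-list dmz_in permit tcp host 192.168.20.49 host 192.168.1.40 eq 1433
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list dmz_out permit tcp any any
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.20.1 255.255.255.0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group inside_acl in interface inside
access-group dmz_out in interface dmz
"""

# Assumed port-name table; only the names that appear in the thread's ACLs are needed.
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "ftp": 21, "telnet": 23, "pptp": 1723}


def _addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_pix_config(text):
    """Return security levels, connected subnets, ACLs (name -> [(action, proto, src, dst, port)]),
    inbound ACL bindings (interface -> name) and statics (real_if, mapped_if, mapped network)."""
    p = {"security": {}, "subnets": {}, "acls": {}, "bound": {}, "statics": []}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "nameif":                    # nameif ethernet1 inside security100
            p["security"][tok[2]] = int(tok[3].removeprefix("security"))
        elif tok[:2] == ["ip", "address"]:        # ip address inside 192.168.1.1 255.255.255.0
            p["subnets"][tok[2]] = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
        elif tok[0] == "access-list":             # access-list NAME permit|deny PROTO SRC DST [eq PORT]
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            port = None                           # None = any port (also for ip/icmp entries)
            if i < len(tok) and tok[i] == "eq":
                port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            p["acls"].setdefault(tok[1], []).append((tok[2], tok[3], src, dst, port))
        elif tok[0] == "access-group":            # access-group NAME in interface IFACE
            p["bound"][tok[4]] = tok[1]
        elif tok[0] == "static":                  # static (real,mapped) MAPPED REAL netmask MASK
            real_if, mapped_if = tok[1].strip("()").split(",")
            net = ipaddress.ip_network(f"{tok[2]}/{tok[tok.index('netmask') + 1]}", strict=False)
            p["statics"].append((real_if, mapped_if, net))
    return p


def interface_for(p, ip):
    """Interface whose connected subnet holds ip; anything else leaves via the default route."""
    return next((name for name, net in p["subnets"].items() if ip in net), "outside")


def acl_verdict(aces, src, dst, proto, dport):
    for action, aproto, asrc, adst, aport in aces:  # first match wins; no match is an implicit deny
        if aproto in ("ip", proto) and src in asrc and dst in adst and aport in (None, dport):
            return action
    return "implicit deny"


def evaluate(p, src, dst, proto, dport=None):
    """Verdict for one packet src -> dst. Inside/dmz only; inbound NAT from outside is not modelled."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ing, eg = interface_for(p, src), interface_for(p, dst)
    if ing in p["bound"]:  # an ACL applied inbound decides instead of the security-level rule
        v = acl_verdict(p["acls"].get(p["bound"][ing], []), src, dst, proto, dport)
        if v != "permit":
            return f"denied by {p['bound'][ing]} on {ing}: {v}"
    elif p["security"][ing] <= p["security"][eg]:
        return f"denied: no ACL on {ing} and security {p['security'][ing]} <= {p['security'][eg]}"
    if p["security"][ing] < p["security"][eg]:  # lower -> higher also needs a translation for dst
        if not any(r == eg and m == ing and dst in net for r, m, net in p["statics"]):
            return f"denied: no static ({eg},{ing}) covers {dst}"
    return "permitted"


def unbound_acls(p):
    """ACLs present in the config but applied to no interface; they have no effect."""
    return [name for name in p["acls"] if name not in p["bound"].values()]


if __name__ == "__main__":
    p = parse_pix_config(PIX_CONFIG)
    print("defined but never applied:", unbound_acls(p))
    for flow in [("192.168.1.10", "192.168.20.49", "tcp", 80),      # inside client -> DMZ web server
                 ("192.168.20.49", "192.168.1.40", "tcp", 1161),    # web server -> SQL named instance
                 ("192.168.20.49", "192.168.1.40", "tcp", 3389),    # anything else TCP also passes
                 ("192.168.20.49", "192.168.1.50", "udp", 88)]:     # Kerberos UDP to the DC
        print(flow, "->", evaluate(p, *flow))
    p["bound"]["dmz"] = "dmz_in"  # the same flows if the narrower, unused ACL were applied instead
    print("dmz_in applied, tcp/3389 ->", evaluate(p, "192.168.20.49", "192.168.1.40", "tcp", 3389))
```

Changing the binding in the model from dmz_out to dmz_in is the equivalent of `access-group dmz_in in interface dmz` on the PIX: the web server keeps its SQL, Kerberos, SMB and DNS paths to the two inside hosts and loses everything else, which is the least-privilege shape the first answer was aiming at.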
calvinetter commented:
If performance is terrible, you may have a speed/duplex mismatch. In your config, the PIX dmz interface is manually set to 100 Mbps full-duplex.  If the interface on the switch/other device it's plugged into is set to "auto" then set the following on your PIX:
  interface ethernet2 auto

If that doesn't help any, if you're able to, manually set the other interface that's connected to your PIX's dmz port to:
  100 Mbps, full-duplex
Then on your PIX, set it back to the explicit speed/duplex:
  interface ethernet2 100full

In order for ethernet interfaces to play nice together they should *both* be set to either "auto" for speed/duplex or both manually set to a specific speed/duplex.

cheers