Solved

DMZ routing on PIX

Posted on 2006-03-28
2,881 Views
Last Modified: 2010-08-05
I have a PIX 515e running v6.3(5).
I've recently turned up the DMZ interface and want to place a web server behind it.
I've set up the interfaces and created the proper rules but no one on the Internet can access the server.
This is the message that I get in the syslog server:

<166>Mar 28 2006 13:00:21: %PIX-6-106100: access-list acl_out permitted tcp outside/64.119.13.87(2681) -> DMZ/69.7.x.x(80) hit-cnt 1 (first hit)
<166>Mar 28 2006 13:00:21: %PIX-6-302013: Built inbound TCP connection 423 for outside:64.119.13.87/2681 (64.119.13.87/2681) to DMZ:192.168.10.3/80 (69.7.x.x/80)
<166>Mar 28 2006 13:00:21: %PIX-6-106015: Deny TCP (no connection) from 192.168.10.3/80 to 64.119.13.87/2681 flags SYN ACK  on interface inside
<166>Mar 28 2006 13:00:21: %PIX-6-110001: No route to 192.168.10.3 from 64.119.13.87

And here is my configuration (I've stripped out the irrelevant data):
----------------
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 207.243.xx.xx NISC_inbound
name 172.16.4.1 Brian_int
name 172.16.1.5 Positron_int
name 172.16.1.3 Proton_int
name 172.16.1.2 Electron_int
name 69.7.32.7 Positron_ext
name 69.7.32.6 Electron_ext
name 69.7.32.5 Proton_ext
name 172.16.1.9 iVUE_Server
name 192.168.10.2 Athos_DMZ
name 192.168.10.3 Porthos_DMZ
name 69.7.32.4 ebill_ext
name 172.16.8.0 FH
name 172.16.0.0 ES
name 69.7.xx.xx Public
object-group service TERMINAL_SERVICES tcp
  description Microsoft Terminal Services
  port-object eq 3389
object-group service Messenger_File_Transfer tcp
  port-object range 6891 6900
access-list compiled
access-list acl_out deny udp any eq netbios-ns any
access-list acl_out deny udp any eq netbios-dgm any
access-list acl_out deny tcp any eq netbios-ssn any
access-list acl_out permit tcp any any object-group Messenger_File_Transfer
access-list acl_out remark Outlook Web Access (for redirect)
access-list acl_out permit tcp any host Proton_ext eq www
access-list acl_out remark Outlook Web Access
access-list acl_out permit tcp any host Proton_ext eq https
access-list acl_out remark Inbound mail
access-list acl_out permit tcp any host Proton_ext eq smtp
access-list acl_out remark New web site
access-list acl_out permit tcp any host 69.7.32.9 eq www log
access-list acl_out remark Web Site
access-list acl_out permit tcp any host Electron_ext eq www
access-list acl_out remark E-Bill
access-list acl_out permit tcp any host ebill_ext eq https
access-list acl_out remark NISC secure telnet
access-list acl_out permit tcp host NISC_inbound host ebill_ext eq ssh
access-list acl_out remark NISC Term Svcs to Positron
access-list acl_out permit tcp host NISC_inbound host Positron_ext object-group TERMINAL_SERVICES
access-list inside_outbound_nat0_acl permit ip any ES 255.255.0.0
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any inside
ip address outside 69.7.xx.xx 255.255.255.240
ip address inside 172.16.0.2 255.255.248.0
ip address DMZ 192.168.10.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name Test attack action alarm drop reset
ip audit interface outside Test
ip audit interface inside Test
ip audit info action alarm drop
ip audit attack action alarm drop
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Proton_ext Proton_int netmask 255.255.255.255 0 0
static (inside,outside) Electron_ext Electron_int netmask 255.255.255.255 0 0
static (inside,outside) ebill_ext iVUE_Server netmask 255.255.255.255 0 0
static (inside,outside) Positron_ext Positron_int netmask 255.255.255.255 0 0
static (DMZ,outside) 69.7.xx.xx Porthos_DMZ netmask 255.255.255.255 0 0
access-group acl_out in interface outside
rip inside default version 2
route outside 0.0.0.0 0.0.0.0 69.7.xx.xx 1
route inside FH 255.255.248.0 172.16.0.7 1
: end
[OK]
----------------

I don't have a router in the DMZ and am hoping that this issue can be resolved without one.
Can anyone help?
Question by:Brian Longworth
56 Comments
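The four syslog lines in the question show the whole failure in order: the ACL permits, the connection is built from outside to DMZ, and then the server's SYN/ACK is dropped because it arrived on the inside interface. This added Python example (mine, not from the thread) parses %PIX-6-302013 and %PIX-6-106015 messages and flags any connection whose reply shows up on an interface other than the one the connection was built towards; the sample log is the text quoted in the question, embedded as a string so it runs offline.

```python
import re

# Sample input: the four syslog lines quoted in the question, embedded here
# as a constructed string so the example runs without a syslog server.
SAMPLE_LOG = """\
<166>Mar 28 2006 13:00:21: %PIX-6-106100: access-list acl_out permitted tcp outside/64.119.13.87(2681) -> DMZ/69.7.x.x(80) hit-cnt 1 (first hit)
<166>Mar 28 2006 13:00:21: %PIX-6-302013: Built inbound TCP connection 423 for outside:64.119.13.87/2681 (64.119.13.87/2681) to DMZ:192.168.10.3/80 (69.7.x.x/80)
<166>Mar 28 2006 13:00:21: %PIX-6-106015: Deny TCP (no connection) from 192.168.10.3/80 to 64.119.13.87/2681 flags SYN ACK  on interface inside
<166>Mar 28 2006 13:00:21: %PIX-6-110001: No route to 192.168.10.3 from 64.119.13.87
"""

# Header shared by every PIX syslog line: %PIX-<severity>-<message id>: <body>
MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")

# 302013: Built inbound TCP connection N for IF:src/sport (mapped) to IF:dst/dport (mapped)
BUILT_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.x]+)/(?P<sport>\d+) \([^)]*\) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.x]+)/(?P<dport>\d+)")

# 106015: Deny TCP (no connection) from src/sport to dst/dport flags ... on interface IF
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.x]+)/(?P<sport>\d+) to "
    r"(?P<dst>[\d.x]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\w+)")


def parse_pix_log(text: str) -> list:
    """Turn PIX syslog lines into event dicts. The two message types that are
    correlated below get their fields extracted; every other message keeps
    only id, severity and body."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = {"id": m["id"], "severity": int(m["sev"]), "body": m["body"]}
        detail = None
        if ev["id"] == "302013":
            detail = BUILT_RE.search(ev["body"])
        elif ev["id"] == "106015":
            detail = DENY_RE.search(ev["body"])
        if detail:
            ev.update(detail.groupdict())
        events.append(ev)
    return events


def find_asymmetric_returns(events: list) -> list:
    """Pair each built connection with a later 'Deny TCP (no connection)' whose
    5-tuple is the reverse of that connection. The PIX built the connection
    towards dst_if, so the server's reply must come back on dst_if; a reply on
    any other interface means the return path is wrong (in this thread the cause
    turned out to be ARP behaviour rather than a missing route)."""
    findings = []
    built = [e for e in events if e["id"] == "302013" and "conn" in e]
    denies = [e for e in events if e["id"] == "106015" and "iface" in e]
    for b in built:
        for d in denies:
            is_reply = (d["src"] == b["dst"] and d["sport"] == b["dport"]
                        and d["dst"] == b["src"] and d["dport"] == b["sport"])
            if is_reply and d["iface"] != b["dst_if"]:
                findings.append({
                    "connection": b["conn"],
                    "server": b["dst"],
                    "client": b["src"],
                    "expected_interface": b["dst_if"],
                    "seen_interface": d["iface"],
                    "flags": d["flags"].strip(),
                })
    return findings


if __name__ == "__main__":
    for f in find_asymmetric_returns(parse_pix_log(SAMPLE_LOG)):
        print(f"conn {f['connection']}: reply from {f['server']} ({f['flags']}) arrived on "
              f"'{f['seen_interface']}' but the connection was built towards '{f['expected_interface']}'")
```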
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16320842
Maybe I cannot see the wood for the trees...

I can see that static for the DMZ,outside but not a permit statement, nor can I see an access-group applied to the DMZ interface. Sorry if it's there and I have just missed it.

Author Comment

by:Brian Longworth
ID: 16323898
If you can't see it, it may not be there. I don't know PIX as well as I wish I did and, therefore, do all the configuration through PDM. I thought that I set it up properly as I used the other interfaces as a template.

Regardless, I think the main issue may be the route issue as reported by syslog:
<166>Mar 28 2006 13:00:21: %PIX-6-110001: No route to 192.168.10.3 from 64.119.13.87
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16324682
Shouldn't really need a route as the interface is directly connected but...
route DMZ 192.168.10.0 255.255.255.0 192.168.10.1 1

Is the web server trying to call something inside on your LAN?
access-list acl_out permit tcp any host 69.7.32.9 eq www log
Is this the permit line for the webserver in the DMZ?
If so,
static (DMZ,outside) 69.7.xx.xx Porthos_DMZ netmask 255.255.255.255 0 0
would then be the permit statement as per your listing.
As you are not filtering any outgoing traffic from the DMZ, no access-group statement would be needed.

However, the error is being reported for interface inside. I would have expected the error to have been for interface DMZ or outside.
 

Author Comment

by:Brian Longworth
ID: 16325157
Maybe it will help if you know what the address ranges are for each interface:
inside: 172.16.xx.xx
DMZ: 192.168.10.xx
outside: 69.7.xx.xx

The syslog clearly shows that it's able to pass traffic from outside to DMZ but can't pass traffic from DMZ to outside because of (what appears to be) a routing issue. There's no router on the DMZ subnet therefore, no gateway address.

This is what I can't figure out.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16325422
As long as the boxes on the DMZ subnet are default-gatewayed to the DMZ PIX address, nothing else should be needed as the PIX default route will deal with it. As the DMZ subnet is directly attached to the PIX, this should not need a route either. However, I do agree that that is how the log reads.

A clear xlate may be all that is needed, Brian, simply to reset the cache.

LVL 51

Expert Comment

by:Keith Alabaster
ID: 16325432
PS. The only element that I cannot see is what is in your RIP tables.

If you do a show ip rip, what do you see?
Also sh ip route

Author Comment

by:Brian Longworth
ID: 16325693
PIX515# sh rip
rip inside default version 2

PIX515# sh route
        outside 0.0.0.0 0.0.0.0 69.7.32.1 1 OTHER static
        outside Public 255.255.255.240 69.7.32.3 1 CONNECT static
        inside ES 255.255.248.0 172.16.0.2 1 CONNECT static
        inside FH 255.255.248.0 172.16.0.7 1 OTHER static
        DMZ 192.168.10.0 255.255.255.0 192.168.10.1 1 CONNECT static
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16325901
Yes, so the route for the DMZ is already there.

So I wonder why the heck it thinks it has a better route to the 69 network through the inside interface.
Brian, on your internal devices, I assume these are running RIP also. Do you have any static routes set anywhere for the 69.x.y.z addresses? If so, these could be being passed via the RIP statements and then being picked up by the PIX. The PIX will see the RIP updates and be told that hey, I have a route to the 69 network and I learnt it through the inside interface.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16325938
Try turning off the RIP in the PIX for a while so that the PIX uses its own routing. This might need a reboot.
If you don't feel comfortable doing this, disconnect the internal NIC at a suitable time and reboot the PIX. See if you can get to the web server now when the PIX has not learnt any routes from elsewhere.

Author Comment

by:Brian Longworth
ID: 16326075
The internal routers use rip but the gateway of last resort on them is the internal interface of the PIX.
In retrospect, neither the routers nor the PIX really need to have RIP turned on since I have static routes set up
I don't have any static routes set up for the outside network.

I'll try your suggestions when I have a chance.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16326107
OK :)

Author Comment

by:Brian Longworth
ID: 16326193
I cleared xlate and turned off RIP but I still can't get to the server in the DMZ.
This is what syslog is showing now:

<166>Mar 29 2006 12:33:18: %PIX-6-106015: Deny TCP (no connection) from 192.168.10.3/80 to 64.119.13.87/4740 flags SYN ACK  on interface inside
<166>Mar 29 2006 12:33:18: %PIX-6-110001: No route to 192.168.10.3 from 64.119.13.87

(The 64.119 address is my external testing computer)

I don't know why it's denying the connection unless it's related to the routing issue. I do have a permit rule to allow traffic to the DMZ server on port 80.

Author Comment

by:Brian Longworth
ID: 16326278
Would it be better for me to bite the bullet and upgrade the OS to v7.1?
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16326358
I knew this month had gone too well for me.

On the web server, does it have a log? Does it show the traffic arriving from the outside?
Do a show access-list. Are there any hits against the www permit line for the DMZ targeted traffic?
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16326431
There is no need for what you are doing here. Yes, v7 has some good features but (no offence) you are doing nothing special. This is bread-and-butter stuff and 6.3 shouldn't be causing this issue at all. According to your config, you should get one access-list shown.

One other thing I just noticed, you can assign a NAT group to the DMZ interface, please, and retry.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16326455
Sorry, hit the return key by accident. Was going to ask, can the webserver surf the web in its own right?

Author Comment

by:Brian Longworth
ID: 16326472
PIX515# sh access-list
access-list compiled
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list acl_out turbo-configured; 12 elements
access-list acl_out line 11 remark New web site
access-list acl_out line 12 permit tcp any host 69.7.32.9 eq www log 6 interval 300 (hitcnt=5)
access-list inside_outbound_nat0_acl turbo-configured; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip any ES 255.255.0.0 (hitcnt=61)

(I've removed the data for the other rules)

The server doesn't show any hits from outside.

Author Comment

by:Brian Longworth
ID: 16326529
I don't really understand your request, "assign a NAT group to the DMZ interface ".
Can you elaborate or instruct me how?

The web server cannot browse the web. When I connect the second NIC to the inside network, then I can.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16326712
lol, I take it that the default gateway of the web server is pointing to the IP address of the PIX DMZ interface, isn't it?
Sorry, I had to ask...

global (11) outside interface
nat (DMZ) 11 0.0.0.0 0.0.0.0 0 0
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16326769
What that SHOULD do is tell the PIX that any traffic originating from the DMZ interface should leave as if it had come from the outside interface of the PIX. Same as the Global/NAT lines do for the inside interface.

Really clutching at straws so I am going to call in some assistance.

Author Comment

by:Brian Longworth
ID: 16326798
I'm about to leave for the day so I'll try this in the morning.

Thanks
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16326810
OK. I have escalated this one so hopefully you should have a response when you get it.

regards
keith
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16326877
I also assume your interface is not still shutdown either....

Author Comment

by:Brian Longworth
ID: 16327767
I stopped at my office before I went home and yes, the server is pointed at the PIX DMZ interface for its GW.

I ran the commands that you recommended and they seem to solve anything. Now I have an error in PDM under translation rules that says "Pool 11 not found on any lower security interface."
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16329715
No problem. Just remove the ID 11 statements.

Author Comment

by:Brian Longworth
ID: 16333221
ID 11 statements?
Such as the ones you suggested I put in?

"global (11) outside interface
nat (DMZ) 11 0.0.0.0 0.0.0.0 0 0"
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 800 total points
ID: 16334745
Yes; thanks for reminding me :(

I have escalated this call to the Page Editor for firewalls, asking him to take a look as obviously I am missing something.

Author Comment

by:Brian Longworth
ID: 16335235
For your reference, here is the complete configuration with only the sensitive parts edited.
-----------------
PIX515# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password xxxx encrypted
passwd xxxx encrypted
hostname PIX515
domain-name xxxx
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 207.243.68.200 NISC_inbound
name 172.16.4.1 Brian_int
name 172.16.1.5 Positron_int
name 172.16.1.3 Proton_int
name 172.16.1.2 Electron_int
name 69.7.xx.xx Positron_ext
name 69.7.xx.xx Electron_ext
name 69.7.xx.xx Proton_ext
name 172.16.1.9 iVUE_Server
name 192.168.10.2 Athos_DMZ
name 192.168.10.3 Porthos_DMZ
name 69.7.xx.xx ebill_ext
name 172.16.8.0 FH
name 172.16.0.0 ES
name 69.7.xx.xx Public
object-group service TERMINAL_SERVICES tcp
  description Microsoft Terminal Services
  port-object eq 3389
object-group service Messenger_File_Transfer tcp
  port-object range 6891 6900
access-list compiled
access-list acl_out deny udp any eq netbios-ns any
access-list acl_out deny udp any eq netbios-dgm any
access-list acl_out deny tcp any eq netbios-ssn any
access-list acl_out permit tcp any any object-group Messenger_File_Transfer
access-list acl_out remark Outlook Web Access (for redirect)
access-list acl_out permit tcp any host Proton_ext eq www
access-list acl_out remark Outlook Web Access
access-list acl_out permit tcp any host Proton_ext eq https
access-list acl_out remark Inbound mail
access-list acl_out permit tcp any host Proton_ext eq smtp
access-list acl_out remark New web site
access-list acl_out permit tcp any host 69.7.xx.xx eq www log
access-list acl_out remark Web Site
access-list acl_out permit tcp any host Electron_ext eq www
access-list acl_out remark E-Bill
access-list acl_out permit tcp any host ebill_ext eq https
access-list acl_out remark NISC secure telnet
access-list acl_out permit tcp host NISC_inbound host ebill_ext eq ssh
access-list acl_out remark NISC Term Svcs to Positron
access-list acl_out permit tcp host NISC_inbound host Positron_ext object-group TERMINAL_SERVICES
access-list inside_outbound_nat0_acl permit ip any ES 255.255.0.0
no pager
logging on
logging timestamp
logging trap informational
logging host inside Brian_int
no logging message 405001
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 69.7.xx.xx 255.255.255.240
ip address inside 172.16.0.2 255.255.248.0
ip address DMZ 192.168.10.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name Test attack action alarm drop reset
ip audit interface outside Test
ip audit interface inside Test
ip audit info action alarm drop
ip audit attack action alarm drop
ip local pool PPTP_Pool 172.16.2.246-172.16.2.255
pdm location NISC_inbound 255.255.255.255 outside
pdm location ES 255.255.248.0 inside
pdm location Electron_int 255.255.255.255 inside
pdm location Proton_int 255.255.255.255 inside
pdm location Brian_int 255.255.255.255 inside
pdm location 0.0.0.0 255.255.248.0 inside
pdm location Positron_int 255.255.255.255 inside
pdm location FH 255.255.248.0 inside
pdm location ebill_ext 255.255.255.255 outside
pdm location Proton_ext 255.255.255.255 outside
pdm location Electron_ext 255.255.255.255 outside
pdm location Positron_ext 255.255.255.255 outside
pdm location iVUE_Server 255.255.255.255 inside
pdm location Athos_DMZ 255.255.255.255 DMZ
pdm location Porthos_DMZ 255.255.255.255 DMZ
pdm logging warnings 512
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (DMZ) 11 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 11 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Proton_ext Proton_int netmask 255.255.255.255 0 0
static (inside,outside) Electron_ext Electron_int netmask 255.255.255.255 0 0
static (inside,outside) ebill_ext iVUE_Server netmask 255.255.255.255 0 0
static (inside,outside) Positron_ext Positron_int netmask 255.255.255.255 0 0
static (DMZ,outside) 69.7.xx.xx Porthos_DMZ netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 69.7.xx.xx 1
route inside FH 255.255.248.0 172.16.0.7 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server 131.107.1.10 source outside prefer
http server enable
http ES 255.255.248.0 inside
http FH 255.255.248.0 inside
snmp-server location xxxx
snmp-server contact Brian S. Longworth
snmp-server community xxxx
no snmp-server enable traps
tftp-server inside Brian_int /pix_config
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet ES 255.255.248.0 inside
telnet FH 255.255.248.0 inside
telnet timeout 10
ssh timeout 5
management-access inside
console timeout 10
vpdn group PPTP_Group accept dialin pptp
vpdn group PPTP_Group ppp authentication pap
vpdn group PPTP_Group ppp authentication chap
vpdn group PPTP_Group ppp authentication mschap
vpdn group PPTP_Group ppp encryption mppe 128 required
vpdn group PPTP_Group client configuration address local PPTP_Pool
vpdn group PPTP_Group client configuration dns 172.16.1.14 172.16.1.8
vpdn group PPTP_Group client configuration wins 172.16.1.14 172.16.1.8
vpdn group PPTP_Group pptp echo 60
vpdn group PPTP_Group client authentication local
vpdn username Beth password *********
vpdn username Betty password *********
vpdn username Rick password *********
vpdn username Judi password *********
vpdn username BrianL password *********
vpdn enable outside
username orcaspower password xxxx encrypted privilege 15
terminal width 80
banner login ----------------------------------------------------------------------
banner login                         Authorized access only!
banner login        Disconnect IMMEDIATELY if you are not an authorized user
banner login ----------------------------------------------------------------------
Cryptochecksum:xxxx
: end
LVL 19

Expert Comment

by:nodisco
ID: 16335663
hi there

You may have an ARP issue if there is an inside router at work - try the following on the PIX:

clear arp
sysopt noproxyarp inside
sysopt noproxyarp dmz
no global (DMZ) 11 interface
no nat (DMZ) 11 0.0.0.0 0.0.0.0
clear xlate

Then try from your dmz webserver to access the internet - and try to access it from outside.
hope this helps
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16335683
Thanks nodisco.
Cheers
keith

Author Comment

by:Brian Longworth
ID: 16335986
One of the two works:
I can now access the server pages from outside  (big thumbs up - thanks)

However, I cannot access the web FROM the server.
What do I need to do to allow the server to access ports 80 and 443 on the outside interface and port 53 (for DNS) on the inside interface?
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16336067
Brian, this is where the global and NAT pairs come in.
I'll let nodisco answer this one though as I must have got the command wrong last time, although it is what I use and I have six interfaces on all of my 9 PIX boxes :(
LVL 19

Expert Comment

by:nodisco
ID: 16336425
Hi there

You *should* have internet connectivity from the webserver now as you are - minus DNS of course. A 1-to-1 static is NATting your DMZ address out the outside with a public address.

See if you can go to http://68.142.226.33/
from the webserver - or configure a public dns server on the local connection of the webserver - i.e. 198.6.1.2

For a matching nat pool for other DMZ machines to go out the internet you would need the following:
nat (DMZ) 10 0.0.0.0 0.0.0.0
###Note that it matches the outside global nat id of 10###

For allowing the webserver in to your inside network to get access to dns:
static (DMZ, inside) 192.168.10.3 192.168.10.3 netmask 255.255.255.255
access-list DMZaccess_in permit udp 192.168.10.3 [ip address of dns server] eq 53
access-list DMZaccess_in permit tcp 192.168.10.3 [ip address of dns server] eq 53
access-group DMZaccess_in in interface DMZ

hope this helps



Author Comment

by:Brian Longworth
ID: 16336677
I was wrong: I must have fat-fingered the address I was trying to test because I can indeed access the web from the DMZ server.

When I run this command:
"access-list DMZaccess_in permit udp 192.168.10.3 172.16.1.8 eq 53"

I get this error: "ERROR: Source address,mask <Porthos_DMZ,172.16.1.8> doesn't pair"

How can I fix this?

Once this issue is resolved there remains only one simple issue to take care of - I want to block all outbound traffic FROM the DMZ server except ports 80 and 443.
LVL 19

Expert Comment

by:nodisco
ID: 16336947
<<When I run this command:
"access-list DMZaccess_in permit udp 192.168.10.3 172.16.1.8 eq 53"

I get this error: "ERROR: Source address,mask <Porthos_DMZ,172.16.1.8> doesn't pair"

How can I fix this?
>>

Sorry - I neglected the host variable. To allow the DMZ server access to the DNS server and only www and 443 traffic out:

that should be:
access-list DMZaccess_in permit udp host 192.168.10.3 host 172.16.1.8 eq 53
access-list DMZaccess_in permit tcp host 192.168.10.3 host 172.16.1.8 eq 53
access-list DMZaccess_in permit tcp host 192.168.10.3 any eq www
access-list DMZaccess_in permit tcp host 192.168.10.3 any eq 443
access-group DMZaccess_in in interface DMZ


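The "doesn't pair" error and the corrected rule set above can be checked offline with this added Python example (mine, not nodisco's or Cisco's): a small parser for the PIX 6.3 access-list syntax used in this thread, a lint function that reproduces the missing-host mistake, and a first-match evaluator ending in the implicit deny, run against the DMZaccess_in rules with the DNS server 172.16.1.8 from the post. Assumptions: addresses are literal IPs (the `name` aliases and object-groups of the real config are not resolved), and 203.0.113.10 is a constructed internet address.

```python
import ipaddress

# Constructed sample: the corrected DMZaccess_in rules from the post above.
DMZ_ACL = """\
access-list DMZaccess_in permit udp host 192.168.10.3 host 172.16.1.8 eq 53
access-list DMZaccess_in permit tcp host 192.168.10.3 host 172.16.1.8 eq 53
access-list DMZaccess_in permit tcp host 192.168.10.3 any eq www
access-list DMZaccess_in permit tcp host 192.168.10.3 any eq 443
"""

# Service names used on this PIX mapped to port numbers.
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "smtp": 25, "ssh": 22,
              "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}


def _parse_addr(tokens: list, pos: int):
    """Consume one PIX 6.3 address spec at tokens[pos]:
    'any' | 'host A.B.C.D' | 'A.B.C.D NETMASK'. A bare address must be followed
    by a mask; a second bare address there is the 'doesn't pair' error."""
    tok = tokens[pos]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), pos + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[pos + 1] + "/32"), pos + 2
    nxt = tokens[pos + 1] if pos + 1 < len(tokens) else ""
    try:
        return ipaddress.ip_network(f"{tok}/{nxt}", strict=False), pos + 2
    except ValueError:
        raise ValueError(f"ERROR: address,mask <{tok},{nxt}> doesn't pair") from None


def _parse_port(tokens: list, pos: int):
    """Consume an optional 'eq PORT' that may follow either address spec."""
    if pos < len(tokens) and tokens[pos] == "eq":
        p = tokens[pos + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), pos + 2
    return None, pos


def parse_acl(text: str) -> dict:
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' lines,
    grouped by ACL name. Remarks, 'access-list compiled' and trailing keywords
    such as 'log' are ignored; object-group lines are read without the group."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] == "remark":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, pos = _parse_addr(t, 4)
        sport, pos = _parse_port(t, pos)
        dst, pos = _parse_addr(t, pos)
        dport, pos = _parse_port(t, pos)
        acls.setdefault(name, []).append(
            {"action": action, "proto": proto, "src": src, "sport": sport,
             "dst": dst, "dport": dport})
    return acls


def lint_line(line: str):
    """Return None if the line parses, otherwise the PIX-style error text."""
    try:
        parse_acl(line)
        return None
    except ValueError as e:
        return str(e)


def evaluate(rules: list, proto: str, src: str, dst: str, dport: int, sport=None) -> str:
    """First-match evaluation the way the PIX applies an inbound ACL on an
    interface, ending in the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in (proto, "ip"):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["sport"] is not None and r["sport"] != sport:
            continue
        return r["action"]
    return "deny (implicit)"


if __name__ == "__main__":
    rules = parse_acl(DMZ_ACL)["DMZaccess_in"]
    print(lint_line("access-list DMZaccess_in permit udp 192.168.10.3 172.16.1.8 eq 53"))
    print("DNS to 172.16.1.8:", evaluate(rules, "udp", "192.168.10.3", "172.16.1.8", 53))
    print("SMTP to the internet:", evaluate(rules, "tcp", "192.168.10.3", "203.0.113.10", 25))
```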

Author Comment

by:Brian Longworth
ID: 16337964
Can do a DNS lookup - get this error in the syslog:

<163>Mar 30 2006 15:19:23: %PIX-3-305005: No translation group found for udp src DMZ:Porthos_DMZ/1026 dst inside:172.16.1.8/53
LVL 19

Expert Comment

by:nodisco
ID: 16338054
Have you got this line in the config:
static (DMZ, inside) 192.168.10.3 192.168.10.3 netmask 255.255.255.255

You may also need to run a
clear xlate

hth

Author Comment

by:Brian Longworth
ID: 16338080
I have that line already and I ran a clear xlate - no go, same error.
LVL 32

Expert Comment

by:rsivanandan
ID: 16338870
Why do you still have the following in the config?

 
global (DMZ) 11 interface
nat (DMZ) 11 0.0.0.0 0.0.0.0 0 0

Remove 'em; your webserver is statically mapped with an IP and it should serve it. It is going to be 2-way. So do a clear xlate after removing them and try it.

Cheers,
Rajesh
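To see why the PIX logged %PIX-3-305005 for the DMZ-to-inside DNS flow while the same server could already reach the internet, here is an added Python model (mine, not from the thread or Cisco) of the 6.3 translation lookup: static entries first, then nat/global pairs matched by ID, with the rule behind the PDM warning "Pool 11 not found on any lower security interface" that the global must sit on a lower-security interface than the nat. The BEFORE and AFTER configurations are constructed from the NAT lines posted in the thread, with the masked public address kept as the opaque label 69.7.xx.xx.

```python
import ipaddress

# Security levels from the nameif lines of the posted configuration.
SECURITY = {"outside": 0, "DMZ": 50, "inside": 100}

# Constructed from the thread: the NAT section with the 'global (DMZ) 11' /
# 'nat (DMZ) 11' pair still present (BEFORE) and after the corrections (AFTER).
# '69.7.xx.xx' is the masked public address and is only ever kept as a string.
BEFORE = """\
global (outside) 10 interface
global (DMZ) 11 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 11 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) 69.7.xx.xx 192.168.10.3 netmask 255.255.255.255 0 0
"""
AFTER = """\
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 10 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) 69.7.xx.xx 192.168.10.3 netmask 255.255.255.255 0 0
static (DMZ,inside) 192.168.10.3 192.168.10.3 netmask 255.255.255.255 0 0
"""


def parse_nat_config(text: str) -> dict:
    """Collect PIX 6.3 global/nat/static lines. 'nat 0 access-list' (NAT exemption)
    is recorded but not evaluated, and 'name' aliases must already be resolved
    to addresses. A space after the comma, as in 'static (DMZ, inside)', is tolerated."""
    cfg = {"global": [], "nat": [], "static": [], "exempt": []}
    for line in text.splitlines():
        t = line.split()
        if not t or "(" not in line or ")" not in line:
            continue
        ifspec = line[line.index("(") + 1:line.index(")")].replace(" ", "")
        rest = line[line.index(")") + 1:].split()
        if t[0] == "global":                    # global (IFACE) ID interface|ADDR
            cfg["global"].append({"iface": ifspec, "id": int(rest[0]), "pool": rest[1]})
        elif t[0] == "nat" and rest[1] == "access-list":
            cfg["exempt"].append({"iface": ifspec, "acl": rest[2]})
        elif t[0] == "nat":                     # nat (IFACE) ID ADDR MASK [max emb]
            cfg["nat"].append({"iface": ifspec, "id": int(rest[0]),
                               "net": ipaddress.ip_network(f"{rest[1]}/{rest[2]}", strict=False)})
        elif t[0] == "static":                  # static (REAL,MAPPED) MAPPED REAL netmask MASK
            real_if, mapped_if = ifspec.split(",")
            mask = rest[3] if len(rest) > 3 and rest[2] == "netmask" else "255.255.255.255"
            cfg["static"].append({"real_if": real_if, "mapped_if": mapped_if, "mapped": rest[0],
                                  "real": ipaddress.ip_network(f"{rest[1]}/{mask}", strict=False)})
    return cfg


def find_translation(cfg: dict, src_if: str, dst_if: str, src_ip: str) -> str:
    """Translation lookup for a connection initiated on src_if towards dst_if.
    A static between the two interfaces wins. Otherwise a 'nat' ID on src_if
    needs a 'global' with the same ID on dst_if, and that global must sit on an
    interface of lower security than src_if (the PIX 6.x rule behind the PDM
    warning about pool 11). Anything else is what the PIX logs as %PIX-3-305005."""
    ip = ipaddress.ip_address(src_ip)
    for s in cfg["static"]:
        if s["real_if"] == src_if and s["mapped_if"] == dst_if and ip in s["real"]:
            return f"static -> {s['mapped']}"
    for n in cfg["nat"]:
        if n["iface"] != src_if or ip not in n["net"]:
            continue
        for g in cfg["global"]:
            if g["iface"] == dst_if and g["id"] == n["id"] and SECURITY[dst_if] < SECURITY[src_if]:
                return f"nat/global id {n['id']} -> PAT on {dst_if} ({g['pool']})"
    return "No translation group found"


if __name__ == "__main__":
    for label, text in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        cfg = parse_nat_config(text)
        print(label, "DMZ->inside 192.168.10.3:", find_translation(cfg, "DMZ", "inside", "192.168.10.3"))
        print(label, "DMZ->outside 192.168.10.2:", find_translation(cfg, "DMZ", "outside", "192.168.10.2"))
```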
LVL 19

Expert Comment

by:nodisco
ID: 16340642
hi brian75

Can you post your current config and also the results of
sh xlate

We are most of the way there!

Author Comment

by:Brian Longworth
ID: 16343772
Here you go
---------------------
PIX515# sh xlate
41 in use, 874 most used
PAT Global 69.7.32.3(52339) Local 172.16.12.7(1156)
PAT Global 69.7.32.3(52323) Local 172.16.1.6(4864)
Global ebill_ext Local iVUE_Server
PAT Global 69.7.32.3(115) Local 172.16.12.20(137)
PAT Global 69.7.32.3(52338) Local 172.16.12.7(1155)
PAT Global 69.7.32.3(52290) Local 172.16.1.6(4862)
PAT Global 69.7.32.3(46322) Local Brian_int(2548)
PAT Global 69.7.32.3(482) Local 172.16.0.7(123)
PAT Global 69.7.32.3(52337) Local 172.16.12.7(1154)
PAT Global 69.7.32.3(52305) Local 172.16.12.7(1123)
PAT Global 69.7.32.3(52336) Local 172.16.12.7(1152)
Global Electron_ext Local Electron_int
PAT Global 69.7.32.3(52327) Local 172.16.12.7(1140)
PAT Global 69.7.32.3(52311) Local 172.16.12.7(1127)
Global Porthos_DMZ Local Porthos_DMZ
PAT Global 69.7.32.3(2791) Local 172.16.2.7(37586)
PAT Global 69.7.32.3(52310) Local 172.16.12.7(1128)
PAT Global 69.7.32.3(52294) Local 172.16.1.6(4863)
PAT Global 69.7.32.3(52341) Local 172.16.1.6(4865)
PAT Global 69.7.32.3(52309) Local 172.16.12.7(1126)
PAT Global 69.7.32.3(52293) Local 172.16.12.7(1113)
PAT Global 69.7.32.3(52244) Local 172.16.4.169(1170)
PAT Global 69.7.32.3(52340) Local 172.16.12.7(1157)
PAT Global 69.7.32.3(52331) Local 172.16.12.7(1147)
PAT Global 69.7.32.3(52299) Local 172.16.12.7(1118)
PAT Global 69.7.32.3(3179) Local Dartagnan_int(1058)
PAT Global 69.7.32.3(52186) Local 172.16.12.11(1115)
PAT Global 69.7.32.3(52330) Local 172.16.12.7(1146)
PAT Global 69.7.32.3(52314) Local 172.16.12.7(1130)
PAT Global 69.7.32.3(52298) Local 172.16.12.7(1116)
PAT Global 69.7.32.3(52297) Local 172.16.12.7(1117)
PAT Global 69.7.32.3(52312) Local 172.16.12.7(1129)
Global Proton_ext Local Proton_int
PAT Global 69.7.32.3(52287) Local 172.16.1.6(4861)
PAT Global 69.7.32.3(52335) Local 172.16.12.7(1153)
PAT Global 69.7.32.3(52303) Local 172.16.12.7(1121)
PAT Global 69.7.32.3(52334) Local 172.16.12.7(1149)
PAT Global 69.7.32.3(52333) Local 172.16.12.7(1150)
PAT Global 69.7.32.3(52332) Local 172.16.12.7(1148)
PAT Global 69.7.32.3(52300) Local 172.16.12.7(1119)
PAT Global 69.7.32.3(3180) Local Andromeda_int(1045)
-----------------------
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
hostname PIX515
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 207.243.68.200 NISC_inbound
name 172.16.4.1 Brian_int
name 172.16.1.5 Positron_int
name 172.16.1.3 Proton_int
name 172.16.1.2 Electron_int
name 69.7.xx.xx Positron_ext
name 69.7.xx.xx Electron_ext
name 69.7.xx.xx Proton_ext
name 172.16.1.9 iVUE_Server
name 192.168.10.2 Athos_DMZ
name 192.168.10.3 Porthos_DMZ
name 69.7.xx.xx ebill_ext
name 172.16.8.0 FH
name 172.16.0.0 ES
name 69.7.xx.xx Public
name 172.16.1.8 Andromeda_int
name 172.16.1.14 Dartagnan_int
object-group service TERMINAL_SERVICES tcp
  description Microsoft Terminal Services
  port-object eq 3389
object-group service Messenger_File_Transfer tcp
  port-object range 6891 6900
object-group network Domain_Controllers
  network-object Andromeda_int 255.255.255.255
  network-object Dartagnan_int 255.255.255.255
access-list compiled
access-list acl_out deny udp any eq netbios-ns any
access-list acl_out deny udp any eq netbios-dgm any
access-list acl_out deny tcp any eq netbios-ssn any
access-list acl_out permit tcp any any object-group Messenger_File_Transfer
access-list acl_out remark Outlook Web Access (for redirect)
access-list acl_out permit tcp any host Proton_ext eq www
access-list acl_out remark Outlook Web Access
access-list acl_out permit tcp any host Proton_ext eq https
access-list acl_out remark Inbound mail
access-list acl_out permit tcp any host Proton_ext eq smtp
access-list acl_out remark New web site
access-list acl_out permit tcp any host 69.7.xx.xx eq www log
access-list acl_out remark Web Site
access-list acl_out permit tcp any host Electron_ext eq www
access-list acl_out remark E-Bill
access-list acl_out permit tcp any host ebill_ext eq https
access-list acl_out remark NISC secure telnet
access-list acl_out permit tcp host NISC_inbound host ebill_ext eq ssh
access-list acl_out remark NISC Term Svcs to Positron
access-list acl_out permit tcp host NISC_inbound host Positron_ext object-group TERMINAL_SERVICES
access-list inside_outbound_nat0_acl permit ip any ES 255.255.0.0
access-list DMZaccess_in permit udp host Porthos_DMZ host Andromeda_int eq domain
access-list DMZaccess_in permit tcp host Porthos_DMZ host Andromeda_int eq domain
access-list DMZaccess_in permit tcp host Porthos_DMZ any eq www
access-list DMZaccess_in permit tcp host Porthos_DMZ any eq https
no pager
logging on
logging timestamp
logging trap informational
logging host inside Brian_int
no logging message 405001
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 69.7.xx.xx 255.255.255.240
ip address inside 172.16.0.2 255.255.248.0
ip address DMZ 192.168.10.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name Test attack action alarm drop reset
ip audit interface outside Test
ip audit interface inside Test
ip audit info action alarm drop
ip audit attack action alarm drop
ip local pool PPTP_Pool 172.16.2.246-172.16.2.255
pdm location NISC_inbound 255.255.255.255 outside
pdm location ES 255.255.248.0 inside
pdm location Electron_int 255.255.255.255 inside
pdm location Proton_int 255.255.255.255 inside
pdm location Brian_int 255.255.255.255 inside
pdm location 0.0.0.0 255.255.248.0 inside
pdm location Positron_int 255.255.255.255 inside
pdm location FH 255.255.248.0 inside
pdm location ebill_ext 255.255.255.255 outside
pdm location Proton_ext 255.255.255.255 outside
pdm location Electron_ext 255.255.255.255 outside
pdm location Positron_ext 255.255.255.255 outside
pdm location iVUE_Server 255.255.255.255 inside
pdm location Athos_DMZ 255.255.255.255 DMZ
pdm location Porthos_DMZ 255.255.255.255 DMZ
pdm location Andromeda_int 255.255.255.255 inside
pdm location Dartagnan_int 255.255.255.255 inside
pdm group Domain_Controllers inside
pdm logging warnings 512
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Proton_ext Proton_int netmask 255.255.255.255 0 0
static (inside,outside) Electron_ext Electron_int netmask 255.255.255.255 0 0
static (inside,outside) ebill_ext iVUE_Server netmask 255.255.255.255 0 0
static (inside,outside) Positron_ext Positron_int netmask 255.255.255.255 0 0
static (DMZ,outside) 69.7.xx.xx Porthos_DMZ netmask 255.255.255.255 0 0
static (DMZ,inside) Porthos_DMZ Porthos_DMZ netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group DMZaccess_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 69.7.xx.xx 1
route inside FH 255.255.248.0 172.16.0.7 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server 131.107.1.10 source outside prefer
http server enable
http ES 255.255.248.0 inside
http FH 255.255.248.0 inside
tftp-server inside Brian_int /pix_config
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp inside
sysopt noproxyarp DMZ
telnet ES 255.255.248.0 inside
telnet FH 255.255.248.0 inside
telnet timeout 10
ssh timeout 5
management-access inside
console timeout 10
vpdn group PPTP_Group accept dialin pptp
vpdn group PPTP_Group ppp authentication pap
vpdn group PPTP_Group ppp authentication chap
vpdn group PPTP_Group ppp authentication mschap
vpdn group PPTP_Group ppp encryption mppe 128 required
vpdn group PPTP_Group client configuration address local PPTP_Pool
vpdn group PPTP_Group client configuration dns Dartagnan_int Andromeda_int
vpdn group PPTP_Group client configuration wins Dartagnan_int Andromeda_int
vpdn group PPTP_Group pptp echo 60
vpdn group PPTP_Group client authentication local
vpdn username Beth password *********
vpdn username Betty password *********
vpdn username Rick password *********
vpdn username Judi password *********
vpdn username BrianL password *********
vpdn enable outside
username orcaspower password encrypted privilege 15
terminal width 80
banner login ----------------------------------------------------------------------
banner login                         Authorized access only!
banner login        Disconnect IMMEDIATELY if you are not an authorized user
banner login ----------------------------------------------------------------------
: end
[OK]

LVL 19

Expert Comment

by:nodisco
ID: 16344119
Is internet connectivity still working from the webserver?
If so - what is not working - just DNS?

Just to see if the access-list is getting in the way here - can you create an access-list as follows:
access-list DMZaccess_in line 1 permit ip host Porthos_DMZ any

Then try again and when finished post the output of :
sh access-list DMZaccess_in

hth

Author Comment

by:Brian Longworth
ID: 16344320
Internet still works - both directions; DNS does not.

PIX515# sh access-list DMZaccess_in
access-list DMZaccess_in turbo-configured; 5 elements
access-list DMZaccess_in line 1 permit ip host Porthos_DMZ any (hitcnt=24)
access-list DMZaccess_in line 2 permit udp host Porthos_DMZ host Andromeda_int eq domain (hitcnt=1083)
access-list DMZaccess_in line 3 permit tcp host Porthos_DMZ host Andromeda_int eq domain (hitcnt=0)
access-list DMZaccess_in line 4 permit tcp host Porthos_DMZ any eq www (hitcnt=3)
access-list DMZaccess_in line 5 permit tcp host Porthos_DMZ any eq https (hitcnt=0)

Author Comment

by:Brian Longworth
ID: 16344357
PDM says that the DNS rules are a "null rule" and, if I open the rule in PDM then close it I get this message:

"No static Network Address Translation (NAT) rule is configured for the destination host or network on interface DMZ. Would you like to add a static NAT rule for the host or network now?"
LVL 19

Expert Comment

by:nodisco
ID: 16344604
Add the following to the config

global (DMZ) 10 interface


Author Comment

by:Brian Longworth
ID: 16344738
Didn't work. Syslog shows:
<163>Mar 31 2006 09:56:02: %PIX-3-305005: No translation group found for udp src DMZ:Porthos_DMZ/1027 dst inside:Andromeda_int/53
PDM shows the same message as before
LVL 19

Accepted Solution

by:
nodisco earned 1200 total points
ID: 16346569
Think I found where the mistake is

no static (DMZ,inside) Porthos_DMZ Porthos_DMZ netmask 255.255.255.255 0 0
static (inside, DMZ) 172.16.1.8 172.16.1.8 netmask 255.255.255.255

You may need to run a clear xlate after it also


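A small triage helper for the %PIX-3-305005 message that came up above, added here as an example; it is not code from the thread or from Cisco. Its only inputs are the 305005 syslog line and the six static entries quoted in this question (the 302015 line beside it is a constructed benign neighbour, and the hostnames are the PIX "name" aliases from the config). It encodes the direction rule behind the accepted fix: PIX 6.x static syntax is static (real_ifc,mapped_ifc) mapped_ip real_ip, and a connection entering on one interface and bound for a host on a higher-security interface needs a static whose real side is the destination interface and whose mapped side is the source interface, i.e. static (dst_if,src_if). The helper reports the missing entry and any static that exists only in the opposite direction, which is exactly the Porthos_DMZ line nodisco had removed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input. The 305005 line is the one posted in this thread;
# the 302015 line is a made-up benign neighbour (documentation-range address).
SYSLOG = """\
<166>Mar 31 2006 09:55:58: %PIX-6-302015: Built outbound UDP connection 512 for outside:203.0.113.5/53 (203.0.113.5/53) to inside:Dartagnan_int/1030 (Dartagnan_int/1030)
<163>Mar 31 2006 09:56:02: %PIX-3-305005: No translation group found for udp src DMZ:Porthos_DMZ/1027 dst inside:Andromeda_int/53
"""

# The static entries quoted in the question's config, verbatim.
CONFIG = """\
static (inside,outside) Proton_ext Proton_int netmask 255.255.255.255 0 0
static (inside,outside) Electron_ext Electron_int netmask 255.255.255.255 0 0
static (inside,outside) ebill_ext iVUE_Server netmask 255.255.255.255 0 0
static (inside,outside) Positron_ext Positron_int netmask 255.255.255.255 0 0
static (DMZ,outside) 69.7.xx.xx Porthos_DMZ netmask 255.255.255.255 0 0
static (DMZ,inside) Porthos_DMZ Porthos_DMZ netmask 255.255.255.255 0 0
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip ...   (PIX 6.x syntax)
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+)\s*,\s*(?P<mapped_if>\w+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)")
PIX_MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)$")
NO_XLATE_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\w.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+)")


def parse_statics(config: str) -> List[Dict[str, str]]:
    """Collect every static entry as {real_if, mapped_if, mapped, real}."""
    out = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def covering_static(statics: List[Dict[str, str]], real_if: str,
                    mapped_if: str, real_host: str) -> Optional[Dict[str, str]]:
    """The static that publishes real_host (living on real_if) onto mapped_if."""
    for s in statics:
        if (s["real_if"], s["mapped_if"], s["real"]) == (real_if, mapped_if, real_host):
            return s
    return None


def diagnose(syslog: str, config: str) -> List[Dict[str, str]]:
    """For each 305005 message, name the static the flow needs if none covers it."""
    statics = parse_statics(config)
    findings = []
    for line in syslog.splitlines():
        m = PIX_MSG_RE.search(line)
        if not m or m.group("id") != "305005":
            continue  # only the no-translation-group message is diagnosed here
        x = NO_XLATE_RE.search(m.group("text"))
        if not x:
            continue
        d = x.groupdict()
        # Flow enters on src_if and targets a host on dst_if, so the host must be
        # published from dst_if (real side) onto src_if (mapped side).
        if covering_static(statics, d["dst_if"], d["src_if"], d["dst"]):
            continue  # a static exists; the fault lies elsewhere (ACL, route, xlate)
        opposite = [s for s in statics
                    if s["real_if"] == d["src_if"] and s["mapped_if"] == d["dst_if"]]
        note = f"no static publishes {d['dst']} onto {d['src_if']}"
        if opposite:
            note += "; only the opposite direction exists: " + ", ".join(
                f"static ({s['real_if']},{s['mapped_if']}) {s['mapped']} {s['real']}"
                for s in opposite)
        findings.append({
            "flow": f"{d['proto']} {d['src_if']}:{d['src']} -> {d['dst_if']}:{d['dst']}/{d['dport']}",
            "missing": (f"static ({d['dst_if']},{d['src_if']}) {d['dst']} {d['dst']} "
                        "netmask 255.255.255.255"),
            "note": note,
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SYSLOG, CONFIG):
        print(f["flow"])
        print("  add:", f["missing"])
        print("  ", f["note"])
```

The suggested line is an identity static (same address on both sides), which is what the accepted answer used; in PIX 6.x the box only needs the entry to exist, not to change the address. Run clear xlate afterwards, as nodisco noted, or the stale translation slots keep the old answer.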

Author Comment

by:Brian Longworth
ID: 16346813
That was it! You're a genius.
Thank you very much for your help.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16348980
Thanks Nodisco; I owe you one.
LVL 19

Expert Comment

by:nodisco
ID: 16349857
Happy to help.

Keith put in a lot of time helping you on this and I think a points split would be fairer.  You can ask Community Support to reopen the question and split accordingly - up to you.

Glad you got it working!
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16350059
It's no problem, nodisco.

I had to call for help, you answered the call, you got the points. Only right.
Regards
keith

Author Comment

by:Brian Longworth
ID: 16352959
I did a split already. The question was 500 points - Keith got 200, nodisco got 300.
If either of you think the split was unfair, I'll be glad to have the question reopened and reapportion them.

Brian
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16354419
:) I think then that you hit the wrong buttons, as you gave the points to nodisco and then split them between nodisco and nodisco, lol.

I'm comfortable with the result as it is as Nodisco assisted you. If you really feel they should be amended, reply to this post Brian and i will make the change myself.

Best regards
Keith

Author Comment

by:Brian Longworth
ID: 16356511
Please change the point allocation.

You both worked hard on my behalf and I appreciate it. I'd even give more points if it were possible.

Again, thank you both.

Brian
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16357825
Thanks Brian.

Regards
Keith
LVL 19

Expert Comment

by:nodisco
ID: 16358375
Cheers to you both
