Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Cisco PIX 515 traffic between networks

Posted on 2006-04-06
3
Medium Priority
?
419 Views
Last Modified: 2013-11-16
I have a PIX 515E w/ 6 interfaces...

Outside - 192.168.1.195 - Security0 - Internet
Inside - 10.3.3.1 - Security100 - Network Management systems
dmz - 10.2.2.1 - Security10 - Web, DNS, Proxy, SMTP servers (inbound & outbound)
corporate - 10.1.1.1 - Security80 - Our internal corporate network

I have 6 IPs I can use on my external interface.

I need my management & monitoring systems on the Inside interface to access all the hosts on the dmz & corporate interfaces, plus some external systems on the Internet.

I need the systems on my Corporate network to access the systems on the DMZ network.

All the networks need access to the Internet.

I've tried working with NAT 0 and can't seem to get it to work they way I want.

This is a stripped version of my config (I've removed all the existing NAT entries, since right now they're only for some VPNs we have).

interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
nameif ethernet3 corporate security80
nameif ethernet4 intf4 security1
nameif ethernet5 intf5 security1
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list FromInet permit tcp any host 192.168.1.200 eq smtp
access-list FromInet permit tcp any host 192.168.1.200 eq https
access-list FromInet permit tcp any host 192.168.1.201 eq www
access-list FromInet permit udp any host 192.168.1.201 eq domain
access-list FromInet permit tcp any host 192.168.1.201 eq ftp
access-list FromInet permit udp any host 192.168.1.202 eq domain
access-list FromInet permit tcp any host 192.168.1.202 eq pop3
access-list FromInet permit tcp any host 192.168.1.202 eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu corporate 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 192.168.1.195 255.255.255.240
ip address inside 10.3.3.1 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0
ip address corporate 10.1.1.1 255.255.255.0
no ip address intf4
no ip address intf5
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip verify reverse-path interface corporate
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address ets
no failover ip address itservices
no failover ip address intf5
no pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz) 10 0.0.0.0 0.0.0.0 0 0
nat (corporate) 10 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) tcp 192.168.1.201 www 10.2.2.5 www netmask 255.255.255.255 0 0
static (dmz,outside) udp 192.168.1.201 domain 10.2.2.5 domain netmask 255.255.255.255 0 0
static (dmz,outside) tcp 192.168.1.201 ftp 10.2.2.5 ftp netmask 255.255.255.255 0 0
static (dmz,outside) tcp 192.168.1.201 3128 10.2.2.5 3128 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 192.168.1.202 pop3 10.2.2.6 pop3 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 192.168.1.202 smtp 10.2.2.6 smtp netmask 255.255.255.255 0 0
static (dmz,outside) udp 192.168.1.202 domain 10.2.2.6 domain netmask 255.255.255.255 0 0
static (dmz,outside) tcp 192.168.1.200 smtp 10.2.2.8 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.1.200 https 10.1.1.6 https netmask 255.255.255.255 0 0
static (outside,dmz) 10.2.2.5 192.168.1.201 dns netmask 255.255.255.255 0 0
static (outside,dmz) 10.2.2.6 192.168.1.202 dns netmask 255.255.255.255 0 0
static (outside,inside) 10.2.2.5 192.168.1.201 dns netmask 255.255.255.255 0 0
static (outside,inside) 10.2.2.6 192.168.1.202 dns netmask 255.255.255.255 0 0
access-group FromInet in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.193 1
timeout xlate 0:05:00
timeout conn 10:00:00 half-closed 0:05:00 udp 1:00:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
snmp-server host itservices netmgmt
snmp-server location STESI Server Room
snmp-server contact admin@sttenergy.com
snmp-server community stesi
no snmp-server enable traps
floodguard enable


Currently, hosts on the Internet can access the hosts on the DMZ network without a problem using NAT & statics.

All of the networks can access the Internet without problems.  I cannot seem to get traffic to move between the networks.
0
Comment
Question by:shawnsouthern
  • 2
3 Comments
 
LVL 20

Expert Comment

by:calvinetter
ID: 16391667
 Without seeing the rest of your config (particularly any nat entries):
As long as you're not *initiating* traffic from the less-trusted interfaces (such as DMZ or corporate) to the inside interface, you won't need to apply ACLs to the DMZ or corporate interfaces, so do the following:

clear xlate
static (dmz,inside) 10.2.2.0 10.2.2.0 netmask 255.255.255.0
static (corporate,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

This disables NAT between DMZ/inside, & corporate/inside, so as long as you initiate a connection from the inside, you can access the DMZ hosts by their actual IPs (10.2.2.x), for example.

cheers
0
 
LVL 1

Author Comment

by:shawnsouthern
ID: 16400816
The issue actually appears to be with these entries:

static (outside,dmz) 10.2.2.5 192.168.1.201 dns netmask 255.255.255.255 0 0
static (outside,dmz) 10.2.2.6 192.168.1.202 dns netmask 255.255.255.255 0 0
static (outside,inside) 10.2.2.5 192.168.1.201 dns netmask 255.255.255.255 0 0
static (outside,inside) 10.2.2.6 192.168.1.202 dns netmask 255.255.255.255 0 0

I need to have some sort of DNS/alias working to access the web sites in the DMZ from internal, since I really don't want to have to maintain 2 sets of DNS servers just for that to work.

If I remove those entries, traffic flows, but I lose the DNS aliasing that I need.
0
 
LVL 20

Accepted Solution

by:
calvinetter earned 1000 total points
ID: 16407738
 You've got several unnecessary/incorrect static entries.  When doing "DNS doctoring" you also need to add the "dns" keyword on your nat (<interface>) statements.
  Try this:
clear xlate
clear local
no static (dmz,outside) tcp 192.168.1.201 www 10.2.2.5 www
no static (dmz,outside) udp 192.168.1.201 domain 10.2.2.5 domain
no static (dmz,outside) tcp 192.168.1.201 ftp 10.2.2.5 ftp
no static (dmz,outside) tcp 192.168.1.201 3128 10.2.2.5 3128
no static (dmz,outside) tcp 192.168.1.202 pop3 10.2.2.6 pop3
no static (dmz,outside) tcp 192.168.1.202 smtp 10.2.2.6 smtp
no static (dmz,outside) udp 192.168.1.202 domain 10.2.2.6 domain
no static (outside,dmz) 10.2.2.5 192.168.1.201 dns
no static (outside,dmz) 10.2.2.6 192.168.1.202 dns
no static (outside,inside) 10.2.2.5 192.168.1.201 dns
no static (outside,inside) 10.2.2.6 192.168.1.202 dns
no nat (inside) 10 0.0.0.0 0.0.0.0
no nat (dmz) 10 0.0.0.0 0.0.0.0
no nat (corporate) 10 0.0.0.0 0.0.0.0
nat (inside) 10 0.0.0.0 0.0.0.0 dns
nat (dmz) 10 0.0.0.0 0.0.0.0 dns
nat (corporate) 10 0.0.0.0 0.0.0.0 dns
static (dmz,outside) 192.168.1.201 10.2.2.5 dns
static (dmz,outside) 192.168.1.202 10.2.2.6 dns

cheers
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
Loops Section Overview
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question