[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 356
  • Last Modified:

traffic from DMZ to LAN on a Pix5063 with VLANs

Hi there,

I have a Cisco Pix 506e with 2 virtual interfaces added to the physical inside interface as per below:

interface ethernet0 10full
interface ethernet1 auto                        
interface ethernet1 vlan2 logical                                
interface ethernet1 vlan3 logical

nameif ethernet0 outside security0
nameif inside security100
nameif vlan2 LAN security100
nameif vlan3 DMZ security50

ip address outside x.x.x.x 255.255.255.252
ip address inside 192.168.100.254 255.255.255.055.128 outside                                
ip address DMZ 10.0.0.254 255.255.255.055.255.255.255 outside                
ip address LAN 192.168.1.254 255.255.255.00.0 255.255.255.255 inside

The inside interface is connected to a trunking port on my "vlan switch" and 2 other ports on the switch are connected to my LAN and DMZ and are in the vlan2 and vlan3 as appropriate.

That 192.168.100.254 address is basically unused (I wasn't sure if I could just put in 0.0.0.0 or even assign no IP), it's the DMZ and LAN interfaces that are used.  

I have traffic coming in from the outside OK and both the DMZ and LAN can get to the internet OK, what I don't know how to do is to get traffic flowing between the DMZ and the LAN.

How do I do that? I'd like to open it right up for now so traffic can freely flow in both directions (from 192.168.1.0/24 to 10.0.0.0/24) and then once I'm all sorted I want to lock down access from the DMZ so it can only get to the servers and ports it needs to.

Thanks,

Simon

0
obstech
Asked:
obstech
  • 4
  • 2
  • 2
1 Solution
 
lrmooreCommented:
\\-- first you need NAT. This can be same inside/dmz like such:
 static (LAN,DMZ) 192.168.1.254 192.168.1.254 netmask 255.255.255.0

\\-- then you need to permit traffic from DMZ into LAN
 access-list dmz permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
 access-list dmz permit tcp host <mailhost> eq 25 any
 access-list dmz permit tcp host <webhost> eq 80 any
 access-list dmz permit udp 10.0.0.0 255.255.255.0 any eq 53

 access-group dmz in interface DMZ

0
 
Keith AlabasterCommented:
\\-- first you need NAT. This can be same inside/dmz like such:
 static (LAN,DMZ) 192.168.1.254 192.168.1.254 netmask 255.255.255.0

lrmoore, do you have a link that explains this part or a quick summary? I've seen it used but never quite got my head around the purpose.
Thanks
keith
0
 
lrmooreCommented:
Actually, I made and error in the post.
It should be a network subnet nat:

 static (LAN,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

For any PIX OS prior to 7.0 you must have a nat xlate for any traffic crossing interfaces higher to lower. static statement does the nat, but to the same IP.
You can also use access-lists and nat zero to bypass nat but it still goes through the nat process. For local interface access a static is much easier and more desireable. Nat zero wants traffic to originate from the interface it is applied (usually inside) where a static doesn't matter where traffic originates.
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
Keith AlabasterCommented:
Thanks very much.
Regards
keith
0
 
obstechAuthor Commented:
Thanks Irmoore, that's sorted it.

Cheers,

Simon
0
 
Keith AlabasterCommented:
Obstech, I think you have accepted my comment by mistake. If it is OK with you, I will edit the question and accept LRMoore's answer instead. Can you confirm this is OK for me to do please?
0
 
obstechAuthor Commented:
Sorry fellas, my mistake, meant to give points to Irmoore but obviously had a brain spasm.
0
 
Keith AlabasterCommented:
No problem, I have already made the change but thank you for confirming it.

Regards

Keith
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

  • 4
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now