Solved

pix506e with VLAN/DMZ configuration

Posted on 2006-11-10
Last Modified: 2012-06-21
Hi guys! I need help on this one.
I tried to configure a PIX 506e with a VLAN (DMZ). It looks like the configuration is wrong because I can't get through to the internet from my DMZ.
Here's my configuration so you guys can take a look.
Note that
name 70.50.255.0 wffexch refers to my PPPoE (outside) address; I'm not sure if I've done it the right way.


PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 dmz security50
enable password tvY0zL7KMQfzjpvE encrypted
passwd rZRDoMxiLb0qZ2gB encrypted
hostname merciermur
domain-name ************
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 216.226.59.2 Sirsiservice
name 150.147.1.0 SirsiCorpservice
name 192.168.1.251 Web2
name 192.168.1.250 Unicorn
name 70.50.255.0 wffexch
object-group network Sirsi
  network-object SirsiCorpservice 255.255.255.0
  network-object Sirsiservice 255.255.255.255
object-group network serveurinternes
  network-object Unicorn 255.255.255.255
  network-object Web2 255.255.255.255
object-group service TCP_servicesinternes tcp
  port-object eq www
  port-object range 5100 5101
  port-object eq 210
  port-object eq 2200
  port-object eq 3389
access-list outside_access_in permit tcp object-group Sirsi any
access-list outside_access_in permit tcp any eq 3389 interface outside eq 3389
access-list outside_access_in permit tcp any eq 3388 interface outside eq 3388
access-list outside_access_in permit tcp any eq www interface outside eq www
access-list outside_access_in permit tcp any range 5100 5101 interface outside range 5100 5101
access-list outside_access_in permit tcp any eq 2200 interface outside eq 2200
access-list outside_access_in permit tcp any eq 210 interface outside eq 210
access-list outside_access_in permit tcp interface outside host 192.168.2.1
access-list dmz_access_out permit tcp host wffexch any eq www
access-list dmz_access_out permit tcp host wffexch any eq https
access-list dmz_access_out permit tcp host wffexch any eq domain
access-list dmz_access_out permit udp host wffexch any eq domain
pager lines 24
mtu outside 1492
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Sirsiservice 255.255.255.255 outside
pdm location SirsiCorpservice 255.255.255.0 outside
pdm location Unicorn 255.255.255.255 inside
pdm location Web2 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.255 dmz
pdm group Sirsi outside
pdm group serveurinternes inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5100 Unicorn 5100 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5101 Unicorn 5101 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Web2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2200 Unicorn 2200 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 210 Unicorn 210 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 Unicorn 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3388 Web2 3389 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.2.0 netmask 255.255.255.0 0 0
static (dmz,outside) 70.50.255.1 192.168.2.1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group dmz_access_out in interface dmz
route outside 0.0.0.0 0.0.0.0 70.50.255.1 1
timeout xlate 3:00:00
timeout conn 6:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Sirsiservice 255.255.255.255 outside
http SirsiCorpservice 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh Sirsiservice 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname  bib123@123.com
vpdn group pppoe_group ppp authentication pap
vpdn username bib123@123.com password *********
dhcpd address 192.168.1.100-192.168.1.245 inside
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd domain ************
dhcpd auto_config outside
dhcpd enable inside
username sirsiadmin password 73x.i.cVFuIpu8uz encrypted privilege 15
terminal width 80
Cryptochecksum:6e3cf24b491f658c9965787096f636bb
: end
[OK]


Thanks a lot guys!
Question by:dautech
4 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 17915829
>ip address dmz 192.168.2.1 255.255.255.0
>static (dmz,outside) 70.50.255.1 192.168.2.1 netmask 255.255.255.255 0 0

Can't do that. You can't use a static public IP to your own interface IP.

Start with this:
 no static (dmz,outside) 70.50.255.1 192.168.2.1 netmask 255.255.255.255 0 0
 clear xlate
 nat (dmz) 1 192.168.2.0 255.255.255.0

If you want inside-to-dmz to work, remove this, too:
 >static (inside,dmz) 192.168.1.0 192.168.2.0 netmask 255.255.255.0 0 0
no static (inside,dmz) 192.168.1.0 192.168.2.0 netmask 255.255.255.0 0 0
clear xlate
 -- make it same/same
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

 
LVL 1

Author Comment

by:dautech
ID: 17921827
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 dmz security50
enable password tvY0zpL7KMQfzjvE encrypted
passwd rZRDoLb0qZMxi2gB encrypted
hostname merciermur
domain-name blehr.qc.ca
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 216.226.59.2 Sirsiservice
name 150.147.1.0 SirsiCorpservice
name 192.168.1.251 Web2
name 192.168.1.250 Unicorn
name 192.168.0.0 wffexch
object-group network Sirsi
  network-object SirsiCorpservice 255.255.255.0
  network-object Sirsiservice 255.255.255.255
object-group network serveurinternes
  network-object Unicorn 255.255.255.255
  network-object Web2 255.255.255.255
object-group service TCP_servicesinternes tcp
  port-object eq www
  port-object range 5100 5101
  port-object eq 210
  port-object eq 2200
  port-object eq 3389
access-list outside_access_in permit tcp object-group Sirsi any
access-list outside_access_in permit tcp any eq 3389 interface outside eq 3389
access-list outside_access_in permit tcp any eq 3388 interface outside eq 3388
access-list outside_access_in permit tcp any eq www interface outside eq www
access-list outside_access_in permit tcp any range 5100 5101 interface outside range 5100 5101
access-list outside_access_in permit tcp any eq 2200 interface outside eq 2200
access-list outside_access_in permit tcp any eq 210 interface outside eq 210
access-list outside_access_in permit tcp interface outside host 192.168.2.1
access-list dmz_access_out permit tcp interface outside any eq www
access-list dmz_access_out permit tcp interface outside any eq https
access-list dmz_access_out permit tcp interface outside any eq domain
access-list dmz_access_out permit udp interface outside any eq domain
access-list dmz_access_out permit icmp interface inside any
pager lines 24
mtu outside 1492
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Sirsiservice 255.255.255.255 outside
pdm location SirsiCorpservice 255.255.255.0 outside
pdm location Unicorn 255.255.255.255 inside
pdm location Web2 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.255 dmz
pdm location 192.168.1.1 255.255.255.255 dmz
pdm location 255.255.255.255 255.255.255.255 dmz
pdm group Sirsi outside
pdm group serveurinternes inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 192.168.2.0 255.255.255.0 0 0
nat (dmz) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5100 Unicorn 5100 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5101 Unicorn 5101 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Web2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2200 Unicorn 2200 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 210 Unicorn 210 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 Unicorn 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3388 Web2 3389 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group dmz_access_out in interface dmz
route outside 0.0.0.0 0.0.0.0 70.50.255.1 1
timeout xlate 3:00:00
timeout conn 6:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Sirsiservice 255.255.255.255 outside
http SirsiCorpservice 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh Sirsiservice 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname bibl6780@bleh.com
vpdn group pppoe_group ppp authentication pap
vpdn username bibl6780@bleh.com password *********
dhcpd address 192.168.1.100-192.168.1.245 inside
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd domain bibliothequedemercier.qc.ca
dhcpd auto_config outside
dhcpd enable inside
username sirsiadmin password 73x.i.cVFuIpu8uz encrypted privilege 15
terminal width 80


--------------------------------------------------------

Hi!
Thank you for your help lrmoore, but it doesn't work :( I've made some changes to the configuration and added the ones you suggested. Can you try to figure out why I can't ping anything except from its own interface?

All I want is to be able to ping the DMZ from the inside and the outside, and I don't want the DMZ to ping the inside, but the DMZ needs full internet access.

Correct me if I'm missing something, but with the PIX, I don't need a switch to make the VLAN work, right?

Right now my physical installation looks like this.


                               PPPoE
                                   | -> ethernet 0
                               pix 506
                                   |
                                   | -> Ethernet 1
                                3com switch
                                /               \
                               /                  \ DLINK 192.168.2.2
                              /                         \3com switch
            192.168.1.0 inside                           | DMZ

Is it OK? :P

I've no problem with adding another 500 points to this question. I really need this to be working for Monday morning.

Again,
I need the DMZ to be able to access the internet, and to be able to access 192.168.1.250 and .251.

The inside/outside config was already made, so it's already supposed to work. I have to work on the DMZ thing only.

Thanks to all of you!

_Dautech_
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17922080
>i don't need a switch to make the VLAN work
Your switches absolutely must support VLANs and the link between the switch and the PIX must be a trunk port.
Looking at your diagram, I don't think it's going to work unless the 3Com-->Dlink-->3Com --DMZ combination all support VLANs and all see the same VLAN3 that you've configured the PIX to see. At the very least, the 3Com connected to the PIX has to support VLANs and the Dlink connects to a port in VLAN3.

>All i want is to be able to ping the dmz from the inside and the outside,
>static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
>and i don't want the dmz to ping the inside
>I need the dmz to be able to access internet, and to be able to access 192.168.1.250 and .251 .

The static is the first part. ICMP echo-replies are blocked by default, so you have to add an access-list.
>access-group dmz_access_out in interface dmz

Let's start over with a new acl for the dmz interface
  no access-group dmz_access_out in interface dmz

  access-list dmz_traf permit icmp any any echo-reply  <== response to ping from inside/outside
  access-list dmz_traf deny icmp any any echo            <== cannot ping inside
  access-list dmz_traf permit ip any host 192.168.1.250
  access-list dmz_traf permit ip any host 192.168.1.251
  access-list dmz_traf deny ip any 192.168.1.0 255.255.255.0
  access-list dmz_traf permit ip any any                     <== allow everything else
  access-group dmz_traf in interface dmz

>I need the dmz to be able to access internet
These two items are all you need for the dmz to get to the internet, assuming that all hosts in that dmz have their default gateway set to the ip address of the dmz interface on the pix - 192.168.2.1
  global (outside) 1 interface
  nat (dmz) 1 192.168.2.0 255.255.255.0 0 0

Can you ping 192.168.2.1 from any dmz host?
You cannot ping 192.168.2.1 from an inside host. Ever. This is by design of the PIX.
You'll never be able to ping the dmz interface from outside. Only if you set up a 1-1 NAT from a public IP to an inside host and allow ICMP through the outside_in ACL can you ping an internal host on the dmz.

>access-list outside_access_in permit tcp interface outside host 192.168.2.1
Remove this entry. It is incorrect.

You need a static xlate for any host on the DMZ to be accessible from the Internet:
  static (dmz,outside) tcp interface http 192.168.2.100 http netmask 255.255.255.255
  access-list outside_access_in permit tcp any interface outside eq http

All www traffic to the outside IP will be redirected to inside host 192.168.2.100 . . .
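The dmz_traf access-list above only does what lrmoore describes because the PIX evaluates an ACL top to bottom and stops at the first matching entry, with an implicit deny at the end. The following evaluator is an added example written for this page; it is not PIX code and not from the thread. It parses the subset of access-list syntax used here (permit/deny; ip, tcp, udp or icmp; any / host X / X MASK endpoints; an optional ICMP type; an optional eq PORT on the destination) and runs constructed DMZ flows through the proposed list, then through a deliberately reordered copy, to show why the entry order matters. Hosts, addresses and flows in it are constructed for illustration.

```python
"""First-match evaluator for PIX 6.x style access-list lines (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}

# Constructed copy of the dmz_traf list proposed in the thread (annotations stripped).
DMZ_ACL = """
access-list dmz_traf permit icmp any any echo-reply
access-list dmz_traf deny icmp any any echo
access-list dmz_traf permit ip any host 192.168.1.250
access-list dmz_traf permit ip any host 192.168.1.251
access-list dmz_traf deny ip any 192.168.1.0 255.255.255.0
access-list dmz_traf permit ip any any
"""

# Same entries with the catch-all first: a common mistake that makes every deny dead.
REORDERED_ACL = """
access-list dmz_traf permit ip any any
access-list dmz_traf permit icmp any any echo-reply
access-list dmz_traf deny icmp any any echo
access-list dmz_traf deny ip any 192.168.1.0 255.255.255.0
"""


@dataclass(frozen=True)
class Flow:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # tcp/udp destination port
    icmp_type: Optional[str] = None  # "echo" or "echo-reply"


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _endpoint(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX 6.x writes the mask as a normal subnet mask, e.g. 192.168.1.0 255.255.255.0
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text, name):
    """Return the entries of access-list `name` in the order they appear."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[1] != name:
            continue
        action, proto = tok[2], tok[3]
        src, i = _endpoint(tok, 4)
        dst, i = _endpoint(tok, i)
        dport = icmp_type = None
        if i < len(tok):
            if proto == "icmp":
                icmp_type = tok[i]          # e.g. echo, echo-reply
            elif tok[i] == "eq":
                port = tok[i + 1]
                dport = PORT_NAMES.get(port) or int(port)
        aces.append(Ace(action, proto, src, dst, dport, icmp_type))
    return aces


def evaluate(aces, flow):
    """First match wins; return (action, index). Unmatched traffic hits the implicit deny (-1)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for idx, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.icmp_type is not None and ace.icmp_type != flow.icmp_type:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action, idx
    return "deny", -1


if __name__ == "__main__":
    # Constructed flows leaving a DMZ host 192.168.2.10.
    flows = [
        Flow("icmp", "192.168.2.10", "192.168.1.50", icmp_type="echo-reply"),
        Flow("icmp", "192.168.2.10", "192.168.1.50", icmp_type="echo"),
        Flow("tcp", "192.168.2.10", "192.168.1.250", dport=80),
        Flow("tcp", "192.168.2.10", "192.168.1.60", dport=445),
        Flow("tcp", "192.168.2.10", "203.0.113.5", dport=443),
        Flow("icmp", "192.168.2.10", "203.0.113.5", icmp_type="echo"),
    ]
    for label, text in (("proposed", DMZ_ACL), ("reordered", REORDERED_ACL)):
        aces = parse_acl(text, "dmz_traf")
        for f in flows:
            print(label, f, "->", evaluate(aces, f))
```

Running it shows that the proposed list lets the DMZ answer pings, reach only .250 and .251 on the inside, and reach the internet, while the reordered copy permits SMB to 192.168.1.60 because the catch-all matches first. It also shows a side effect worth knowing: "deny icmp any any echo" blocks echo from the DMZ to internet hosts too; if DMZ hosts need outbound ping, narrow that entry to the inside subnet.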
 
LVL 79

Expert Comment

by:lrmoore
ID: 17922082
>i've no problem with adding another 500 point to this question
500 is the max. Don't worry about it...

