Solved

pix506e with VLAN/DMZ configuration

Posted on 2006-11-10
Last Modified: 2012-06-21
Hi guys! I need help on this one.
I tried to configure a PIX 506E with a VLAN (DMZ). It looks like the configuration is wrong because I can't get through to the internet from my DMZ.
Here's my configuration so you guys can take a look.
Note that
name 70.50.255.0 wffexch refers to my PPPoE (outside); I'm not sure if I've done it the right way.


PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 dmz security50
enable password tvY0zL7KMQfzjpvE encrypted
passwd rZRDoMxiLb0qZ2gB encrypted
hostname merciermur
domain-name ************
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 216.226.59.2 Sirsiservice
name 150.147.1.0 SirsiCorpservice
name 192.168.1.251 Web2
name 192.168.1.250 Unicorn
name 70.50.255.0 wffexch
object-group network Sirsi
  network-object SirsiCorpservice 255.255.255.0
  network-object Sirsiservice 255.255.255.255
object-group network serveurinternes
  network-object Unicorn 255.255.255.255
  network-object Web2 255.255.255.255
object-group service TCP_servicesinternes tcp
  port-object eq www
  port-object range 5100 5101
  port-object eq 210
  port-object eq 2200
  port-object eq 3389
access-list outside_access_in permit tcp object-group Sirsi any
access-list outside_access_in permit tcp any eq 3389 interface outside eq 3389
access-list outside_access_in permit tcp any eq 3388 interface outside eq 3388
access-list outside_access_in permit tcp any eq www interface outside eq www
access-list outside_access_in permit tcp any range 5100 5101 interface outside range 5100 5101
access-list outside_access_in permit tcp any eq 2200 interface outside eq 2200
access-list outside_access_in permit tcp any eq 210 interface outside eq 210
access-list outside_access_in permit tcp interface outside host 192.168.2.1
access-list dmz_access_out permit tcp host wffexch any eq www
access-list dmz_access_out permit tcp host wffexch any eq https
access-list dmz_access_out permit tcp host wffexch any eq domain
access-list dmz_access_out permit udp host wffexch any eq domain
pager lines 24
mtu outside 1492
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Sirsiservice 255.255.255.255 outside
pdm location SirsiCorpservice 255.255.255.0 outside
pdm location Unicorn 255.255.255.255 inside
pdm location Web2 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.255 dmz
pdm group Sirsi outside
pdm group serveurinternes inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5100 Unicorn 5100 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5101 Unicorn 5101 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Web2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2200 Unicorn 2200 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 210 Unicorn 210 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 Unicorn 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3388 Web2 3389 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.2.0 netmask 255.255.255.0 0 0
static (dmz,outside) 70.50.255.1 192.168.2.1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group dmz_access_out in interface dmz
route outside 0.0.0.0 0.0.0.0 70.50.255.1 1
timeout xlate 3:00:00
timeout conn 6:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Sirsiservice 255.255.255.255 outside
http SirsiCorpservice 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh Sirsiservice 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname  bib123@123.com
vpdn group pppoe_group ppp authentication pap
vpdn username bib123@123.com password *********
dhcpd address 192.168.1.100-192.168.1.245 inside
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd domain ************
dhcpd auto_config outside
dhcpd enable inside
username sirsiadmin password 73x.i.cVFuIpu8uz encrypted privilege 15
terminal width 80
Cryptochecksum:6e3cf24b491f658c9965787096f636bb
: end
[OK]


Thanks a lot guys!
Question by: dautech

4 Comments

Expert Comment by: lrmoore (LVL 79)
>ip address dmz 192.168.2.1 255.255.255.0
>static (dmz,outside) 70.50.255.1 192.168.2.1 netmask 255.255.255.255 0 0

Can't do that. You can't use a static public IP to your own interface IP.

Start with this:
 no static (dmz,outside) 70.50.255.1 192.168.2.1 netmask 255.255.255.255 0 0
 clear xlate
 nat (dmz) 1 192.168.2.0 255.255.255.0

If you want inside-to-dmz to work, remove this, too:
 >static (inside,dmz) 192.168.1.0 192.168.2.0 netmask 255.255.255.0 0 0
no static (inside,dmz) 192.168.1.0 192.168.2.0 netmask 255.255.255.0 0 0
clear xlate
 <-- make it same/same
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

Author Comment by: dautech (LVL 1)
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 dmz security50
enable password tvY0zpL7KMQfzjvE encrypted
passwd rZRDoLb0qZMxi2gB encrypted
hostname merciermur
domain-name blehr.qc.ca
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 216.226.59.2 Sirsiservice
name 150.147.1.0 SirsiCorpservice
name 192.168.1.251 Web2
name 192.168.1.250 Unicorn
name 192.168.0.0 wffexch
object-group network Sirsi
  network-object SirsiCorpservice 255.255.255.0
  network-object Sirsiservice 255.255.255.255
object-group network serveurinternes
  network-object Unicorn 255.255.255.255
  network-object Web2 255.255.255.255
object-group service TCP_servicesinternes tcp
  port-object eq www
  port-object range 5100 5101
  port-object eq 210
  port-object eq 2200
  port-object eq 3389
access-list outside_access_in permit tcp object-group Sirsi any
access-list outside_access_in permit tcp any eq 3389 interface outside eq 3389
access-list outside_access_in permit tcp any eq 3388 interface outside eq 3388
access-list outside_access_in permit tcp any eq www interface outside eq www
access-list outside_access_in permit tcp any range 5100 5101 interface outside range 5100 5101
access-list outside_access_in permit tcp any eq 2200 interface outside eq 2200
access-list outside_access_in permit tcp any eq 210 interface outside eq 210
access-list outside_access_in permit tcp interface outside host 192.168.2.1
access-list dmz_access_out permit tcp interface outside any eq www
access-list dmz_access_out permit tcp interface outside any eq https
access-list dmz_access_out permit tcp interface outside any eq domain
access-list dmz_access_out permit udp interface outside any eq domain
access-list dmz_access_out permit icmp interface inside any
pager lines 24
mtu outside 1492
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Sirsiservice 255.255.255.255 outside
pdm location SirsiCorpservice 255.255.255.0 outside
pdm location Unicorn 255.255.255.255 inside
pdm location Web2 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.255 dmz
pdm location 192.168.1.1 255.255.255.255 dmz
pdm location 255.255.255.255 255.255.255.255 dmz
pdm group Sirsi outside
pdm group serveurinternes inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 192.168.2.0 255.255.255.0 0 0
nat (dmz) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5100 Unicorn 5100 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5101 Unicorn 5101 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Web2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2200 Unicorn 2200 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 210 Unicorn 210 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 Unicorn 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3388 Web2 3389 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group dmz_access_out in interface dmz
route outside 0.0.0.0 0.0.0.0 70.50.255.1 1
timeout xlate 3:00:00
timeout conn 6:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Sirsiservice 255.255.255.255 outside
http SirsiCorpservice 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh Sirsiservice 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname bibl6780@bleh.com
vpdn group pppoe_group ppp authentication pap
vpdn username bibl6780@bleh.com password *********
dhcpd address 192.168.1.100-192.168.1.245 inside
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd domain bibliothequedemercier.qc.ca
dhcpd auto_config outside
dhcpd enable inside
username sirsiadmin password 73x.i.cVFuIpu8uz encrypted privilege 15
terminal width 80


--------------------------------------------------------

hi!
Thank you for your help lrmoore, but it doesn't work :( I've made some changes to the configuration and added the ones you suggested. Can you try to figure out why I can't ping anything except from its own interface?

All I want is to be able to ping the DMZ from the inside and the outside, and I don't want the DMZ to ping the inside - but the DMZ needs full internet access.

Correct me if I'm missing something, but with the PIX, I don't need a switch to make the VLAN work, right?

Right now my physical installation looks like this.


                               PPPoE
                                   | -> ethernet 0
                               pix 506
                                   |
                                   | -> Ethernet 1
                                3com switch
                                /               \
                               /                  \ DLINK 192.168.2.2
                              /                         \3com switch
            192.168.1.0 inside                           | DMZ

Is it ok? :P

I've no problem with adding another 500 points to this question. I really need this to be working for Monday morning.

Again,
I need the DMZ to be able to access the internet, and to be able to access 192.168.1.250 and .251.

The inside/outside config was already made, so it's already supposed to work. I have to work on the DMZ thing only.

Thanks to all of you!

_Dautech_
Accepted Solution by: lrmoore (LVL 79), earned 500 total points
>i don't need a switch to make the VLAN work
Your switches absolutely must support VLANs and the link between the switch and the PIX must be a trunk port.
Looking at your diagram, I don't think it's going to work unless the 3Com-->Dlink-->3Com--DMZ combination all support VLANs and all see the same VLAN3 that you've configured the PIX to see. At the very least, the 3Com connected to the PIX has to support VLANs and the Dlink connects to a port in VLAN3.

>All i want is to be able to ping the dmz from the inside and the outside,
>static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
>and i don't want the dmz to ping the inside
>I need the dmz to be able to access internet, and to be able to access 192.168.1.250 and .251 .

The static is the first part. ICMP echo-replies are blocked by default, so you have to add an access-list.
>access-group dmz_access_out in interface dmz

Let's start over with a new acl for the dmz interface
  no access-group dmz_access_out in interface dmz

  access-list dmz_traf permit icmp any any echo-reply  <== response to ping from inside/outside
  access-list dmz_traf deny icmp any any echo            <== cannot ping inside
  access-list dmz_traf permit ip any host 192.168.1.250
  access-list dmz_traf permit ip any host 192.168.1.251
  access-list dmz_traf deny ip any 192.168.1.0 255.255.255.0
  access-list dmz_traf permit ip any any                     <== allow everything else
  access-group dmz_traf in interface dmz

>I need the dmz to be able to access internet
These two items are all you need for the dmz to get to the internet, assuming that all hosts in that dmz have their default gateway set to the ip address of the dmz interface on the pix - 192.168.2.1
  global (outside) 1 interface
  nat (dmz) 1 192.168.2.0 255.255.255.0 0 0

Can you ping 192.168.2.1 from any dmz host?
You cannot ping 192.168.2.1 from an inside host. Ever. This is by design of the PIX.
You'll never be able to ping the dmz interface from outside. Only if you set up a 1-1 nat from a public IP to an inside host and allow icmp through the outside_in acl can you ping an internal host on the dmz.

>access-list outside_access_in permit tcp interface outside host 192.168.2.1
Remove this entry. It is incorrect.

You need a static xlate for any host on the DMZ to be accessible from the Internet:
  static (dmz,outside) tcp interface http 192.168.2.100 http netmask 255.255.255.255
  access-list outside_access_in permit tcp any interface outside eq http

All www traffic to the outside IP will be redirected to inside host 192.168.2.100 . . .
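The dmz_traf list above is a first-match list, so its order is the policy: the echo-reply line must come before the echo deny, and the two host permits must come before the deny on 192.168.1.0/24, or the DMZ either loses the inside servers or gains the whole inside network. As an added example (not from the thread and not Cisco code), here is a small Python evaluator that parses the access-list text exactly as lrmoore wrote it and runs constructed sample flows through it; the function names, the sample addresses (192.168.2.2 as the DMZ host, 203.0.113.x as Internet addresses) and the reordering helper are assumptions made for this illustration, and only the qualifiers used in the thread (an ICMP type word and `eq PORT`) are modelled.

```python
"""First-match evaluator for PIX 6.3-style access lists (added example)."""
import ipaddress

# The dmz_traf list from the accepted solution, in the order it was given.
# On a PIX the first matching line wins, so order is part of the policy.
DMZ_TRAF = """
access-list dmz_traf permit icmp any any echo-reply
access-list dmz_traf deny icmp any any echo
access-list dmz_traf permit ip any host 192.168.1.250
access-list dmz_traf permit ip any host 192.168.1.251
access-list dmz_traf deny ip any 192.168.1.0 255.255.255.0
access-list dmz_traf permit ip any any
"""

# Service names the evaluator understands (only the ones used in the thread).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}


def _parse_addr(tokens, i):
    """Parse one PIX address spec at tokens[i]: any | host A | A MASK."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Turn 'access-list NAME ACTION PROTO SRC DST [qualifier]' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        rules.append({"name": t[1], "action": t[2], "proto": t[3],
                      "src": src, "dst": dst, "qual": t[i:]})
    return rules


def _port(tok):
    """Resolve a service name or numeric port token to an integer."""
    return PORT_NAMES.get(tok) or int(tok)


def evaluate(rules, proto, src, dst, icmp_type=None, dport=None):
    """Action of the first rule matching the flow; implicit deny if none does."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto):      # 'ip' matches any protocol
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        q = r["qual"]
        if proto == "icmp" and q and q[0] != icmp_type:
            continue
        if proto in ("tcp", "udp") and q[:1] == ["eq"] and _port(q[1]) != dport:
            continue
        return r["action"]
    return "deny"


def with_rule_moved_first(rules, index):
    """Copy of the list with one rule hoisted to the top (to show ordering effects)."""
    return [rules[index]] + rules[:index] + rules[index + 1:]


# Constructed sample flows as they enter the dmz interface from a DMZ host.
SAMPLE_FLOWS = [
    ("icmp", "192.168.2.2", "192.168.1.10", {"icmp_type": "echo-reply"}),  # answer to inside ping
    ("icmp", "192.168.2.2", "192.168.1.10", {"icmp_type": "echo"}),        # DMZ pinging inside
    ("tcp", "192.168.2.2", "192.168.1.250", {"dport": 3389}),              # permitted inside server
    ("tcp", "192.168.2.2", "192.168.1.20", {"dport": 445}),                # any other inside host
    ("tcp", "192.168.2.2", "203.0.113.5", {"dport": 80}),                  # Internet web
    ("udp", "192.168.2.2", "203.0.113.53", {"dport": 53}),                 # Internet DNS
]


def check_policy(rules=None):
    """Return the action for each sample flow, in SAMPLE_FLOWS order."""
    rules = rules or parse_acl(DMZ_TRAF)
    return [evaluate(rules, p, s, d, **kw) for p, s, d, kw in SAMPLE_FLOWS]


if __name__ == "__main__":
    rules = parse_acl(DMZ_TRAF)
    for (p, s, d, kw), action in zip(SAMPLE_FLOWS, check_policy(rules)):
        print(f"{p:4} {s} -> {d} {kw}: {action}")
    # Hoisting 'permit ip any any' above the deny silently opens the inside LAN.
    hoisted = with_rule_moved_first(rules, 5)
    print("with permit-any first, SMB to inside host:",
          evaluate(hoisted, "tcp", "192.168.2.2", "192.168.1.20", dport=445))
```

Run it as a script to see the six sample verdicts and the effect of hoisting the final `permit ip any any` line above the deny; the same evaluator can be pointed at any other PIX-style list on the page (the original dmz_access_out lines, for instance) to compare what they actually admit.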
Expert Comment by: lrmoore (LVL 79)
>i've no problem with adding another 500 point to this question
500 is the max. Don't worry about it...
