ioglyphics
asked on
PIX 515E.....Proper DMZ setup PLEASE! *************3 simple objectives****************.
I have been troubleshooting this for over a week now and I am nearly in tears. I am simply trying to facilitate a DMZ (which is set up) that will allow for:
1. Access to a staging server that our clients could use to get to our beta version of a web app, and that allows us, from inside our LAN, to get to it by the URL and not the internal IP that it has (or now maybe had).
I know DNS is the issue here, but I am certain it is in the PIX and not in my DNS server's settings, though I could be wrong.
2. FTP
3. Front-end Exchange server with OWA
I have posted my config here for you to look at.
PIX Version 7.2(2)
!
hostname MatrixFW1
domain-name dms.local
enable password 05HxXdkum7f.9uQg encrypted
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 67.103.180.194 255.255.255.192
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
speed 100
duplex full
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
retries 3
timeout 3
name-server 64.105.199.74
name-server 64.105.159.250
name-server 192.168.1.101
domain-name dms.local
object-group service dns tcp
port-object eq domain
object-group service deltek tcp
description deltek frontend
port-object eq 7001
port-object eq 1433
port-object eq www
object-group service TE tcp-udp
description Deltek Frontend
port-object eq 7001
object-group network LAN
network-object 192.168.1.0 255.255.255.0
object-group network DMZ
network-object host 192.168.2.42
network-object host 192.168.2.52
network-object host 67.103.180.198
network-object host 67.103.180.199
access-list Access_in extended permit icmp any host 67.103.180.198
access-list Access_in extended permit ip any host 67.103.180.198
access-list Access_in extended permit tcp any host 67.103.180.198 eq www
access-list Access_in extended permit tcp any host 67.103.180.198 eq https
access-list Access_in extended permit tcp any host 67.103.180.198 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq www
access-list Access_in extended permit tcp any host 67.103.180.197 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq pop3
access-list Access_in extended permit tcp any host 67.103.180.197 eq https
access-list Access_in extended permit tcp any host 67.103.180.197 eq imap4
access-list Access_in extended permit tcp any host 67.103.180.198 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq pptp
access-list Access_in extended permit gre any host 67.103.180.197 log
access-list Access_in extended permit esp any host 67.103.180.197 log
access-list Access_in extended permit udp any host 67.103.180.197 eq isakmp
access-list Access_in extended permit tcp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.197
access-list Access_in extended permit tcp any host 67.103.180.198 eq domain
access-list Access_in extended permit tcp any host 67.103.180.197 eq domain
access-list Access_in extended permit udp any host 67.103.180.198 eq domain
access-list Access_in extended permit udp any host 67.103.180.197 eq domain
access-list Access_in extended permit icmp any host 67.103.180.197
access-list Access_in extended permit icmp any any echo-reply
access-list Access_in extended permit tcp any object-group deltek host 67.103.180.199 object-group deltek
access-list DMZ_access_in extended permit icmp object-group DMZ object-group LAN echo-reply
access-list DMZ_access_in extended permit icmp object-group DMZ interface outside
access-list DMZ_access_in extended permit tcp object-group DMZ eq smtp object-group LAN eq smtp
access-list DMZ_access_in extended permit tcp object-group DMZ eq ftp object-group LAN eq ftp
access-list DMZ_access_in extended permit tcp object-group DMZ eq domain object-group LAN eq domain
access-list DMZ_access_in extended permit tcp object-group DMZ eq www object-group LAN eq www
access-list DMZ_access_in extended permit tcp object-group DMZ object-group deltek object-group LAN object-group deltek
access-list acl_inside_cap extended permit ip any host 192.168.2.42
access-list acl_dmz_cap extended permit ip host 192.168.2.42 any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
no failover
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 67.103.180.195 netmask 255.255.255.255
global (outside) 2 67.103.180.196 netmask 255.255.255.255
global (DMZ) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (DMZ) 2 192.168.2.0 255.255.255.0 dns
static (inside,outside) 67.103.180.197 192.168.1.101 netmask 255.255.255.255
static (DMZ,outside) 67.103.180.198 192.168.2.42 netmask 255.255.255.255
static (DMZ,outside) 67.103.180.199 192.168.2.52 netmask 255.255.255.255
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group Access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 67.103.180.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.2.0 255.255.255.0 DMZ
http 192.168.1.0 255.255.255.0 inside
http 67.103.180.192 255.255.255.192 outside
http 67.103.180.192 255.255.255.192 DMZ
http 67.103.180.192 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 67.103.180.192 255.255.255.192 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 DMZ
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd dns 64.105.199.74 interface outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
!
service-policy global_policy global
ntp server 192.43.244.18 source outside
ntp server 216.200.93.8 source outside prefer
prompt hostname context
Cryptochecksum:e4053622981d83301200ea24993546a3
NAT policies on Interface inside:
match ip inside host 192.168.1.101 outside any
static translation to 67.103.180.197
translate_hits = 46190, untranslate_hits = 29608
match ip inside 192.168.1.0 255.255.255.0 DMZ any
static translation to 192.168.1.0
translate_hits = 53, untranslate_hits = 1662
match ip inside 192.168.1.0 255.255.255.0 outside any
dynamic translation to pool 1 (67.103.180.195)
translate_hits = 355033, untranslate_hits = 21678
match ip inside 192.168.1.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside 192.168.1.0 255.255.255.0 DMZ any
dynamic translation to pool 1 (192.168.2.1 [Interface PAT])
translate_hits = 1767, untranslate_hits = 11
NAT policies on Interface DMZ:
match ip DMZ host 192.168.2.42 outside any
static translation to 67.103.180.198
translate_hits = 4836, untranslate_hits = 22524
match ip DMZ host 192.168.2.52 outside any
static translation to 67.103.180.199
translate_hits = 0, untranslate_hits = 475
match ip DMZ 192.168.2.0 255.255.255.0 outside any
dynamic translation to pool 2 (67.103.180.196)
translate_hits = 0, untranslate_hits = 0
match ip DMZ 192.168.2.0 255.255.255.0 DMZ any
dynamic translation to pool 2 (No matching global)
translate_hits = 0, untranslate_hits = 0
ASKER
lrmoore,
One other requirement I didn't mention because I didn't know it was an issue is web access to a host IN the DMZ. I can't seem to configure the proper rule to achieve this. Each time I set up what I think is right it stops web access to the LAN???? Help with this would be greatly appreciated; everything else you suggested worked.
ioglyphics
It looks like you have the required entries:
Let's take public www server .198 as an example:
//--Static XLATE to public IP - check
>static (DMZ,outside) 67.103.180.198 192.168.2.42 netmask 255.255.255.255
//--Permit tcp/80 inbound to public IP - check
>access-list Access_in extended permit tcp any host 67.103.180.198 eq www
//--Acl actually applied to interface - check
>access-group Access_in in interface outside
Those should be all you need to get traffic IN to the server. Now let's examine what can go OUT of the DMZ to outside:
//--Is www traffic from host 192.168.2.42 allowed "in" on the DMZ interface?
//-- If you added this as in my example, the answer is yes
>access-list DMZ_access_in extended permit tcp object-group DMZ eq www any
//-- is the proper server in this group? Yes
object-group network DMZ
network-object host 192.168.2.42 <==
Does this server have the proper default gateway assigned?
Are you trying to access this server by Public IP from OUTside the network? - If all above conditions check out, then you should be able to.
Are you trying to access this server by Public IP from INside the network? - you can't and this is a design feature of the PIX.
Can you post your current running config, and what exact commands that you try to enter when it stops web access to the LAN?
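The checklist in the reply above (static xlate, an outside ACL entry for the service, the ACL actually applied, and a DMZ ACL entry for the host's own traffic), turned into a script a defender can run against a saved `show running-config`. This is an added example, not code from this thread or from Cisco: the config excerpt is constructed from lines posted in this thread, the client address 198.51.100.7 and the probe address 4.2.2.2 (the host the asker pings from the server) are assumed sample values, and the parser covers only the ACE shapes that occur in this thread.

```python
"""Added checker for the PIX 7.x publishing checklist in this thread: static xlate -> outside
ACL permits the service -> ACL applied -> DMZ ACL lets the host reach outside; it also flags
matching ACEs that are far broader than the one service."""
import ipaddress
from collections import namedtuple

PORT_ALIASES = {"www": "80", "http": "80", "https": "443", "ftp": "21", "smtp": "25", "ssh": "22"}
Ace = namedtuple("Ace", "acl action proto src sport dst dport")  # sport/dport None = any port

# Constructed excerpt of the config posted above (same syntax, fewer lines).
SAMPLE_CONFIG = """\
object-group service deltek tcp
 port-object eq www
object-group network LAN
 network-object 192.168.1.0 255.255.255.0
object-group network DMZ
 network-object host 192.168.2.42
access-list Access_in extended permit ip any host 67.103.180.198
access-list Access_in extended permit tcp any host 67.103.180.198 eq www
access-list Access_in extended permit tcp any object-group deltek host 67.103.180.199 object-group deltek
access-list DMZ_access_in extended permit tcp object-group DMZ eq www object-group LAN eq www
static (DMZ,outside) 67.103.180.198 192.168.2.42 netmask 255.255.255.255
static (DMZ,outside) 67.103.180.199 192.168.2.52 netmask 255.255.255.255
access-group Access_in in interface outside
access-group DMZ_access_in in interface DMZ
"""

def net(ip, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def _addr(t, i, cfg):
    """One address spec at t[i]: any | host X | object-group G | interface I | NET MASK."""
    kinds = {"host": lambda x: {net(x)}, "object-group": lambda x: cfg["netgroups"][x],
             "interface": lambda x: {"interface:" + x}}
    if t[i] == "any":
        return "any", i + 1
    return (kinds[t[i]](t[i + 1]) if t[i] in kinds else {net(t[i], t[i + 1])}), i + 2

def _port(t, i, cfg):
    """Optional port spec at t[i]: eq PORT or a service object-group; None = any port."""
    if i < len(t) and t[i] == "eq":
        return {PORT_ALIASES.get(t[i + 1], t[i + 1])}, i + 2
    if i < len(t) and t[i] == "object-group" and t[i + 1] in cfg["svcgroups"]:
        return cfg["svcgroups"][t[i + 1]], i + 2
    return None, i

def parse_pix(text):
    cfg = {"netgroups": {}, "svcgroups": {}, "aces": [], "statics": {}, "inbound_acl": {}}
    group = None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] not in ("network-object", "port-object", "description"):
            group = None                                # left the object-group block
        if t[0] == "object-group":                      # object-group network|service NAME [proto]
            group = (t[1], t[2])
            cfg["netgroups" if t[1] == "network" else "svcgroups"].setdefault(t[2], set())
        elif t[0] == "network-object" and group:
            cfg["netgroups"][group[1]].add(net(t[2]) if t[1] == "host" else net(t[1], t[2]))
        elif t[0] == "port-object" and group:
            cfg["svcgroups"][group[1]].add(PORT_ALIASES.get(t[2], t[2]))
        elif t[0] == "access-list" and t[2] == "extended":
            src, i = _addr(t, 5, cfg)                   # ... permit PROTO SRC [SPORT] DST [DPORT]
            sport, i = _port(t, i, cfg)
            dst, i = _addr(t, i, cfg)
            dport, _ = _port(t, i, cfg)
            cfg["aces"].append(Ace(t[1], t[3], t[4], src, sport, dst, dport))
        elif t[0] == "static":                          # static (high,low) MAPPED REAL netmask M
            hi, lo = t[1].strip("()").split(",")
            cfg["statics"][t[2]] = (hi, lo, t[3])
        elif t[0] == "access-group" and t[2] == "in":
            cfg["inbound_acl"][t[4]] = t[1]
    return cfg

def _match(spec, ip):
    a = ipaddress.ip_address(ip)
    return spec == "any" or any(isinstance(n, ipaddress.IPv4Network) and a in n for n in spec)

def _port_ok(spec, port):   # port None = ephemeral client port: only an ACE without a qualifier admits it
    return spec is None or (port is not None and PORT_ALIASES.get(port, port) in spec)

def permits(cfg, acl, proto, src, sport, dst, dport):
    """ACEs of `acl` that permit proto from src:sport to dst:dport."""
    return [a for a in cfg["aces"] if a.acl == acl and a.action == "permit"
            and a.proto in (proto, "ip") and _match(a.src, src) and _port_ok(a.sport, sport)
            and _match(a.dst, dst) and _port_ok(a.dport, dport)]

def publish_checklist(cfg, public_ip, port, proto="tcp", client_ip="198.51.100.7", probe_ip="4.2.2.2"):
    """The thread's checks for one published server. client_ip (TEST-NET-2) and probe_ip
    (the host the asker pings from the server) are assumed sample addresses."""
    st = cfg["statics"].get(public_ip)              # (high_if, low_if, real_ip) or None
    out_acl = cfg["inbound_acl"].get("outside")
    inbound = permits(cfg, out_acl, proto, client_ip, None, public_ip, port) if out_acl else []
    result = {"static_xlate": st is not None, "outside_acl_permits": bool(inbound),
              "acl_applied_outside": out_acl is not None, "dmz_host_can_reach_outside": False,
              "broad_aces": [a for a in inbound if a.proto == "ip" or a.dport is None]}
    if st:   # can the real host open tcp/80 to an outside host through its own interface ACL?
        dmz_acl = cfg["inbound_acl"].get(st[0])
        result["dmz_host_can_reach_outside"] = bool(
            dmz_acl and permits(cfg, dmz_acl, "tcp", st[2], None, probe_ip, "www"))
    return result
```

Call `publish_checklist(parse_pix(SAMPLE_CONFIG), "67.103.180.198", "www")` and the three inbound checks pass, but `broad_aces` holds `permit ip any host 67.103.180.198`, which already admits every protocol and port to that host and makes the per-port rules after it redundant. For 67.103.180.199 the static exists but no ACE an ordinary client can match, because `permit tcp any object-group deltek host 67.103.180.199 object-group deltek` puts the deltek group on the source port as well, and clients connect from ephemeral ports. The last check tests the direction the asker actually needs (the DMZ host opening tcp/80 toward an outside address), and the posted `DMZ_access_in` permits that toward the LAN group only, which matches the reported symptom of no browsing from the server.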
ASKER
When I am logged into the server I cannot browse the web or ping any external host (e.g. 4.2.2.2) as I can from my LAN. I need to have access to the web from the server. If you could, please check this link to see if you can reach it: http://demo.dmsva.com/prisms/login.cfm
As of last week we could get to this from OUTside our LAN. Prior to that, and I am not sure why or who changed it, only one of the two NICs in the host was enabled, and its IP address was set to the public IP 67.103.180.198, which resolved to the link I asked you to check. It makes sense to me that you would not be able to reach it, because the domain name in the URL in question is set to the public IP, 67.103.180.198.
I support a bunch of developers that have never had a LAN admin, and they all still have free access to the servers for now. I can get to the URL internally now because the IP in use on the only enabled NIC is the private address 192.168.2.42. I posted the config, and I did apply all your suggestions.
The IP settings on the host in question (which I guess are wrong) are:
IP - 192.168.2.42
SM - 255.255.255.0
DG - 192.168.2.1
Two things:
1. "global (DMZ) 1 interface" still shows up in the config, though I removed it by entering "no" in front of this command. Is there anything else I need to do to get rid of it? When I run "no global (DMZ) 1 interface" it gives an ERROR stating that it doesn't exist.
2. Is there anything wrong with having multi-homed machines in the DMZ, one NIC having the public and the other having a private IP? I was informed that this can cause a loop, but in past experience I have seen boxes in a DMZ set up this way. Basically my question really is: what IP address has to be on the one NIC in a host located in the DMZ if it only has one NIC, or are two NICs needed, one with the public and the other with the private IP address?
++++++++++++++++++++++++++
PIX Version 7.2(2)
!
hostname MatrixFW1
domain-name dms.local
enable password 05HxXdkum7f.9uQg encrypted
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 67.103.180.194 255.255.255.192
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
speed 100
duplex full
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
retries 3
timeout 3
name-server 64.105.199.74
name-server 64.105.159.250
name-server 192.168.1.101
domain-name dms.local
object-group service dns tcp
port-object eq domain
object-group service deltek tcp
description deltek frontend
port-object eq 7001
port-object eq 1433
port-object eq www
object-group service TE tcp-udp
description Deltek Frontend
port-object eq 7001
object-group network LAN
network-object 192.168.1.0 255.255.255.0
object-group network DMZ
network-object host 192.168.2.42
network-object host 192.168.2.52
network-object host 67.103.180.198
network-object host 67.103.180.199
access-list Access_in extended permit icmp any host 67.103.180.198
access-list Access_in extended permit ip any host 67.103.180.198
access-list Access_in extended permit tcp any host 67.103.180.198 eq www
access-list Access_in extended permit tcp any host 67.103.180.198 eq https
access-list Access_in extended permit tcp any host 67.103.180.198 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq www
access-list Access_in extended permit tcp any host 67.103.180.197 eq smtp
access-list Access_in extended permit tcp any host 67.103.180.197 eq pop3
access-list Access_in extended permit tcp any host 67.103.180.197 eq https
access-list Access_in extended permit tcp any host 67.103.180.197 eq imap4
access-list Access_in extended permit tcp any host 67.103.180.198 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq ssh
access-list Access_in extended permit tcp any host 67.103.180.197 eq pptp
access-list Access_in extended permit gre any host 67.103.180.197 log
access-list Access_in extended permit esp any host 67.103.180.197 log
access-list Access_in extended permit udp any host 67.103.180.197 eq isakmp
access-list Access_in extended permit tcp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.198
access-list Access_in extended permit udp any host 67.103.180.197
access-list Access_in extended permit tcp any host 67.103.180.198 eq domain
access-list Access_in extended permit tcp any host 67.103.180.197 eq domain
access-list Access_in extended permit udp any host 67.103.180.198 eq domain
access-list Access_in extended permit udp any host 67.103.180.197 eq domain
access-list Access_in extended permit icmp any host 67.103.180.197
access-list Access_in extended permit icmp any any echo-reply
access-list Access_in extended permit tcp any object-group deltek host 67.103.180.199 object-group deltek
access-list DMZ_access_in extended permit icmp object-group DMZ object-group LAN echo-reply
access-list DMZ_access_in extended permit icmp object-group DMZ interface outside
access-list DMZ_access_in extended permit tcp object-group DMZ eq smtp object-group LAN eq smtp
access-list DMZ_access_in extended permit tcp object-group DMZ eq ftp object-group LAN eq ftp
access-list DMZ_access_in extended permit tcp object-group DMZ eq domain object-group LAN eq domain
access-list DMZ_access_in extended permit tcp object-group DMZ eq www object-group LAN eq www
access-list DMZ_access_in extended permit tcp object-group DMZ object-group deltek object-group LAN object-group deltek
access-list acl_inside_cap extended permit ip any host 192.168.2.42
access-list acl_dmz_cap extended permit ip host 192.168.2.42 any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
no failover
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 67.103.180.195 netmask 255.255.255.255
global (outside) 2 67.103.180.196 netmask 255.255.255.255
global (DMZ) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (DMZ) 2 192.168.2.0 255.255.255.0 dns
static (inside,outside) 67.103.180.197 192.168.1.101 netmask 255.255.255.255
static (DMZ,outside) 67.103.180.198 192.168.2.42 netmask 255.255.255.255
static (DMZ,outside) 67.103.180.199 192.168.2.52 netmask 255.255.255.255
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group Access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 67.103.180.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.2.0 255.255.255.0 DMZ
http 192.168.1.0 255.255.255.0 inside
http 67.103.180.192 255.255.255.192 outside
http 67.103.180.192 255.255.255.192 DMZ
http 67.103.180.192 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 67.103.180.192 255.255.255.192 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 DMZ
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd dns 64.105.199.74 interface outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
!
service-policy global_policy global
ntp server 192.43.244.18 source outside
ntp server 216.200.93.8 source outside prefer
prompt hostname context
Cryptochecksum:e4053622981d83301200ea24993546a3
access-list Access_in extended permit tcp any host 67.103.180.197 eq domain
access-list Access_in extended permit udp any host 67.103.180.198 eq domain
access-list Access_in extended permit udp any host 67.103.180.197 eq domain
access-list Access_in extended permit icmp any host 67.103.180.197
access-list Access_in extended permit icmp any any echo-reply
access-list Access_in extended permit tcp any object-group deltek host 67.103.180.199 object-group deltek
access-list DMZ_access_in extended permit icmp object-group DMZ object-group LAN echo-reply
access-list DMZ_access_in extended permit icmp object-group DMZ interface outside
access-list DMZ_access_in extended permit tcp object-group DMZ eq smtp object-group LAN eq smtp
access-list DMZ_access_in extended permit tcp object-group DMZ eq ftp object-group LAN eq ftp
access-list DMZ_access_in extended permit tcp object-group DMZ eq domain object-group LAN eq domain
access-list DMZ_access_in extended permit tcp object-group DMZ eq www object-group LAN eq www
access-list DMZ_access_in extended permit tcp object-group DMZ object-group deltek object-group LAN object-group deltek
access-list acl_inside_cap extended permit ip any host 192.168.2.42
access-list acl_dmz_cap extended permit ip host 192.168.2.42 any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
no failover
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 67.103.180.195 netmask 255.255.255.255
global (outside) 2 67.103.180.196 netmask 255.255.255.255
global (DMZ) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (DMZ) 2 192.168.2.0 255.255.255.0 dns
static (inside,outside) 67.103.180.197 192.168.1.101 netmask 255.255.255.255
static (DMZ,outside) 67.103.180.198 192.168.2.42 netmask 255.255.255.255
static (DMZ,outside) 67.103.180.199 192.168.2.52 netmask 255.255.255.255
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group Access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 67.103.180.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.2.0 255.255.255.0 DMZ
http 192.168.1.0 255.255.255.0 inside
http 67.103.180.192 255.255.255.192 outside
http 67.103.180.192 255.255.255.192 DMZ
http 67.103.180.192 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 67.103.180.192 255.255.255.192 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 DMZ
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd dns 64.105.199.74 interface outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
!
service-policy global_policy global
ntp server 192.43.244.18 source outside
ntp server 216.200.93.8 source outside prefer
prompt hostname context
Cryptochecksum:e4053622981
The web site works fine.
This looks like the old config that should not work.
In order to browse the internet from the server console, we need to allow that out via the access-list:
add the following:
access-list DMZ_access_in extended permit tcp object-group DMZ any eq www
access-list DMZ_access_in extended permit tcp object-group DMZ any eq https
access-list DMZ_access_in extended permit udp object-group DMZ any eq domain
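As an added example (not code from the thread), a small Python parser for PIX 7.x extended access-list lines that checks whether DMZ_access_in lets the DMZ object-group reach `any` on a given port, before and after the three entries above. It assumes service object-groups are defined before the ACL lines that reference them (as in the posted config), and treats a destination of `any` as the Internet; the config text is a constructed excerpt of the lines quoted above.

```python
# Constructed excerpt of the posted config: one service group and two DMZ_access_in entries.
POSTED = """
object-group service deltek tcp
access-list DMZ_access_in extended permit tcp object-group DMZ eq www object-group LAN eq www
access-list DMZ_access_in extended permit tcp object-group DMZ object-group deltek object-group LAN object-group deltek
"""
# The three entries the answer says to add.
TO_ADD = """
access-list DMZ_access_in extended permit tcp object-group DMZ any eq www
access-list DMZ_access_in extended permit tcp object-group DMZ any eq https
access-list DMZ_access_in extended permit udp object-group DMZ any eq domain
"""

def _addr(tok, i):
    """Consume an address spec: any | host X | object-group X | interface X | A MASK."""
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] in ("host", "object-group", "interface"):
        return (tok[i], tok[i + 1]), i + 2
    return ("net", tok[i] + " " + tok[i + 1]), i + 2

def _port(tok, i, svc_groups):
    """Consume an optional port spec: eq X | object-group <service group>; a network group is left for _addr."""
    if i < len(tok) and tok[i] == "eq":
        return ("eq", tok[i + 1]), i + 2
    if i < len(tok) and tok[i] == "object-group" and tok[i + 1] in svc_groups:
        return ("group", tok[i + 1]), i + 2
    return None, i

def parse_rules(config):
    """Parse 'access-list NAME extended ACTION PROTO SRC [PORT] DST [PORT]' lines into dicts."""
    svc_groups, rules = set(), []
    for tok in (line.split() for line in config.splitlines()):
        if tok[:2] == ["object-group", "service"]:
            svc_groups.add(tok[2])
        elif tok[:1] == ["access-list"] and tok[2] == "extended":
            src, i = _addr(tok, 5)
            sport, i = _port(tok, i, svc_groups)
            dst, i = _addr(tok, i)
            dport, i = _port(tok, i, svc_groups)
            rules.append({"acl": tok[1], "action": tok[3], "proto": tok[4],
                          "src": src, "sport": sport, "dst": dst, "dport": dport})
    return rules

def permits_to_internet(rules, acl, src_group, proto, port):
    """True if `acl` lets `src_group` reach 'any' on proto/port ('ip' matches every protocol)."""
    return any(r["acl"] == acl and r["action"] == "permit" and r["dst"] == ("any", None)
               and r["proto"] in (proto, "ip")
               and r["src"] in (("object-group", src_group), ("any", None))
               and r["dport"] in (None, ("eq", port)) for r in rules)
```

With only the posted entries, every DMZ permit points at object-group LAN, so nothing from the DMZ reaches the Internet until the three `any` entries are added.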
>Is there anything wrong with having multi-homed machines in the DMZ,
Yes, it defeats the whole purpose of having a DMZ - that is to have an actual firewall between the DMZ machines and the internal network. When dual-homed, if any DMZ machine is compromised, so is your entire internal network.
My advice - don't do it.
ASKER
Everything WORKS!
Thanks again lrmoore!
Good advice on the multi-homed question. All my requirements are met so there is no need for me to implement any workaround.
Glad to hear it!
- Cheers!
<8-}
ASKER
Thanks,
ioglyphics