Solved

How to open ports from DMZ interface to INSIDE interface on PIX 515

Posted on 2007-04-04
6
663 Views
Last Modified: 2010-05-18
Probably another simple one for everyone but here we go....
I have a PIX 515e with PIX 7.2(2) and the latest ASDM.
I wish to open ports from my DMZ to my INSIDE interface in order to get my WS_FTP server to pull users from active directory and at this point just to know how to do it. I currently do not have any NAT, Routes, ACLs in my pix for this because at this point i just put everything back to normal and wanted to start fresh.
Thanks in advance!

IP Address:
WS_FTP server internal 10.30.30.15 external 192.168.8.21 on DMZ
AD is internal 10.0.2.13 no external address at this time on INSIDE

I believe that I need all these ports open for this to work
UDP      domain            53
TCP      domain            53
UDP      Kerberos      88
TCP      Kerberos      88
UDP      Time            123
TCP      Kerberos Auth      135
UDP      netbios-ns      137
TCP      netbios-ssn      139
TCP      ldap            389
UDP      ldap            389
TCP      microsoft-ds      445
TCP      ldap to GC      3268

Below is my interface setup:
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.8.254 255.255.255.0
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.30.30.1 255.255.255.0
 ospf cost 10
!
interface Ethernet3
 nameif vendor
 security-level 40
 ip address 192.168.1.254 255.255.255.0
 ospf cost 10
!
0
Comment
Question by:richakr
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 18855718
Put in these commands to allow the access that you desire:

static (inside,dmz) 10.0.2.13 10.0.2.13 netmask 255.255.255.255           <---allows DMZ hosts to see AD server as it's real IP address
static (dmz,outside) 192.168.8.21 10.30.30.15 netmask 255.255.255.255  <-allows Internet to see the WS_FTP server as 192.168.8.21
access-list acl_outside_in permit tcp any host 192.168.8.21 eq 21           <---allows FTP traffic from the Internet to the WS_FTP server
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 53
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 53
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 88
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 88
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 123
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 135
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 137
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 139
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 389
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 389
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 445
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 3268
access-list acl_dmz_in deny any 10.0.2.0 255.255.255.0           <----denies any other inbound traffic not explicitly identified above
access-list acl_dmz_in permit ip any any                               <----allows DMZ hosts to get to the Internet...take this out if not desired
access-group acl_dmz_in in interface dmz                             <----applies ACL to the DMZ interface
access-group acl_outside_in in interface outside                  <----applies ACL to the outside interface

This should point you in the right direction...
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18855776
As of now from inside to dmz all the traffic is allowed and you don't need to do anything on that end (Higher security to Lower security)

Now for the machine from dmz to talk to inside you can do nat as below;

static(inside,dmz) 10.0.2.13 10.0.2.13 netmask 255.255.255.255

access-list DMZ-IN permit udp host 10.30.30.15 host 10.0.2.13 eq domain
.... etc.. keep adding for all the services you need so that the ftp server talks to AD server

access-group DMZ-IN in interface dmz

Cheers,
Rajesh
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18855780
oops.. again at the same time!

Cheers,
Rajesh
0
Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

 
LVL 28

Expert Comment

by:batry_boy
ID: 18856896
;-)
0
 

Author Comment

by:richakr
ID: 18896813
Thanks guys sorry rsivanandan but barty just beat you to the punch.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18898815
No issues... :)

Cheers,
Rajesh
0

Featured Post

Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question