Solved

How to open ports from DMZ interface to INSIDE interface on PIX 515

Posted on 2007-04-04
6
664 Views
Last Modified: 2010-05-18
Probably another simple one for everyone but here we go....
I have a PIX 515e with PIX 7.2(2) and the latest ASDM.
I wish to open ports from my DMZ to my INSIDE interface in order to get my WS_FTP server to pull users from active directory and at this point just to know how to do it. I currently do not have any NAT, Routes, ACLs in my pix for this because at this point i just put everything back to normal and wanted to start fresh.
Thanks in advance!

IP Address:
WS_FTP server internal 10.30.30.15 external 192.168.8.21 on DMZ
AD is internal 10.0.2.13 no external address at this time on INSIDE

I believe that I need all these ports open for this to work
UDP      domain            53
TCP      domain            53
UDP      Kerberos      88
TCP      Kerberos      88
UDP      Time            123
TCP      Kerberos Auth      135
UDP      netbios-ns      137
TCP      netbios-ssn      139
TCP      ldap            389
UDP      ldap            389
TCP      microsoft-ds      445
TCP      ldap to GC      3268

Below is my interface setup:
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.8.254 255.255.255.0
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.30.30.1 255.255.255.0
 ospf cost 10
!
interface Ethernet3
 nameif vendor
 security-level 40
 ip address 192.168.1.254 255.255.255.0
 ospf cost 10
!
0
Comment
Question by:richakr
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 18855718
Put in these commands to allow the access that you desire:

static (inside,dmz) 10.0.2.13 10.0.2.13 netmask 255.255.255.255           <---allows DMZ hosts to see AD server as it's real IP address
static (dmz,outside) 192.168.8.21 10.30.30.15 netmask 255.255.255.255  <-allows Internet to see the WS_FTP server as 192.168.8.21
access-list acl_outside_in permit tcp any host 192.168.8.21 eq 21           <---allows FTP traffic from the Internet to the WS_FTP server
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 53
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 53
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 88
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 88
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 123
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 135
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 137
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 139
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 389
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 389
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 445
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 3268
access-list acl_dmz_in deny any 10.0.2.0 255.255.255.0           <----denies any other inbound traffic not explicitly identified above
access-list acl_dmz_in permit ip any any                               <----allows DMZ hosts to get to the Internet...take this out if not desired
access-group acl_dmz_in in interface dmz                             <----applies ACL to the DMZ interface
access-group acl_outside_in in interface outside                  <----applies ACL to the outside interface

This should point you in the right direction...
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18855776
As of now from inside to dmz all the traffic is allowed and you don't need to do anything on that end (Higher security to Lower security)

Now for the machine from dmz to talk to inside you can do nat as below;

static(inside,dmz) 10.0.2.13 10.0.2.13 netmask 255.255.255.255

access-list DMZ-IN permit udp host 10.30.30.15 host 10.0.2.13 eq domain
.... etc.. keep adding for all the services you need so that the ftp server talks to AD server

access-group DMZ-IN in interface dmz

Cheers,
Rajesh
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18855780
oops.. again at the same time!

Cheers,
Rajesh
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 28

Expert Comment

by:batry_boy
ID: 18856896
;-)
0
 

Author Comment

by:richakr
ID: 18896813
Thanks guys sorry rsivanandan but barty just beat you to the punch.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18898815
No issues... :)

Cheers,
Rajesh
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question