Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

How to open ports from DMZ interface to INSIDE interface on PIX 515

Posted on 2007-04-04
6
658 Views
Last Modified: 2010-05-18
Probably another simple one for everyone but here we go....
I have a PIX 515e with PIX 7.2(2) and the latest ASDM.
I wish to open ports from my DMZ to my INSIDE interface in order to get my WS_FTP server to pull users from active directory and at this point just to know how to do it. I currently do not have any NAT, Routes, ACLs in my pix for this because at this point i just put everything back to normal and wanted to start fresh.
Thanks in advance!

IP Address:
WS_FTP server internal 10.30.30.15 external 192.168.8.21 on DMZ
AD is internal 10.0.2.13 no external address at this time on INSIDE

I believe that I need all these ports open for this to work
UDP      domain            53
TCP      domain            53
UDP      Kerberos      88
TCP      Kerberos      88
UDP      Time            123
TCP      Kerberos Auth      135
UDP      netbios-ns      137
TCP      netbios-ssn      139
TCP      ldap            389
UDP      ldap            389
TCP      microsoft-ds      445
TCP      ldap to GC      3268

Below is my interface setup:
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.8.254 255.255.255.0
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.30.30.1 255.255.255.0
 ospf cost 10
!
interface Ethernet3
 nameif vendor
 security-level 40
 ip address 192.168.1.254 255.255.255.0
 ospf cost 10
!
0
Comment
Question by:richakr
  • 3
  • 2
6 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 18855718
Put in these commands to allow the access that you desire:

static (inside,dmz) 10.0.2.13 10.0.2.13 netmask 255.255.255.255           <---allows DMZ hosts to see AD server as it's real IP address
static (dmz,outside) 192.168.8.21 10.30.30.15 netmask 255.255.255.255  <-allows Internet to see the WS_FTP server as 192.168.8.21
access-list acl_outside_in permit tcp any host 192.168.8.21 eq 21           <---allows FTP traffic from the Internet to the WS_FTP server
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 53
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 53
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 88
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 88
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 123
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 135
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 137
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 139
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 389
access-list acl_dmz_in permit udp host 10.30.30.15 host 10.0.2.13 eq 389
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 445
access-list acl_dmz_in permit tcp host 10.30.30.15 host 10.0.2.13 eq 3268
access-list acl_dmz_in deny any 10.0.2.0 255.255.255.0           <----denies any other inbound traffic not explicitly identified above
access-list acl_dmz_in permit ip any any                               <----allows DMZ hosts to get to the Internet...take this out if not desired
access-group acl_dmz_in in interface dmz                             <----applies ACL to the DMZ interface
access-group acl_outside_in in interface outside                  <----applies ACL to the outside interface

This should point you in the right direction...
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18855776
As of now from inside to dmz all the traffic is allowed and you don't need to do anything on that end (Higher security to Lower security)

Now for the machine from dmz to talk to inside you can do nat as below;

static(inside,dmz) 10.0.2.13 10.0.2.13 netmask 255.255.255.255

access-list DMZ-IN permit udp host 10.30.30.15 host 10.0.2.13 eq domain
.... etc.. keep adding for all the services you need so that the ftp server talks to AD server

access-group DMZ-IN in interface dmz

Cheers,
Rajesh
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18855780
oops.. again at the same time!

Cheers,
Rajesh
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 28

Expert Comment

by:batry_boy
ID: 18856896
;-)
0
 

Author Comment

by:richakr
ID: 18896813
Thanks guys sorry rsivanandan but barty just beat you to the punch.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18898815
No issues... :)

Cheers,
Rajesh
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question