Kutyi
Access to DMZ from Remote VPN Network

I have two Pix 515e firewalls with a VPN allowing access to their respective inside networks. Both networks are part of the same AD. On one of my Pixes I have a DMZ port with a web server. I would like to have my remote site access the DMZ through the tunnel. My IP structure is as follows:
Pix 1 with DMZ:
Inside Interface: 172.16.0.0/255.255.252.0
DMZ Interface: 172.16.12.0/255.255.252.0

Pix 2:
Inside Interface: 172.16.4.0/255.255.252.0

Pix 1's inside network can access the DMZ just fine with the STATIC command.
How do I tell the inside network of Pix 2 to find the DMZ network?

Thanks in advance.
batry_boy

There are three main things to think about in this situation:

crypto ACLs
NAT
routing

1.  Make sure that source network 172.16.4.0/22 with destination network 172.16.12.0/22 is in the crypto ACL for the L2L VPN tunnel on PIX 2.  Make sure it is also in the crypto ACL on PIX 1, but in reverse order for the source and destination, i.e. source is 172.16.12.0/22 and destination is 172.16.4.0/22.

2.  Make sure that your NAT exemption commands on each PIX cover the above traffic.

3.  Make sure that there are not any conflicting routes that direct traffic from 172.16.4.0/22 destined for 172.16.12.0/22 to some other place other than PIX 2.  Do the same on PIX 1 for traffic from 172.16.12.0/22 going to 172.16.4.0/22.

It would probably help to see both PIX configs, but this should get you started down the path.
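As an added example (not from the thread, and not Cisco code), the following Python script applies checks 1 and 2 from the answer above to the `extended permit ip` entries of a PIX 7.2 config: it parses the crypto-map ACL and the nat 0 exemption ACL and reports whether a given local-to-remote network pair is fully covered by each. The config excerpts are constructed from the access-list lines posted in this thread; the ACL names are the ones used in those configs.

```python
import ipaddress
import re

# Constructed excerpts of the two PIX 7.2 configs posted in the thread: only the
# 'permit ip' entries of the crypto-map ACLs and the NAT-exemption (nat 0) ACLs.
PIX1_CFG = """
access-list Outside_20_cryptomap extended permit ip 172.16.0.0 255.255.252.0 172.16.4.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.252.0 172.16.4.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip any 172.16.8.0 255.255.255.0
"""
PIX2_CFG = """
access-list outside_20_cryptomap extended permit ip 172.16.4.0 255.255.252.0 172.16.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 172.16.4.0 255.255.252.0 172.16.0.0 255.255.252.0
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")

def _addr(tokens):
    """Consume one PIX address spec ('any', 'host A', or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ip_aces(config):
    """Map ACL name -> list of (src_net, dst_net) for 'extended permit ip' entries only."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            src, rest = _addr(m.group(2).split())
            dst, _ = _addr(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
    return acls

def covers(aces, src, dst):
    """True if a single ACE permits every src->dst flow (both networks fully contained)."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in aces)

def l2l_pair_status(config, crypto_acl, nat0_acl, local_net, remote_net):
    """Checks 1 and 2 for one PIX: local_net->remote_net must appear in the crypto ACL
    and the same flow must be NAT-exempt. Returns a dict of booleans per check."""
    acls = parse_ip_aces(config)
    l, r = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    return {"crypto": covers(acls.get(crypto_acl, []), l, r),
            "nat0": covers(acls.get(nat0_acl, []), l, r)}

if __name__ == "__main__":
    # Existing inside<->inside pair passes; the DMZ pair the asker wants is not covered yet.
    print(l2l_pair_status(PIX2_CFG, "outside_20_cryptomap", "inside_nat0_outbound", "172.16.4.0/22", "172.16.0.0/22"))
    print(l2l_pair_status(PIX2_CFG, "outside_20_cryptomap", "inside_nat0_outbound", "172.16.4.0/22", "172.16.12.0/22"))
    print(l2l_pair_status(PIX1_CFG, "Outside_20_cryptomap", "inside_nat0_outbound", "172.16.12.0/22", "172.16.4.0/22"))
```

Run it against the mirror-image pair on each PIX (local and remote swapped), as the answer describes; check 3 (routing) is not an ACL question and is not covered by the script.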
Kutyi (ASKER)
Here is Pix 1 Config:

: Saved
:
PIX Version 7.2(2)
!
hostname PiX01
domain-name mydomain.local
enable password dbXGu/pAyWxhIUm3 encrypted
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address 142.x.x.x 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.252.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 172.16.12.1 255.255.252.0
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name acs.local
access-list inbound extended permit tcp any any eq https
access-list inbound extended permit tcp any any eq pop3
access-list inbound extended permit tcp any any eq 3390
access-list inbound extended permit tcp any any eq 3399
access-list inbound extended permit tcp any any eq www
access-list inbound extended permit tcp any any eq ssh
access-list inside_20_cryptomap extended permit ip 172.16.0.0 255.255.252.0 172.16.4.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.252.0 172.16.4.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip any 172.12.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.4.0 255.255.252.0 172.16.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip any 172.16.8.0 255.255.255.0
access-list Outside_20_cryptomap extended permit ip 172.16.0.0 255.255.252.0 172.16.4.0 255.255.252.0
access-list Administration_splitTunnelAcl standard permit any
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list Remote_Users_splitTunnelAcl standard permit any
access-list RemoteUsers_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging timestamp
logging emblem
logging trap warnings
logging asdm informational
logging from-address sysmonfw@mydomain.com
logging recipient-address monitor@mydomain.com level errors
logging host inside 172.16.0.10 format emblem
logging permit-hostdown
mtu Outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpnpool 172.12.0.1-172.12.0.199 mask 255.255.252.0
ip local pool VPNPoolUsers 172.16.8.0-172.16.8.254 mask 255.255.252.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,Outside) tcp interface pop3 172.16.0.20 pop3 netmask 255.255.255.255
static (inside,Outside) tcp interface https 172.16.0.20 https netmask 255.255.255.255
static (inside,Outside) tcp interface 3390 172.16.0.10 3390 netmask 255.255.255.255
static (inside,Outside) tcp interface 3399 172.16.2.118 3399 netmask 255.255.255.255
static (inside,Outside) tcp interface www 172.16.0.5 www netmask 255.255.255.255
static (inside,Outside) tcp interface ssh 172.16.0.5 ssh netmask 255.255.255.255
static (inside,DMZ) 172.16.0.0 172.16.0.0 netmask 255.255.248.0
access-group inbound in interface Outside
route Outside 0.0.0.0 0.0.0.0 142.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy RemoteUsers internal
group-policy RemoteUsers attributes
 dns-server value 172.16.0.10 172.16.4.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteUsers_splitTunnelAcl
 default-domain value acs.local
username me password g3xotlbp8UluwnJX encrypted privilege 0
username me attributes
 vpn-group-policy RemoteUsers
username admin password wm1QIrSnDfMaU.2q encrypted privilege 15
http server enable
http 172.16.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map Outside_dyn_map 40 set pfs
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 60 set pfs
crypto dynamic-map Outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 40 set pfs
crypto dynamic-map inside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto map Outside_map 20 match address Outside_20_cryptomap
crypto map Outside_map 20 set pfs
crypto map Outside_map 20 set peer 142.x.x.x
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable Outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
 address-pool VPNPoolUsers
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group 142.x.x.x type ipsec-l2l
tunnel-group 142.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group RemoteUsers type ipsec-ra
tunnel-group RemoteUsers general-attributes
 address-pool VPNPoolUsers
 default-group-policy RemoteUsers
tunnel-group RemoteUsers ipsec-attributes
 pre-shared-key *
telnet 172.16.0.0 255.255.252.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 7200
!
!
!
smtp-server 172.16.0.20
prompt hostname context
Cryptochecksum:ce08de9d4dfc3f0212bfc325d4d2b116
: end

Here is Pix 2:

: Saved
:
PIX Version 7.2(2)
!
hostname PiX02
domain-name mydomain.local
enable password dbXGu/pAyWxhIUm3 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 142.x.x.x 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.4.1 255.255.252.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name mydomain.local
access-list outside_20_cryptomap extended permit ip 172.16.4.0 255.255.252.0 172.16.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 172.16.4.0 255.255.252.0 172.16.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.252.0 172.16.4.0 255.255.252.0
access-list inbound extended permit tcp any any eq 3940
access-list outside_access_in extended permit tcp any any eq 3940
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 142.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username admin password wm1QIrSnDfMaU.2q encrypted privilege 15
http server enable
http 172.16.4.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 142.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 142.x.x.x type ipsec-l2l
tunnel-group 142.x.x.x ipsec-attributes
 pre-shared-key *
telnet 172.16.4.0 255.255.252.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
prompt hostname context
Cryptochecksum:1c6b558da241b392c5621908e02d1438
: end
[OK]
ASKER CERTIFIED SOLUTION
batry_boy
Kutyi (ASKER)
Thanks Batry Boy!  Works Great!
Excellent...glad to help!
Kutyi (ASKER)
Does this prevent the DMZ from accessing my remote network? I can open the question again to give you more points.
Which network do you mean by remote?
Kutyi (ASKER)

172.16.4.0/22. I would prefer not to have the 172.16.12.0/22 network be able to access it directly, as it is to be a DMZ on a less secure network.
Unfortunately, it does allow the DMZ to initiate traffic directly to the remote network. I understand your concern, however.

You could always modify the PIX 1 outside interface ACL to allow any IP traffic sourced from the PIX 2 PAT address of 142.x.x.x, but the traffic will not be encrypted. However, it will fix the problem of the DMZ being able to directly access the remote network.

There is another way to do it, by disabling the "sysopt connection permit-vpn" command on PIX 1. By default this command is enabled, which allows any VPN traffic to bypass interface ACL checks. If you turned this off, then your VPN traffic would be subject to the same ACL checks that normal unencrypted traffic is subjected to. However, this will get a little messy, because you will also have to consider your PIX 1 inside network to PIX 2 inside network traffic in this as well. You could seriously mess up your VPN tunnel traffic if you're not careful.
Kutyi (ASKER)
Thanks...I will decide on my path.