  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1761

Sonicwall TZ190 Enhanced 3.8 OS behind PIX 515e

We have a SonicWall TZ190 with the LAN configured for the 10.20.x.x subnet and the OPT LAN configured for the 10.30.x.x network, with a WAN IP of 10.10.10.4. The WAN interface is connected to a switch with IP address 10.10.30.2. I have opened up all ports from the WAN side to the LAN subnets and shut down the Content Filtering service on the TZ190.

The 10.10.x.x network is where our PIX 515e firewall is located, with the inside interface set to 10.10.10.2; it is our internet firewall. All of our PCs on the 10.10.x.x network are able to get to any web site, but our 10.20.x.x & 10.30.x.x networked PCs can only get to very few web sites. The 10.10.x.x network is where our IT and admin staff are located, and they can get to the 10.20 & 10.30 networks.

Everything seems to work except the problem getting to web sites. Do I need to do something on the PIX to allow the 10.20 & 10.30 networks to access web sites? Also, the SonicWall is set up with NAT enabled.

Any assistance would be greatly appreciated and never forgotten.

Thanks,
Asked by cpmnet

1 Solution
from_exp commented:
I suppose you want your SonicWall to have NAT disabled, and your PIX should be configured to do NAT for all your subnets.
What is the routing table on the PIX?
Can you post your PIX config here, please?
cpmnet (author) commented:
Here is the PIX config:

: Saved
: Written by enable_15 at 13:58:12.716 PST Thu Jan 24 2008
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security75
enable password kWMVI8smzAHRBwFS encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Core-PIX
domain-name mydomain.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.5 Mountainhouse
name 192.168.1.4 MHDealers
name 192.168.1.2 TestWebserver
name 10.10.80.6 Websense
name 10.10.100.15 RemoteAccess
name 10.10.10.5 Watchguard-SSL
name 10.10.140.0 WatchGuardAssign
name 10.10.0.0 Main
name 10.10.70.22 GrpwisePO
name 88.208.x.x PPTPaccess
name 10.10.70.2 GrpwiseGWIA
name 10.10.70.10 GrpwiseWebAccess
name 10.20.0.0 P1Chamber
name 192.168.1.6 BusnssCollabSrvr
name 12.129.20.0 FB-1
name 10.30.0.0 P1UtilityControl
name 63.241.x.x FB-4
name 216.32.x.x FB-12
name 12.129.199.61 FB-2
name 213.244.x.x FB-10
name 216.32.x.x FB-11
name 207.46.x.x FB-7
name 213.199.x.x FB-9
name 12.129.219.155 FB-3
name 206.16.x.x FB-6
name 207.46.x.x FB-8
name 65.55.x.x FB-5
name 70.89.x.x Ascent
object-group network Internal
  description Internal Servers and Workstations
  network-object Main 255.255.0.0
  network-object 10.10.10.2 255.255.255.255
object-group network FrontBridge
  description Front Bridge Mail Servers (Incoming)
  network-object FB-2 255.255.255.255
  network-object FB-3 255.255.255.255
  network-object FB-6 255.255.255.255
  network-object FB-1 255.255.255.0
  network-object FB-4 255.255.255.0
  network-object FB-5 255.255.255.192
  network-object FB-7 255.255.255.192
  network-object FB-8 255.255.255.0
  network-object FB-9 255.255.255.0
  network-object FB-10 255.255.255.0
  network-object FB-11 255.255.255.0
  network-object FB-12 255.255.255.0
object-group service DMZ_WebTraffic_Outbound tcp
  description Manage DMZ Outbound Traffic. Domain (), HTTP (80), HTTPS (443)
  port-object eq www
  port-object eq https
  port-object eq domain
object-group service FTP tcp
  description FTP (221), FTP (21), FTP (6000-7000)
  port-object eq ftp
  port-object eq 221
  port-object range 6000 7000
object-group service HTTP-HTTPS tcp
  description HTTP (80), HTTPS (443)
  port-object eq www
  port-object eq https
object-group service GrpwisePO tcp
  description GroupWise Full Client (Port 1677) for the POA (Caching or On-Line from the GW Client)
  port-object eq 1677
object-group service GrpwiseGWIA tcp
  description GroupWise Messenger is (Port 8300). Imap4 (Port 143 & SSL 993) and Pop3 (Port 110 & SSL 995) Access for Blackberry Internet Server.
  port-object eq 8300
  port-object eq imap4
  port-object range 993 993
object-group service MHDealers tcp
  description FTP (221), FTP (21), HTTP (80), HTTPS (443), FTP (6000-7000), SMTP (25)
  port-object eq ftp
  port-object range 6000 7000
  port-object eq 221
  port-object eq https
  port-object eq www
  port-object eq smtp
object-group service MuddyVPN tcp
  description PPTP (1723), GRE (47)
  port-object eq pptp
  port-object range 47 47
object-group service GrpwiseWebAccess tcp
  description GrpwiseWebAccess - Web/HTTP (Port 80) & Secure Web/HTTPS (Port 443)
  port-object eq www
  port-object eq https
object-group service BusinessCollaborationServer tcp
  description HTTP (80), HTTPS (443), FTP (221), SMTP (25)
  port-object eq https
  port-object eq www
  port-object range 221 221
  port-object eq smtp
access-list outside_access_in remark SSH access to Watchguard SSL
access-list outside_access_in permit tcp any host 65.122.x.x eq https
access-list outside_access_in remark SSH Mgt access to Watchguard SSL from NDM
access-list outside_access_in deny tcp host Ascent host 65.122.x.x eq 9001
access-list outside_access_in remark SMTP mail delivery from Front Bridge
access-list outside_access_in permit tcp object-group FrontBridge host 65.122.x.x
access-list outside_access_in remark Permit All ICMP traffic and Echo's
access-list outside_access_in permit icmp any any
access-list outside_access_in remark Muddyboots
access-list outside_access_in permit gre any any
access-list outside_access_in remark Muddyboots
access-list outside_access_in permit tcp any object-group MuddyVPN any object-group MuddyVPN
access-list outside_access_in remark Internal OFD Web Site (MH-Dealers)
access-list outside_access_in remark HTTP/HTTPS
access-list outside_access_in remark FTP - Port 221 6000-7000
access-list outside_access_in remark SMTP
access-list outside_access_in permit tcp any host 65.122.x.x object-group MHDealers
access-list outside_access_in permit tcp any host 65.122.x.x object-group HTTP-HTTPS
access-list outside_access_in remark Allow GW Messenger Traffic
access-list outside_access_in deny tcp host Ascent host 65.122.x.x
access-list outside_access_in remark Grpwise Full Client Access (Port 1677)
access-list outside_access_in remark
access-list outside_access_in remark Allow GW Messenger Traffic
access-list outside_access_in permit tcp any host 65.122.x.x object-group GrpwisePO
access-list outside_access_in remark Allow ICMP Traffic and ECHO's
access-list outside_access_in remark MountainHouse.com
access-list outside_access_in remark Internal OFD Web Site (Mountainhouse)
access-list outside_access_in remark HTTP/HTTPS
access-list outside_access_in permit tcp any host 65.122.x.x object-group MHDealers
access-list outside_access_in remark FTP - Port 221 6000-7000
access-list outside_access_in permit tcp any host 65.122.x.x object-group BusinessCollaborationServer
access-list outside_access_in remark SMTP
access-list outside_access_in remark MarineCuisine.us
access-list outside_access_in remark HTTP, HTTPS, FTP, SMTP
access-list outside_access_in permit tcp any host 65.122.181.97 object-group GrpwiseGWIA
access-list outside_access_in remark Allow ICMP Traffic and Echo's
access-list outside_access_in permit tcp any host 65.122.x.x object-group HTTP-HTTPS
access-list outside_access_in remark Internal OFD Web Site (MH-Dealers) SMTP
access-list outside_access_in remark Grpwise Full Client Access (Port 1677).
access-list outside_access_in remark
access-list outside_access_in remark Internal OFD Web Site (MH-Dealers) HTTPS
access-list outside_access_in remark Allow HTTP/HTTPS
access-list outside_access_in remark Allow HTTP/HTTPS
access-list outside_access_in remark Allow HTTP/HTTPS Traffic
access-list outside_access_in remark Allow HTTP/HTTPS Traffic
access-list outside_access_in remark Allow HTTP/HTTPS Traffic
access-list outside_access_in remark Internal OFD Web Site (MtnHouse) Retail - HTTP
access-list outside_access_in remark Internal OFD Web Site (MtnHouse) Retail - HTTPS
access-list outside_access_in remark Internal OFD Web Site (MH-Dealers) SMTP
access-list outside_access_in remark Allow HTTP / HTTPS Traffic
access-list outside_access_in remark Internal OFD Web Site (Testserver)
access-list outside_access_in remark Allow SMTP traffic
access-list outside_access_in remark Internal OFD Web Site (MH-Dealers) SMTP
access-list outside_access_in remark
access-list outside_access_in remark
access-list outside_access_in remark
access-list outside_access_in remark
access-list outside_access_in remark Allow HTTP / HTTPS Traffic
access-list outside_access_in remark Internal OFD Web Site (MH-Dealers) HTTP
access-list outside_access_in remark Web Access (Port 443-SSL and Port 80-Non SSL), GW Messenger (Port 8300-SSL).
access-list outside_access_in remark Brian Travelling - NDM
access-list outside_access_in remark Port 1677 for GW POA (Grpwise Full Client).
access-list outside_access_in remark Web Access (Port 443-SSL and Port 80-Non SSL), GW Messenger (Port 8300-SSL)
access-list outside_access_in remark Grpwise Web Access (Port 80 & Port 443 Secure)
access-list outside_access_in remark Grpwise Messenger (Port 8300)
access-list outside_access_in remark Grpwise Web Access (Port 80 and Port 443 secure)
access-list outside_access_in remark Grpwise Messenger Access (Port 8300)
access-list outside_access_in remark Grpwise Web Access (Port 80 and Port 443 secure)
access-list outside_access_in remark Grpwise Messenger Access (Port 8300)
access-list outside_access_in remark
access-list outside_access_in remark
access-list outside_access_in remark MarineCuisine.us
access-list outside_access_in remark MarineCuisine.us
access-list outside_access_in remark MarineCuisine.us
access-list outside_access_in remark
access-list outside_access_in remark Grpwise Webaccess Port 80 & 443
access-list inside_access_in remark Default allow
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging timestamp
logging console notifications
logging host inside RemoteAccess
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 65.122.x.x 255.255.255.240
ip address inside 10.10.10.2 255.255.0.0
ip address DMZ 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 65.122.x.x 255.255.255.255 outside
pdm location 65.122.x.x 255.255.255.255 outside
pdm location 65.122.x.x 255.255.255.255 outside
pdm location 65.122.x.x 255.255.255.255 outside
pdm location 65.122.x.x 255.255.255.255 outside
pdm location 65.122.x.x 255.255.255.255 outside
pdm location 65.122.x.x 255.255.255.255 outside
pdm location 65.122.x.x 255.255.255.255 outside
pdm location 65.122.x.x 255.255.255.255 outside
pdm location 65.122.x.x 255.255.255.255 outside
pdm location 65.122.x.x 255.255.255.255 outside
pdm location 65.122.x.x 255.255.255.255 outside
pdm location RemoteAccess 255.255.255.255 inside
pdm location FB-2 255.255.255.255 outside
pdm location Websense 255.255.255.255 inside
pdm location TestWebserver 255.255.255.255 DMZ
pdm location 10.0.0.0 255.0.0.0 inside
pdm location MHDealers 255.255.255.255 DMZ
pdm location Mountainhouse 255.255.255.255 DMZ
pdm location 207.46.x.x 255.255.255.255 outside
pdm location Ascent 255.255.255.255 outside
pdm location WatchGuardAssign 255.255.255.0 inside
pdm location Watchguard-SSL 255.255.255.255 inside
pdm location 65.55.x.x 255.255.255.255 outside
pdm location 12.129.20.19 255.255.255.255 outside
pdm location FB-3 255.255.255.255 outside
pdm location 63.241.x.x 255.255.255.255 outside
pdm location FB-6 255.255.255.255 outside
pdm location 207.46.x.x 255.255.255.255 outside
pdm location 213.199.x.x 255.255.255.255 outside
pdm location 213.244.x.x 255.255.255.255 outside
pdm location GrpwisePO 255.255.255.255 inside
pdm location Main 255.255.255.0 inside
pdm location 216.32.x.x 255.255.255.255 outside
pdm location 216.32.x.x 255.255.255.255 outside
pdm location PPTPaccess 255.255.255.255 outside
pdm location GrpwiseGWIA 255.255.255.255 inside
pdm location GrpwiseWebAccess 255.255.255.255 inside
pdm location 65.122.x.x 255.255.255.255 inside
pdm location P1Chamber 255.255.0.0 inside
pdm location P1UtilityControl 255.255.0.0 inside
pdm location BusnssCollabSrvr 255.255.255.255 DMZ
pdm location FB-1 255.255.255.0 outside
pdm location FB-4 255.255.255.0 outside
pdm location FB-8 255.255.255.0 outside
pdm location FB-9 255.255.255.0 outside
pdm location FB-10 255.255.255.0 outside
pdm location FB-11 255.255.255.0 outside
pdm location FB-12 255.255.255.0 outside
pdm location FB-5 255.255.255.192 outside
pdm location FB-7 255.255.255.192 outside
pdm group Internal inside
pdm group FrontBridge outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 65 interface
global (inside) 1 10.10.110.3-10.20.255.254
nat (inside) 65 Main 255.255.0.0 0 0
nat (DMZ) 65 192.168.1.0 255.255.255.0 0 0
static (outside,inside) GrpwiseGWIA 65.122.x.x netmask 255.255.255.255 0 0
static (inside,outside) 65.122.x.x GrpwiseGWIA netmask 255.255.255.255 0 0
static (inside,outside) 65.122.x.x RemoteAccess netmask 255.255.255.255 0 0
static (outside,inside) RemoteAccess 65.122.x.x netmask 255.255.255.255 0 0
static (outside,DMZ) TestWebserver 65.122.x.x netmask 255.255.255.255 0 0
static (DMZ,outside) 65.122.x.x TestWebserver netmask 255.255.255.255 0 0
static (DMZ,outside) 65.122.x.x MHDealers netmask 255.255.255.255 0 0
static (outside,DMZ) MHDealers 65.122.x.x netmask 255.255.255.255 0 0
static (DMZ,outside) 65.122.x.x Mountainhouse netmask 255.255.255.255 0 0
static (outside,DMZ) Mountainhouse 65.122.x.x netmask 255.255.255.255 0 0
static (outside,inside) Watchguard-SSL 65.122.x.x netmask 255.255.255.255 0 0
static (inside,outside) 65.122.x.x Watchguard-SSL netmask 255.255.255.255 0 0
static (outside,inside) GrpwisePO 65.122.x.x netmask 255.255.255.255 0 0
static (inside,outside) 65.122.x.x GrpwisePO netmask 255.255.255.255 0 0
static (DMZ,outside) 65.122.x.x BusnssCollabSrvr netmask 255.255.255.255 0 0
static (outside,DMZ) BusnssCollabSrvr 65.122.x.x netmask 255.255.255.255 0 0
static (inside,outside) 65.122.x.x GrpwiseWebAccess netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
outbound  10 permit P1Chamber 255.255.0.0 1-65535 tcp
outbound  10 permit P1Chamber 255.255.0.0 1-65535 udp
route outside 0.0.0.0 0.0.0.0 65.122.x.x 1
route inside P1Chamber 255.255.0.0 10.10.10.4 1
route inside P1UtilityControl 255.255.0.0 10.10.10.4 1
route outside PPTPaccess 255.255.255.255 65.122.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host Websense timeout 5 protocol TCP version 1
url-cache dst 128KB
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-deny
ntp server 192.43.244.18 source outside prefer
ntp server 207.46.130.100 source outside
ntp server 131.107.1.10 source outside
ntp server 129.6.15.29 source outside
ntp server 129.6.15.28 source outside
http server enable
http Ascent 255.255.255.255 outside
http Main 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp inside
sysopt noproxyarp DMZ
telnet timeout 5
ssh Ascent 255.255.255.255 outside
ssh Main 255.255.0.0 inside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username admin password 7J.peyvoCbfQxaMn encrypted privilege 15
url-block url-mempool 3000
url-block url-size 4
terminal width 80
banner exec Warning!  Unauthorized access to this device is illegal.  Violators will be prosecuted.
banner login Warning!  Unauthorized access to this device is illegal.  Violators will be prosecuted.
Cryptochecksum:837f673addb150462423cb5bb3e0eceb
from_exp commented:
Hi!
I suppose, if you disable NAT on the SonicWall, you need to add on the Cisco:
ip route 10.20.0.0 255.255.0.0 10.10.10.1
ip route 10.30.0.0 255.255.0.0 10.10.10.4

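from_exp's two points, that the PIX must NAT every subnet behind the SonicWall and must hold a return route for each of them, can be checked mechanically against the posted config. The script below is an added example, not code from the thread or from Cisco: it parses the name, global, nat and route lines of a constructed excerpt of the PIX 6.3 config above and reports, for a given inside host, whether a nat rule with a matching outside global would translate it and which route carries replies back; the thread's redacted 65.122.x.x next hop is kept as a string and never parsed as an address.

```python
import ipaddress

# Constructed excerpt of the PIX 6.3 config posted in this thread (name, global,
# nat and route lines only); "65.122.x.x" is the thread's own redaction, echoed as text.
PIX_CONFIG = """
name 10.10.0.0 Main
name 10.20.0.0 P1Chamber
name 10.30.0.0 P1UtilityControl
global (outside) 65 interface
global (inside) 1 10.10.110.3-10.20.255.254
nat (inside) 65 Main 255.255.0.0 0 0
nat (DMZ) 65 192.168.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 65.122.x.x 1
route inside P1Chamber 255.255.0.0 10.10.10.4 1
route inside P1UtilityControl 255.255.0.0 10.10.10.4 1
"""

def parse_pix(config):
    """Collect name aliases, nat rules, global pools and static routes."""
    names, nats, globals_, routes = {}, [], {}, []
    for line in config.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "name":        # name <ip> <alias>
            names[p[2]] = p[1]
        elif p[0] == "nat":       # nat (<if>) <id> <net|alias> <mask> ...
            net = ipaddress.ip_network(f"{names.get(p[3], p[3])}/{p[4]}", strict=False)
            nats.append((p[1].strip("()"), int(p[2]), net))
        elif p[0] == "global":    # global (<if>) <id> <pool>
            globals_.setdefault(int(p[2]), set()).add(p[1].strip("()"))
        elif p[0] == "route":     # route <if> <net|alias> <mask> <gateway> <metric>
            net = ipaddress.ip_network(f"{names.get(p[2], p[2])}/{p[3]}", strict=False)
            routes.append((p[1], net, p[4]))
    return names, nats, globals_, routes

def nat_covers(config, src_iface, src_ip, out_iface="outside"):
    """True if a nat rule on src_iface matches src_ip and a global with the same id exists on out_iface."""
    _, nats, globals_, _ = parse_pix(config)
    ip = ipaddress.ip_address(src_ip)
    return any(iface == src_iface and ip in net and out_iface in globals_.get(nid, set())
               for iface, nid, net in nats)

def route_for(config, dst_ip):
    """Longest-prefix match over the static routes -> (interface, next hop)."""
    _, _, _, routes = parse_pix(config)
    ip = ipaddress.ip_address(dst_ip)
    best = max((r for r in routes if ip in r[1]), key=lambda r: r[1].prefixlen, default=None)
    return (best[0], best[2]) if best else None

def orphan_globals(config):
    """Global pool ids that no nat rule references (a config hygiene check)."""
    _, nats, globals_, _ = parse_pix(config)
    return sorted(set(globals_) - {nid for _, nid, _ in nats})
```

Run against the excerpt, a 10.10.x.x host is covered by nat id 65 while 10.20.x.x and 10.30.x.x hosts are not, replies to 10.20.x.x are routed inside via 10.10.10.4, and the inside global id 1 has no nat rule referencing it.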
cpmnet (author) commented:
We currently have these routes on the PIX:

ip route 10.20.0.0 255.255.0.0 10.10.10.4
ip route 10.30.0.0 255.255.0.0 10.10.10.4

So I guess the next thing is to set up our TZ190 in transparent mode or bridge mode and change our 10.20 & 10.30 networks to 10.10.30.x & 10.10.40.x, or something within the same subnet of 10.10.x.x.

Do we set the default route for these networks to 10.10.10.2, which is our PIX?

from_exp commented:
Hi!
I suppose you should not change the IP addresses of the networks behind the SonicWall. Do not use the bridge function on it. Just disable NAT to have plain routing between subnets.

cpmnet (author) commented:
The SonicWall default config is NAT enabled. I disabled NAT and that took care of it.

Thanks for your help

from_exp commented:
I haven't got the idea why the question should be closed by a moderator rather than by the normal procedure.
I still do not have objections here if the asker wants to save his points in such a way.

P.S.
To my mind, if the asker supposes the question is only worth 125 points (assuming the asker accepted the answer with grade A: 125*A=500), then it should be placed with 125 points, not with 500 (to attract attention) and then refunded 3/4.

from_exp

cpmnet (author) commented:
Thanks again for your help.