PIX-515E DMZ Access Lists

I've got a couple of servers in a DMZ that need access to a couple of servers on the inside and also need to be able to access the outside for DNS lookups and other stuff. I also need inside hosts to be able to access the servers in the DMZ, and I will have a couple of ports open on the outside to the DMZ. As it stands now, the one server I've been testing with in the DMZ (192.168.3.5) can access one of the servers on the inside but not the other. It also cannot access the outside. So, how can I allow the DMZ servers access to everything on the outside without giving them access to everything on the inside? Why can I ping 192.168.3.24 and not .3.10? I can ping .3.10 from the inside.

Here are the relevant parts of my config:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet4 dmz security70
 
ip address inside 10.1.1.1 255.255.255.0
 
ip address dmz 192.168.3.1 255.255.255.0
 
 
access-list acl_dmz line 1 permit icmp host 192.168.3.5 host 192.168.3.24
access-list acl_dmz line 2 permit icmp host 192.168.3.5 host 192.168.3.10
access-list acl_dmz line 3 permit tcp host 192.168.3.5 host 192.168.3.24 eq 3306
access-list acl_dmz line 4 permit udp host 192.168.3.5 host 192.168.3.24 eq 3306
access-list acl_dmz line 5 permit tcp host 192.168.3.5 host 192.168.3.24 range 30000 30099
access-list acl_dmz line 6 permit udp host 192.168.3.5 host 192.168.3.24 range 30000 30099
 
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
 
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list nonat
nat (dmz) 1 192.168.3.0 255.255.255.0 0 0
 
global (outside) 1 <ext ip>
global (dmz) 1 192.168.3.100-192.168.3.199
 
static (dmz,outside) <ext ip> 192.168.3.5 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.3.24 10.1.1.24 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.3.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0


pnicorp asked:
 
Alan Huseyin Kayahan commented:
Hi pnicorp,
To achieve what you want, you should modify your config as follows:

access-list acl_dmz line 1 permit icmp host 192.168.3.5 host 192.168.3.24
access-list acl_dmz line 2 permit icmp host 192.168.3.5 host 192.168.3.10
access-list acl_dmz line 3 permit tcp host 192.168.3.5 host 192.168.3.24 eq 3306
access-list acl_dmz line 4 permit udp host 192.168.3.5 host 192.168.3.24 eq 3306
access-list acl_dmz line 5 permit tcp host 192.168.3.5 host 192.168.3.24 range 30000 30099
access-list acl_dmz line 6 permit udp host 192.168.3.5 host 192.168.3.24 range 30000 30099
access-list acl_dmz line 7 deny ip host 192.168.3.5 10.1.1.0 255.255.255.0
access-list acl_dmz line 8 permit tcp host 192.168.3.5 any eq www
access-list acl_dmz line 9 permit udp host 192.168.3.5 any eq domain
access-list acl_dmz line 10 permit tcp host 192.168.3.5 any eq domain

Please post your nonat ACL so I can check the ping issue.

Regards
 
pnicorp (Author) commented:
Hmm, that's the config I was afraid of. I have other DMZs as well, do I need to add a deny statement for each of those into this acl?

There's not much interesting in the nonat acl for this dmz, just access for VPN connections really (192.168.5.0/24, 192.168.10.0/24, 10.2.2.0/24)

access-list nonat line 1 permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat line 2 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat line 3 permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat line 4 permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat line 5 permit ip 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat line 6 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat line 7 permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0

 
Alan Huseyin Kayahan commented:
Then simply change the deny rule as follows:

access-list acl_dmz line 7 deny ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0

Now you don't have to add a deny for each. Keep in mind that you should put every permit rule before the deny rule I suggest.


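The ordering point in the answer above, as an added example that is not code from this thread, from Cisco, or from the PIX itself: a small Python model of first-match ACL evaluation that walks the acl_dmz entries with the deny placed where the answer puts it and again with the deny appended last. Assumed, and not from the thread: the PIX 6.x semantics stated in the docstring (top-to-bottom first match, implicit deny at the end, the dmz-interface ACL matched against the addresses as that interface sees them), the constructed probe addresses 203.0.113.53 (an outside resolver) and 192.168.1.10 (a host on another DMZ), and the function names parse_ace, evaluate and compare.

```python
"""First-match evaluation of the acl_dmz rules from this thread.

Added example, not code from the thread or from Cisco. It models only what
the discussion needs: a PIX 6.x ACL is walked top to bottom, the first ACE
whose protocol, source, destination and (for tcp/udp) destination port match
decides the verdict, and a packet matching nothing is dropped by the implicit
deny. The ACL on the dmz interface is matched against the addresses as that
interface sees them, so inside hosts reached through a static appear under
their mapped 192.168.3.x address, while hosts covered by the identity static
appear as 10.1.1.x.
"""
import ipaddress

# PIX port keyword used in the thread (www) plus the PIX spelling for DNS.
PORT_NAMES = {"www": 80, "domain": 53}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tokens, i):
    """Consume one PIX address spec at tokens[i]: any | host A | NET MASK."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME [line N] permit|deny PROTO SRC DST [eq P | range A B]'."""
    t = line.split()
    i = 4 if t[2] == "line" else 2
    action, proto = t[i], t[i + 1]
    src, i = _addr(t, i + 2)
    dst, i = _addr(t, i)
    ports = None  # None: any destination port (icmp/ip, or no port clause)
    if i < len(t) and t[i] == "eq":
        ports = (_port(t[i + 1]),) * 2
    elif i < len(t) and t[i] == "range":
        ports = (_port(t[i + 1]), _port(t[i + 2]))
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "ports": ports, "text": line}


def evaluate(acl, proto, src, dst, dport=None):
    """Walk the ACL in order; return (verdict, text of the deciding ACE)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["ports"] is not None:
            lo, hi = ace["ports"]
            if dport is None or not lo <= dport <= hi:
                continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny at end of access-list"


INSIDE_PERMITS = [
    "access-list acl_dmz permit icmp host 192.168.3.5 host 192.168.3.24",
    "access-list acl_dmz permit icmp host 192.168.3.5 host 192.168.3.10",
    "access-list acl_dmz permit tcp host 192.168.3.5 host 192.168.3.24 eq 3306",
    "access-list acl_dmz permit udp host 192.168.3.5 host 192.168.3.24 eq 3306",
    "access-list acl_dmz permit tcp host 192.168.3.5 host 192.168.3.24 range 30000 30099",
    "access-list acl_dmz permit udp host 192.168.3.5 host 192.168.3.24 range 30000 30099",
]
DENY_INSIDE = ["access-list acl_dmz deny ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0"]
OUTBOUND = [
    "access-list acl_dmz permit tcp host 192.168.3.5 any eq www",
    "access-list acl_dmz permit udp host 192.168.3.5 any eq domain",
    "access-list acl_dmz permit tcp host 192.168.3.5 any eq domain",
]

# Order recommended in the thread: specific permits, then the deny, then the "any" permits.
GOOD = [parse_ace(l) for l in INSIDE_PERMITS + DENY_INSIDE + OUTBOUND]
# Same ACEs with the deny appended last, the mistake the answer warns against.
BAD = [parse_ace(l) for l in INSIDE_PERMITS + OUTBOUND + DENY_INSIDE]

# Constructed probe flows: (proto, src, dst, dport). 203.0.113.53 stands in for
# an outside resolver and 192.168.1.10 for a host on one of the other DMZs.
FLOWS = [
    ("tcp", "192.168.3.5", "192.168.3.24", 3306),   # MySQL on inside .24 via its static
    ("icmp", "192.168.3.5", "192.168.3.10", None),  # ping inside .10 via its static
    ("udp", "192.168.3.5", "203.0.113.53", 53),     # DNS to the outside
    ("tcp", "192.168.3.5", "10.1.1.50", 80),        # inside host seen through the identity static
    ("tcp", "192.168.3.5", "10.1.1.24", 3306),      # real address of .24; the ACL sees the mapped one
    ("tcp", "192.168.3.5", "192.168.1.10", 80),     # another DMZ: outside the deny's scope
]


def compare(flows=FLOWS):
    """Verdict under each ordering, keyed by flow: {flow: (good, bad)}."""
    return {f: (evaluate(GOOD, *f)[0], evaluate(BAD, *f)[0]) for f in flows}


if __name__ == "__main__":
    for flow, (good, bad) in compare().items():
        print(f"{flow!s:50} deny before any-permits: {good:6}  deny last: {bad}")
```

Two things the run makes visible. With the deny last, 192.168.3.5 reaches any inside web server (10.1.1.50:80 here) through `permit tcp ... any eq www`, because `any` covers 10.1.1.0/24 and the first matching line wins; with the deny placed before the `any` lines, that flow is dropped while DNS to the outside still passes. The deny covers only 10.1.1.0/24, so the same `any` permits still reach the other DMZ subnets the question mentions; if those must be off limits too, each needs its own deny ahead of the `any` lines.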

 
Alan Huseyin Kayahan commented:
Hmm...
As long as you have the following statement, you can reach 10.1.1.x directly from the DMZ. You don't have to NAT the host to an IP in the DMZ subnet.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
 
pnicorp (Author) commented:
OK, that's what I thought. Is there a reason to do it one way or the other? I kind of inherited this, and it was done a long time ago, so I'm still trying to figure out the reasoning behind some of the config choices.

As for the ping thing, it may not be a PIX issue. I added a "permit icmp host 192.168.3.5 10.1.1.0 255.255.255.0" and I seem to be able to ping all the other systems on the 10.1.1.0 network, just not this one. Yet I can ping it from within that network, so I'm a little baffled as to where the problem lies.
 
Alan Huseyin Kayahan commented:
The static above is a kind of exempt NAT. It indicates that 10.1.1.0 is not to be NATed for the DMZ network and can be accessed directly from the DMZ. This means that if 192.168.3.88, for example, tries to reach a client, for example 10.1.1.50, the packet source will be set as 192.168.3.88 and 10.1.1.50 will know that the packet is coming from 192.168.3.88.
The other one is a one-to-one NAT. In this case, if 10.1.1.10 from your static entry above tries to reach 192.168.3.88, the original packet source will be kept in the translation table of the PIX, the packet source will be set as 192.168.3.10, and 192.168.3.88 will know that the packet is coming from 192.168.3.10.
So the reasoning totally depends on the architecture the security admin has in mind.
 
pnicorp (Author) commented:
Cool, thanks.