PIX-515E DMZ Access Lists

I've got a couple of servers in a DMZ that need access to a couple of servers on the inside and also need to be able to access the outside for DNS lookups and other stuff. I also need inside hosts to be able to access the servers in the DMZ, and I will have a couple of ports open on the outside to the DMZ. As it stands now, the one server I've been testing with in the DMZ (192.168.3.5) can access one of the servers on the inside but not the other. It also cannot access the outside. So, how can I allow the DMZ servers access to everything on the outside without giving them access to everything on the inside? Why can I ping 192.168.3.24 and not .3.10? I can ping .3.10 from the inside.

Here are the relevant parts of my config:


nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet4 dmz security70
 
ip address inside 10.1.1.1 255.255.255.0
 
ip address dmz 192.168.3.1 255.255.255.0
 
 
access-list acl_dmz line 1 permit icmp host 192.168.3.5 host 192.168.3.24
access-list acl_dmz line 2 permit icmp host 192.168.3.5 host 192.168.3.10
access-list acl_dmz line 3 permit tcp host 192.168.3.5 host 192.168.3.24 eq 3306
access-list acl_dmz line 4 permit udp host 192.168.3.5 host 192.168.3.24 eq 3306
access-list acl_dmz line 5 permit tcp host 192.168.3.5 host 192.168.3.24 range 30000 30099
access-list acl_dmz line 6 permit udp host 192.168.3.5 host 192.168.3.24 range 30000 30099
 
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
 
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list nonat
nat (dmz) 1 192.168.3.0 255.255.255.0 0 0
 
global (outside) 1 <ext ip>
global (dmz) 1 192.168.3.100-192.168.3.199
 
static (dmz,outside) <ext ip> 192.168.3.5 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.3.24 10.1.1.24 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.3.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0


pnicorp asked:

Alan Huseyin Kayahan commented:
Hi pnicorp,
To achieve what you want, you should modify your config as follows:

access-list acl_dmz line 1 permit icmp host 192.168.3.5 host 192.168.3.24
access-list acl_dmz line 2 permit icmp host 192.168.3.5 host 192.168.3.10
access-list acl_dmz line 3 permit tcp host 192.168.3.5 host 192.168.3.24 eq 3306
access-list acl_dmz line 4 permit udp host 192.168.3.5 host 192.168.3.24 eq 3306
access-list acl_dmz line 5 permit tcp host 192.168.3.5 host 192.168.3.24 range 30000 30099
access-list acl_dmz line 6 permit udp host 192.168.3.5 host 192.168.3.24 range 30000 30099
access-list acl_dmz line 7 deny ip host 192.168.3.5 10.1.1.0 255.255.255.0
access-list acl_dmz line 8 permit tcp host 192.168.3.5 any eq www
access-list acl_dmz line 9 permit udp host 192.168.3.5 any eq dns
access-list acl_dmz line 10 permit tcp host 192.168.3.5 any eq dns

Please post your nonat ACL for checking the ping issue.

Regards
pnicorp (Author) commented:
Hmm, that's the config I was afraid of. I have other DMZs as well, do I need to add a deny statement for each of those into this acl?

There's not much of interest in the nonat ACL for this DMZ, just access for VPN connections really (192.168.5.0/24, 192.168.10.0/24, 10.2.2.0/24):

access-list nonat line 1 permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat line 2 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat line 3 permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat line 4 permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat line 5 permit ip 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat line 6 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat line 7 permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0

Alan Huseyin Kayahan commented:
Then simply change the deny rule as follows:

access-list acl_dmz line 7 deny ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0

Now you don't have to add a deny for each. Keep in mind that you should put every permit rule "before" the deny rule I suggest.


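The ordering point above (every permit before the subnet-wide deny) is easy to check offline by simulating first-match evaluation over the suggested acl_dmz. The following Python is an added example written for this page, not PIX code or anything posted in the thread: it parses the access-list syntax used here, evaluates a flow against the entries top to bottom, and reports which line decided the result (or the implicit deny at the end). Assumptions: the port names "www" and "dns" are treated as 80 and 53; only the ACL's own matching is modelled (no connection state, no NAT), with inside hosts addressed the way the dmz interface sees them in the posted statics (192.168.3.24 for 10.1.1.24, and 10.1.1.0/24 directly via the identity static); 203.0.113.0/24 is a constructed documentation range standing in for "the outside"; and the extra "permit icmp host 192.168.3.5 10.1.1.0 255.255.255.0" entry used to show the ordering effect is the one pnicorp describes adding later in the thread, given a hypothetical line number 11.

```python
"""First-match simulator for PIX-style access-list entries (added example, not PIX code)."""
import ipaddress

# Assumed mapping for the port names used in the thread; numeric ports are accepted too.
PORT_NAMES = {"www": 80, "dns": 53}


def _parse_addr(tokens, i):
    """Parse 'host A.B.C.D', 'any' or 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_rule(line):
    """Parse 'access-list NAME line N ACTION PROTO SRC DST [eq P | range LO HI]' into a dict."""
    t = line.split()
    if len(t) < 8 or t[0] != "access-list" or t[2] != "line":
        raise ValueError(f"unsupported entry: {line!r}")
    src, i = _parse_addr(t, 6)
    dst, i = _parse_addr(t, i)
    ports = None  # None = any destination port (also used for ip/icmp entries)
    if i < len(t):
        if t[i] == "eq":
            ports = (_port(t[i + 1]), _port(t[i + 1]))
        elif t[i] == "range":
            ports = (int(t[i + 1]), int(t[i + 2]))
        else:
            raise ValueError(f"unsupported port spec in: {line!r}")
    return {"name": t[1], "line": int(t[3]), "action": t[4], "proto": t[5],
            "src": src, "dst": dst, "ports": ports}


def load_acl(text):
    """Parse every non-blank line, keeping the order in which the firewall evaluates them."""
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def first_match(rules, proto, src, dst, dport=None):
    """Return (action, line) of the first matching entry, or ('deny', None) for the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["ports"] is not None:
            if dport is None or not (r["ports"][0] <= dport <= r["ports"][1]):
                continue
        return r["action"], r["line"]
    return "deny", None


def insert_rule(rules, line, before_deny):
    """Copy of rules with the new entry placed just before the first deny, or appended at the end."""
    out = list(rules)
    new = parse_rule(line)
    if before_deny:
        idx = next((i for i, r in enumerate(out) if r["action"] == "deny"), len(out))
        out.insert(idx, new)
    else:
        out.append(new)
    return out


# The acl_dmz suggested in the thread (lines 1-10), reproduced as the sample input.
SUGGESTED_ACL = """
access-list acl_dmz line 1 permit icmp host 192.168.3.5 host 192.168.3.24
access-list acl_dmz line 2 permit icmp host 192.168.3.5 host 192.168.3.10
access-list acl_dmz line 3 permit tcp host 192.168.3.5 host 192.168.3.24 eq 3306
access-list acl_dmz line 4 permit udp host 192.168.3.5 host 192.168.3.24 eq 3306
access-list acl_dmz line 5 permit tcp host 192.168.3.5 host 192.168.3.24 range 30000 30099
access-list acl_dmz line 6 permit udp host 192.168.3.5 host 192.168.3.24 range 30000 30099
access-list acl_dmz line 7 deny ip host 192.168.3.5 10.1.1.0 255.255.255.0
access-list acl_dmz line 8 permit tcp host 192.168.3.5 any eq www
access-list acl_dmz line 9 permit udp host 192.168.3.5 any eq dns
access-list acl_dmz line 10 permit tcp host 192.168.3.5 any eq dns
"""

# The icmp permit pnicorp mentions adding later; line 11 is a hypothetical number.
PING_INSIDE = "access-list acl_dmz line 11 permit icmp host 192.168.3.5 10.1.1.0 255.255.255.0"

if __name__ == "__main__":
    rules = load_acl(SUGGESTED_ACL)
    # Constructed flows; 203.0.113.x is a documentation range standing in for outside hosts.
    for flow in [("tcp", "192.168.3.5", "192.168.3.24", 3306),
                 ("tcp", "192.168.3.5", "10.1.1.50", 80),
                 ("udp", "192.168.3.5", "203.0.113.53", 53),
                 ("tcp", "192.168.3.6", "203.0.113.10", 80)]:
        print(flow, "->", first_match(rules, *flow))
    for before in (True, False):
        where = "before" if before else "after"
        print(f"icmp to 10.1.1.50 with the ping permit {where} the deny ->",
              first_match(insert_rule(rules, PING_INSIDE, before), "icmp", "192.168.3.5", "10.1.1.50"))
```

Running it shows MySQL to the mapped 192.168.3.24 permitted by line 3, HTTP to an inside host denied by line 7 before the "any eq www" entry at line 8 is reached, outbound DNS permitted by line 9, and any other DMZ host falling through to the implicit deny. The last two lines are the point of the comment above: the same icmp permit decides the flow when it sits before line 7 and is never reached when it is appended after it.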
Alan Huseyin Kayahan commented:
Hmm...
As long as you have the following statement, you can reach 10.1.1.x directly from the DMZ. You don't have to NAT the host to an IP in the DMZ subnet.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
pnicorp (Author) commented:
Ok, that's what I thought. Is there a reason to do it one way or the other? I kind of inherited this, and it was done a long time ago, so I'm still trying to figure out the reasoning behind some of the config choices.

As for the ping thing, it may not be a PIX issue. I added a "permit icmp host 192.168.3.5 10.1.1.0 255.255.255.0" and I seem to be able to ping all the other systems on the 10.1.1.0 network, just not this one. Yet I can ping it from within that network, so I'm a little baffled as to where the problem lies.
Alan Huseyin Kayahan commented:
The static above is a kind of NAT exemption. It indicates that 10.1.1.0 is not NATed for the DMZ network and is accessed directly from the DMZ. This means that if 192.168.3.88, for example, tries to reach a client, for example 10.1.1.50, the packet source will be set as 192.168.3.88 and 10.1.1.50 will know that the packet is coming from 192.168.3.88.
The other one is a one-to-one NAT. In this case, if 10.1.1.10 from your static entry above tries to reach 192.168.3.88, the original packet source will be kept in the translation table of the PIX, the packet source will be set as 192.168.3.10, and 192.168.1.88 will know that the packet is coming from 192.168.3.10.
So, the reasoning totally depends on the architecture in the mind of the security admin.
pnicorp (Author) commented:
Cool, thanks.