
mail/www server setup thru pix

Last Modified: 2012-05-06
Hi,
I've configured a basic PIX firewall with two servers on the DMZ (one mail server and one public web server). I've configured some generic commands for managing access to/from the DMZ to the internet. I just want to know whether I have to add any more specific commands besides these for accessing those two servers, or whether what I've configured below is all that's needed.

static (inside,out) out I.P inside I.P
access-list 1 permit tcp any any
access-list 1 permit udp any any
access-list 1 permit ip any any
access-group 1 in interface dmz

I know it's not a good ACL, but I have another ACL that's very specific to the hosts that I'll be applying. But with the above config, will I be able to access my mail and web servers fine? Because I read somewhere that the default inspect commands in the PIX can sometimes conflict with accessing mail servers, etc., and we need to define extra commands ...???

!
!
Here is a brief mock-up
!
!This assumes two interfaces...
!
static (inside,out) tcp 1.1.1.1 25 10.10.10.10 25 netmask 255.255.255.255
static (inside,out) tcp 1.1.1.2 80 10.10.10.20 80 netmask 255.255.255.255
!
access-list out_in permit tcp any host 1.1.1.1 eq smtp
access-list out_in permit tcp any host 1.1.1.2 eq www
!
access-group out_in in interface out
!
You can apply the same principle for traffic on your DMZ side. Also think about your traffic flow between security levels to know which direction to apply your ACLs.

Commented:
For static translations not in the dmz:

static (inside,outside) [public ip of server] [inside ip of server] netmask 255.255.255.255 0 0
then an access-list permitting the service

e.g.  for mail:
access-list outside_inside permit tcp any host [public ip of server] eq smtp
then bind it to the outside interface:
access-group outside_inside in interface outside

for dmz servers:

static (dmz,outside) [public ip of server] [inside ip of server] netmask 255.255.255.255
then you need a static (dmz,inside)
example:


this allows NAT from dmz to inside lan:
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
this allows traffic from internet to dmz:
access-list outside_int permit tcp any host [public ip of server] eq smtp
then bind the access list to the dmz interface:
access-group outside_int in interface dmz

I am enclosing a PDF from the Cisco website with a sample config so you have the correct commands and syntax:

pix-dmz-mailserver.pdf

Author

Commented:
My DMZ subnet is a public subnet, no internal IP for it. Based on what you suggested and my limited knowledge, here is what I've configured, and the question is at the bottom!

static (dmz,outside) 203.38.170.224 203.38.170.224 netmask 255.255.255.240
static (inside,dmz) 172.0.0.0 172.0.0.0 netmask 255.0.0.0
static (dmz,inside) 203.38.170.224 203.38.170.224 netmask 255.255.255.240

global (outside) 1 interface
global (dmz) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

access-list 1 permit ip any any
access-list 1 permit tcp any any
access-list 1 permit udp any any
access-group 1 in interface outside
access-group 1 in interface dmz

Will this work for mail servers, web servers, etc., and will the outside world be able to access these servers and the inside network too??? I'm not defining any static from inside to outside or vice versa since nobody wants to access my internal network from the internet; only my internal network wants to access the internet (which will be done through the nat/global commands between inside/outside) ...

BTW thanks for your posts guys :)

Commented:
This command will not allow translation to the inside LAN network:
static (dmz,outside) 203.38.170.224 203.38.170.224 netmask 255.255.255.240
since both public IPs are in the translation.

I have seen configurations where this might work; you will need to test. But the configuration in the article is the standard way to create servers in the DMZ, with an outside public IP translated in a translate slot (in PIX terminology) to an inside LAN address.

Commented:
Stick with the Cisco doc syntax and you will be good to go. Any problems, let me know and we will troubleshoot.

Author

Commented:
Ok ..

I tested
static (dmz,outside) 203.38.170.224 203.38.170.224 netmask 255.255.255.240
and I was able to ping from an outside router to my DMZ server. This effectively means no translation, since the DMZ server itself has the public IP.

I'm just thinking, when is it really necessary to allow the outside internet to access our LAN and LAN servers? I mean, when our LAN wants to access the outside internet, those nat/global commands would do the job and return traffic would be able to come back as well. So I'm just thinking, when is it required to allow static traffic from outside to inside (not DMZ)?

Author

Commented:
In my case, all the servers related to the outside world are in the DMZ, not in my LAN.

The LAN is strictly for inside clients. That security (inside to LAN clients) I'm managing by configuring a zone-based firewall on my router.

Commented:
In that case then this statement will work:
static (inside,dmz) 172.0.0.0 172.0.0.0 netmask 255.0.0.0

You will see this in the Cisco document also.

Author

Commented:
Thanks. And lastly, is it OK if I don't use any static commands for outside traffic to inside, i.e. static (in,out) out IP in IP?
What I'm not sure of is that if I only use nat/global commands, would the return traffic be able to come back without having to use any static command?

Commented:
The static commands are called static NAT, but in the PIX you still require the nat (inside) commands, which allow traffic from inside hosts to outside.

The static command creates a translation slot to enable inbound and outbound traffic to a specific host specified in the command.

Hope this clears it all up, but ask away, we like answering questions.

Author

Commented:
So If I use
nat (inside) 1 0 0
global (outside) 1 interface
and ACL permits everything ....

Considering the above 3 commands, I should be OK to send traffic from inside to outside (and receive the return traffic), but any traffic originating from outside to inside shouldn't be able to come in? Is this correct? Unless I need somewhere on the internet to be able to talk to my LAN hosts, only then would I use static? That's the way I understand it. Am I correct?
Commented:
Yes

nat (inside) 1 0 0
global (outside) 1 interface

These allow inside hosts to access the outside.
By default, the PIX (and ASA) allow everything from inside out, unless there is an explicit deny statement.

The above two commands constitute PAT (port address translation), meaning many inside hosts are translated to one global (public) address.
Without the static (inside,outside) translation (or port forwarding) of a server, it cannot be seen from outside your firewall by internet hosts.
Inbound access-lists can offer granular control over what ports, services and protocols to allow in. So the ACLs and the static NAT statements allow traffic flow from the less secure (outside) interface to the more secure internal hosts.

The purpose of a DMZ is to isolate servers from the most secure (security level 100) inside LAN. The theory is that if they are attacked, the damage is minimized and contained, rather than the servers being behind the firewall in the same subnet as the other LAN hosts. Via access lists on the DMZ, you can limit traffic or totally block traffic to the internal LAN(s).
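As an added illustration (not code from this thread or from Cisco), the Python script below parses the command forms used in the thread and flags the points raised in the answers above: an identity static translates nothing, an access-group must name an ACL that exists, a permit ip any any bound inbound on outside opens every static, and the port in an ACL entry must match the port in a port static. The sample config is constructed from the thread's own lines; the addresses are the thread's placeholders.

```python
"""Audit PIX-style static / access-list / access-group lines (added example)."""

SERVICE_PORTS = {"smtp": 25, "http": 80, "www": 80, "https": 443}

# Constructed sample: the author's identity static, the mock-up's mail static,
# a blanket ACL bound on outside, and an access-group naming an undefined ACL.
SAMPLE_CONFIG = """
static (dmz,outside) 203.38.170.224 203.38.170.224 netmask 255.255.255.240
static (inside,outside) tcp 1.1.1.1 25 10.10.10.10 25 netmask 255.255.255.255
access-list out_in permit tcp any host 1.1.1.1 eq http
access-list 1 permit ip any any
access-group 1 in interface outside
access-group dmz_int in interface dmz
"""


def parse(config):
    """Collect statics {global: (real, port|None)}, ACL entries and bindings."""
    statics, acls, groups = {}, {}, []
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "static":
            # static (high,low) [tcp|udp] global [gport] real [rport] netmask ...
            if tok[2] in ("tcp", "udp"):
                statics[tok[3]] = (tok[5], int(tok[4]))
            else:
                statics[tok[2]] = (tok[3], None)
        elif tok[0] == "access-list" and tok[2] == "permit":
            dst = tok[tok.index("host") + 1] if "host" in tok else "any"
            port = tok[tok.index("eq") + 1] if "eq" in tok else None
            acls.setdefault(tok[1], []).append((tok[3], dst, port))
        elif tok[0] == "access-group":
            groups.append((tok[1], tok[4]))  # (acl name, interface)
    return statics, acls, groups


def audit(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    statics, acls, groups = parse(config)
    findings = []
    for pub, (real, _) in statics.items():
        if pub == real:
            findings.append(f"identity static {pub}: no address translation")
    for name, entries in acls.items():
        for _, dst, port in entries:
            mapped = statics.get(dst, (None, None))[1]
            if port and mapped and int(SERVICE_PORTS.get(port, port)) != mapped:
                findings.append(f"ACL {name}: {dst} eq {port} but static forwards port {mapped}")
    for name, iface in groups:
        if name not in acls:
            findings.append(f"access-group {name} on {iface}: ACL undefined")
        elif iface == "outside" and any(p == "ip" and d == "any" for p, d, _ in acls[name]):
            findings.append(f"ACL {name} on outside: permit ip any any exposes every static")
    return findings
```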



Author

Commented:
Yeah, now I get it.
Well, thanks a lot for your help. You've answered all my questions now, thanks :)

Commented:
Anytime, keep on asking; it's a learning process for all of us.

Author

Commented:
Would really appreciate it if you could also reflect your thoughts on the following topic. Thanks once again!

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24111049.html