
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 218

mail/www server setup thru pix

Hi,
I've configured a basic PIX firewall with two servers on the DMZ (one mail server and one public web server) .... I've configured some generic commands for managing access to/from the DMZ and the internet ... I just want to know whether I have to add any more specific commands besides these for accessing those two servers, or whether what I've configured below is all that's needed.

static (inside,out) out I.P inside I.P
access-list 1 permit tcp any any
access-list 1 permit udp any any
access-list 1 permit ip any any
access-group 1 in interface dmz

I know it's not a good ACL, but I have another ACL that's very specific to the hosts that I'll be applying.. but with the above config, will I be able to access my mail and web servers fine? Because I read somewhere that the default inspect commands in PIX can sometimes conflict with accessing mail servers, etc., and we need to define extra commands .... ???
0
Asked by: nabeel92
1 Solution
 
ciscoml320 commented:
!
!
Here is a brief mock-up
!
!This assumes two interfaces...
!
static (inside,out) tcp 1.1.1.1 25 10.10.10.10 25 netmask 255.255.255.255
static (inside,out) tcp 1.1.1.2 80 10.10.10.20 80 netmask 255.255.255.255
!
access-list out_in permit tcp any host 1.1.1.1 eq smtp
access-list out_in permit tcp any host 1.1.1.2 eq www
!
access-group out_in in interface out
!
You can apply the same principle for traffic on your DMZ side... also think about your traffic flow between security levels to know which direction to apply your ACLs.
0
 
bignewf commented:
For static translations not in the DMZ:

static (inside,outside) [public ip of server] [inside ip of server] netmask 255.255.255.255 0 0
then an access-list permitting the service

e.g. for mail:
access-list outside_in permit tcp any host [public ip of server] eq smtp
then bind it to the outside interface:
access-group outside_in in interface outside

for DMZ servers:

static (dmz,outside) [public ip of server] [inside ip of server] netmask 255.255.255.255
then you need a static (dmz,inside)
example:


this allows NAT from DMZ to inside LAN:
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
this allows traffic from internet to DMZ:
access-list dmz_int permit tcp any host [public ip of server] eq smtp
then bind the access list to the DMZ interface:
access-group dmz_int in interface dmz

I am enclosing a PDF from the Cisco website with a sample config so you have the correct commands and syntax.

Attachment: pix-dmz-mailserver.pdf
0
 
nabeel92 (Author) commented:
My DMZ subnet is a public subnet, no internal IP for it ... Based on what you suggested and my limited knowledge, here is what I've configured, and the question is at the bottom!

static (dmz,outside) 203.38.170.224 203.38.170.224 netmask 255.255.255.240
static (inside,dmz) 172.0.0.0 172.0.0.0 netmask 255.0.0.0
static (dmz,inside) 203.38.170.224 203.38.170.224 netmask 255.255.255.240

global (outside) 1 interface
global (dmz) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

access-list 1 permit ip any any
access-list 1 permit tcp any any
access-list 1 permit udp any any
access-group 1 in interface outside
access-group 1 in interface dmz

Will this work for mail servers, web servers, etc., and will the outside world be able to access these servers and the inside network too??? I'm not defining any static from inside to outside / vice versa since nobody needs to access my internal network from the internet; only my internal network wants to access the internet (which will be done through the nat/global commands between inside/outside....

BTW thanks for your posts guys :)
0
 
bignewf commented:
This command will not allow translation to the inside LAN network:
static (dmz,outside) 203.38.170.224 203.38.170.224 netmask 255.255.255.240
since both public IPs are in the translation.

I have seen configurations where this might work; you will need to test, but the configuration in the article is the standard way to create servers in the DMZ, with the outside public IP translated in a translate slot (in PIX terminology) to an inside LAN address.
0
 
bignewf commented:
Stick with the Cisco doc syntax and you will be good to go. Any problems, let me know and we will troubleshoot.
0
 
nabeel92 (Author) commented:
Ok ..

I tested
static (dmz,outside) 203.38.170.224 203.38.170.224 netmask 255.255.255.240
and I was able to ping from an outside router to my DMZ server .... this effectively means no translation, since the DMZ server itself has the public IP ....

I'm just thinking, when is it really necessary to allow the outside internet to access our LAN and LAN servers ... I mean when our LAN wants to access the outside internet, those nat/global commands would do the job and the return traffic would be able to come back as well ... so I'm just thinking when it is required to allow static traffic from outside to inside (not DMZ) ....

0
 
nabeel92 (Author) commented:
In my case all the servers related to the outside world are in the DMZ, not in my LAN ...

The LAN is strictly for inside clients... That security (inside to LAN clients) I'm managing by configuring a zone-based firewall on my router ....
0
 
bignewf commented:
In that case this statement will work:
static (inside,dmz) 172.0.0.0 172.0.0.0 netmask 255.0.0.0

You will see this in the Cisco document also.
0
 
nabeel92 (Author) commented:
Thanks.. and lastly, is it OK if I don't use any static commands for outside traffic to inside, i.e. static (in,out) out I.P in I.P?
What I'm not sure about is that if I only use nat/global commands, would the return traffic be able to come back without having to use any static command?
0
 
bignewf commented:
The static commands are called static NAT, but in the PIX you still require the nat (inside) commands, which allow traffic from inside hosts to outside.

The static command creates a translation slot to enable inbound and outbound traffic to a specific host specified in the command.

Hope this clears it all up, but ask away, we like answering questions.
0
 
nabeel92 (Author) commented:
So if I use
nat (inside) 1 0 0
global (outside) 1 interface
and an ACL that permits everything ....

Considering the above 3 commands, I should be OK to send traffic from inside to outside (and receive the return traffic), but any traffic originating from outside to inside shouldn't be able to come in? Is this correct? Unless I need somewhere on the internet to be able to talk to my LAN hosts, only then would I use static ...? That's the way I understand it ... Am I correct?
0
 
bignewf commented:
Yes

nat (inside) 1 0 0
global (outside) 1 interface

These allow inside hosts to access the outside.
By default, the PIX (and ASA) allow everything from inside out, unless there is an explicit deny statement.

The above two commands constitute PAT (port address translation), meaning many inside hosts are translated to one global (public) address.
Without the static (inside,outside) translation (or port forwarding) of a server, it cannot be seen from outside your firewall by internet hosts.
Inbound access-lists can offer granular control over what ports, services and protocols to allow in. So the ACLs and the static NAT statements allow traffic flow from the less secure (outside) interface to the more secure internal hosts.

The purpose of a DMZ is to isolate servers from the most secure (security level 100) inside LAN. The theory is that if they are attacked, the damage is minimized and contained, rather than the servers being behind the firewall in the same subnet as the other LAN hosts. Via access lists on the DMZ, you can limit traffic or totally block traffic to the internal LAN(s).

0
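The rules bignewf describes in this answer and in the earlier DMZ answer (a static exposes a host on the lower-security side, an ACL on the ingress interface then decides what gets in, while outbound traffic only needs a nat/global pair and is permitted by default) can be checked against a config before touching the box. The following is an added example written for this thread, not Cisco code and not a PIX feature: a small Python model that parses the handful of PIX commands used here and answers "would this new connection be allowed?" for a given pair of interfaces. The security levels (inside 100, dmz 50, outside 0), the 172.16.0.0/16 inside network, the two per-host ACL entries and the 198.51.100.9 internet host are assumptions; the DMZ block 203.38.170.224/28 is the one from the thread.

```python
"""Toy model of PIX forwarding decisions for the commands used in this thread.
Models only security levels, nat/global (PAT), static (port or address),
access-list and access-group.  Added example; not Cisco code."""
import ipaddress

# Assumed security levels (inside 100 and outside 0 are PIX defaults; dmz is a choice).
SECURITY = {"inside": 100, "dmz": 50, "outside": 0}
PORTS = {"smtp": 25, "http": 80, "www": 80}

# Constructed configuration around the thread's DMZ block; the 172.16.0.0/16
# inside network and the per-host ACL entries are assumptions.
CONFIG = """
static (dmz,outside) 203.38.170.224 203.38.170.224 netmask 255.255.255.240
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
access-list outside_in permit tcp any host 203.38.170.226 eq smtp
access-list outside_in permit tcp any host 203.38.170.227 eq www
access-group outside_in in interface outside
"""

def _port(tok):
    return int(tok) if tok.isdigit() else PORTS[tok]

def _net(t, i):
    """Parse 'any', 'host X' or 'X MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse(text):
    cfg = {"static": [], "nat": {}, "global": {}, "acl": {}, "group": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static":
            high, low = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):  # static (h,l) proto GIP GPORT LIP LPORT netmask M
                proto, gip, gport, lip, lport, mask = t[2], t[3], _port(t[4]), t[5], _port(t[6]), t[8]
            else:                       # static (h,l) GIP LIP netmask M
                proto, gip, gport, lip, lport, mask = "ip", t[2], None, t[3], None, t[5]
            cfg["static"].append({
                "high": high, "low": low, "proto": proto, "gport": gport, "lport": lport,
                "gnet": ipaddress.ip_network(f"{gip}/{mask}", strict=False),
                "lnet": ipaddress.ip_network(f"{lip}/{mask}", strict=False)})
        elif t[0] == "nat":             # nat (IFACE) ID ...
            cfg["nat"][t[1].strip("()")] = t[2]
        elif t[0] == "global":          # global (IFACE) ID interface
            cfg["global"][t[1].strip("()")] = t[2]
        elif t[0] == "access-list":     # access-list NAME permit|deny PROTO SRC DST [eq PORT]
            src, i = _net(t, 4)
            dst, i = _net(t, i)
            port = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            cfg["acl"].setdefault(t[1], []).append(
                {"action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port})
        elif t[0] == "access-group":    # access-group NAME in interface IFACE
            cfg["group"][t[4]] = t[1]
    return cfg

def _static_for(cfg, high, low, addr, side, proto=None, port=None):
    """Static between high/low whose global ('gnet') or local ('lnet') net covers addr."""
    ip = ipaddress.ip_address(addr)
    for s in cfg["static"]:
        if (s["high"], s["low"]) != (high, low) or ip not in s[side]:
            continue
        if s["gport"] is None or (s["proto"] == proto and s["gport"] == port):
            return s
    return None

def decide(cfg, src_if, dst_if, src_ip, dst_ip, proto="tcp", dport=None):
    """Return (allowed, reason) for a new connection arriving on src_if."""
    inbound = SECURITY[src_if] < SECURITY[dst_if]
    if inbound:
        # Low -> high: the destination must be exposed by a static on the low side.
        if _static_for(cfg, dst_if, src_if, dst_ip, "gnet", proto, dport) is None:
            return False, f"no static ({dst_if},{src_if}) exposes {dst_ip}"
    else:
        # High -> low: a static covering the source, or a matching nat/global pair.
        has_static = _static_for(cfg, src_if, dst_if, src_ip, "lnet") is not None
        pat = src_if in cfg["nat"] and cfg["nat"][src_if] == cfg["global"].get(dst_if)
        if not (has_static or pat):
            return False, f"no nat/global pair or static for {src_if}->{dst_if}"
    name = cfg["group"].get(src_if)
    if name is None:  # no ACL bound: PIX permits high->low, denies low->high
        return (not inbound), f"no ACL on {src_if}; default applies"
    s_ip, d_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in cfg["acl"].get(name, []):
        if e["proto"] not in ("ip", proto) or s_ip not in e["src"] or d_ip not in e["dst"]:
            continue
        if e["port"] is not None and e["port"] != dport:
            continue
        return e["action"] == "permit", f"matched '{e['action']}' in {name}"
    return False, f"implicit deny at end of {name}"
```

Running `decide(parse(CONFIG), "outside", "dmz", "198.51.100.9", "203.38.170.226", "tcp", 25)` returns allowed, because the identity static exposes the mail server and `outside_in` permits SMTP to it; the same host on port 80 falls through to the implicit deny. A flow from outside to 172.16.0.5 is refused before any ACL is consulted, since no `static (inside,outside)` exists, which is the point made above about servers not being visible without a static. Inside to outside succeeds on the nat/global pair alone, and dmz to inside is denied even though `static (inside,dmz)` covers the LAN, because nothing is bound inbound on the dmz interface and low-to-high traffic is denied by default. Real PIX behaviour has more rules (conduits, nat 0, inspection, established connections); this model only covers the commands in this thread.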
 
nabeel92 (Author) commented:
Yeah, now I get it ...
Well, thanks a lot for your help ... You've answered all my questions now, thanks :)
0
 
bignewf commented:
Anytime, keep on asking, it's a learning process for all of us.
0
 
nabeel92 (Author) commented:
Would really appreciate it if you could also share your thoughts on the following topic; thanks once again!

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24111049.html
0
