Solved

DMZ Configuration in PIX 6.3

Posted on 2009-02-22
Medium Priority
607 Views
Last Modified: 2012-08-14
I have got to work on an already configured PIX and am having some issues.

I am not able to ping any host in DMZ from Inside network.

I want to make sure that DMZ can access only mail server inside on port 25.

I want to make sure that INSIDE network is able to access all systems in DMZ without any restriction.

Attaching the PIX configuration here.

sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 LANFAIL security55
enable password Qa6o9KnThJtJOIFC encrypted
passwd xxxxxxxxx encrypted
hostname adxbf01
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list NONAT permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list outside permit tcp any host 196.101.222.197 eq pptp
access-list outside permit gre any host 196.101.222.197
access-list outside permit icmp any any
access-list outside permit tcp any host 196.101.222.202 eq https
access-list outside permit tcp any host 196.101.222.201 eq https
access-list outside permit tcp 10.209.0.0 255.255.0.0 host 196.101.222.197 eq 2000
access-list outside permit udp 10.209.0.0 255.255.0.0 host 196.101.222.197 eq 2000
access-list outside permit tcp any host 196.101.222.196 eq https
access-list outside permit tcp any host 196.101.222.196 eq ssh
access-list outside permit udp any host 196.101.222.196 eq 22
access-list outside permit tcp any host 196.101.222.196 eq 8443
access-list outside permit tcp any host 196.101.222.203 eq smtp
access-list dmz permit udp 10.209.9.0 255.255.255.0 host 10.209.10.250
access-list dmz permit udp 10.209.9.0 255.255.255.0 host 10.209.10.246
access-list dmz permit icmp any any
access-list dmz permit ip any any
access-list dmz permit tcp 10.209.9.0 255.255.255.0 host 10.209.10.167
access-list 180 permit ip 10.209.0.0 255.255.0.0 10.203.10.0 255.255.255.0
access-list 180 permit ip 10.1.0.0 255.255.0.0 10.203.10.0 255.255.255.0
access-list 180 permit ip 10.44.0.0 255.255.0.0 10.203.10.0 255.255.255.0
access-list 190 permit ip 10.209.0.0 255.255.0.0 10.94.10.0 255.255.255.0
access-list 190 permit ip 10.1.0.0 255.255.0.0 10.94.10.0 255.255.255.0
access-list 190 permit ip 10.44.0.0 255.255.0.0 10.94.10.0 255.255.255.0
access-list 104 permit ip 10.209.0.0 255.255.0.0 10.204.2.0 255.255.255.0
access-list 104 permit ip 10.44.0.0 255.255.0.0 10.204.2.0 255.255.255.0
access-list 104 permit ip 10.1.0.0 255.255.0.0 10.204.2.0 255.255.255.0
pager lines 22
logging on
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu intf3 1500
mtu intf4 1500
mtu LANFAIL 1500
ip address outside 196.101.222.253 255.255.255.192
ip address inside 10.209.10.13 255.255.255.0
ip address DMZ 10.209.9.1 255.255.255.0
no ip address intf3
no ip address intf4
ip address LANFAIL 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 196.101.222.252
failover ip address inside 10.209.10.14
failover ip address DMZ 10.209.9.3
no failover ip address intf3
no failover ip address intf4
failover ip address LANFAIL 192.168.100.2
failover link LANFAIL
pdm location 10.209.25.1 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 196.101.222.196
nat (inside) 0 access-list NONAT
nat (inside) 1 10.209.0.0 255.255.0.0 0 0
static (inside,outside) 196.101.222.202 10.209.10.50 netmask 255.255.255.255 0 0
static (inside,outside) 196.101.222.201 10.209.10.209 netmask 255.255.255.255 0 0
static (inside,outside) 196.101.222.197 10.209.10.44 netmask 255.255.255.255 0 0
static (inside,outside) 196.101.222.196 10.209.10.58 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.209.10.250 10.209.10.250 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.209.10.246 10.209.10.246 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.209.10.167 10.209.10.167 netmask 255.255.255.255 0 0
static (DMZ,outside) 196.101.222.203 10.209.9.115 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 196.101.222.193 1
route inside 10.1.0.0 255.255.0.0 10.209.10.5 1
route inside 10.31.0.0 255.255.0.0 10.209.10.5 1
route inside 10.44.0.0 255.255.0.0 10.209.10.5 1
route inside 10.209.5.0 255.255.255.0 10.209.10.1 1
route inside 10.209.8.0 255.255.255.0 10.209.10.1 1
route DMZ 10.209.11.0 255.255.255.0 10.209.9.230 1
route inside 10.209.16.0 255.255.255.0 10.209.16.1 1
route inside 10.209.17.0 255.255.255.0 10.209.17.1 1
route inside 10.209.25.0 255.255.255.0 10.209.10.1 1
route inside 10.209.35.0 255.255.255.0 10.209.35.1 1
route inside 10.209.36.0 255.255.255.0 10.209.36.1 1
route inside 10.209.41.0 255.255.255.0 10.209.10.3 1
route inside 10.209.98.0 255.255.255.0 10.209.10.4 1
route inside 10.209.99.0 255.255.255.0 10.209.10.4 1
route inside 10.209.100.0 255.255.255.0 10.209.10.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server SSL-AUTH protocol radius
aaa-server SSL-AUTH (inside) host 10.209.8.10 timeout 10
http server enable
http 10.209.25.1 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 10.1.1.47
snmp-server host inside 10.209.8.250
snmp-server location Aggreko - Dubai
no snmp-server contact
snmp-server community aggpub
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 80 ipsec-isakmp
crypto map mymap 80 match address 180
crypto map mymap 80 set peer 168.187.199.250
crypto map mymap 80 set transform-set myset
crypto map mymap 90 ipsec-isakmp
crypto map mymap 90 match address 190
crypto map mymap 90 set peer 220.247.197.106
crypto map mymap 90 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 10.209.25.0 255.255.255.0 inside
telnet 10.209.10.0 255.255.255.0 inside
telnet 196.101.222.193 255.255.255.255 DMZ
telnet timeout 60
ssh timeout 5
console timeout 0
username muzammil password cIsDsy8ZNgAEwVhM encrypted privilege 15
terminal width 80
Cryptochecksum:889cee5ab83513119acfa65541b9e2d7
: end

 adxbf01#
0
Question by:manishchoudhary
6 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 23706095
Simply add this:
global (DMZ) 1 interface

That should allow all inside users to connect to servers in the DMZ.
Verify that this works; then we can work on locking down access between the DMZ and the internal servers that you currently have mapped with statics and a permit ip any any ACL, which does not restrict ports to just SMTP.
0
 

Accepted Solution

by:
manishchoudhary earned 0 total points
ID: 23709073
I added the following command and am still not able to ping servers in the DMZ from the inside network.

global (DMZ) 1 interface

Please let me know.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 23710626
>access-list NONAT permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
This may be overriding
Try this:
access-list NONAT deny ip 10.209.10.0 255.255.255.0 10.209.9.0 255.255.255.0
access-list NONAT permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
0
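The two things discussed so far, the dmz access-list with its permit ip any any (which lrmoore notes does not restrict the DMZ to SMTP) and the NONAT ordering change proposed above, can be modelled offline. The following is an added example written for this page, not code from the thread and not something that runs on the PIX itself: a small Python first-match evaluator for PIX 6.3 extended access-list lines with the implicit deny, a shadow check that flags the permit tcp line to 10.209.10.167 as unreachable behind permit ip any any, a probe of the posted dmz list against the poster's stated goal (DMZ reaches inside only on tcp/25 to the mail server), a constructed hardened dmz list, and the nat 0 exemption lookup with the posted and the proposed NONAT. Assumptions not stated in the thread: 10.209.10.167 is the inside mail server, all internal networks sit in 10.0.0.0/8 (as the NONAT line implies), echo replies for inside-initiated pings are permitted explicitly because stateful ICMP inspection is not assumed, and DMZ-to-internet traffic is left open. The PIX semantics modelled are that access-lists are evaluated top-down with first match and an implicit deny, and that the nat 0 access-list is consulted before the nat/global pair.

```python
"""Offline model of PIX 6.3 access-list and NAT-exemption evaluation (added example, not from the thread)."""
import ipaddress

PORT_NAMES = {"smtp": 25, "https": 443, "ssh": 22, "pptp": 1723}

# NONAT and dmz lines copied from the posted configuration.
POSTED_ACLS = """
access-list NONAT permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list dmz permit udp 10.209.9.0 255.255.255.0 host 10.209.10.250
access-list dmz permit udp 10.209.9.0 255.255.255.0 host 10.209.10.246
access-list dmz permit icmp any any
access-list dmz permit ip any any
access-list dmz permit tcp 10.209.9.0 255.255.255.0 host 10.209.10.167
"""
# NONAT as proposed in the thread: the deny is evaluated first, so inside->DMZ is no longer exempt.
PROPOSED_NONAT = """
access-list NONAT deny ip 10.209.10.0 255.255.255.0 10.209.9.0 255.255.255.0
access-list NONAT permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
"""
# Constructed dmz list for the stated goal. ASSUMPTIONS: 10.209.10.167 is the inside mail server,
# all internal networks sit in 10.0.0.0/8, echo replies for inside-initiated pings are permitted
# explicitly (no stateful ICMP inspection assumed), and DMZ-to-internet traffic stays open.
HARDENED_DMZ = """
access-list dmz permit tcp 10.209.9.0 255.255.255.0 host 10.209.10.167 eq smtp
access-list dmz permit icmp 10.209.9.0 255.255.255.0 10.0.0.0 255.0.0.0 echo-reply
access-list dmz deny ip any 10.0.0.0 255.0.0.0
access-list dmz permit ip 10.209.9.0 255.255.255.0 any
"""


def _addr(t, i):
    """Consume one address spec at t[i]: 'any', 'host A', or 'A MASK' (a subnet mask, not a wildcard)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acls(text):
    """Return {acl_name: [entries in configured order]} for extended access-list lines."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        e = {"text": line, "action": t[2], "proto": t[3], "src": src, "dst": dst,
             "port": None, "icmp_type": None}
        if i < len(t) and t[i] == "eq":
            e["port"] = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        elif i < len(t) and t[3] == "icmp":
            e["icmp_type"] = t[i]  # e.g. echo-reply
        acls.setdefault(t[1], []).append(e)
    return acls


def evaluate(entries, src, dst, proto, port=None, icmp_type=None):
    """First match wins; no match falls to the implicit deny at the end of every PIX ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] not in ("ip", proto) or s not in e["src"] or d not in e["dst"]:
            continue
        if e["port"] is not None and e["port"] != port:
            continue
        if e["icmp_type"] is not None and e["icmp_type"] != icmp_type:
            continue
        return e["action"], e["text"]
    return "deny", "<implicit deny>"


def shadowed_entries(entries):
    """Entries that can never match because an earlier entry covers every flow they describe."""
    out = []
    for n, e in enumerate(entries):
        for earlier in entries[:n]:
            if (earlier["proto"] in ("ip", e["proto"])
                    and e["src"].subnet_of(earlier["src"]) and e["dst"].subnet_of(earlier["dst"])
                    and earlier["port"] in (None, e["port"])
                    and earlier["icmp_type"] in (None, e["icmp_type"])):
                out.append(e["text"])
                break
    return out


def dmz_policy_gaps(entries, mail_server="10.209.10.167"):
    """Goal probe: returns (probes wrongly permitted, required probes that are not permitted)."""
    relay = "10.209.9.115"  # the DMZ host behind static (DMZ,outside) 196.101.222.203
    probes = {
        "mail server tcp/25": (relay, mail_server, "tcp", 25),
        "mail server tcp/22": (relay, mail_server, "tcp", 22),
        "web server tcp/443": (relay, "10.209.10.50", "tcp", 443),
        "inside host tcp/445": (relay, "10.209.10.99", "tcp", 445),  # constructed inside address
    }
    wanted = {"mail server tcp/25"}
    verdict = {name: evaluate(entries, *flow)[0] for name, flow in probes.items()}
    unwanted = sorted(n for n, a in verdict.items() if a == "permit" and n not in wanted)
    missing = sorted(n for n in wanted if verdict[n] != "permit")
    return unwanted, missing


def nat_exempt(nonat_entries, src, dst):
    """nat 0 access-list lookup, done before nat/global: permit = exempt from translation; deny or no
    match = fall through to nat (inside) 1, which then needs a global on the egress interface."""
    return evaluate(nonat_entries, src, dst, "ip")[0] == "permit"


if __name__ == "__main__":
    acls = parse_acls(POSTED_ACLS)
    print(shadowed_entries(acls["dmz"]), dmz_policy_gaps(acls["dmz"]))
    print(nat_exempt(acls["NONAT"], "10.209.10.20", "10.209.9.115"),
          nat_exempt(parse_acls(PROPOSED_NONAT)["NONAT"], "10.209.10.20", "10.209.9.115"))
```

Run as a script, it reports the dead permit tcp line, the three probe flows the posted dmz list lets through, and that a constructed inside host (10.209.10.20) to the DMZ relay is NAT-exempt under the posted NONAT but not under the proposed one. The proposed deny only changes which NAT path that flow takes; it then depends on the global (DMZ) 1 interface line from the first comment. The thread never confirms whether this restored the ping, so the model shows the mechanism, not the outcome.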
 

Author Comment

by:manishchoudhary
ID: 23722498
What is the meaning of this access list?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 25337996
What was your solution?
0
 

Author Comment

by:manishchoudhary
ID: 25344471
I don't remember at all what we did.

Regards,
Manish
0
