DHTS asked:

Cannot access Internet via the DMZ on a Cisco Pix 506E

We have managed to create a DMZ on a Cisco Pix 506E (with help from Experts Exchange!), however we cannot seem to access the Internet through the DMZ network where our web servers are hosted. The web servers are using external DNS addresses in their LAN connection properties. Also, the DMZ and LAN can access each other, and the LAN can access the web no problem. Our current Cisco config is as follows:

Thanks

Dan

dhts-pix1-uk1(config)# show config
: Saved
: Written by enable_15 at 21:07:50.869 UTC Mon May 25 2009
PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname dhts-pix1-uk1
domain-name dhts.co.uk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host 83.x.x.x eq www
access-list 101 permit tcp any host 83.x.x.x eq https
access-list 101 permit tcp any host 83.x.x.x eq 3389
access-list 101 permit tcp any host 83.x.x.x eq pptp
access-list 101 permit tcp any host 83.x.x.x eq 3085
access-list 101 permit tcp any host 83.x.x.x eq www
access-list 101 permit tcp any host 83.x.x.x eq https
access-list 101 permit tcp any host 83.x.x.x eq smtp
access-list 101 permit tcp any host 83.x.x.x eq www
access-list 101 permit tcp any host 83.x.x.x eq https
access-list 101 permit tcp any host 83.x.x.x eq https
access-list 101 permit tcp any host 83.x.x.x eq www
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any echo-reply
access-list 901 permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list 901 permit tcp host 10.20.10.0 host 10.10.0.0 eq www
access-list 901 permit tcp host 10.20.10.0 host 10.10.0.0 eq https
access-list 901 permit tcp host 10.20.10.0 host 10.10.0.0 eq 3085
access-list 901 permit tcp host 10.20.10.0 host 10.10.0.0 eq 9001
access-list 901 permit tcp host 10.20.10.0 host 10.10.0.0 eq 9002
access-list 901 permit tcp host 10.20.10.0 host 10.10.0.0 eq 9003
access-list 901 permit tcp host 10.20.10.0 host 10.10.0.0 eq domain
access-list 801 permit tcp any host 83.x.x.x eq www
access-list 801 permit tcp any host 83.x.x.x eq https
access-list 801 permit tcp any host 83.x.x.x eq 3389
access-list 801 permit tcp any host 83.x.x.x eq 9001
access-list 801 permit tcp any host 83.x.x.x eq 9002
access-list 801 permit tcp any host 83.x.x.x eq 9003
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 83.x.x.x 255.255.255.240
ip address inside 10.10.0.1 255.255.0.0
ip address dmz 10.20.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 10.10.0.0 255.255.0.0 0 0
nat (dmz) 1 10.20.0.0 255.255.0.0 0 0
static (inside,outside) 83.x.x.x 10.10.10.1 netmask 255.255.255.255 0 0
static (inside,outside) 83.x.x.x 10.10.20.2 netmask 255.255.255.255 0 0
static (inside,outside) 83.x.x.x 10.10.30.1 netmask 255.255.255.255 0 0
static (inside,outside) 83.x.x.x 10.10.40.1 netmask 255.255.255.255 0 0
static (inside,outside) 83.x.x.x 10.10.50.2 netmask 255.255.255.255 0 0
static (inside,dmz) 10.10.0.0 10.10.0.0 netmask 255.255.0.0 0 0
static (dmz,outside) 83.x.x.x 10.20.10.13 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 901 in interface dmz
route outside 0.0.0.0 0.0.0.0 83.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:e6e27672aeadc71cd680053c916c0843
dhts-pix1-uk1(config)#

Markus Braun:

Hi,

If access-list 901 is the access-list responsible for controlling traffic from the DMZ, I don't see any entry where it allows traffic to go anywhere but your LAN.

It's missing e.g. permit tcp host 10.20.10.0 any eq 80 to let that server access www.

Right now you only allow traffic to go to the LAN, because the last line of any access-list is a deny ip any any (even though it's not visible).
So you have to add lines to allow the traffic you need.
Be aware: if you allow the server xxxxx to go to any internet port 80 but you don't want it to go anywhere else, you need deny statements as well. This can get confusing, and misconfiguration can happen easily if you are not used to it.

Here is an example:

Server 10.200.10.0 is supposed to connect via ports 80 and 443 to the internet and to a specific host in the LAN, but nothing else. This would mean:


access-list 901 permit tcp host 10.20.10.0 host 10.10.0.0 eq www
access-list 901 permit tcp host 10.20.10.0 host 10.10.0.0 eq https
access-list 901 deny ip host 10.20.10.0 10.10.0.0 255.255.0.0 (blocking LAN access)
Now you can add:
access-list 901 permit tcp host 10.20.10.0 any eq 80

Since the access-list works first come, first served, you have to be careful where you place your denies.

It means the first line that matches will be executed and the rest forgotten.

But what is the host 10.10.0.0 doing in your access-list with the mask 255.255.0.0?
That would mean it can only access the network address?
If you want the server to access your complete LAN it's like this (host means a mask of 255.255.255.255):

access-list 901 permit tcp host 10.20.10.0 10.10.0.0 255.255.0.0 eq www
access-list 901 permit tcp host 10.20.10.0 10.10.0.0 255.255.0.0 eq https
access-list 901 deny ip host 10.20.10.0 10.10.0.0 255.255.0.0 (blocking LAN access)
Now you can add:
access-list 901 permit tcp host 10.20.10.0 any eq 80

So if the server tries to access anything in your LAN on ports other than 80 and 443, the 3rd access-list line would block that,
but if it goes anywhere else, the 4th will allow it.

Did I explain it correctly? I know it can be hard to grasp at first, as it's a little confusing.

BTW, it would be better to use named access-lists instead of just numbers.

Example:

access-list LANOUT (for outgoing LAN)
access-list INCOMING (for incoming WAN)
access-list DMZ (for your DMZ stuff)

It makes it easier to look at the access-lists and not mix things up accidentally.

Also, you don't need

access-list 901 permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0

as the LAN with security level 100 is always allowed to go to lower security levels, such as your DMZ with 50.

But you are also missing a LAN access-list, meaning you are completely open from the LAN outgoing, and so will be any virus and trojan.

You might want to consider that.
DHTS (asker):

Hi Shirkan

Thanks for your response, much appreciated. I need to try and get my head around your examples.

The LAN is allowed out to the web by default, but you're saying I need to add outgoing access-lists for the DMZ; is this because of the security level assigned to the DMZ VLAN?

I would like my web servers in the DMZ to have web access (www and https) and to respond to www, https, dns and 9001. I would also like them to have access to the private LAN via ports www, https, dns, 3085 (both ways), 9001, 9002 and 9003 both ways. Are you saying that the DMZ connects to the web via the private LAN?

access-list 101 is the LAN access-list; does this not by default block all incoming traffic that's not specified in access-list 101?

I'm going to re-write the access-lists based on your examples and also use names instead of numbers. I will post the updated list.

Many thanks

Dan

Markus Braun:

Hi,

The access-list 101 controls your incoming connections from the WAN, and that's because of the access-group 101 in interface outside.

I would change it to something like access-list INCOMING so it's more visible what it does.

access-list 901 controls your DMZ traffic, which right now only permits traffic to the LAN.

access-list 801 does not do anything.

I am a little confused about your host entries.

Your DMZ network is 10.20.0.0/16, yet you allow only the server with the IP 10.20.10.0 to access your LAN.
Is that correct?
If you want your DMZ to access your LAN, then there should not be HOST in the access-list, as it defines one single host only.

Let's say you want the whole DMZ to access everything on your LAN on specific ports; it will look like this:

access-list 901 permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq www
access-list 901 permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq https
access-list 901 permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq 3085
access-list 901 permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq 9001
access-list 901 permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq 9002
access-list 901 permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq 9003
access-list 901 permit udp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq domain
(DNS queries are UDP by the way)

Now you want to block all other access to the LAN:
access-list 901 deny ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0

Now you allow access to any, which is of course the internet:
access-list 901 permit tcp 10.20.0.0 255.255.0.0 any eq www
access-list 901 permit tcp 10.20.0.0 255.255.0.0 any eq https

The access-list does only what is defined, meaning what matches, so at the end there is basically a hidden deny ip any any.

The incoming traffic is defined by your access-list 101 and the static commands.

Since you don't have a LAN access-list, the inside interface (level 100) has default permission to go to the DMZ (level 50), until you make another access-list to manage the traffic from the LAN.

Access-lists only become active AFTER you assign them to an interface with the access-group command.

DHTS (asker):

Hi

Wow, thanks, it all works now... genius!

Do you think I need a deny access-list in 101? Why by default does access-list 101 allow traffic out but 901 (dmz) doesn't (sorry if I sound thick!)?

Also, I'm not sure I understand what a LAN access-list is; is this not 101?

I'll award the points to you.

Thanks

Dan

Markus Braun:

No no no, access-list 101 does not allow traffic out by default.

Look at the access-group commands in your config.

These assign the access-list to whichever interface you want.

There is no default access-list.

The access-list 101 you assigned to interface outside:
access-group 101 in interface outside

thus making it the access-list that controls the incoming traffic from the internet, or better, your outside interface.

Basically:

On your outside interface you manage what comes into your network.
On the other interfaces you manage what leaves your network.
(That's in your case; in different circumstances that may not apply.)

The command access-group 101 in interface outside:

That "in" means traffic going into the interface,

which, if it's the outside interface, means traffic comes from the internet and goes into the outside interface.

From the LAN point of view, traffic comes from the LAN and goes into the interface.

One has to understand traffic flow first and how it is processed, which can be confusing.

BTW, reply traffic is always allowed in your case; that's why you have a stateful firewall. It knows that if you allow the traffic outgoing, then there must be an answer that has to come back in.

So all you need to be concerned about is who starts the traffic. For example, if your server in the DMZ wants to connect to the LAN, you have to allow it on the DMZ interface to get out, but you don't have to do anything for the return traffic to get back in.

I am glad everything works for you now.
Oh, the LAN access-list is just the one you designate to your inside interface. 101 is just the name of the access-list; you can name it pretty much whatever you want.
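The rules Markus lays out across his three replies (first match wins with a hidden deny ip any any at the end; host means a /32, so host 10.10.0.0 matches only the network address; an access-list does nothing until access-group binds it to an interface, and an interface without one falls back to security levels; reply traffic of a permitted flow is let back in by the stateful connection table) can be checked with a small simulator. The following Python is an added example written for this page, not code from the thread or from Cisco. It models only those rules and ignores NAT; the Pix class, the scenario labels, the INTERFACES/ORIGINAL/CORRECTED strings, and the addresses 192.0.2.10 (stand-in for the redacted 83.x.x.x public address) and 198.51.100.5 (an internet host) are all constructed for the example.

```python
"""Toy model of the PIX 6.x access-list behaviour described in the thread: first
match wins, hidden deny at the end, an ACL counts only once bound with access-group,
no ACL means security levels decide, and replies to permitted flows pass statefully."""
import ipaddress

PORT_NAMES = {"www": 80, "https": 443, "domain": 53}  # 'eq' keywords used on the page

def _addr(toks, i):
    # Parse 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M' starting at toks[i].
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(toks[i] + "/" + toks[i + 1]), i + 2

def _matches(rule, proto, src, dst, dport):
    # rule = (action, proto, src_net, dst_net, dport-or-None); 'ip' matches any protocol.
    _, rproto, rsrc, rdst, rport = rule
    if rproto not in ("ip", proto) or (rport is not None and rport != dport):
        return False
    return ipaddress.ip_address(src) in rsrc and ipaddress.ip_address(dst) in rdst

class Pix:
    def __init__(self):
        self.security = {}  # interface -> security level (nameif)
        self.acls = {}      # acl name -> ordered list of rules
        self.bound = {}     # interface -> acl name (access-group ... in)
        self.conns = set()  # (proto, src, sport, dst, dport) of permitted flows

    def load(self, config):
        for t in filter(None, (line.split() for line in config.splitlines())):
            if t[0] == "nameif":             # nameif vlan2 dmz security50
                self.security[t[2]] = int(t[3][len("security"):])
            elif t[0] == "access-list":      # access-list DMZ permit tcp <src> <dst> [eq port]
                src, i = _addr(t, 4)
                dst, i = _addr(t, i)
                dport = (PORT_NAMES.get(t[i + 1]) or int(t[i + 1])) if i < len(t) and t[i] == "eq" else None
                self.acls.setdefault(t[1], []).append((t[2], t[3], src, dst, dport))
            elif t[0] == "access-group":     # access-group DMZ in interface dmz
                self.bound[t[4]] = t[1]

    def check(self, in_if, out_if, proto, src, sport, dst, dport):
        # Verdict for a packet arriving on in_if: ('permit'|'deny', reason).
        if (proto, dst, dport, src, sport) in self.conns:
            return "permit", "established connection"  # reply of a permitted flow
        acl = self.bound.get(in_if)
        if acl is None:                      # no ACL bound: security levels decide
            higher = self.security[in_if] > self.security[out_if]
            verdict = "permit" if higher else "deny"
            why = "no ACL, " + ("higher to lower" if higher else "lower to higher") + " security"
        else:
            verdict, why = "deny", "implicit deny at end of " + acl
            for n, rule in enumerate(self.acls[acl], 1):
                if _matches(rule, proto, src, dst, dport):
                    verdict, why = rule[0], "%s line %d" % (acl, n)
                    break
        if verdict == "permit":
            self.conns.add((proto, src, sport, dst, dport))
        return verdict, why

INTERFACES = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
"""
# DMZ lines of the page's original config: line 1 never matches on the dmz interface,
# 'host 10.10.0.0' only matches the network address, and nothing permits internet access.
ORIGINAL = """
access-list 901 permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list 901 permit tcp host 10.20.10.0 host 10.10.0.0 eq www
access-group 901 in interface dmz
"""
# The replies' corrected, named ACLs (192.0.2.10 stands in for the redacted 83.x.x.x).
CORRECTED = """
access-list INCOMING permit tcp any host 192.0.2.10 eq www
access-list DMZ permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq www
access-list DMZ permit udp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq domain
access-list DMZ deny ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list DMZ permit tcp 10.20.0.0 255.255.0.0 any eq www
access-group INCOMING in interface outside
access-group DMZ in interface dmz
"""

def run_scenarios():
    """Replay the flows discussed in the thread; returns {label: (verdict, reason)}."""
    old, new = Pix(), Pix()
    old.load(INTERFACES + ORIGINAL)
    new.load(INTERFACES + CORRECTED)
    web, lan, inet = "10.20.10.13", "10.10.10.1", "198.51.100.5"  # inet is constructed
    return {
        "old dmz->lan:80": old.check("dmz", "inside", "tcp", web, 40001, lan, 80),
        "old dmz->inet:80": old.check("dmz", "outside", "tcp", web, 40002, inet, 80),
        "new dmz->lan:80": new.check("dmz", "inside", "tcp", web, 40003, lan, 80),
        "new dmz->lan:22": new.check("dmz", "inside", "tcp", web, 40004, lan, 22),
        "new dmz->inet:80": new.check("dmz", "outside", "tcp", web, 40005, inet, 80),
        "new inet->dmz reply": new.check("outside", "dmz", "tcp", inet, 80, web, 40005),
        "new lan->dmz:22": new.check("inside", "dmz", "tcp", lan, 40007, web, 22),
    }
```

Calling run_scenarios() reproduces the thread's diagnosis: under the original list the web server's outbound HTTP, and even its HTTP to a LAN host, fall through to the implicit deny, because the host entries cover only 10.20.10.0 and 10.10.0.0 and no line mentions the internet. Under the corrected list HTTP to the LAN is permitted on line 1, port 22 to the LAN is stopped by the explicit deny on line 3 before the permit-any line, HTTP to the internet is permitted on line 4, the reply from the internet is admitted on the outside interface purely through connection state (no line of INCOMING matches it), and the LAN host reaches the DMZ with no inside ACL at all because security 100 is higher than 50.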

ASKER CERTIFIED SOLUTION
Markus Braun

DHTS (asker):

Great thanks for your help.

Learning more all the time!

Dan
DHTS (asker):

Thanks
Dan