jplagens asked:

Setup DMZ access on Pix 515

I'm trying to set up a DMZ on a Pix 515.  Currently the LAN subnet is 192.168.250.x and the DMZ subnet is 172.16.250.x.  There will only be one server in the DMZ and I've assigned it 172.16.250.25.

Any help is appreciated.  Thanks.




PIX Version 7.1(2)
!
hostname PIX515e
domain-name .com
enable password encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address x.xx.xxx.210 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.250.2 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 172.16.250.1 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name .com
object-group service 3COMTCP tcp
 port-object range 1040 1044
 port-object eq www
 port-object range sip 5065
object-group service 3COMUDP udp
 port-object range 2093 2096
 port-object range sip 5065
access-list acl_out extended permit icmp any any echo
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit tcp any host x.xx.xxx.215 object-group 3COMTCP
access-list acl_out extended permit udp any host x.xx.xxx.215 object-group 3COMUDP
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq pop3
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq www
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq https
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 6001
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 6002
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 6004
access-list acl_out extended permit tcp 64.18.0.0 255.255.240.0 host x.xx.xxx.212 eq smtp
access-list acl_out extended permit tcp any host x.xx.xxx.210 eq 3389
access-list acl_out extended permit tcp any eq pptp host x.xx.xxx.212 eq pptp
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 3101
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 8019
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 56719
access-list acl_out extended permit tcp any host x.xx.xxx.212 range 55333 55337
access-list acl_out extended permit tcp any host x.xx.xxx.214 eq ftp
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list nonat extended permit ip 172.16.250.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list 101 extended permit ip 192.168.250.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.250.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.250.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 102 extended permit ip 192.168.250.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list dmz extended permit ip 192.168.250.0 255.255.255.0 172.16.250.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool vpnpool 192.168.251.51-192.168.251.100
no failover
asdm image flash:/asdm-512.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 3 x.xx.xxx.215
global (outside) 2 x.xx.xxx.212
global (outside) 4 x.xx.xxx.214
nat (inside) 0 access-list nonat
nat (inside) 2 192.168.250.11 255.255.255.255
nat (inside) 3 192.168.250.49 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 4 172.16.250.25 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 pop3 192.168.250.11 pop3 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 www 192.168.250.11 www netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 https 192.168.250.11 https netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 6001 192.168.250.11 6001 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 6002 192.168.250.11 6002 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 6004 192.168.250.11 6004 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 3389 192.168.250.10 3389 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 smtp 192.168.250.11 smtp netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 pptp 192.168.250.10 pptp netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 3101 192.168.250.10 3101 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 8019 192.168.250.10 8019 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 56719 192.168.250.10 56719 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55333 192.168.250.10 55333 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55334 192.168.250.10 55334 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55335 192.168.250.10 55335 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55336 192.168.250.10 55336 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55337 192.168.250.10 55337 netmask 255.255.255.255
static (inside,outside) x.xx.xxx.215 192.168.250.49 netmask 255.255.255.255
static (dmz,outside) x.xx.xxx.214 172.16.250.25 netmask 255.255.255.255
access-group acl_out in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 x.xx.xxx.209 1
route inside 192.168.0.0 255.255.255.0 192.168.250.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy LLC internal
group-policy LLC attributes
 wins-server value 192.168.250.10
 dns-server value 192.168.250.10
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nonat
http server enable
http 192.168.250.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 192.168.250.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address 192.168.250.200-192.168.250.254 inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
  inspect h323 h225
  inspect h323 ras
  inspect skinny
!
service-policy global_policy global
: end
Topic: CiscoRouters
Last comment: jplagens, 8/22/2022 - Mon
chosmer

What part of the access to the DMZ box is not working?
jplagens

ASKER
Basically all of it.  I can't ping the DMZ server from the main server at IP 192.168.250.10 and I cannot access the server remotely.  If the config looks correct then I guess it could be the server.  I'll double check the IP address on the NIC card of the server.
ASKER CERTIFIED SOLUTION
MikeKane

(solution text not shown on this page)
jplagens

ASKER
I can't get those suggestions to work.

I'm not sure the static entry is correct.  
"static (inside, dmz)  192.168.250.0 192.168.250.0  netmask 255.255.255.255"

I tried the above one and this one:
static (inside,dmz) 172.16.250.0 192.168.250.0 netmask 255.255.255.0
I also reversed the access-list as requested.

I can remote desktop into the server from the 192.168.250.x lan now, but I still can't ftp into it internally or externally.  This server will be an FTP server.  I tested the FTP server locally and it's listening and connecting correctly.
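The two things the thread keeps circling around are the direction of the ACL applied inbound on the dmz interface and whether an inside-to-dmz connection has any translation at all (the nonat line for 172.16.250.0 is written in the dmz-to-inside direction, so inside hosts fall through to nat (inside) 1, which has no global on dmz). The checker below is an added example, not code from the thread or from Cisco: it parses only the ACL, access-group, static, nat and global lines, assumes PIX 7 behaviour where a matching nat statement with no matching global on the egress interface drops the packet, assumes an interface with no inbound ACL is the higher-security side, and treats a static as present or absent without resolving mapped addresses.

```python
from ipaddress import ip_address, ip_network

def net(ip, mask):
    return ip_network(f"{ip}/{mask}", strict=False)

def parse(text):
    cfg = {"acl": {}, "group": {}, "static": [], "nat": [], "global": set()}
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "access-list" and t[3] == "permit" and t[4] == "ip":
            cfg["acl"].setdefault(t[1], []).append((net(t[5], t[6]), net(t[7], t[8])))
        elif t[0] == "access-group":
            cfg["group"][t[4]] = t[1]              # interface -> ACL applied inbound
        elif t[0] == "static" and len(t) == 6:     # net-to-net static: (real_if, mapped_if, real)
            cfg["static"].append((*t[1].strip("()").split(","), net(t[3], t[5])))
        elif t[0] == "nat":
            cfg["nat"].append((t[1].strip("()"), t[2], t[3:]))
        elif t[0] == "global":
            cfg["global"].add((t[1].strip("()"), t[2]))
    return cfg

def check_flow(cfg, src_if, dst_if, src_ip, dst_ip):
    """Findings for a new connection entering src_if; an empty list means it should pass."""
    out, src, dst = [], ip_address(src_ip), ip_address(dst_ip)
    hit = lambda name: any(src in s and dst in d for s, d in cfg["acl"].get(name, []))
    acl = cfg["group"].get(src_if)           # no ACL: assume higher-to-lower, permitted by default
    if acl and not hit(acl):
        out.append(f"ACL {acl} on {src_if} has no permit for {src_ip} -> {dst_ip}")
    exempt = any(i == src_if and n == "0" and hit(r[1]) for i, n, r in cfg["nat"])
    static = any((a, b) == (src_if, dst_if) and src in n or (a, b) == (dst_if, src_if) and dst in n
                 for a, b, n in cfg["static"])   # a static works in both directions
    if not (exempt or static):
        for i, n, r in cfg["nat"]:
            if i == src_if and n != "0" and src in net(*r):   # first matching nat statement wins
                if (dst_if, n) not in cfg["global"]:
                    out.append(f"nat ({src_if}) {n} matches {src_ip} but no global ({dst_if}) {n}: 'no translation group found'")
                break
    return out

# Constructed excerpt of the DMZ-relevant lines from the first config posted in the question.
ORIGINAL = """\
access-list nonat extended permit ip 172.16.250.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list dmz extended permit ip 192.168.250.0 255.255.255.0 172.16.250.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group dmz in interface dmz
"""
# The two changes the thread converged on: reverse the dmz ACL and add the inside->dmz static.
FIXED = ORIGINAL.replace("permit ip 192.168.250.0 255.255.255.0 172.16.250.0",
                         "permit ip 172.16.250.0 255.255.255.0 192.168.250.0"
                         ) + "static (inside,dmz) 172.16.250.0 192.168.250.0 netmask 255.255.255.0\n"

def audit(text):
    cfg = parse(text)
    return {"inside->dmz": check_flow(cfg, "inside", "dmz", "192.168.250.10", "172.16.250.25"),
            "dmz->inside": check_flow(cfg, "dmz", "inside", "172.16.250.25", "192.168.250.10")}
```

Running audit(ORIGINAL) reports both problems (no translation inside->dmz, ACL written backwards on dmz); audit(FIXED) reports none for either direction.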
chosmer

You can RDP from the inside to the DMZ box, but an FTP session won't work?

Did you try removing the " inspect ftp " from the
policy-map global_policy
 class inspection_default ?

jplagens

ASKER
Yes I just took out the inspect ftp command and still nothing.  Seems as if I can only RDP into the server.  From the FTP server I can ping out to IP addresses, but not hostnames.  I've attached an updated config file.

PIX Version 7.1(2)
!
hostname HPI-PIX515e
domain-name com
enable password encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address x.xx.xxx.210 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.250.2 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 172.16.250.1 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name com
object-group service 3COMTCP tcp
 port-object range 1040 1044
 port-object eq www
 port-object range sip 5065
object-group service 3COMUDP udp
 port-object range 2093 2096
 port-object range sip 5065
access-list acl_out extended permit icmp any any echo
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit tcp any host x.xx.xxx.215 object-group 3COMTCP
access-list acl_out extended permit udp any host x.xx.xxx.215 object-group 3COMUDP
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq pop3
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq www
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq https
access-list acl_out extended permit tcp 64.18.0.0 255.255.240.0 host x.xx.xxx.212 eq smtp
access-list acl_out extended permit tcp any host x.xx.xxx.210 eq 3389
access-list acl_out extended permit tcp any eq pptp host x.xx.xxx.212 eq pptp
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 3101
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 8019
access-list acl_out extended permit tcp any host x.xx.xxx.212 eq 56719
access-list acl_out extended permit tcp any host x.xx.xxx.212 range 55333 55337
access-list acl_out extended permit tcp any host x.xx.xxx.214 eq ftp
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.250.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list nonat extended permit ip 172.16.250.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list 101 extended permit ip 192.168.250.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.250.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.250.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 102 extended permit ip 192.168.250.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list dmz extended permit icmp any any echo
access-list dmz extended permit icmp any any echo-reply
access-list dmz extended permit ip 172.16.250.0 255.255.255.0 192.168.250.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool vpnpool 192.168.251.51-192.168.251.100
no failover
asdm image flash:/asdm-512.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 3 x.xx.xxx.215
global (outside) 2 x.xx.xxx.212
global (outside) 4 x.xx.xxx.214
nat (inside) 0 access-list nonat
nat (inside) 2 192.168.250.11 255.255.255.255
nat (inside) 3 192.168.250.49 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 4 172.16.250.25 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 pop3 192.168.250.11 pop3 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 www 192.168.250.11 www netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 https 192.168.250.11 https netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 6001 192.168.250.11 6001 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 6002 192.168.250.11 6002 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 6004 192.168.250.11 6004 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 3389 192.168.250.10 3389 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 smtp 192.168.250.11 smtp netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 pptp 192.168.250.10 pptp netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 3101 192.168.250.10 3101 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 8019 192.168.250.10 8019 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 56719 192.168.250.10 56719 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55333 192.168.250.10 55333 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55334 192.168.250.10 55334 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55335 192.168.250.10 55335 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55336 192.168.250.10 55336 netmask 255.255.255.255
static (inside,outside) tcp x.xx.xxx.212 55337 192.168.250.10 55337 netmask 255.255.255.255
static (inside,outside) x.xx.xxx.215 192.168.250.49 netmask 255.255.255.255
static (dmz,outside) x.xx.xxx.214 172.16.250.25 netmask 255.255.255.255
static (inside,dmz) 172.16.250.0 192.168.250.0 netmask 255.255.255.0
access-group acl_out in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 x.xx.xxx.209 1
route inside 192.168.0.0 255.255.255.0 192.168.250.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy LC internal
group-policy LC attributes
 wins-server value 192.168.250.10
 dns-server value 192.168.250.10
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nonat
http server enable
http 192.168.250.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.250.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address 192.168.250.200-192.168.250.254 inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
  inspect h323 h225
  inspect h323 ras
  inspect skinny
!
service-policy global_policy global
Cryptochecksum:92421944ee0f7c6d2e1278ce643823cc
: end
chosmer

Can you temporarily park a machine on your DMZ at IP Add 172.16.250.24 Mask 255.255.255.0 and see if you can ftp to it by IP?

Also, is your ftp server set to use an external DNS or a 192.168.250.x one?
SOLUTION
chosmer

(solution text not shown on this page)
jplagens

ASKER
This is at a client's site, so I can't just show up and start experimenting.  I'm pretty sure the DMZ is working correctly now.  Since I could RDP into the server internally, I opened up port 3389 externally and I can also RDP into the server with no problems.  The issue seems to be with the FTP server.

It's one of those deals where they want to save money and think they can do it themselves.  They insisted on setting up the FTP server and only wanted me to look at the PIX.  I'm not sure if the Pix worked how I originally had it, but with the changes everyone suggested I feel it's working now.

I'll keep everyone posted.  Hopefully they'll let me set up the FTP site correctly for them and quit cheaping out.
Thanks again!

jplagens

ASKER
Thanks for the help.  These suggestions got the DMZ working correctly.