Setup Of pix firewall 515e and sonicwall TZ 170

I have this current setup, I found it insecure, please correct my setup of my Access Rules and configuration.

Access Rules for Pix515e: as follows
-from any------citrix(dmz)---------service (chargen,http,1494,2598,443)
-from any------(exchange)--------service(http,https,imap4,login,pop3,443,6001--6004,smtp)
--from any------(webserver)------service(http,https)
-from any--------(sonical wall_)-------all services(any)

access rules for sonic wall:
-from any------citrix(dmz)---------service (,http,1494,2598,443)
-from any------(exchange)--------service(http,https,imap4,login,pop3,443,,smtp,dns)
there are no rules for the webserver because I placed it in the internal LAN and connected it directly to the internal port of the PIX.

please give me the best setup with details and be specific to do it right,
-supply and correct my access rules in both the PIX and the SonicWall
-where to place the webserver (probably between the PIX and the SonicWall) and what the access rules for it are, on both the PIX and the SonicWall, to connect to the internal database and go live on the internet.

citrix (placed in the internal network): is Presentation Server 4.0, I host multiple applications running on the internal network.
exchange (placed in the internal network): is Exchange 2003 connected to 2 domain controllers.
webserver (placed in the internal network): hosts a webpage connected to my internal database.


>I have this current setup, I found it unsecure,
How so?

It sounds like you are looking for a complete re-design.

I'm confused why there are two firewalls at all.  The TZ170 can handle everything, including a second WAN connection, since you are placing your public servers on the LAN.

What function does the PIX serve?  Why a DMZ to another router before the LAN?

I'm not a PIX person, so I can't answer any of that.  I do have a TZ170.  There is a WAN, LAN, and a DMZ/OPTion port.  You can do what you need with one firewall.

As for a specific configuration with rules...that would be hours of back and forth design and consultation, including remote access to configure and test specific rules.  That's something outside the bounds of a public forum.

A lot will depend on the following:

- how many WAN connections?
- how many public IP addresses?
- how many LAN/VLAN?
- are you using object-based rules? (recommended)

In addition, things to consider are what exact services are necessary to open to the public.  On an Exchange server, you don't need POP, IMAP, SMTP, etc.  HTTP/HTTPS should be sufficient.  Allowing POP enables users to take mail quickly outside your corporate domain.  SMTP allows them to send mail from your domain without the same monitoring/archiving as an Exchange client.

But it all depends on how many services you are trying to provide.

If it were me, I'd draw each server with tags for the services needed for WAN and the services for LAN users.  Tag your internet connections with service type and public IP addresses available.

Then, write down any DNS records that correspond to those IP addresses (you can have more than one).

These will help you map out the firewall configuration.  Routing rules will be important if you have more than one WAN connection.
i_harfoushAuthor Commented:
Dear Sir, thanks for your fast reply.
-why are there 2 firewalls?
because I read in a previous article that when I need to host a webserver connected to a database, I have to place the webserver between 2 firewalls and open the TCP SQL port to the database server.
-I didn't understand what you mean by object based rules?
-it is a simple configuration.
I have 3 servers NATed to public IPs:
citrix, exchange 2003 (connected to domain controller), webserver (all 3 servers placed in the internal LAN)
I have one internal LAN = 192.169.100.x
external = 83.96.34.z (I bought 32 real IPs from my ISP, currently using 3 for my servers, one for my computer and one for the SonicWall)
my ISP DNS records (but I am not using them) =
Sir, just draw for me the diagram and the appropriate access rules (ports-services) and where to place the servers, and I will do the rest.
thanks in advance,
any details, I will give them to you,
>-it is a simple configuration

No, it's not really.  Especially when you add an extra firewall in the mix just because you read it in an article.  Honestly, if it was simple, you wouldn't be asking for help.

>just draw for me the diagram and the appropriate access rules (ports-services) and where to place the servers, and I will do the rest.

Do you have someone on-site with experience?  I think that giving you advice like this has a great potential to "break" what's not broken already.  If this is a live production environment, that has serious consequences.

You have some design issues to overcome, as well as some building of knowledge.  If you've got the TZ170 and you don't know what objects are...that's a whole other lesson in how the SonicWall Enhanced OS works.

You've got two firewalls with the same LAN interface, one of which has its WAN hooked up to the DMZ of the other.

Like I said...not sure why you have two routers when one would do just fine with a DMZ.

i_harfoushAuthor Commented:
thanks Sir,
pix 515e:
3 ports
translation rules
DMZ--sonicwall 192.168.111.a----outside-->83.96.34.a
DMZ---exchange 192.168.111.c---outside--->83.96.34.c
DMZ---webserver 192.168.100.d (skipping the SonicWall, I connect it directly to the internal port of the PIX)--outside--->83.96.34.e
dmz--->my ip address----------------outside--->83.96.34.f
inside----inside-----dmz---same as original address
inside---inside---outside--same as original address.
access rules:
exchange --permit from dmz to outside any tcp
citrix --permit from dmz to outside any tcp
sonicwall --permit from dmz to outside any tcp-udp icmp-ip
-from any------>citrix(dmz)---------service (chargen,http,1494,2598,443)
-from any------>(exchange)dmz--------service(http,https,imap4,login,pop3,443,6001--6004,smtp)
--from any------>(webserver)dmz------service(http,https)
-from any-------->(sonical wall_)dmz-------all services(any)
-deny  any -------->interface outside-----any

sonic wall
optional---not assigned-----------
------------------access rules
from dmz------citrix---------service (,http,1494,2598,443)
-from dmz------(exchange)--------service(http,https,imap4,login,pop3,443,,smtp,dns)
citrix(private)--------->citrix public
exchange(private)----->citrix public

all the clients have the SonicWall as their default gateway
except the webserver, whose default gateway is the PIX internal port

any questions, I am ready to answer

Why don't you try simplifying the design?  I still don't understand why you are using two firewalls to create a DMZ, when you already have a firewall with DMZ functions built-in (TZ170).

i_harfoushAuthor Commented:
Sir, give me the appropriate rules from DMZ to internal
I already have the Citrix and Exchange rules, I don't know
can you please write the rules from DMZ to internal and from outside to DMZ
You'll need to learn about objects.  If you open ports from zone to zone, you give up control.  For instance:

source > destination - traffic - rule


DMZ > LAN - SQL - allow
...this is not very restrictive.  Any object in the DMZ can send traffic to any LAN object over the ports for SQL.

web server > database server - SQL - allow
...this is better, because any other SQL traffic is blocked


...this opens the firewall unnecessarily

LAN workstations > SBS server - HTTP, HTTPS - allow
LAN scanner > SBS server - SMTP - allow

Does that make sense?  Have you read about creating objects?  For individual equipment, groups of objects, grouping of services, etc.
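To make the zone-versus-object point above concrete, here is a small added example (written for this page, not code from the thread or from either vendor) that models the two rule styles the answer contrasts, "DMZ > LAN - SQL - allow" and "web server > database server - SQL - allow", as first-match policies with an implicit deny, then runs some sample flows through both. The subnets follow the 192.168.111.x (DMZ) and 192.168.100.x (LAN) ranges in the thread; the individual host addresses, the service definitions and the flows are constructed for the example.

```python
"""Zone-to-zone vs object-to-object firewall rules.

Added example, not part of the Experts Exchange thread. Models the two rule
styles the answer contrasts ("DMZ > LAN - SQL - allow" versus
"web server > database server - SQL - allow") as first-match policies and
evaluates sample flows through both. Host addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import Union

# Zone address objects (subnets taken from the thread)
ZONES = {
    "DMZ": ip_network("192.168.111.0/24"),
    "LAN": ip_network("192.168.100.0/24"),
}

# Host address objects (constructed; the thread only gives placeholder letters)
HOSTS = {
    "webserver": ip_address("192.168.111.10"),
    "dbserver": ip_address("192.168.100.20"),
    "domain_controller": ip_address("192.168.100.5"),
}

# Service objects: name -> set of (protocol, port)
SERVICES = {
    "SQL": {("tcp", 1433)},
    "HTTP": {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
    "SMB": {("tcp", 445)},
}

AddrObject = Union[IPv4Address, IPv4Network]


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    port: int


@dataclass(frozen=True)
class Rule:
    src: AddrObject
    dst: AddrObject
    service: str
    action: str  # "allow" or "deny"


def addr_matches(obj: AddrObject, ip: IPv4Address) -> bool:
    """A host object matches only itself; a network (zone) object matches any member."""
    if isinstance(obj, IPv4Network):
        return ip in obj
    return ip == obj


def evaluate(rules, flow: Flow) -> str:
    """First-match evaluation with an implicit deny at the end, as on PIX/SonicWall."""
    for rule in rules:
        if (addr_matches(rule.src, flow.src)
                and addr_matches(rule.dst, flow.dst)
                and (flow.proto, flow.port) in SERVICES[rule.service]):
            return rule.action
    return "deny"


# Policy A: the zone-to-zone rule the answer calls "not very restrictive".
ZONE_POLICY = [Rule(ZONES["DMZ"], ZONES["LAN"], "SQL", "allow")]

# Policy B: the object-to-object rule the answer prefers.
OBJECT_POLICY = [Rule(HOSTS["webserver"], HOSTS["dbserver"], "SQL", "allow")]

# Constructed sample flows
SAMPLE_FLOWS = {
    "web_to_db_sql": Flow(HOSTS["webserver"], HOSTS["dbserver"], "tcp", 1433),
    "web_to_dc_sql": Flow(HOSTS["webserver"], HOSTS["domain_controller"], "tcp", 1433),
    "web_to_db_smb": Flow(HOSTS["webserver"], HOSTS["dbserver"], "tcp", 445),
}


def compare_policies(flows=SAMPLE_FLOWS):
    """Return {flow name: (zone-policy verdict, object-policy verdict)}."""
    return {name: (evaluate(ZONE_POLICY, f), evaluate(OBJECT_POLICY, f))
            for name, f in flows.items()}


def overexposed_flows(flows=SAMPLE_FLOWS):
    """Flows the zone rule allows but the object rule does not: the extra exposure."""
    return sorted(name for name, (zone, obj) in compare_policies(flows).items()
                  if zone == "allow" and obj == "deny")


if __name__ == "__main__":
    for name, (zone, obj) in compare_policies().items():
        print(f"{name:16s} zone-rule={zone:5s} object-rule={obj}")
    print("over-exposed by the zone rule:", overexposed_flows())
```

Run as a script, it lists each flow with both verdicts: the web-server-to-database SQL flow is allowed under both policies, but the zone rule also lets the web server reach the domain controller on the SQL port, which the object rule blocks. Adding more hosts or services to the dictionaries is enough to check a larger rule set the same way.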
i_harfoushAuthor Commented:
yes yes, you mean address objects in networks, for IPs or services, this is for sure..
the diagram is good, but could you please write the full solution,
because I get the idea....and what about Citrix, because it is launching Outlook and many applications
Does anyone outside the office need access to the Citrix server?  If so, you could put it on the LAN with NAT to the WAN.  Or, leave it in the DMZ, and create routes/rules so that it can access LAN servers and printers, or other resources.

I can't write up a complete solution for you.  As I said, that's several hours of working blind...which could easily turn into several days of support or configuration.  As the administrator or contractor, that's what you're getting paid for.
i_harfoushAuthor Commented:
so you advise me to leave Citrix and Exchange in the LAN and keep the webserver in the DMZ?
i_harfoushAuthor Commented:
us because the outside people are accessing internal forms
Why would you put the Exchange server back on the LAN?  I only suggested putting the Citrix server back into the LAN.
i_harfoushAuthor Commented:
Dear Sir,
I did what you suggested to me, for the Exchange access rule from external to DMZ (http, https) is enough, what about SMTP and POP?
thanks for your patience and your cooperation, I really appreciate it
i_harfoushAuthor Commented:
still I need the access rules for exchange