How to access inside server from DMZ http Pix 6.3

Posted on 2011-02-10
Last Modified: 2012-05-11

Experts

I have a web server in my DMZ that needs to connect to an inside DB server via http. I'm trying to connect to this server by calling it from a web browser for a WCF IIS hosted service, with no luck. I need some help please ASAP.

Thanks

Question by: tljones00

Author Comment by tljones00 (ID: 34865057):
Do I need to add a static (dmz,inside) 30.30.30.0 30.30.30.0 netmask 255.255.255.0 0 0 to get to the inside from the DMZ?
Expert Comment by lrmoore (ID: 34865871):
You need both an acl and a static

inside DB host = 20.20.20.20
dmz webserver host = 30.30.30.30

static (inside,dmz) 20.20.20.20 20.20.20.20 netmask 255.255.255.255

access-list DMZ_in permit tcp host 30.30.30.30 host 20.20.20.20 eq 80
access-list DMZ_in deny ip 30.30.30.0 255.255.255.0 host 20.20.20.20
access-list DMZ_in permit ip 30.30.30.0 255.255.255.0 any
access-group DMZ_in in interface dmz
Author Comment by tljones00 (ID: 34865959):
I currently have a static (inside,dmz) 10.0.1.0 10.0.1.0 255.255.255.0 0 0 which gets me to the DMZ from the inside, which you solved for me earlier in the week.

I do not have an access-group fromdmz in interface dmz b/c it stops my outbound internet traffic from the DMZ server. I'm a bit confused on how to make this work.

I also have access-list fromDMZ permit icmp any any

access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any eq www (not sure this line does anything).

Are the access-list DMZ_in permit lines different from access-list fromDMZ permit in interface dmz? I'm struggling to follow.
Accepted Solution by lrmoore (earned 500 total points, ID: 34866069):
OK, since you have the static, we need to allow traffic from the DMZ to the inside, but only to a specific host, and then deny all other traffic to the inside, then allow everything else.

//-- allow dmz host to internal db server
access-list fromDMZ permit tcp host 30.30.30.30 host 10.0.1.20 eq www

//-- deny any further connectivity between dmz and inside
access-list fromDMZ deny ip 30.30.30.0 255.255.255.0 10.1.1.0 255.255.255.0

//-- allow DNS, ICMP and tcp from the DMZ hosts out to the world
//-- if  you don't put in the above deny statement, this global permit would make the inside wide open
//-- to the DMZ. Defeats the whole purpose of a DMZ
access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any
access-list fromDMZ permit udp 30.30.30.0 255.255.255.0 any eq domain
access-list fromDMZ permit icmp 30.30.30.0 255.255.255.0 any

That ACL will break connectivity to DMZ hosts from inside, unless you NAT them to the dmz interface, so add this:
global 1 (dmz) interface
Author Comment by tljones00 (ID: 34866198):
Will doing any of the following break my inside LAN NAT for general internet usage for my users?
Author Comment by tljones00 (ID: 34866212):
Can I post my config so you can see what I have? It will be sanitized.
Author Comment by tljones00 (ID: 34866263):
Here is my config before I do anything that you said to do:

PIX Version 6.3(5)145
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50


access-list ininside permit icmp any any
access-list ininside permit ip any any
access-list ininside permit esp any any
access-list ininside permit gre any any
access-list ininside permit tcp any any eq telnet
access-list natzero permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outsidein permit icmp any any
access-list outsidein permit tcp host xxxxxxx 10.0.1.0 255.255.255.0 eq 1433
access-list outsidein permit tcp host xxxxxxx 10.0.1.0 255.255.255.0 eq 1434
access-list outsidein permit tcp host xxxxxxx 10.0.1.0 255.255.255.0 eq 1490
access-list outsidein permit tcp any host xx.xx.xx.xx eq www
access-list outsidein permit esp any any
access-list outsidein permit gre any any
access-list outsidein permit tcp any host 69.199.xx.xx eq www
access-list split permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_20 permit icmp xx.xx.xx.x 255.255.255.0 xxx.xxx.x.x 255.255.0.0
access-list INTERNET1 deny ip 10.0.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list INTERNET1 deny ip 10.0.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list INTERNET1 deny ip 10.0.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list INTERNET1 permit ip 10.0.1.0 255.255.255.0 any
access-list NAT-xxx permit ip 10.0.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list NAT-xxx permit ip 10.0.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list NAT-xxx permit ip 10.0.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list VPN-xxx permit ip host xx.xxx.xx.xx xxx.xxx.0.0 255.255.0.0
access-list VPN-xxx permit ip host xx.xxx.xx.xx xxx.xxx.0.0 255.255.0.0
access-list VPN-xxx permit ip host xx.xxx.xx.xx xxx.xxx.0.0 255.255.0.0
access-list fromDMZ permit icmp any any
access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any eq domain
pager lines 24
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 69.xxx.xx.xx 255.255.255.240
ip address inside 10.0.1.245 255.255.255.0
ip address dmz 30.30.30.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm

failover timeout 0:00:00

arp timeout 14400
global (outside) 1 69.199.xx.xx
global (outside) 2 69.199.xx.xx
nat (inside) 0 access-list natzero
nat (inside) 2 access-list NAT-xxx 0 0
nat (inside) 1 access-list INTERNET1 0 0
static (inside,outside) 69.xx.xx.xx xxxxxxx netmask 255.255.255.255 0 0
static (inside,dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) 69.199.xx.xx 30.30.30.2 dns netmask 255.255.255.255 0 0
access-group outsidein in interface outside
access-group ininside in interface inside
route outside 0.0.0.0 0.0.0.0 69.xxx.xx.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.0.1.130 c:\TFTP-root
floodguard enable
telnet 10.0.1.251 255.255.255.255 inside
telnet 10.0.1.58 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 10.0.1.10-10.0.1.199 inside
dhcpd dns 10.0.1.220 10.0.1.200
dhcpd lease 36000
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:76745cadd5876353f4418403864e165e
cisco#
Author Comment by tljones00 (ID: 34866593):
When I add the first line of access-list fromDMZ permit host 30.30.30.2 host 10.0.1.193 eq www
the PIX takes it but does not allow the traffic. I did not do the deny ip line yet or anything else that you said, as I'm doing them one step at a time. By entering the first line, will that allow my access?
Author Comment by tljones00 (ID: 34866922):
If I add the line access-list fromDMZ permit tcp host 30.30.30.2 host 10.0.1.193 eq www
and then add the line access-group fromDMZ in interface dmz, it works and allows the traffic to the inside specific host.
By doing that it shuts off my outbound internet traffic from the DMZ.
Do I still need to apply a deny statement from my DMZ to inside even though I just opened it for that one DMZ host to the one host on the inside? Or does this expose my internal network?
If I have to use the access-group line, is there a way to still get the internet to work going outbound from the DMZ for updates?
Author Comment by tljones00 (ID: 34867179):
Experts

Can you confirm that the access-list fromDMZ permit tcp host 30.30.30.2 host to 10.0.2.193 eq http is safe to use? Will I need to put in a deny statement for all other DMZ traffic to inside to prevent a security breach to the inside, or is this locked down enough through one host to the inside host server?

I will be working on this tonight as well, so any help I can get on this would be greatly appreciated.
Thanks
Expert Comment by lrmoore (ID: 34867991):
You don't have the access-list fromDMZ applied to the interface

access-group fromDMZ in interface dmz

If it was not all safe to use, I would not have suggested it.
If you want it to work, please follow the exact instructions that I have provided above.
Author Comment by tljones00 (ID: 34868108):
I put in what you said but the last line, which was the global 1 (DMZ) interface line, b/c I still have connectivity to the DMZ. Was that line to break the inside to DMZ?

Forgive me, I was not trying to suggest that you did not know what you're talking about. I know you're really good with the PIX. I was just trying to learn as I go with each line and what it was telling me, and was unsure.
Expert Comment by lrmoore (ID: 34868123):
Without that new global, this line:
 >access-list fromDMZ deny ip 30.30.30.0 255.255.255.0 10.1.1.0 255.255.255.0

could prevent the dmz hosts from responding to the internal systems. As long as you still have connectivity without it, then all should be OK.  If you have problems shortly, then go ahead and add it then.
Author Comment by tljones00 (ID: 34868134):
Will I ever be able to add a line that will also let me hit the internet from that DMZ server, since I applied that access-group in interface dmz?
I only have one server in my DMZ at this time, but is there a way to test to make sure the deny statement is working as it should? I will be awarding you the points with an A tonight or tomorrow.
Expert Comment by lrmoore (ID: 34868225):
These two lines should allow full internet access for the DMZ hosts

access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any
access-list fromDMZ permit udp 30.30.30.0 255.255.255.0 any eq domain

I would add the following also:
nat (dmz) 1 0 0 0

Author Comment by tljones00 (ID: 34868306):
What does the nat (dmz) 1 0 0 0 do for me?
Expert Comment by lrmoore (ID: 34868339):
It provides the required dynamic NAT for the DMZ hosts to go out to the internet.
Author Comment by tljones00 (ID: 34868400):
It seems to hit the internet before I put in the nat (dmz) 1 0 0 0.
Expert Comment by lrmoore (ID: 34870861):
Only the host with the static can get out. If you have any other hosts in the dmz, you will need the nat statement.
This one is OK.
>static (dmz,outside) 69.199.xx.xx 30.30.30.2 dns netmask 255.255.255.255
Author Comment by tljones00 (ID: 34871620):
Here is what I have that seems to be working. Did I put everything in the right order? I really appreciate all of your help and explaining what each statement is telling me. BTW, why did the eq www line change from http to www? Does the PIX see them as the same? I wanted http instead of www. Also, is there a link that can help me understand more about the deny statements?

static (inside,dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) 69.xxx.xx.xx 30.30.30.2 dns netmask 255.255.255.255 0 0
access-list fromDMZ permit icmp any any
access-list fromDMZ permit tcp host 30.30.30.2 host 10.0.1.67 eq 1433
access-list fromDMZ permit tcp host 30.30.30.2 host 10.0.1.193 eq www
access-list fromDMZ deny ip 30.30.30.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any
access-list fromDMZ permit udp 30.30.30.0 255.255.255.0 any eq domain
access-group fromDMZ in interface dmz
Expert Comment by lrmoore (ID: 34875568):
>I wanted http instead of www
The PIX/ASA automatically changes the port number to www in this case. Nothing you can do.

Glad you got it sorted.
Most any good read on Cisco acl primers will help you understand access-lists. Just remember that ALL acls (in Cisco world) have the following in common:
1. Always processed top down until first match (never "best match")
2. Always include a hidden (implicit) "deny all" at the end, so you need the permit any to be before the deny all.

Use "show access-list" to see hits on the acl entries (hitcount xxx) for troubleshooting
Try to put the most used/most hits as close to the top as you can for faster top-down processing.