tljones00

How to access inside server from DMZ http Pix 6.3

Experts

I have a web server in my DMZ that needs to connect to an inside DB server via HTTP. I'm trying to connect to this server by calling it from a web browser for a WCF IIS-hosted service, with no luck. I need some help please, ASAP.

Thanks

tljones00

ASKER

Do I need to add a static (dmz,inside) 30.30.30.0 30.30.30.0 netmask 255.255.255.0 0 0 to get to the inside from the DMZ?
Les Moore
You need both an ACL and a static:

inside DB host = 20.20.20.20
dmz webserver host = 30.30.30.30

static (inside,dmz) 20.20.20.20 20.20.20.20 netmask 255.255.255.255

access-list DMZ_in permit tcp host 30.30.30.30 host 20.20.20.20 eq 80
access-list DMZ_in deny ip 30.30.30.0 255.255.255.0 host 20.20.20.20
access-list DMZ_in permit ip 30.30.30.0 255.255.255.0 any
access-group DMZ_in in interface dmz
I currently have a static (inside,dmz) 10.0.1.0 10.0.1.0 255.255.255.0 0 0, which gets me to the DMZ from the inside, which you solved for me earlier in the week.

I do not have an access-group fromdmz in interface dmz because it stops my outbound internet traffic from the DMZ server. I'm a bit confused about how to make this work.

I also have access-list fromDMZ permit icmp any any

access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any eq www (not sure this line does anything).

Are the access-list DMZ_in permit lines different from the access-list fromDMZ permit lines in interface dmz? I'm struggling to follow.
ASKER CERTIFIED SOLUTION
Les Moore
Will doing any of the following break my inside LAN NAT for general internet usage for my users?
Can I post my config so you can see what I have? It will be sanitized.
Here is my config before I do anything that you said to do:

PIX Version 6.3(5)145
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50


access-list ininside permit icmp any any
access-list ininside permit ip any any
access-list ininside permit esp any any
access-list ininside permit gre any any
access-list ininside permit tcp any any eq telnet
access-list natzero permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outsidein permit icmp any any
access-list outsidein permit tcp host xxxxxxx 10.0.1.0 255.255.255.0 eq 1433
access-list outsidein permit tcp host xxxxxxx 10.0.1.0 255.255.255.0 eq 1434
access-list outsidein permit tcp host xxxxxxx 10.0.1.0 255.255.255.0 eq 1490
access-list outsidein permit tcp any host xx.xx.xx.xx eq www
access-list outsidein permit esp any any
access-list outsidein permit gre any any
access-list outsidein permit tcp any host 69.199.xx.xx eq www
access-list split permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_20 permit icmp xx.xx.xx.x 255.255.255.0 xxx.xxx.x.x 255.255.0.0
access-list INTERNET1 deny ip 10.0.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list INTERNET1 deny ip 10.0.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list INTERNET1 deny ip 10.0.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list INTERNET1 permit ip 10.0.1.0 255.255.255.0 any
access-list NAT-xxx permit ip 10.0.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list NAT-xxx permit ip 10.0.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list NAT-xxx permit ip 10.0.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list VPN-xxx permit ip host xx.xxx.xx.xx xxx.xxx.0.0 255.255.0.0
access-list VPN-xxx permit ip host xx.xxx.xx.xx xxx.xxx.0.0 255.255.0.0
access-list VPN-xxx permit ip host xx.xxx.xx.xx xxx.xxx.0.0 255.255.0.0
access-list fromDMZ permit icmp any any
access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any eq domain
pager lines 24
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 69.xxx.xx.xx 255.255.255.240
ip address inside 10.0.1.245 255.255.255.0
ip address dmz 30.30.30.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm

failover timeout 0:00:00

arp timeout 14400
global (outside) 1 69.199.xx.xx
global (outside) 2 69.199.xx.xx
nat (inside) 0 access-list natzero
nat (inside) 2 access-list NAT-xxx 0 0
nat (inside) 1 access-list INTERNET1 0 0
static (inside,outside) 69.xx.xx.xx xxxxxxx netmask 255.255.255.255 0 0
static (inside,dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) 69.199.xx.xx 30.30.30.2 dns netmask 255.255.255.255 0 0
access-group outsidein in interface outside
access-group ininside in interface inside
route outside 0.0.0.0 0.0.0.0 69.xxx.xx.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.0.1.130 c:\TFTP-root
floodguard enable
telnet 10.0.1.251 255.255.255.255 inside
telnet 10.0.1.58 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 10.0.1.10-10.0.1.199 inside
dhcpd dns 10.0.1.220 10.0.1.200
dhcpd lease 36000
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:76745cadd5876353f4418403864e165e
cisco#
When I add the first line, access-list fromDMZ permit host 30.30.30.2 host 10.0.1.193 eq www,
the PIX takes it but does not allow the traffic. I did not do the deny ip line yet or anything else that you said, as I'm doing them one step at a time. By entering the first line, will that allow my access?
If I add the line access-list fromDMZ permit tcp host 30.30.30.2 host 10.0.1.193 eq www
and then add the line access-group fromDMZ in interface dmz, it works and allows the traffic to the inside specific host.
By doing that it shuts off my outbound internet traffic from the DMZ.
Do I still need to apply a deny statement from my DMZ to inside even though I just opened it for that one DMZ host to the one host on the inside? Or does this expose my internal network?
If I have to use the access-group line, is there a way to still get the internet to work going outbound from the DMZ for updates?
Experts

Can you confirm that the access-list fromDMZ permit tcp host 30.30.30.2 host to 10.0.2.193 eq http is safe to use. Will I need to put in a deny statement for all other DMZ traffic to inside to prevent a security breach to the inside, or is this locked down enough through one host to the inside host server?

I will be working on this tonight as well, so any help I can get on this would be greatly appreciated.
Thanks
You don't have the access-list fromDMZ applied to the interface

access-group fromDMZ in interface dmz

If it was not all safe to use, I would not have suggested it.
If you want it to work, please follow the exact instructions that I have provided above.
I put in what you said except the last line, which was the global 1(DMZ) interface line, because I still have connectivity to the DMZ. Was that line to break the inside to DMZ?

Forgive me, I was not trying to suggest that you did not know what you're talking about. I know you're really good with the PIX. I was just trying to learn as I go with each line and what it was telling me, and was unsure.
Without that new global, this line:
 >access-list fromDMZ deny ip 30.30.30.0 255.255.255.0 10.1.1.0 255.255.255.0

could prevent the dmz hosts from responding to the internal systems. As long as you still have connectivity without it, then all should be OK.  If you have problems shortly, then go ahead and add it then.
Will I ever be able to add a line that will also let me hit the internet from that DMZ server, since I applied that access-group in interface dmz?
I only have one server in my DMZ at this time, but is there a way to test to make sure the deny statement is working as it should? I will be awarding you the points with an A tonight or tomorrow.
These two lines should allow full internet access for the DMZ hosts

access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any
access-list fromDMZ permit udp 30.30.30.0 255.255.255.0 any eq domain

I would add the following also:
nat (dmz) 1 0 0 0

What does the nat (dmz) 1 0 0 0 do for me?
It provides the required dynamic NAT for the DMZ hosts to go out to the internet.
It seems to hit the internet before I put in the nat (dmz) 1 0 0 0.
Only the host with the static can get out. If you have any other hosts in the dmz, you will need the nat statement.
This one is OK.
>static (dmz,outside) 69.199.xx.xx 30.30.30.2 dns netmask 255.255.255.255
Here is what I have that seems to be working. Did I put everything in the right order? I really appreciate all of your help and explaining what each statement is telling me. BTW, why did the eq www line change from http to www? Does the PIX see them as the same? I wanted http instead of www. Also, is there a link that can help me understand more about the deny statements?

static (inside,dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) 69.xxx.xx.xx 30.30.30.2 dns netmask 255.255.255.255 0 0
access-list fromDMZ permit icmp any any
access-list fromDMZ permit tcp host 30.30.30.2 host 10.0.1.67 eq 1433
access-list fromDMZ permit tcp host 30.30.30.2 host 10.0.1.193 eq www
access-list fromDMZ deny ip 30.30.30.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any
access-list fromDMZ permit udp 30.30.30.0 255.255.255.0 any eq domain
access-group fromDMZ in interface dmz
>I wanted http instead of www
The PIX/ASA automatically changes the port number to www in this case. Nothing you can do.

Glad you got it sorted.
Most any good read on Cisco acl primers will help you understand access-lists. Just remember that ALL acls (in Cisco world) have the following in common:
1. Always processed top down until first match (never "best match")
2. Always include a hidden (implicit) "deny all" at the end, so you need the permit any to be before the deny all.

Use "show access-list" to see hits on the ACL entries (hitcount xxx) for troubleshooting.
Try to put the most used/most hit entries as close to the top as you can for faster top-down processing.
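The asker wanted a way to test that the deny line does what it should; the on-box answer is the "show access-list" hitcounts above. As an added offline check that is not from the thread or from Cisco, the Python below replays the posted fromDMZ ACL under the two rules just listed (top-down first match, hidden deny-all) against constructed sample flows. The internet host 203.0.113.10 and the inside host 10.0.1.50 are assumptions; the ACL text is copied from the asker's final post.

```python
import ipaddress
# Constructed copy of the thread's final fromDMZ ACL (PIX 6.3 syntax) so the check runs offline.
ACL_TEXT = """
access-list fromDMZ permit icmp any any
access-list fromDMZ permit tcp host 30.30.30.2 host 10.0.1.67 eq 1433
access-list fromDMZ permit tcp host 30.30.30.2 host 10.0.1.193 eq www
access-list fromDMZ deny ip 30.30.30.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any
access-list fromDMZ permit udp 30.30.30.0 255.255.255.0 any eq domain
"""
PORT_NAMES = {"www": 80, "domain": 53}  # keywords the PIX substitutes for port numbers

def _addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK) and return a network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(t + "/" + tokens.pop(0))  # dotted mask is accepted

def parse_acl(text):
    """Return ordered (action, proto, src, dst, dport) entries; dport is None when absent."""
    entries = []
    for line in text.strip().splitlines():
        _, _name, action, proto, *rest = line.split()
        src, dst = _addr(rest), _addr(rest)
        dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, dport))
    return entries

def evaluate(entries, proto, src, dst, dport=None):
    """PIX semantics: top-down, first match wins, hidden deny-all at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, dp in entries:
        if p in ("ip", proto) and s in sn and d in dn and dp in (None, dport):
            return action
    return "deny"  # the implicit deny every Cisco ACL ends with

# Constructed flows: the two permitted connections, one the deny line must block, and two
# internet-bound ones (udp is only open for DNS, so ntp falls through to the implicit deny).
FLOWS = {
    "web->db http": ("tcp", "30.30.30.2", "10.0.1.193", 80),
    "web->db sql": ("tcp", "30.30.30.2", "10.0.1.67", 1433),
    "web->other inside host": ("tcp", "30.30.30.2", "10.0.1.50", 80),
    "web->internet https": ("tcp", "30.30.30.2", "203.0.113.10", 443),
    "web->internet ntp": ("udp", "30.30.30.2", "203.0.113.10", 123),
}

def check_flows(acl_text=ACL_TEXT):
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, *flow) for name, flow in FLOWS.items()}
```

Swapping the order of the deny line and the permit tcp any line in ACL_TEXT and re-running check_flows shows why "first match" matters: the inside host would then be reachable.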