How to access inside server from DMZ http Pix 6.3

Posted on 2011-02-10
Last Modified: 2012-05-11

I have a web server in my DMZ that needs to connect to an inside DB server via HTTP. I'm trying to connect to this server by calling it from a web browser for a WCF IIS-hosted service, with no luck. I need some help please, ASAP.

Thanks

Question by:tljones00
21 Comments
 

Author Comment

by:tljones00
ID: 34865057
Do I need to add a static (dmz,inside) 30.30.30.0 30.30.30.0 netmask 255.255.255.0 0 0 to get to the inside from the dmz?

Expert Comment

by:lrmoore
ID: 34865871
You need both an acl and a static

inside DB host = 20.20.20.20
dmz webserver host = 30.30.30.30

static (inside,dmz) 20.20.20.20 20.20.20.20 netmask 255.255.255.255

access-list DMZ_in permit tcp host 30.30.30.30 host 20.20.20.20 eq 80
access-list DMZ_in deny ip 30.30.30.0 255.255.255.0 host 20.20.20.20
access-list DMZ_in permit ip 30.30.30.0 255.255.255.0 any
access-group DMZ_in in interface dmz

Author Comment

by:tljones00
ID: 34865959
I currently have a static (inside,dmz) 10.0.1.0 10.0.1.0 255.255.255.0 0 0, which gets me to the dmz from the inside; you solved that for me earlier in the week.

I do not have an access-group fromdmz in interface dmz because it stops my outbound internet traffic from the dmz server. I'm a bit confused on how to make this work.

I also have access-list fromDMZ permit icmp any any

access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any eq www    not sure this line does anything.

Are the access-list DMZ_in permit lines different from access-list fromDMZ permit in interface dmz? I'm struggling to follow.

Accepted Solution

by:lrmoore (earned 2000 total points)
ID: 34866069
OK, since you have the static, we need to allow traffic from the DMZ to the inside, but only to a specific host, and then deny all other traffic to the inside, then allow everything else.

//-- allow dmz host to internal db server
access-list fromDMZ permit tcp host 30.30.30.30 host 10.0.1.20 eq www

//-- deny any further connectivity between dmz and inside
access-list fromDMZ deny ip 30.30.30.0 255.255.255.0 10.1.1.0 255.255.255.0

//-- allow DNS, ICMP and tcp from the DMZ hosts out to the world
//-- if  you don't put in the above deny statement, this global permit would make the inside wide open
//-- to the DMZ. Defeats the whole purpose of a DMZ
access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any
access-list fromDMZ permit udp 30.30.30.0 255.255.255.0 any eq domain
access-list fromDMZ permit icmp 30.30.30.0 255.255.255.0 any

That ACL will break connectivity to DMZ hosts from inside, unless you NAT them to the dmz interface, so add this:
global 1 (dmz) interface

Author Comment

by:tljones00
ID: 34866198
Will doing any of the following break my inside LAN NAT for general internet usage for my users?

Author Comment

by:tljones00
ID: 34866212
Can I post my config so you can see what I have? It will be sanitized.

Author Comment

by:tljones00
ID: 34866263
Here is my config before I do anything that you said to do:

PIX Version 6.3(5)145
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50


access-list ininside permit icmp any any
access-list ininside permit ip any any
access-list ininside permit esp any any
access-list ininside permit gre any any
access-list ininside permit tcp any any eq telnet
access-list natzero permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outsidein permit icmp any any
access-list outsidein permit tcp host xxxxxxx 10.0.1.0 255.255.255.0 eq 1433
access-list outsidein permit tcp host xxxxxxx 10.0.1.0 255.255.255.0 eq 1434
access-list outsidein permit tcp host xxxxxxx 10.0.1.0 255.255.255.0 eq 1490
access-list outsidein permit tcp any host xx.xx.xx.xx eq www
access-list outsidein permit esp any any
access-list outsidein permit gre any any
access-list outsidein permit tcp any host 69.199.xx.xx eq www
access-list split permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_20 permit icmp xx.xx.xx.x 255.255.255.0 xxx.xxx.x.x 255.255.0.0
access-list INTERNET1 deny ip 10.0.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list INTERNET1 deny ip 10.0.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list INTERNET1 deny ip 10.0.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list INTERNET1 permit ip 10.0.1.0 255.255.255.0 any
access-list NAT-xxx permit ip 10.0.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list NAT-xxx permit ip 10.0.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list NAT-xxx permit ip 10.0.1.0 255.255.255.0 xxx.xxx.0.0 255.255.0.0
access-list VPN-xxx permit ip host xx.xxx.xx.xx xxx.xxx.0.0 255.255.0.0
access-list VPN-xxx permit ip host xx.xxx.xx.xx xxx.xxx.0.0 255.255.0.0
access-list VPN-xxx permit ip host xx.xxx.xx.xx xxx.xxx.0.0 255.255.0.0
access-list fromDMZ permit icmp any any
access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any eq domain
pager lines 24
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 69.xxx.xx.xx 255.255.255.240
ip address inside 10.0.1.245 255.255.255.0
ip address dmz 30.30.30.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm

failover timeout 0:00:00

arp timeout 14400
global (outside) 1 69.199.xx.xx
global (outside) 2 69.199.xx.xx
nat (inside) 0 access-list natzero
nat (inside) 2 access-list NAT-xxx 0 0
nat (inside) 1 access-list INTERNET1 0 0
static (inside,outside) 69.xx.xx.xx xxxxxxx netmask 255.255.255.255 0 0
static (inside,dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) 69.199.xx.xx 30.30.30.2 dns netmask 255.255.255.255 0 0
access-group outsidein in interface outside
access-group ininside in interface inside
route outside 0.0.0.0 0.0.0.0 69.xxx.xx.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.0.1.130 c:\TFTP-root
floodguard enable
telnet 10.0.1.251 255.255.255.255 inside
telnet 10.0.1.58 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 10.0.1.10-10.0.1.199 inside
dhcpd dns 10.0.1.220 10.0.1.200
dhcpd lease 36000
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:76745cadd5876353f4418403864e165e
cisco#

Author Comment

by:tljones00
ID: 34866593
When I add the first line, access-list fromDMZ permit host 30.30.30.2 host 10.0.1.193 eq www,
the PIX takes it but does not allow the traffic. I did not do the deny ip line yet or anything else that you said, as I'm doing them one step at a time. By entering the first line, will that allow my access?

Author Comment

by:tljones00
ID: 34866922
If I add the line access-list fromDMZ permit tcp host 30.30.30.2 host 10.0.1.193 eq www
and then add the line access-group fromDMZ in interface dmz, it works and allows the traffic to the specific inside host.
By doing that it shuts off my outbound internet traffic from the dmz.
Do I still need to apply a deny statement from my dmz to inside even though I just opened it for that one dmz host to the one host on the inside? Or does this expose my internal network?
If I have to use the access-group line, is there a way to still get the internet to work going outbound from the dmz for updates?

Author Comment

by:tljones00
ID: 34867179
Experts,

Can you confirm that the access-list fromDMZ permit tcp host 30.30.30.2 host 10.0.2.193 eq http is safe to use? Will I need to put in a deny statement for all other dmz traffic to inside to prevent a security breach to the inside, or is this locked down enough through one host to the inside host server?

I will be working on this tonight as well, so any help I can get on this would be greatly appreciated.
Thanks

Expert Comment

by:lrmoore
ID: 34867991
You don't have the access-list fromDMZ applied to the interface

access-group fromDMZ in interface dmz

If it was not all safe to use, I would not have suggested it.
If you want it to work, please follow the exact instructions that I have provided above.

Author Comment

by:tljones00
ID: 34868108
I put in what you said except the last line, which was the global 1 (DMZ) interface line, because I still have connectivity to the dmz. Was that line to fix the inside to dmz?

Forgive me, I was not trying to suggest that you did not know what you're talking about. I know you're really good with the PIX. I was just trying to learn as I go with each line and what it was telling me, and was unsure.

Expert Comment

by:lrmoore
ID: 34868123
Without that new global, this line:
 >access-list fromDMZ deny ip 30.30.30.0 255.255.255.0 10.1.1.0 255.255.255.0

could prevent the dmz hosts from responding to the internal systems. As long as you still have connectivity without it, then all should be OK.  If you have problems shortly, then go ahead and add it then.

Author Comment

by:tljones00
ID: 34868134
Will I ever be able to add a line that will also let me hit the internet from that dmz server, since I applied that access-group in interface dmz?
I only have one server in my dmz at this time, but is there a way to test to make sure the deny statement is working as it should? I will be awarding you the points with an A tonight or tomorrow.

Expert Comment

by:lrmoore
ID: 34868225
These two lines should allow full internet access for the DMZ hosts

access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any
access-list fromDMZ permit udp 30.30.30.0 255.255.255.0 any eq domain

I would add the following also:
nat (dmz) 1 0 0 0


Author Comment

by:tljones00
ID: 34868306
What does the nat (dmz) 1 0 0 0 do for me?

Expert Comment

by:lrmoore
ID: 34868339
It provides the required dynamic NAT for the DMZ hosts to go out to the internet.

Author Comment

by:tljones00
ID: 34868400
It seems to hit the internet before I put in the nat (dmz) 1 0 0 0.

Expert Comment

by:lrmoore
ID: 34870861
Only the host with the static can get out. If you have any other hosts in the dmz, you will need the nat statement.
This one is OK.
>static (dmz,outside) 69.199.xx.xx 30.30.30.2 dns netmask 255.255.255.255

Author Comment

by:tljones00
ID: 34871620
Here is what I have that seems to be working. Did I put everything in the right order? I really appreciate all of your help and explaining what each statement is telling me. BTW, why did the eq www line change from http to www? Does the PIX see them as the same? I wanted http instead of www. Also, is there a link that can help me understand more about the deny statements?

static (inside,dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) 69.xxx.xx.xx 30.30.30.2 dns netmask 255.255.255.255 0 0
access-list fromDMZ permit icmp any any
access-list fromDMZ permit tcp host 30.30.30.2 host 10.0.1.67 eq 1433
access-list fromDMZ permit tcp host 30.30.30.2 host 10.0.1.193 eq www
access-list fromDMZ deny ip 30.30.30.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any
access-list fromDMZ permit udp 30.30.30.0 255.255.255.0 any eq domain
access-group fromDMZ in interface dmz

Expert Comment

by:lrmoore
ID: 34875568
>I wanted http instead of www
The PIX/ASA automatically changes the port number to www in this case. Nothing you can do.

Glad you got it sorted.
Most any good read on Cisco acl primers will help you understand access-lists. Just remember that ALL acls (in Cisco world) have the following in common:
1. Always processed top down until first match (never "best match")
2. Always include a hidden (implicit) "deny all" at the end, so you need the permit any to be before the deny all.

Use "show access-list" to see hits on the acl entries (hitcount xxx) for troubleshooting
Try to put the most used/most hits as close to the top as you can for faster top-down processing.
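The two rules lrmoore gives above (top-down first match, implicit deny at the end) and the permit-host / deny-subnet / permit-any ordering of the accepted solution can be checked offline before touching the firewall. The Python script below is an added example written for this thread; it is not code from the thread, from Cisco, or from the PIX itself. It parses the fromDMZ entries exactly as posted in tljones00's final working list, evaluates candidate flows in first-match order the way the PIX does, and shows what the same list permits once the deny line is dropped. The parser only understands the subset of PIX 6.3 ACL syntax that appears on this page (any / host / network-mask addresses and a single "eq" port); the outside addresses 203.0.113.x and the probe flows are constructed for the demonstration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# The PIX stores these names as port numbers, which is why "eq http"
# shows up as "eq www" in the running config.
PORT_NAMES = {"www": 80, "http": 80, "domain": 53}

# The fromDMZ list as posted in the final working config (copied from the thread).
FROMDMZ_CONFIG = """
access-list fromDMZ permit icmp any any
access-list fromDMZ permit tcp host 30.30.30.2 host 10.0.1.67 eq 1433
access-list fromDMZ permit tcp host 30.30.30.2 host 10.0.1.193 eq www
access-list fromDMZ deny ip 30.30.30.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list fromDMZ permit tcp 30.30.30.0 255.255.255.0 any
access-list fromDMZ permit udp 30.30.30.0 255.255.255.0 any eq domain
"""


@dataclass(frozen=True)
class Ace:
    """One access-list entry (subset of PIX 6.3 syntax: no port ranges, no ICMP types)."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int | None              # None means any destination port


def _take_addr(toks: list[str]) -> tuple[ipaddress.IPv4Network, list[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from the front of the token list."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}"), toks[2:]


def parse_acl(config: str, name: str) -> list[Ace]:
    """Collect the entries of access-list NAME in the order they appear in the config."""
    aces: list[Ace] = []
    for line in config.splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[:2] != ["access-list", name]:
            continue
        action, proto, rest = toks[2], toks[3], toks[4:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: list[Ace], proto: str, src: str, dst: str,
             dport: int | None = None) -> tuple[str, int | None]:
    """Return (action, entry_number) for the first matching entry.

    Entries are tried top-down; an "ip" entry matches every protocol, a
    protocol-specific entry matches only its own. If nothing matches, the
    implicit deny at the end of every PIX ACL applies, reported as ("deny", None).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(aces, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


def without_deny(aces: list[Ace]) -> list[Ace]:
    """The same list with every explicit deny removed, i.e. what lrmoore warned against."""
    return [a for a in aces if a.action == "permit"]


FROMDMZ = parse_acl(FROMDMZ_CONFIG, "fromDMZ")

# Constructed probe flows: (proto, src, dst, dport). 30.30.30.9 is a hypothetical
# second DMZ host; 203.0.113.x stands in for arbitrary internet addresses.
PROBES = [
    ("tcp", "30.30.30.2", "10.0.1.193", 80),     # web server -> inside IIS/WCF host
    ("tcp", "30.30.30.2", "10.0.1.67", 1433),    # web server -> inside SQL host
    ("tcp", "30.30.30.2", "10.0.1.50", 445),     # web server -> any other inside host
    ("tcp", "30.30.30.9", "10.0.1.193", 80),     # a different DMZ host -> inside
    ("tcp", "30.30.30.2", "203.0.113.10", 443),  # web server -> internet
    ("udp", "30.30.30.2", "203.0.113.53", 53),   # web server -> external DNS
    ("udp", "30.30.30.2", "203.0.113.53", 123),  # NTP is not permitted: implicit deny
    ("icmp", "30.30.30.2", "10.0.1.50", None),   # ping into inside hits entry 1
]

if __name__ == "__main__":
    for label, acl in (("as posted", FROMDMZ), ("deny line removed", without_deny(FROMDMZ))):
        print(f"--- fromDMZ {label} ---")
        for proto, src, dst, dport in PROBES:
            action, n = evaluate(acl, proto, src, dst, dport)
            where = f"entry {n}" if n else "implicit deny"
            print(f"{proto:4} {src:>12} -> {dst:>14}:{dport!s:<5} {action:6} ({where})")
```

Running it prints the verdict and matching entry for each probe, once for the list as posted and once with the deny removed: in the second run the flow to 10.0.1.50:445 is permitted by the "permit tcp 30.30.30.0 255.255.255.0 any" entry, which is exactly the "inside wide open to the DMZ" case described in the accepted solution. The script also makes visible that "permit icmp any any" sits above the deny, so ICMP from the DMZ to the inside network still matches entry 1; moving that line below the deny, or narrowing it, is the kind of ordering decision the hit counts from "show access-list" help you make on the real box.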