Solved

Cisco PIX 515E IOS 8.0 NAT / DMZ / ACL configuration assistance needed !

Posted on 2011-09-07
1,085 Views
Last Modified: 2012-05-12
I am in need of configuration assistance for my PIX 515e running the 8.0 version of the ASA IOS.

TOPOLOGY IMAGE AT BOTTOM OF THIS POST

I have full connectivity from the inside hosts to the outside internet.
I am NOT able to ping the DMZ interface
I am NOT able to ping the webserver on the DMZ interface
I am NOT able to get to the internet from the webserver
I am NOT able to RDP (port 20000) from the internet to the webserver
I am NOT able to reach the http site on the webserver from the internet

I understand that the outside interface has an IP address of 192.168.1.107, please do not ask me to change it, I am NOT able to, besides, it doesn't matter. - Sorry for the bluntness but previously this is what everyone I have asked has focused on... I want to get to a solution for the problem rather than talk about how I need to contact my ISP and get a static IP address.  I share my ISP Gateway with other businesses and am not able to change the gateway into bridged mode.
I am figuring that there is an ACL, NAT or PAT issue, please advise.

Running Config of the PIX:

PIX Version 8.0(4)32
!
hostname BDFirewall
enable password xxx encrypted
passwd xxx encrypted
names
name 192.168.1.107 OUTSIDE
name 10.1.10.9 INSIDE
name 192.168.100.1 DMZ
name 192.168.100.14 DMZ_HOST
!
interface Ethernet0
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address OUTSIDE 255.255.255.0
!
interface Ethernet1
speed 100
duplex full
nameif INSIDE
security-level 100
ip address INSIDE 255.255.255.0
!
interface Ethernet2
speed 100
duplex full
nameif DMZ
security-level 50
ip address DMZ 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup INSIDE
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp-udp
description Remote Desktop Protocol 20000
port-object eq 20000
object-group network INSIDE
network-object 10.1.20.0 255.255.255.0
object-group network DMZ
network-object 192.168.100.0 255.255.255.0
object-group icmp-type ICMP_INBOUND
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group network OUTSIDE_HOSTS
network-object host OUTSIDE
object-group service WEB tcp
port-object eq www
port-object eq https
object-group service DNS udp
port-object eq domain
access-list nonat_INSIDE-DMZ remark No NAT Needed
access-list nonat_INSIDE-DMZ extended permit ip object-group INSIDE object-group DMZ
access-list outside extended permit udp any object-group OUTSIDE_HOSTS eq domain
access-list outside remark Permitted Inbound Traffic
access-list outside extended permit tcp any object-group OUTSIDE_HOSTS object-group WEB
access-list outside extended permit udp any object-group OUTSIDE_HOSTS
access-list outside extended permit object-group TCPUDP any object-group OUTSIDE_HOSTS object-group RDP
access-list outside extended permit icmp any object-group OUTSIDE_HOSTS object-group ICMP_INBOUND
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list nonat_INSIDE-DMZ
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (DMZ,OUTSIDE) tcp interface www DMZ_HOST www netmask 255.255.255.255
static (DMZ,OUTSIDE) tcp interface https DMZ_HOST https netmask 255.255.255.255
static (DMZ,OUTSIDE) tcp interface 20000 DMZ_HOST 20000 netmask 255.255.255.255
static (DMZ,OUTSIDE) udp interface domain DMZ_HOST domain netmask 255.255.255.255
static (DMZ,OUTSIDE) udp interface 20000 DMZ_HOST 20000 netmask 255.255.255.255
access-group outside in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.1 1
route INSIDE 10.1.20.0 255.255.255.0 10.1.10.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 10.1.20.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 10
ssh 10.1.20.0 255.255.255.0 INSIDE
ssh timeout 10
console timeout 0
management-access INSIDE
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username Matt password xxx encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fxxx69
: end
my-pic-new.jpg
Question by:xtantaudio
LVL 35

Expert Comment

by:Ernie Beek
Ok, first thing: seeing the outside IP of the PIX, there must be another device in front of it doing NAT as well. Are the incoming ports open on that device? And are those ports forwarded to the outside IP of the PIX?
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 100 total points
Second thing: I think when you look at the logs on the PIX you will see traffic being blocked from the DMZ to the inside (low security to high security). For starters, create an access list for the DMZ allowing pings to the inside range.

Author Comment

by:xtantaudio
Here is an update.

I have solved the issues for remote desktop from the internet into the webserver, as well as RDP from the webserver to the inside network.  

I am also now able to ping all interfaces from all other interfaces !

The next issue is to get domain traffic (port 53) to my inside 10.1.20.12 and 10.1.20.13 servers.  I have the webserver DNS ip addresses set to 10.1.20.13 & 12 so that I can control DNS and so that it can be added as a domain controller, but without the domain traffic being able to make it from the DMZ webserver to the inside network, that will never happen.

The ASDM Gives me a message of :

Deny inbound UDP from DMZ_HOST/49188 to 10.1.20.12/53 due to DNS Query


Here is the updated running-config:

PIX Version 8.0(4)32
!
hostname BDFirewall
enable password xxx encrypted
passwd xxx encrypted
names
name 192.168.1.107 OUTSIDE
name 10.1.10.9 INSIDE
name 192.168.100.1 DMZ
name 192.168.100.14 DMZ_HOST
!
interface Ethernet0
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address OUTSIDE 255.255.255.0
!
interface Ethernet1
speed 100
duplex full
nameif INSIDE
security-level 100
ip address INSIDE 255.255.255.0
!
interface Ethernet2
speed 100
duplex full
nameif DMZ
security-level 50
ip address DMZ 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup INSIDE
dns domain-lookup DMZ
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp-udp
description Remote Desktop Protocol 20000
port-object eq 20000
object-group network INSIDE
network-object 10.1.20.0 255.255.255.0
network-object 10.1.10.0 255.255.255.0
object-group network DMZ
network-object 192.168.100.0 255.255.255.0
object-group icmp-type ICMP_INBOUND
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
icmp-object echo
object-group network OUTSIDE_HOSTS
network-object host OUTSIDE
object-group service WEB tcp
port-object eq www
port-object eq https
object-group service DNS tcp-udp
port-object eq domain
object-group service Standard_RDP tcp
port-object eq 3389
object-group network DM_INLINE_NETWORK_1
network-object 10.1.10.0 255.255.255.0
network-object host INSIDE
network-object 10.1.20.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 192.168.100.0 255.255.255.0
network-object host DMZ
access-list nonat_INSIDE-DMZ remark No NAT Needed
access-list nonat_INSIDE-DMZ extended permit ip object-group INSIDE object-group DMZ
access-list outside remark Permitted Inbound Traffic
access-list outside extended permit tcp any object-group OUTSIDE_HOSTS object-group WEB
access-list outside remark Remote Desktop
access-list outside extended permit object-group TCPUDP any object-group OUTSIDE_HOSTS object-group RDP
access-list outside remark ICMP Permitted Traffic
access-list outside extended permit icmp any object-group OUTSIDE_HOSTS object-group ICMP_INBOUND
access-list outside remark Permitted Inbound Traffic
access-list outside remark Remote Desktop
access-list outside remark ICMP Permitted Traffic
access-list outside remark Permitted Inbound Traffic
access-list outside remark Remote Desktop
access-list outside remark ICMP Permitted Traffic
access-list nat_DMZ-OUTSIDE remark NAT Needed
access-list nat_DMZ-OUTSIDE extended permit ip object-group DMZ any
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_1 object-group Standard_RDP
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list nonat_INSIDE-DMZ
nat (INSIDE) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 access-list nat_DMZ-OUTSIDE
static (DMZ,OUTSIDE) tcp interface www DMZ_HOST www netmask 255.255.255.255
static (DMZ,OUTSIDE) tcp interface https DMZ_HOST https netmask 255.255.255.255
static (DMZ,OUTSIDE) tcp interface 20000 DMZ_HOST 20000 netmask 255.255.255.255
static (DMZ,OUTSIDE) tcp interface domain DMZ_HOST domain netmask 255.255.255.255
static (DMZ,OUTSIDE) udp interface 20000 DMZ_HOST 20000 netmask 255.255.255.255
access-group outside in interface OUTSIDE
access-group DMZ_access_in in interface DMZ
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.1 1
route INSIDE 10.1.20.0 255.255.255.0 10.1.10.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 10.1.20.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 10
ssh 10.1.20.0 255.255.255.0 INSIDE
ssh timeout 10
console timeout 0
management-access INSIDE
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username Matt password xxx encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxx
: end

Accepted Solution

by:
xtantaudio earned 0 total points
I have resolved the issue with an access-list command permitting the port 53 traffic from the DMZ interface to the Inside interface and then adding the

same-security-traffic permit intra-interface

in the configure terminal mode

Communication between the DMZ and the DNS Servers is complete and the ability to add the webserver as a domain controller is completed.  I am no longer seeing the udp blocked message in the ASDM log.
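Added worked example, not part of this thread and not Cisco's code: a small Python evaluator that walks the DMZ_access_in list the way the PIX does (first matching entry wins, and once an access-group is bound to an interface everything not listed hits the implicit deny, which is why the ASDM log above shows the UDP/53 query from DMZ_HOST being dropped even though DMZ-to-inside RDP works). It covers both Ernie's point about needing an explicit DMZ access list for traffic towards the inside and the accepted solution's port 53 permit. The config excerpt is lifted from the updated running-config posted above; the permit line for DNS is an assumption modelled on the thread's own RDP entry on the outside ACL, because the accepted solution describes the access-list but does not show its text. The same-security-traffic command from the accepted solution is not modelled here.

```python
from ipaddress import ip_address, ip_network

# Constructed excerpt of the updated running-config posted in this thread:
# only the lines that decide DMZ -> INSIDE traffic (names, object-groups,
# the DMZ ACL and its access-group).
CONFIG = """
name 10.1.10.9 INSIDE
name 192.168.100.1 DMZ
name 192.168.100.14 DMZ_HOST
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network INSIDE
network-object 10.1.20.0 255.255.255.0
network-object 10.1.10.0 255.255.255.0
object-group network DMZ
network-object 192.168.100.0 255.255.255.0
object-group service DNS tcp-udp
port-object eq domain
object-group service Standard_RDP tcp
port-object eq 3389
object-group network DM_INLINE_NETWORK_1
network-object 10.1.10.0 255.255.255.0
network-object host INSIDE
network-object 10.1.20.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 192.168.100.0 255.255.255.0
network-object host DMZ
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_1 object-group Standard_RDP
access-group DMZ_access_in in interface DMZ
"""

# ASSUMED fix line (not shown in the thread), written in the same form as the
# thread's own RDP entry on the outside ACL and using only object-groups that
# exist in the posted config.
FIX_ACE = ("access-list DMZ_access_in extended permit object-group TCPUDP "
           "object-group DMZ object-group INSIDE object-group DNS")

PORT_NAMES = {"domain": 53, "www": 80, "https": 443}  # service names the config uses


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _parse_ace(t, names, groups):
    """Parse the tokens after 'access-list <name> extended' into one entry."""
    action, i = t[0], 1
    if t[i] == "object-group":                      # protocol object-group
        protos, i = set(groups[t[i + 1]]), i + 2
    else:                                           # tcp / udp / ip / icmp
        protos, i = {t[i]}, i + 1

    def addr(i):                                    # any | host X | object-group G | net mask
        if t[i] == "any":
            return [ip_network("0.0.0.0/0")], i + 1
        if t[i] == "host":
            return [ip_network(names.get(t[i + 1], t[i + 1]))], i + 2
        if t[i] == "object-group":
            return groups[t[i + 1]], i + 2
        return [ip_network(f"{t[i]}/{t[i + 1]}")], i + 2

    src, i = addr(i)
    dst, i = addr(i)
    ports = None                                    # None = any destination port
    if i < len(t):
        ports = {_port(t[i + 1])} if t[i] == "eq" else set(groups[t[i + 1]])
    return {"action": action, "protos": protos, "src": src, "dst": dst, "ports": ports}


def parse_config(text):
    """Return (names, groups, acls, access_groups) from PIX/ASA 8.0 config lines."""
    names, groups, acls, access_groups = {}, {}, {}, {}
    current = None
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "name":                          # name <ip> <label>
            names[t[2]] = t[1]
        elif t[0] == "object-group":                # object-group <kind> <name> [...]
            current = groups.setdefault(t[2], [])
        elif t[0] == "protocol-object":
            current.append(t[1])
        elif t[0] == "port-object":                 # port-object eq <port>
            current.append(_port(t[2]))
        elif t[0] == "network-object":
            if t[1] == "host":
                current.append(ip_network(names.get(t[2], t[2])))
            else:
                current.append(ip_network(f"{t[1]}/{t[2]}"))
        elif t[0] == "access-list" and t[2] == "extended":  # remarks are skipped
            acls.setdefault(t[1], []).append(_parse_ace(t[3:], names, groups))
        elif t[0] == "access-group":                # access-group <acl> in interface <ifc>
            access_groups[t[4]] = t[1]
    return names, groups, acls, access_groups


def evaluate(cfg, ingress_ifc, proto, src_ip, dst_ip, dst_port=None):
    """First matching entry of the inbound ACL on ingress_ifc decides; a bound ACL
    ends with an implicit deny, regardless of interface security levels."""
    names, groups, acls, access_groups = cfg
    acl = access_groups.get(ingress_ifc)
    if acl is None:
        return "no ACL (security-level rules apply)"
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for ace in acls[acl]:
        if not (ace["protos"] & {proto, "ip"}):
            continue
        if not any(s in n for n in ace["src"]) or not any(d in n for n in ace["dst"]):
            continue
        if ace["ports"] is not None and dst_port not in ace["ports"]:
            continue
        return ace["action"]
    return "deny (implicit)"


# The flow from the ASDM message: DMZ_HOST/49188 -> 10.1.20.12/53 UDP
def dns_flow_before():
    return evaluate(parse_config(CONFIG), "DMZ", "udp", "192.168.100.14", "10.1.20.12", 53)

def dns_flow_after():
    cfg = parse_config(CONFIG.rstrip() + "\n" + FIX_ACE)
    return evaluate(cfg, "DMZ", "udp", "192.168.100.14", "10.1.20.12", 53)

def rdp_flow():          # the traffic the author already got working
    return evaluate(parse_config(CONFIG), "DMZ", "tcp", "192.168.100.14", "10.1.20.12", 3389)

def ping_inside_host():  # anything not listed still falls to the implicit deny
    cfg = parse_config(CONFIG.rstrip() + "\n" + FIX_ACE)
    return evaluate(cfg, "DMZ", "icmp", "192.168.100.14", "10.1.20.12")


if __name__ == "__main__":
    print("DNS before fix:", dns_flow_before())
    print("DNS after fix: ", dns_flow_after())
    print("RDP:           ", rdp_flow())
    print("ICMP to inside:", ping_inside_host())
```

The point the evaluator makes visible: the original DMZ_access_in list only permits TCP/3389 into the inside ranges, so the DNS query is dropped by the implicit deny at the end of the list, not by any explicit rule, and adding the DNS permit fixes only DNS; every other DMZ-to-inside protocol stays blocked until it is listed, which is the desired least-privilege behaviour for a DMZ host.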

Author Closing Comment

by:xtantaudio
My last post is the resolution to the ability for the firewall to allow for communication back to the interface that supplied the information.  Also the access-list for the forwarding of port 52 information allows for the data to be passed to the inside DMZ servers.

Author Comment

by:xtantaudio
My last post is the resolution to the ability for the firewall to allow for communication back to the interface that supplied the information.  Also the access-list for the forwarding of port 52 information allows for the data to be passed to the inside DMZ servers.
LVL 35

Expert Comment

by:Ernie Beek
Good morning. Glad to see you were able to figure it out.
Thx for the points.