pix 515e DMZ

Discussion in 'Cisco' started by geewiz, May 21, 2007.

  1. geewiz

    geewiz Guest

    This is a well worn problem, but I am not picking up the tricks which
    allow traffic to the dmz. I want to allow

    primary allow
    1) www/https from anything outside to the dmz
    2) ssh from the inside to the webserver
    3) 53/udp from webserver to known external dns hosts
    4) 123/udp from webserver to known external ntp hosts

    secondary allow
    1) ssh from a defined source to the webserver
    2) ssh from a defined source to a specific internal host, 192.168.0.21

    here's my current config
    : Saved
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security30
    enable password 7HdMXPMNkRbJ1zyt encrypted
    passwd XOqQSgghqw/XrF5S encrypted
    hostname ***name***
    domain-name r3g.net
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.0.15 **insidehost**
    name xx.xx.239.23 firewall
    name 192.168.10.1 service
    name 192.168.10.3 webserver
    access-list service permit tcp any host firewall eq www
    access-list service permit tcp any host firewall eq https
    access-list service permit icmp any interface dmz
    access-list outside permit udp host 10.100.192.1 host firewall eq
    bootpc
    access-list outside permit tcp any host webserver eq www
    access-list outside permit tcp any host webserver eq https
    access-list outside permit icmp any any echo-reply
    access-list outside permit icmp any any unreachable
    access-list outside permit icmp any any time-exceeded
    pager lines 24
    logging on
    logging timestamp
    logging standby
    logging buffered debugging
    logging trap notifications
    logging facility 19
    logging host inside **iinsidehost**
    icmp permit any echo-reply outside
    icmp permit any time-exceeded outside
    icmp permit any unreachable outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside firewall 255.255.255.192
    ip address inside network 255.255.255.0
    ip address dmz service 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    no pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    access-group outside in interface outside
    route outside 0.0.0.0 0.0.0.0 xx.xx.239.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    snmp-server host inside **insidehost**
    snmp-server location ccna_closet
    snmp-server enable traps
    tftp-server inside **insidehost** /pix
    floodguard enable
    telnet timeout 5
    ssh 192.168.0.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0

    terminal width 80
    Cryptochecksum:ff291fef2f248d7dd0ae1e442a17df6c
    : end
     
    geewiz, May 21, 2007
    #1
    1. Advertising

  2. Dnia 2007-05-21 06:11 geewiz napisał(a):
    > This is a well worn problem, but I am not picking up the tricks which
    > allow traffic to the dmz. I want to allow
    >
    > primary allow
    > 1) www/https from anything outside to the dmz
    > 2) ssh from the inside to the webserver
    > 3) 53/udp from webserver to known external dns hosts
    > 4) 123/udp from webserver to known external ntp hosts
    >
    > secondary allow
    > 1) ssh from a defined source to the webserver
    > 2) ssh from a defined source to a specific internal host, 192.168.0.21
    >
    > [...]

    Because traffic from interface with lower security level can't flow to
    interface with higher security level by default. You must create
    access-list to allow them so You did. Your access-list 'outside'
    permit tcp connections (OSI model layer 4), but You forgot to
    permit ip protocol (OSI model layer 3).

    Try insert this one:
    access-list outside line 1 permit ip any host webserver

    Now try to do else :)
     
    Remigiusz Kosztowny, May 21, 2007
    #2
    1. Advertising

  3. geewiz

    Hoffa Guest

    On 21 Maj, 12:37, Remigiusz Kosztowny <> wrote:
    > Dnia 2007-05-21 06:11 geewiz napisał(a):> This is a well worn problem, but I am not picking up the tricks which
    > > allow traffic to the dmz. I want to allow

    >
    > > primary allow
    > > 1) www/https from anything outside to the dmz
    > > 2) ssh from the inside to the webserver
    > > 3) 53/udp from webserver to known external dns hosts
    > > 4) 123/udp from webserver to known external ntp hosts

    >
    > > secondary allow
    > > 1) ssh from a defined source to the webserver
    > > 2) ssh from a defined source to a specific internal host, 192.168.0.21

    >
    > > [...]

    >
    > Because traffic from interface with lower security level can't flow to
    > interface with higher security level by default. You must create
    > access-list to allow them so You did. Your access-list 'outside'
    > permit tcp connections (OSI model layer 4), but You forgot to
    > permit ip protocol (OSI model layer 3).
    >
    > Try insert this one:
    > access-list outside line 1 permit ip any host webserver
    >
    > Now try to do else :)


    You are partly correct, traffic from lower sec level cannot flow to
    higher sec level without proper configuration.
    However the suggestion that the problem can be solved by adding a
    permit IP line in addition to permit TCP is just plain wrong. This
    will not solve the problem but instead open a bigger "hole" that
    needed in the firewall. Permit TCP is the way to go, I've used this
    approach hundreds of time for all sorts of applications. HTTP/80,
    HTTPS/443, FTP it all works. A proper example to allow everyone to
    access a web server would be permit tcp any "web server public IP" eq
    www.
    The main addition here is however a static entry. A line that maps an
    external IP to an IP on the DMZ. Example static (DMZ,INTERNET) "Public
    IP", "DMZ IP"

    The static and the permit tcp rule will do the trick if the server is
    set up right.

    Regards
    Fredrik
     
    Hoffa, May 21, 2007
    #3
  4. Dnia 2007-05-21 15:26 Hoffa napisał(a):
    [...]
    > However the suggestion that the problem can be solved by adding a
    > permit IP line in addition to permit TCP is just plain wrong. This

    [...]
    Of course, I have knew it but have no time to correct myself. I'm so
    sorry, my first reply was a little stupid :)

    Geewiz, try this one (I wrote it from my head, without testing):
    > 1) www/https from anything outside to the dmz

    ! access-list to allow NAT from dmz host(s) to outside
    access-list DMZ permit ip host 192.168.10.3 any
    nat (dmz) 2 access-list DMZ
    ! static to nat from outside to dmz
    ! xx.xx.239.yy is a public IP, Your webserver from outside
    static (dmz,outside) tcp xx.xx.239.yy 80 192.168.10.3 80
    static (dmz,outside) tcp xx.xx.239.yy 443 192.168.10.3 443

    ! permit for access from outside to dmz
    access-list IN_OUTSIDE permit tcp any host xx.xx.239.yy eq 80
    access-list IN_OUTSIDE permit tcp any host xx.xx.239.yy eq 443

    Regards,
    R.
     
    Remigiusz Kosztowny, May 21, 2007
    #4
  5. geewiz

    geewiz Guest

    On May 21, 9:36 am, Remigiusz Kosztowny <> wrote:
    > Dnia 2007-05-21 15:26 Hoffa napisa (a):
    > [...]> However the suggestion that the problem can be solved by adding a
    > > permit IP line in addition to permit TCP is just plain wrong. This

    >
    > [...]
    > Of course, I have knew it but have no time to correct myself. I'm so
    > sorry, my first reply was a little stupid :)
    >
    > Geewiz, try this one (I wrote it from my head, without testing):> 1) www/https from anything outside to the dmz
    >
    > ! access-list to allow NAT from dmz host(s) to outside
    > access-list DMZ permit ip host 192.168.10.3 any
    > nat (dmz) 2 access-list DMZ
    > ! static to nat from outside to dmz
    > ! xx.xx.239.yy is a public IP, Your webserver from outside
    > static (dmz,outside) tcp xx.xx.239.yy 80 192.168.10.3 80
    > static (dmz,outside) tcp xx.xx.239.yy 443 192.168.10.3 443
    >
    > ! permit for access from outside to dmz
    > access-list IN_OUTSIDE permit tcp any host xx.xx.239.yy eq 80
    > access-list IN_OUTSIDE permit tcp any host xx.xx.239.yy eq 443
    >
    > Regards,
    > R.


    Thanks! I got it working for a short while until three brief power
    outages seem to have dorked with something. All interfaces seem to be
    working except for the one path from world into DMZ. Internal out to
    world works. Internal to DMZ works. Very puzzling.
     
    geewiz, Jun 13, 2007
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Joko Kendil

    PIX 515E with DMZ

    Joko Kendil, Feb 18, 2004, in forum: Cisco
    Replies:
    1
    Views:
    721
    Erik Tamminga
    Feb 22, 2004
  2. Tom
    Replies:
    1
    Views:
    1,316
    Walter Roberson
    Nov 20, 2004
  3. JohnC
    Replies:
    2
    Views:
    2,593
    JohnC
    Dec 1, 2004
  4. Network-Guy

    Cisco PIX DMZ to DMZ Access

    Network-Guy, Sep 23, 2005, in forum: Cisco
    Replies:
    7
    Views:
    3,968
    Walter Roberson
    Sep 25, 2005
  5. Jack
    Replies:
    0
    Views:
    739
Loading...

Share This Page