how to config 515-e-dmz dmz routes & ACL?

Discussion in 'Cisco' started by JohnC, Dec 5, 2004.

  1. JohnC

    JohnC Guest

    pix501 to pix515e-dmz to 4700 to internetworks

    dmz is on third interface in 515e-dmz.

    I am unclear as how to config the dmz. I also have public addresses on the
    dmz segment, but from what I have read, I think I can leave all of the
    public address in one segment 255.255.255.240 instead of subnetting further
    to 225.255.255.248 and just nat address to the dmz.

    What do you suggest on the pix 515e-dmz config?
    thanks,
    John

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ-intf2 security4
    enable password xxx encrypted
    passwd xxx encrypted
    hostname xxx
    domain-name xxx.com
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit tcp any eq pcanywhere-data any eq pcanywhere-data
    access-list outside_access_in permit udp any eq pcanywhere-status any eq pcanywhere-status
    access-list outside_access_in permit tcp any eq pptp any eq pptp
    access-list outside_access_in permit udp any eq 1723 any eq 1723
    access-list outside_access_in remark UDP 500
    access-list outside_access_in permit udp any eq isakmp any eq isakmp
    access-list outside_access_in remark IP Protocol ESP 50
    access-list outside_access_in permit esp any any
    access-list outside_access_in permit tcp any eq 137 any
    access-list outside_access_in permit udp any eq netbios-ns any
    access-list outside_access_in remark SNTP
    access-list outside_access_in permit tcp any eq 123 any
    access-list outside_access_in remark SNTP
    access-list outside_access_in permit udp any eq ntp any
    access-list outside_access_in permit udp any any eq 4500
    access-list inside_outbound_nat0_acl permit ip any 192.x.x.44 255.255.255.252
    access-list outside_cryptomap_dyn_20 permit ip any 192.x.x.44 255.255.255.252
    access-list 101 permit ip 192.x.x.0 255.255.255.0 192.x.x.0 255.255.255.0
    access-list inside_access_in remark allow any outbound tcp
    access-list inside_access_in permit tcp any any
    access-list inside_access_in remark permit any outbound udp
    access-list inside_access_in permit udp any any
    access-list inside_access_in remark enable any outbound ip
    access-list inside_access_in permit ip any any
    pager lines 24
    logging on
    logging timestamp
    logging console informational
    logging buffered informational
    logging trap informational
    logging history informational
    logging device-id string xxx
    logging host inside 192.x.x.161 format emblem
    mtu outside 1500
    mtu inside 1500
    mtu DMZ-intf2 1500
    ip address outside 69.x.x.82 255.255.255.248
    ip address inside 192.x.x.1 255.255.255.0
    ip address DMZ-intf2 69.x.x.89 255.255.255.248
    ip verify reverse-path interface outside
    ip verify reverse-path interface DMZ-intf2
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 200
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 69.x.x5.81 1
    route inside 192.x.x.0 255.255.255.0 192.x.x.2 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authorization command LOCAL
    http server enable
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet timeout 5
    ssh timeout 60
    management-access inside
    console timeout 30
    dhcpd auto_config outside
    terminal width 80
     
    JohnC, Dec 5, 2004
    #1

  2. John,

    I'm not 100% sure what you're asking.

    The very easiest way to configure a pix, if you're not used to it, is to
    use the PDM web interface.

    The dmz is a separate network hanging off the side of the firewall and
    needs to be treated as such, i.e., have its own subnet. If you want to
    advertise boxes on there to the internet, then put in static nats to
    your public range and open the relevant ports.

    Hope this is of some help.
    LH
     
    Leigh Harrison, Dec 5, 2004
    #2

  3. JohnC

    JohnC Guest

    I'll set up the static nats - I think that is where I was getting stuck -
    any suggestions where to look for the recommended steps to do this? It
    would have been nice if the PDM had a wizard to set up the DMZ.

    Also, the previous owner deleted the factory default config - so far, I
    haven't found a default config to download from the cisco website to store
    on flash.
    John
     
    JohnC, Dec 6, 2004
    #3
  5. :Also, the previous owner deleted the factory default config - so far, I
    :haven't found a default config to download from the cisco website to store
    :on flash.

    Urrr,

    clear configure all
    clear configure flashfs

    will restore anything but a 501 or 506/506E to its factory configuration.

    For the 501, clear configure factory-default
    will always work to reset to the factory configuration. For a
    506 or 506E that was shipped with PIX 6.2 or later, proceed as with
    the 501; for a 506 or 506E that was shipped before PIX 6.2, proceed as
    for the other kinds of systems. You can use the factory-default
    one on PIX 506 or 506E that was shipped before 6.2 but later upgraded
    to 6.2 or beyond, but then you get into semantics about what
    exactly is meant by "factory default". When the factory-default option
    is used on a 501 or 506/506E, it resets the configuration to be
    one that has an inside network of 192.168.1.x/24 and which is
    permitted PAT through a DHCP'd outside IP. That's the factory default
    for all 501s and for 506/506E shipped with 6.2 onwards; for everything
    else, including older 506/506E, the factory default is an essentially
    empty configuration with no networks or IPs at all configured.
     
    Walter Roberson, Dec 6, 2004
    #5
  6. JohnC

    JohnC Guest

    hi Walter,
    Thanks for the reply, but I have the 515e-dmz - when I tried the factory
    reset from the pdm, it said unable to restore factory config. I can't try
    it now as we are trying to get the 515e-dmz up for a T1 that needs to go
    live in 2 days.

    So far, we are unable to create the nat and static route via the pdm. We'll
    keep on it for a bit, then post the config if we can't get it working. I
    can see why the previous owner sold this pix - we are following the cisco
    article from tac, but they just are not working on setting up the dmz.
    john
     
    JohnC, Dec 6, 2004
    #6
  7. :Thanks for the reply, but I have the 515e-dmz - when I tried the factory
    :reset from the pdm, it said unable to restore factory config.

    As I indicated, the 515E is not one of the devices that supports
    factory reset as such. Go into the PDM command line mode and
    send the clear of the flashfs and then the clear of the main configure.
    At that point, you'll lose communications with the 515E as it won't
    have an IP address for the PDM to talk to, so be prepared with a
    serial console.
     
    Walter Roberson, Dec 6, 2004
    #7
  8. JohnC

    JohnC Guest

    JohnC, Dec 6, 2004
    #8
  9. JohnC

    JohnC Guest

    Can't get nat to translate to or from dmz.
    -----------------------------------------
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ-intf2 security4
    enable password x encrypted
    passwd x encrypted
    hostname x
    domain-name x.com
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside_access_in permit icmp any any
    xx
    access-list outside_access_in permit tcp any eq pptp any eq pptp
    access-list outside_access_in permit udp any eq 1723 any eq 1723
    access-list outside_access_in remark UDP 500
    access-list outside_access_in permit udp any eq isakmp any eq isakmp
    access-list outside_access_in remark IP Protocol ESP 50
    access-list outside_access_in permit esp any any
    access-list outside_access_in permit tcp any eq 137 any
    access-list outside_access_in permit udp any eq netbios-ns any
    access-list outside_access_in remark SNTP
    access-list outside_access_in permit tcp any eq 123 any
    access-list outside_access_in remark SNTP
    access-list outside_access_in permit udp any eq ntp any
    access-list outside_access_in permit udp any any eq 4500
    access-list outside_access_in permit tcp any host 69.x.x.90 eq www
    access-list outside_access_in permit tcp any host 69.x.x.90 eq https
    access-list inside_outbound_nat0_acl permit ip any 192.168.x.44 255.255.255.252
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.x.44 255.255.255.252
    ....
    access-list inside_access_in remark allow any outbound tcp
    access-list inside_access_in permit tcp any any
    access-list inside_access_in remark permit any outbound udp
    access-list inside_access_in permit udp any any
    access-list inside_access_in remark enable any outbound ip
    access-list inside_access_in permit ip any any
    access-list DMZ-intf2_access_in permit tcp any any
    pager lines 24
    logging on
    logging timestamp
    logging console informational
    logging buffered informational
    logging trap informational
    logging history informational
    logging device-id string ...
    logging host inside ...
    mtu outside 1500
    mtu inside 1500
    mtu DMZ-intf2 1500
    ip address outside 69.x.x.82 255.255.255.240
    ip address inside 192.168.x.1 255.255.255.0
    ip address DMZ-intf2 192.168.x.1 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface DMZ-intf2
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ...
    ....
    pdm logging informational 200
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0
    static (DMZ-intf2,outside) 69.x.x.90 xxxx netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group DMZ-intf2_access_in in interface DMZ-intf2
    route outside 0.0.0.0 0.0.0.0 69.x.x.81 1
    route inside 192.168.x.0 255.255.255.0 192.168.x.2 1
    ......
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authorization command LOCAL
    http server enable
    http 192.168.x.0 255.255.255.0 inside
    ....
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    .....
    telnet timeout 5
    ssh timeout 60
    management-access inside
    console timeout 30
    .....
    dhcpd auto_config outside
    terminal width 80
    .....
    : end
     
    JohnC, Dec 6, 2004
    #9
  10. :Can't get nat to translate to or from dmz.

    You haven't been very clear about what you are trying to do.

    :PIX Version 6.3(4)
    :nameif ethernet2 DMZ-intf2 security4

    :access-list outside_access_in permit tcp any host 69.x.x.90 eq www
    :access-list outside_access_in permit tcp any host 69.x.x.90 eq https

    Hazarding a guess here: you want a www server to be on the dmz and
    you want its public address to be 69.x.x.90 ?

    :access-list inside_access_in remark allow any outbound tcp
    :access-list inside_access_in permit tcp any any
    :access-list inside_access_in remark permit any outbound udp
    :access-list inside_access_in permit udp any any
    :access-list inside_access_in remark enable any outbound ip
    :access-list inside_access_in permit ip any any

    The last of those lines renders all the others redundant. And you
    might as well just get rid of the ACL entirely and not apply
    any access-group to the inside interface, if you are going to permit
    everything anyhow.


    :access-list DMZ-intf2_access_in permit tcp any any

    You aren't permitting back the standard icmp maintenance messages
    that are needed to implement MTU Path Discovery. You should be permitting
    icmp ttl-exceeded and icmp unreachable to go out of the DMZ. You
    should also consider which hosts [including on the inside] you
    want the dmz systems to be able to send icmp echo-reply to so that
    you can ping the dmz system.


    :ip address outside 69.x.x.82 255.255.255.240
    :ip address inside 192.168.x.1 255.255.255.0
    :ip address DMZ-intf2 192.168.x.1 255.255.255.0

    If we read those last two "algebraically", then you can't do that.
    Your dmz interface and your inside interface must be on different
    networks. If your inside interface is 192.168.x/24 then your
    dmz interface has to be something else such as 192.168.y/24 where
    x is not the same as y.


    :ip verify reverse-path interface outside
    :ip verify reverse-path interface DMZ-intf2

    :global (outside) 1 interface
    :nat (inside) 0 0.0.0.0 0.0.0.0 0 0
    :static (DMZ-intf2,outside) 69.x.x.90 xxxx netmask 255.255.255.255 0 0

    In that statement, is xxxx something in the 192.168.x/24 IP range?
    If you try to use anything else on the dmz interface, then your
    reverse-path verification is going to kill the packets.

    I notice that you do not have any global (dmz) 1 interface
    or similar, nor any static between inside and DMZ-intf2. You need
    a global or a static statement in order for the inside systems
    to be able to reach the dmz systems.

    :access-group outside_access_in in interface outside
    :access-group inside_access_in in interface inside
    :access-group DMZ-intf2_access_in in interface DMZ-intf2

    :route outside 0.0.0.0 0.0.0.0 69.x.x.81 1
    :route inside 192.168.x.0 255.255.255.0 192.168.x.2 1

    That last statement is unnecessary unless 192.168.x.2
    is a router within your inside LAN, and it's probably wrong as well.
    If all hosts on your inside LAN are in 192.168.x/24 then just leave
    out that 'route inside' statement, as the PIX inside interface
    will ARP for the destination hosts and will detect them directly
    provided they are not in a different IP address range.


    If your xxxx in your static is an IP in a 192.168.?/24 address range
    that is the same address range assigned to the DMZ, and that address
    range is a different address range than for the inside interface,
    and if the 'route inside' statement is not referring to the DMZ address
    range, then the configuration you posted should be able to
    allow new connections to a WWW server that lives on the DMZ and
    whose public IP is 69.x.x.90 . [You might have DNS issues, but that's
    a different matter.]
     
    Walter Roberson, Dec 7, 2004
    #10
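The checks Walter walks through in post #10 can be run mechanically against a config dump. The following is an added example, not code from the thread: it parses a constructed PIX 6.3 fragment modelled on JohnC's second post (the 203.0.113.x and 192.168.x addresses, the interface names and the function names are assumptions), reports the subnet overlap, the reverse-path conflict with the static, the missing inside-to-DMZ translation and the missing ICMP types, and then shows the same fragment passing once the advice is applied.

```python
# Added example, not from the thread: flag the PIX 6.3 problems Walter
# raises in post #10. Addresses and interface names are constructed.
import ipaddress
import re

# Constructed config mirroring JohnC's second post: inside and DMZ share
# a /24, nothing translates inside<->DMZ, the DMZ ACL passes no ICMP.
BROKEN = """\
ip address outside 203.0.113.2 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip address DMZ-intf2 192.168.1.1 255.255.255.0
ip verify reverse-path interface DMZ-intf2
global (outside) 1 interface
static (DMZ-intf2,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255 0 0
access-list DMZ-intf2_access_in permit tcp any any
access-group DMZ-intf2_access_in in interface DMZ-intf2
"""
FIXED = BROKEN.replace("DMZ-intf2 192.168.1.1", "DMZ-intf2 192.168.2.1") + """\
static (inside,DMZ-intf2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-list DMZ-intf2_access_in permit icmp any any unreachable
access-list DMZ-intf2_access_in permit icmp any any time-exceeded
"""  # post #10's advice applied: own /24, inside->DMZ static, PMTUD ICMP

def parse(config):
    cfg = {"iface": {}, "rpf": set(), "global": set(), "static": [], "acl": {}, "acl_if": {}}
    for line in config.splitlines():
        if m := re.match(r"ip address (\S+) (\S+) (\S+)", line):
            cfg["iface"][m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r"ip verify reverse-path interface (\S+)", line):
            cfg["rpf"].add(m[1])
        elif m := re.match(r"global \((\S+)\)", line):
            cfg["global"].add(m[1])
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line):
            cfg["static"].append(m.groups())  # real_if, mapped_if, mapped_ip, real_ip
        elif m := re.match(r"access-list (\S+) permit (\S+) \S+ \S+ ?(\S*)", line):
            cfg["acl"].setdefault(m[1], set()).add((m[2], m[3]))  # (proto, icmp type)
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["acl_if"][m[2]] = m[1]
    return cfg

def check(cfg, inside="inside", dmz="DMZ-intf2"):
    found = []
    if cfg["iface"][inside].network.overlaps(cfg["iface"][dmz].network):
        found.append("inside and DMZ interfaces share a network")
    for real_if, _, _, real_ip in cfg["static"]:
        net = cfg["iface"][real_if].network  # reverse-path drops real IPs off this net
        if real_if in cfg["rpf"] and ipaddress.ip_address(real_ip) not in net:
            found.append(f"reverse-path on {real_if} would drop {real_ip}")
    if dmz not in cfg["global"] and not any(s[:2] == (inside, dmz) for s in cfg["static"]):
        found.append("no global or static for inside -> DMZ")
    acl = cfg["acl"].get(cfg["acl_if"].get(dmz), set())
    for t in ("unreachable", "time-exceeded"):  # needed for path MTU discovery
        if ("icmp", t) not in acl:
            found.append(f"DMZ ACL lacks icmp {t}")
    return found
```

Running `check(parse(BROKEN))` lists all five problems; `check(parse(FIXED))` returns an empty list.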