DMZ pix outside

Forum Index -> comp.dcom.sys.cisco

Bear (Guest)
Posted: Mon Apr 17, 2006 8:13 pm    Post subject: DMZ pix outside

Hello,

I guess this setup is getting too convoluted, as I cannot seem to find
the problem.

For some reason I cannot seem to figure out why my DMZ cannot get
access to the internet. Inbound to the DMZ is working fine, but I don't
have any kind of outbound access. We are using PAT on the outside
interface.

Note: we have 5 static IPs, .42-.46

Can some expert please help me with this one?

Thanks!!!!

The setup is like so.

Router ***.***.223.41

Outside Pix ***.***.223.42
DMZ Pix 192.168.4.251
Webserver 192.168.4.1

access-list outside_access_in extended permit tcp any host ***.***.223.42 eq 3389
access-list outside_access_in extended permit tcp any host ***.***.223.42 eq smtp
access-list outside_access_in extended permit tcp any host ***.***.223.42 eq https
access-list outside_access_in extended permit tcp any host ***.***.223.44 eq www
access-list outside_access_in extended permit tcp any host ***.***.223.44 eq smtp
access-list outside_access_in extended permit tcp any host ***.***.223.46 eq 9003
access-list outside_access_in extended permit tcp any host ***.***.223.46 eq 9002
access-list outside_access_in extended permit tcp any host ***.***.223.46 eq 9001
access-list outside_access_in extended permit tcp any host ***.***.223.43 eq www
access-list outside_access_in extended permit tcp any host ***.***.223.43 eq https
access-list outside_access_in extended permit tcp any host ***.***.223.44 eq https
access-list outside_access_in extended permit tcp host ***.***.232.253 host ***.***.223.44 eq ftp
access-list outside_access_in extended permit tcp any host ***.***.223.43
access-list outside_access_in extended permit tcp any host ***.***.223.43 eq domain
access-list outside_access_in extended permit tcp any host ***.***.223.44 eq ftp
access-list RemoteVPN extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list MSVPN extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list DMZ_To_Inside extended permit tcp host website host Exchange eq smtp
access-list DMZ_To_Inside extended permit icmp any any
access-list DMZ_To_Inside extended permit tcp host website host Exchange eq https
access-list DMZ_To_Inside extended permit tcp host website host AxSQLOr1 eq 1433
arp timeout 14400
global (outside) 200 interface
nat (DMZ) 200 192.168.4.0 255.255.255.0
nat (Inside) 0 access-list VPN
nat (Inside) 200 0.0.0.0 0.0.0.0
static (Inside,outside) tcp interface 3389 192.168.0.1 3389 netmask 255.255.255.255
static (Inside,outside) tcp ***.***.223.42 smtp Exchange smtp netmask 255.255.255.255
static (Inside,outside) tcp interface https Exchange https netmask 255.255.255.255
static (DMZ,outside) tcp ***.***.223.46 9004 SecSvr2 9004 netmask 255.255.255.255
static (DMZ,outside) tcp ***.***.223.44 smtp website smtp netmask 255.255.255.255
static (DMZ,outside) tcp ***.***.223.43 https website https netmask 255.255.255.255
static (DMZ,outside) tcp ***.***.223.43 www website www netmask 255.255.255.255
static (DMZ,outside) tcp ***.***.223.44 www website 81 netmask 255.255.255.255
static (DMZ,outside) tcp ***.***.223.46 9002 SecSvr2 9002 netmask 255.255.255.255
static (DMZ,outside) tcp ***.***.223.46 9001 SecSvr2 9001 netmask 255.255.255.255
static (DMZ,outside) tcp ***.***.223.44 https website 444 netmask 255.255.255.255
static (DMZ,outside) tcp ***.***.223.44 ftp website ftp netmask 255.255.255.255
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group DMZ_To_Inside in interface DMZ
route outside 0.0.0.0 0.0.0.0 ***.***.223.41 1

Thanks again.
Walter Roberson (Guest)
Posted: Mon Apr 17, 2006 8:18 pm    Post subject: Re: DMZ pix outside

In article <1145290405.012590.84840@v46g2000cwv.googlegroups.com>,
Bear <ncointepoix@axiumhealthcare.com> wrote:
> For some reason I cannot seem to figure out why my DMZ cannot get
> access to the internet. Inbound to the DMZ is working fine but I don't
> have any kind of outbound access.
>
> access-list DMZ_To_Inside extended permit tcp host website host Exchange eq smtp
> access-list DMZ_To_Inside extended permit icmp any any
> access-list DMZ_To_Inside extended permit tcp host website host Exchange eq https
> access-list DMZ_To_Inside extended permit tcp host website host AxSQLOr1 eq 1433
>
> access-group DMZ_To_Inside in interface DMZ

When you have an access-group applied to an interface, it overrides
the default behaviour of allowing traffic to go to lower security
interfaces (which only applies if there is no access-group).

Therefore, if you want the DMZ to be able to communicate with the outside,
then you must add the appropriate ACL entries to DMZ_To_Inside.
Bear (Guest)
Posted: Mon Apr 17, 2006 8:27 pm    Post subject: Re: DMZ pix outside

Ok, so I added the lines
access-list DMZ_To_Inside line 5 extended permit tcp host website any eq www
and
access-list DMZ_To_Inside line 5 extended permit tcp host website any eq domain

Is there something else I am missing?

Thanks again for your help!!!
Walter Roberson (Guest)
Posted: Mon Apr 17, 2006 9:49 pm    Post subject: Re: DMZ pix outside

In article <1145291275.319965.167520@g10g2000cwb.googlegroups.com>,
Bear <ncointepoix@axiumhealthcare.com> wrote:
> Ok so I added the lines
> access-list DMZ_To_Inside line 5 extended permit tcp host website any eq www
> and
> access-list DMZ_To_Inside line 5 extended permit tcp host website any eq domain
>
> Is there something else I am missing?

You are missing quoting context -- not many of the regular readers here
use google groups as our primary newsreader, so the previous context
is *not* usually immediately available.

Something that you did leave out there was the block on unwanted
connections from your DMZ to your inside LAN: because 'any' includes
the IP range of your inside network, that ACL allows host website
to contact any www or domain servers on the inside that it can
get a translation to.

Another thing to be aware of is that a lot of sites block DNS over TCP,
and for basic transactions DNS will try UDP first unless it has good
reason to suspect that the reply will be more than 512 bytes long
(possible, but not that common for routine host lookups). I would
thus suggest you permit udp to domain before the tcp to domain
("before" merely under the principle that you should have the most
common cases at the top of the list, unless you are using compiled ACLs).

I notice that you must be using PIX 7.x as PIX 6 and earlier did
not have 'extended' access lists. The usual rule of thumb applies:
"Never use a dot-zero release on a production system: wait a couple
of dot releases for the major bugs to be found and fixed."
rdymek@gmail.com (Guest)
Posted: Mon Apr 17, 2006 10:15 pm    Post subject: Re: DMZ pix outside

To add to what Walter has posted in regards to your two entries:

access-list DMZ_To_Inside line 5 extended permit tcp host website any eq www
access-list DMZ_To_Inside line 5 extended permit tcp host website any eq domain

Since this allows 'website' to ANY address it may have a translation
for on these two ports, a common way to lock it down to just internet
traffic would be to statically permit any inside/private communications
you may want to permit from this server, then, following that, deny
destination to ALL private addressing, and then add the lines you've
specified. By doing this, you explicitly permit particular IP-to-IP on
port www/domain, then deny all other PRIVATE addresses, then permit all
public IPs for ports www/domain.

This is just one way I've seen it done; I'm sure there are others, but
this seems to cover most of it. But this does also open you up to ALL
the internet. If you wanted to be even more paranoid, you could block
particular IP ranges that may be out of the scope of your website, if
any. For instance, if you know you'll only get US traffic, you could
block IP ranges outside the US, etc. etc.

Lastly, 7.1 has been released, so you do have some revisions, but it's
still so new that most people are still waiting a little while before going
the 7.x route - so be warned that you could also experience bugs or
security flaws in the version you're running.

Ryan
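The replies above make three points about DMZ_To_Inside: once an access-group is bound to the DMZ interface, the implicit permit toward lower-security interfaces is gone and only the listed entries apply, followed by the implicit deny; entries are evaluated top to bottom, so the specific DMZ-to-inside permits must come first, then a deny of all private address space, then the Internet permits; and DNS needs UDP 53 permitted, not just TCP 53. The Python below is an added example written for this page (it is neither the thread's own config nor Cisco code) that parses ACL lines in the `access-list NAME extended ...` syntax shown in the thread and evaluates sample flows with first-match semantics. The ACL text is constructed from the advice in the replies; `website` = 192.168.4.1 and the inside network 192.168.0.0/24 come from the original post, while the addresses assumed for `Exchange` and `AxSQLOr1` and the public destination addresses (documentation ranges) are assumptions.

```python
"""First-match evaluation of a PIX/ASA 7.x interface ACL.

Added example, not code from the thread: parses the `access-list NAME
extended action proto src dst [eq port]` lines used on the page and walks
them top to bottom the way the firewall does, ending in the implicit deny.
"""
import ipaddress

# Name table: only website's address is given in the original post; the
# other two are assumptions made for this example.
NAMES = {
    "website": "192.168.4.1",    # from the original post
    "Exchange": "192.168.0.10",  # assumption
    "AxSQLOr1": "192.168.0.20",  # assumption
}
PORTS = {"smtp": 25, "www": 80, "https": 443, "domain": 53, "ftp": 21}

# Constructed ACL following the replies: explicit DMZ->inside permits first,
# then a deny of all RFC 1918 space, then the Internet permits, with UDP 53
# listed before TCP 53 because resolvers try UDP first.
DMZ_TO_INSIDE = """
access-list DMZ_To_Inside extended permit tcp host website host Exchange eq smtp
access-list DMZ_To_Inside extended permit tcp host website host Exchange eq https
access-list DMZ_To_Inside extended permit tcp host website host AxSQLOr1 eq 1433
access-list DMZ_To_Inside extended permit icmp any any
access-list DMZ_To_Inside extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ_To_Inside extended deny ip any 172.16.0.0 255.240.0.0
access-list DMZ_To_Inside extended deny ip any 192.168.0.0 255.255.0.0
access-list DMZ_To_Inside extended permit udp host website any eq domain
access-list DMZ_To_Inside extended permit tcp host website any eq domain
access-list DMZ_To_Inside extended permit tcp host website any eq www
"""


def _addr(tokens):
    """Consume one address spec (any | host X | NET MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(NAMES.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    # ASA syntax uses a real netmask (not a wildcard mask) after the network.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Return the entries in order as (action, proto, src_net, dst_net, dport_or_None)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        assert t[0] == "access-list" and t[2] == "extended", line
        action, proto, rest = t[3], t[4], t[5:]
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORTS.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, port))
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dport=None):
    """Return (action, 1-based entry number) of the first match, or ("deny", None)
    for the implicit deny at the end of every ASA ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (action, rproto, rsrc, rdst, rport) in enumerate(rules, start=1):
        if rproto != "ip" and rproto != proto:   # "ip" entries match any protocol
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action, i
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(DMZ_TO_INSIDE)
    for flow in [("tcp", "192.168.4.1", "192.168.0.10", 25),    # website -> Exchange smtp
                 ("tcp", "192.168.4.1", "192.168.0.10", 80),    # website -> Exchange www
                 ("udp", "192.168.4.1", "198.51.100.53", 53),   # website -> public DNS (UDP)
                 ("tcp", "192.168.4.1", "203.0.113.80", 80),    # website -> public web
                 ("tcp", "192.168.4.1", "203.0.113.80", 443)]:  # website -> public https
        print(flow, "->", evaluate(acl, *flow))
```

Running the block prints one verdict per flow. The flow to Exchange on port 80 is stopped by the RFC 1918 deny at entry 7 even though entry 10 would otherwise let `website` reach `any` www server, which is the exposure both replies warn about; the https flow to a public host hits no entry and falls through to the implicit deny. A real ASA additionally needs a translation (nat/static) for the flow, which this evaluator does not model.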
Bear (Guest)
Posted: Tue Apr 18, 2006 12:20 am    Post subject: Re: DMZ pix outside

Thanks for the updates. I will let you know if I have more issues.

The reason I am at 7.0 is because I am using an ASA, and the ASA comes
with 7.

Thanks!!!
Bear (Guest)
Posted: Tue Apr 18, 2006 12:35 am    Post subject: Re: DMZ pix outside

Guys, thanks for the help. I believe the problem was that:
1.) I did not open up the UDP ports for DNS.
2.) I did not reboot the server, and therefore it took some time for the
updates to be recognized on that box.

One more question: what is 'quoting context'? I always use Google
Groups. Do you recommend a different way?

Thanks again
Walter Roberson (Guest)
Posted: Tue Apr 18, 2006 3:15 am    Post subject: Re: DMZ pix outside

In article <1145306147.201734.75700@i39g2000cwa.googlegroups.com>,
Bear <ncointepoix@axiumhealthcare.com> wrote:
> One more question: what is 'quoting context'?

The portion of your posting that I quoted above provides the context
for this, my reply. The quotation was trimmed down to the parts that
were relevant to this portion of the discussion.

This particular style is called "mid-posting", because my replies are
in the middle of quotations of different points that I am replying to.

There is also a disreputable style called "top-posting" in which one
puts all of one's answer first and then quotes the entire posting
one was replying to (without trimming out the irrelevant parts);
there is a much-less-used but still uncouth style called "bottom-posting"
which involves quoting the entire posting one is replying to first and
then putting one's reply at the bottom. (If the original message
was very short, bottom posting and mid-posting may come out the same, but
top-posting never comes out the same as mid-posting.)

> I always use Google Groups. Do you recommend a different way?

http://cfaj.freeshell.org/google/ has information on how to quote
using the google interface.

People who read a lot of Usenet messages usually end up using
a dedicated piece of software which is generically known as a
"Usenet newsreader". A good newsreader is much faster and gives
much more control than using the google interface -- but if you
only read and post a few messages sporadically, learning a
newsreader might not be worth the time investment. Once one has
gotten accustomed to a good newsreading program, the google
interface seems pretty frustrating as a way to keep on top of
any substantial message volume.
Walter Roberson (Guest)
Posted: Tue Apr 18, 2006 3:17 am    Post subject: Re: DMZ pix outside

In article <1145305211.619341.320600@i39g2000cwa.googlegroups.com>,
Bear <ncointepoix@axiumhealthcare.com> wrote:
> The reason I am at 7.0 is because I am using an ASA, and the ASA comes
> with 7.

Ah, your Subject: specifically indicated PIX. It is best to distinguish
between the two, so that people don't end up giving you irrelevant advice.
Rod Dorman (Guest)
Posted: Tue Apr 18, 2006 6:01 pm    Post subject: Re: DMZ pix outside

In article <1145306147.201734.75700@i39g2000cwa.googlegroups.com>,
Bear <ncointepoix@axiumhealthcare.com> wrote:
> ...
> One more question: what is 'quoting context'? I always use Google
> Groups. Do you recommend a different way?

http://cfaj.freeshell.org/google/

http://www.safalra.com/special/googlegroupsreply/

--
-- Rod --
rodd(at)polylogics(dot)com
Bear (Guest)
Posted: Thu Apr 20, 2006 7:56 pm    Post subject: Re: DMZ pix outside

Thanks for the help!!!

I only put it in the pix newsgroup because it is using the pix
software. Next time I will be more specific.