RE: [fw-wiz] PIX 520 - control traffic between DMZ and inside devices

From: Brian A Kee (bkee@lurhq.com)
Date: 12/17/02


From: "Brian A Kee" <bkee@lurhq.com>
To: "Eye Am" <eyeam@optonline.net>, <firewall-wizards@honor.icsalabs.com>
Date: Tue Dec 17 10:24:17 2002

Correction!!

I thought about this a little more last night.
The Nat 0 rule should be used for the internal server.

nat (inside) 0 <Internal-ServerIP> <Mask>

BAK

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com]On Behalf Of Brian A
Kee
Sent: Monday, December 16, 2002 6:53 AM
To: Eye Am; firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] PIX 520 - control traffic between DMZ and inside
devices

Remember that with the PIX you must take account for the security level of
the interface. If you are going from a lower security level to a higher
level, you will need a NAT rule and an ACL (conduit). In this case you could
probably use NAT 0(zero). This will allow trafic to traverse the PIX from
the DMZ to the Inside. Keep in mind you will still need ACLs (conduits) to
allow the specified traffic.

Assuming you have the Server Statically mapped to an external Address:
static (dmz,outside) <LocalIP> <GlobalIP> netmask <Mask>

you should be able to configure a nat 0 (zero) rule like:
nat (dmz) 0 <LocalIP> <Mask>

The staqtic shouls translate all requests from the outside world, while the
Nat 0 (zero) rule should grab all request originating from within the
Internal Network.

There should be several other ways to do this.

BAK

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com]On Behalf Of Eye Am
Sent: Monday, December 16, 2002 12:14 PM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] PIX 520 - control traffic between DMZ and inside
devices

Being confused right now, I'll try to word this as un-confusing as possible.

Scenario as follows

The pic at http://security.kicks-ass.org:911/DMZ_CONFIG.gif is the basic
network configuration I need and will be needed to make any sense out of the
following.

PIX 520, Three interfaces - inside, Outside and DMZ.

Webserver (Win2kServer) in DMZ.

6509 Switch with MSM (routing)

Traffic successfully limited to ports 80 and 443 between Outside and DMZ in
the PIX using NAT/Access-list/Group

Default gateway for the all DMZ devices is the PIX int E2 "DMZ"

Default gateway for all inside devices is my.PRV.net.14 "6509MSM"

I can successfully ping any DMZ device from the 6509 MSM si it knows how to
get to DMZ and back.

I cannot ping any inside devices from the PIX "DMZ" interface

I cannot ping any DMZ devices from any devices on the inside

Hers's my quandry: The webserver also needs to be limited to port 1433, TCP
and UDP, to a specific MSSQL server on the inside and all traffic may flow
on all ports to another computer on the inside. How do I control traffic
between DMZ and inside devices?

Is this do-able within the PIX or do I need to use MSM (or combination) to
complete this piece?

I've been tearing my hair out trying to get this to happen in the PIX to no
avail.
Seems no matter what combination of access-lists/groups I install there is
no limit to traffic flowing between DMZ and inside.

TYVM
Chuck Genrich

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards