Re: [fw-wiz] PIX 520 - control traffic between DMZ and inside devices

From: Eye Am (eyeam@optonline.net)
Date: 12/17/02


From: "Eye Am" <eyeam@optonline.net>
To: "Brian A Kee" <bkee@lurhq.com>
Date: Tue Dec 17 15:50:17 2002

Thanks Brian!

We did use NAT, static xlate from DMZ to inside, and access-lists to limit
port/machine access from DMZ to inside. Cisco finally helped me figure out
why I was confused and why it wasn't working as desired. Interestingly they
had me create static xlates very different than any of the "rules" state on
any CCO documents I read.

Normally a static statement xlates two different IP addies but they had me
NAT the same IP address inside and DMZ. Never saw that done and haven't
found anything on CCO discussing the practice.

Also since our DMZ machines have a default gateway of the PIX and our inside
machines have a default gateway of the MSM router, traffic would never flow
between the two interfaces without configuration on the MSM.

We set up Policy Based Routing on the MSM applying access-lists to the
inside VLAN. Without this, even static routes assigned on the servers will
not flow to the DMZ. This had something to do with the metric of static
routes being overridden by that of the direct connected vlans.

Thanks again for your help.

----- Original Message -----
From: "Brian A Kee" <bkee@lurhq.com>
To: "Eye Am" <eyeam@optonline.net>; <firewall-wizards@honor.icsalabs.com>
Sent: Tuesday, December 17, 2002 9:47 PM
Subject: RE: [fw-wiz] PIX 520 - control traffic between DMZ and inside
devices

> Correction!!
>
> I thought about this a little more last night.
> The Nat 0 rule should be used for the internal server.
>
> nat (inside) 0 <Internal-ServerIP> <Mask>
>
> BAK
>
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com]On Behalf Of Brian A
> Kee
> Sent: Monday, December 16, 2002 6:53 AM
> To: Eye Am; firewall-wizards@honor.icsalabs.com
> Subject: RE: [fw-wiz] PIX 520 - control traffic between DMZ and inside
> devices
>
>
> Remember that with the PIX you must take account for the security level of
> the interface. If you are going from a lower security level to a higher
> level, you will need a NAT rule and an ACL (conduit). In this case you
> could
> probably use NAT 0(zero). This will allow traffic to traverse the PIX from
> the DMZ to the Inside. Keep in mind you will still need ACLs (conduits) to
> allow the specified traffic.
>
>
> Assuming you have the Server Statically mapped to an external Address:
> static (dmz,outside) <LocalIP> <GlobalIP> netmask <Mask>
>
> you should be able to configure a nat 0 (zero) rule like:
> nat (dmz) 0 <LocalIP> <Mask>
>
> The static should translate all requests from the outside world, while
> the
> Nat 0 (zero) rule should grab all request originating from within the
> Internal Network.
>
> There should be several other ways to do this.
>
> BAK
>
>
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com]On Behalf Of Eye Am
> Sent: Monday, December 16, 2002 12:14 PM
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] PIX 520 - control traffic between DMZ and inside
> devices
>
>
> Being confused right now, I'll try to word this as un-confusing as
> possible.
>
> Scenario as follows
>
> The pic at http://security.kicks-ass.org:911/DMZ_CONFIG.gif is the basic
> network configuration I need and will be needed to make any sense out of
> the
> following.
>
> PIX 520, Three interfaces - inside, Outside and DMZ.
>
> Webserver (Win2kServer) in DMZ.
>
> 6509 Switch with MSM (routing)
>
> Traffic successfully limited to ports 80 and 443 between Outside and DMZ
> in
> the PIX using NAT/Access-list/Group
>
> Default gateway for the all DMZ devices is the PIX int E2 "DMZ"
>
> Default gateway for all inside devices is my.PRV.net.14 "6509MSM"
>
> I can successfully ping any DMZ device from the 6509 MSM so it knows how
> to
> get to DMZ and back.
>
> I cannot ping any inside devices from the PIX "DMZ" interface
>
> I cannot ping any DMZ devices from any devices on the inside
>
> Here's my quandary: The webserver also needs to be limited to port 1433,
> TCP
> and UDP, to a specific MSSQL server on the inside and all traffic may flow
> on all ports to another computer on the inside. How do I control traffic
> between DMZ and inside devices?
>
> Is this do-able within the PIX or do I need to use MSM (or combination) to
> complete this piece?
>
> I've been tearing my hair out trying to get this to happen in the PIX to
> no
> avail.
> Seems no matter what combination of access-lists/groups I install there is
> no limit to traffic flowing between DMZ and inside.
>
>
> TYVM
> Chuck Genrich
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
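The configuration the thread converges on, written out as an added example (this is not from any message above, and not a Cisco document): an identity static on the PIX so the inside SQL server and the second inside host are reachable from the DMZ under their own addresses, an access-list on the DMZ interface that permits only TCP/UDP 1433 to the SQL server and all IP to the other host, and policy-based routing on the 6509 MSM so inside-VLAN traffic bound for the DMZ is handed to the PIX. All addresses, interface and ACL names, the VLAN number, and the PIX 6.x-style syntax are assumptions for illustration.

```cisco
! ===== PIX 520 (6.x-style syntax) - added example, constructed addresses =====
! inside 10.1.1.0/24  : SQL server 10.1.1.50, other inside host 10.1.1.60
! dmz    192.168.100.0/24 : web server 192.168.100.10
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0
!
! Identity static: the inside hosts appear to the DMZ under their real IPs
! (the "same IP on both sides" xlate the thread describes). Without some
! translation for the higher-security host, low-to-high traffic is dropped
! before any ACL is consulted.
static (inside,dmz) 10.1.1.50 10.1.1.50 netmask 255.255.255.255
static (inside,dmz) 10.1.1.60 10.1.1.60 netmask 255.255.255.255
!
! DMZ -> inside is denied by default; open only what the poster asked for.
access-list DMZ_IN permit tcp host 192.168.100.10 host 10.1.1.50 eq 1433
access-list DMZ_IN permit udp host 192.168.100.10 host 10.1.1.50 eq 1433
access-list DMZ_IN permit ip host 192.168.100.10 host 10.1.1.60
! Anything else sourced from the DMZ, toward inside or outside, is dropped.
access-list DMZ_IN deny ip any any
access-group DMZ_IN in interface dmz
!
! ===== Catalyst 6509 MSM (IOS) - added example, constructed addresses =====
! Inside hosts default-route to the MSM, so the MSM must send DMZ-bound
! packets to the PIX inside interface; the PIX is stateful and has to see
! both directions of every connection.
access-list 150 permit ip 10.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255
route-map TO_DMZ permit 10
 match ip address 150
 set ip next-hop 10.1.1.1
!
interface Vlan10
 description inside VLAN (default gateway for inside hosts)
 ip address 10.1.1.254 255.255.255.0
 ip policy route-map TO_DMZ
```

Two things to check before relying on this. First, applying an access-group to the DMZ interface replaces the default "higher to lower is permitted" behaviour for that interface, so any traffic the web server must initiate toward the outside (DNS, updates) needs its own permit line ahead of the final deny; the explicit deny is there so that nothing is allowed by accident. Second, policy routing is applied before the routing table is consulted, which is why it works even when a directly connected DMZ VLAN interface on the MSM (administrative distance 0) would otherwise win over a static route (distance 1), the symptom the thread describes; ICMP from the DMZ to inside is still blocked by the ACL above, so a failed ping is not by itself evidence of a misconfiguration.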