Re: [fw-wiz] PIX DMZ inter-access via outside IP address

From: Jason Ostrom (justiceguy_at_pobox.com)
Date: 12/08/03

    To: "Keith Anderson" <keith@purescience.com>
    Date: Mon, 8 Dec 2003 10:35:26 -0600
    
    

    Keith,

    Based on what you have described, it sounds like you need to use the
    "alias" command. My understanding is you are trying to have the DMZ
    hosts sourced on the RFC1918 network reach each other based on public
    destination addresses. The alias command will solve this problem.

    From the PIX 6.3 OS command reference:
    [no] alias [(if_name)] dnat_ip foreign_ip [netmask]

    Usage Guidelines

    The alias command translates one address into another. Use this command to prevent conflicts when
    you have IP addresses on a network that are the same as those on the Internet or another intranet.
    You can also use this command to do address translation on a destination address. For example, if a
    host sends a packet to 209.165.201.1, you can use the alias command to redirect traffic to another address,
    such as, 209.165.201.30.

    Keith Anderson> This one is driving me crazy... if
    Keith Anderson> someone can help, I'd greatly appreciate
    Keith Anderson> it.

    Keith Anderson> I've got a client with a PIX 520,
    Keith Anderson> four interfaces, with the following
    Keith Anderson> configuration:

    Keith Anderson> Interface 0, the "outside" with
    Keith Anderson> public IP address 1.1.1.x (not their
    Keith Anderson> actual address range)
    Keith Anderson> connected to a Cisco 3640
    Keith Anderson> router, T1 to the Internet, router address
    Keith Anderson> 1.1.1.1

    Keith Anderson> Interface 1, the "inside", the
    Keith Anderson> executives (about 10 workstations)
    Keith Anderson> several Cisco Catalyst switches, all layer 2

    Keith Anderson> Interface 2, the DMZ with two
    Keith Anderson> servers (1.1.1.3 and 1.1.1.4)
    Keith Anderson> one Cisco Catalyst switch

    Keith Anderson> Interface 3, the "inside2", the
    Keith Anderson> rest of the company (about 60
    Keith Anderson> workstations)
    Keith Anderson> several Cisco Catalyst switches, all layer 2

    Keith Anderson> In order to support their
    Keith Anderson> applications, the two servers must be accessible
    Keith Anderson> by everyone in the company AND the
    Keith Anderson> Internet by both IP address AND domain
    Keith Anderson> name.

    Keith Anderson> * Systems on the inside, inside2 and
    Keith Anderson> the Internet can reach the servers
    Keith Anderson> using their public 1.1.x.x addresses just fine.

    Keith Anderson> * Systems on the inside and inside2
    Keith Anderson> can reach the servers using their
    Keith Anderson> 192.168 addresses also, just fine,
    Keith Anderson> although this is not required.

    Keith Anderson> * All systems on the inside, inside2
    Keith Anderson> and DMZ can access the Internet without
    Keith Anderson> problems.

    Keith Anderson> The PIX can ping everything on all
    Keith Anderson> interfaces. No connectivity problems.

    Keith Anderson> THE KILLER PROBLEM: The two servers
    Keith Anderson> in the DMZ CAN NOT access each other
    Keith Anderson> using their public Internet
    Keith Anderson> addresses. They can use their 192.168 addresses
    Keith Anderson> just fine, but not their public addresses.

    Keith Anderson> For the last week or so, I've been
    Keith Anderson> getting around this using HOST entries
    Keith Anderson> (these are Windows servers), but we
    Keith Anderson> are about to add a lot of servers,
    Keith Anderson> virtual hosts and other devices, and
    Keith Anderson> HOST entries will not work.

    Keith Anderson> Thanks in advance to anyone that can help with this.

    Keith Anderson> Here are the relevant entries in the PIX configuration:

    Keith Anderson> ! the interfaces
    Keith Anderson> nameif ethernet0 outside security0
    Keith Anderson> nameif ethernet1 inside security100
    Keith Anderson> nameif ethernet2 DMZ security10
    Keith Anderson> nameif ethernet3 inside2 security40
    Keith Anderson> ip address outside 1.1.1.9 255.255.248.0
    Keith Anderson> ip address inside 10.48.0.1 255.255.0.0
    Keith Anderson> ip address DMZ 192.168.1.1 255.255.0.0
    Keith Anderson> ip address inside2 10.10.10.1 255.255.0.0

    Keith Anderson> ! address pools
    Keith Anderson> global (outside) 1 1.1.1.10-1.1.1.249
    Keith Anderson> netmask 255.255.240.0
    Keith Anderson> global (outside) 1 1.1.1.250 netmask 255.255.240.0
    Keith Anderson> global (DMZ) 1
    Keith Anderson> 192.168.1.2-192.168.1.249 netmask 255.255.0.0
    Keith Anderson> global (DMZ) 1 192.168.0.250 netmask 255.255.0.0
    Keith Anderson> global (inside2) 1
    Keith Anderson> 10.10.0.2-10.10.0.249 netmask 255.255.0.0
    Keith Anderson> global (inside2) 1 10.10.0.250 netmask 255.255.0.0

    Keith Anderson> ! NAT
    Keith Anderson> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    Keith Anderson> nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
    Keith Anderson> nat (inside2) 1 0.0.0.0 0.0.0.0 0 0

    Keith Anderson> ! Grant access to the DMZ from the
    Keith Anderson> other interfaces using the outside
    Keith Anderson> addresses
    Keith Anderson> sysopt nodnsalias inbound
    Keith Anderson> alias (inside) 1.1.1.3 192.168.1.3 255.255.255.255
    Keith Anderson> alias (inside2) 1.1.1.3 192.168.1.3 255.255.255.255
    Keith Anderson> alias (inside) 1.1.1.4 192.168.1.4 255.255.255.255
    Keith Anderson> alias (inside2) 1.1.1.4 192.168.1.4 255.255.255.255

    Keith Anderson> ! Static mappings to allow everyone
    Keith Anderson> to access the DMZ servers
    Keith Anderson> static (inside,DMZ) 192.168.1.3
    Keith Anderson> 192.168.1.3 netmask 255.255.255.0 0 0
    Keith Anderson> static (inside2,DMZ) 192.168.1.3
    Keith Anderson> 192.168.1.3 netmask 255.255.255.255 0 0
    Keith Anderson> static (DMZ,outside) 1.1.1.3
    Keith Anderson> 192.168.1.3 netmask 255.255.255.255 0 0
    Keith Anderson> static (inside,DMZ) 192.168.1.4
    Keith Anderson> 192.168.1.4 netmask 255.255.255.0 0 0
    Keith Anderson> static (inside2,DMZ) 192.168.1.4
    Keith Anderson> 192.168.1.4 netmask 255.255.255.255 0 0
    Keith Anderson> static (DMZ,outside) 1.1.1.4
    Keith Anderson> 192.168.1.4 netmask 255.255.255.255 0 0

    Keith Anderson> ! This is in the lab only to make
    Keith Anderson> sure traffic flow isn't being stopped
    Keith Anderson> ! In the production PIX, access-lists
    Keith Anderson> are used to permit only needed ports
    Keith Anderson> conduit permit icmp any any
    Keith Anderson> conduit permit ip any any

    Keith Anderson> ! default route to the 3640
    Keith Anderson> route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

    Keith Anderson> Here is the Cisco 3640 route information:

    Keith Anderson> ip route 0.0.0.0 0.0.0.0 up.stream.pro.vider
    Keith Anderson> ip route 1.1.1.0 255.255.255.0 1.1.1.9

    Keith Anderson> _______________________________________________
    Keith Anderson> firewall-wizards mailing list
    Keith Anderson> firewall-wizards@honor.icsalabs.com
    Keith Anderson> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

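Added example, not taken from Jason's reply or from Keith's posted configuration: the lines below apply Jason's suggestion by extending Keith's working per-interface alias entries to the DMZ interface. The argument order follows the syntax line Jason quoted (dnat_ip first, foreign_ip second) and matches the existing alias (inside) and alias (inside2) lines; the addresses are Keith's lab values, and the show/clear commands are assumed to be available on the 6.3 code for checking the result.

```text
! Added example (assumption: PIX 6.3 syntax as quoted above,
! alias [(if_name)] dnat_ip foreign_ip [netmask]).
! Same pattern as the working alias (inside) / alias (inside2) lines,
! applied to the DMZ interface so a DMZ host that sends to the public
! address 1.1.1.3 or 1.1.1.4 has its destination rewritten to the
! server's real 192.168.1.x address.
alias (DMZ) 1.1.1.3 192.168.1.3 255.255.255.255
alias (DMZ) 1.1.1.4 192.168.1.4 255.255.255.255
!
! Checks (assumed commands): confirm the entries took, then clear
! stale translations before retesting from a DMZ host.
show alias
clear xlate
show xlate
```

Two things to verify in the lab before relying on this. First, unlike the inside case, the rewritten packet's destination lies on the same interface it arrived from; a 6.x PIX does not forward traffic back out the interface it came in on, so confirm with the conduit-permit-any lab setup that a DMZ-to-DMZ flow through the public address actually completes rather than assuming it from the inside result. Second, the quoted config carries sysopt nodnsalias inbound, which stops the alias command from rewriting DNS replies, so access by domain name has to be tested separately from access by IP address.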

