RE: [fw-wiz] PIX DMZ inter-access via outside IP address

From: Andy Lyakhovetskiy (andy_at_net4bay.com)
Date: 12/07/03

    To: "'Keith Anderson'" <keith@purescience.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Sun, 7 Dec 2003 14:57:22 -0800
    
    

    Hi Keith,

    PIX can't "circle" packets, but using aliases you can solve your DNS
    problem.
    See
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

    Andy

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Keith
    Anderson
    Sent: Thursday, December 04, 2003 2:58 PM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] PIX DMZ inter-access via outside IP address

    This one is driving me crazy... if someone can help, I'd greatly
    appreciate it.

    I've got a client with a PIX 520, four interfaces, with the following
    configuration:

      Interface 0, the "outside" with public IP address 1.1.1.x (not their actual address range)
         connected to a Cisco 3640 router, T1 to the Internet, router address 1.1.1.1

      Interface 1, the "inside", the executives (about 10 workstations)
         several Cisco Catalyst switches, all layer 2

      Interface 2, the DMZ with two servers (1.1.1.3 and 1.1.1.4)
         one Cisco Catalyst switch

      Interface 3, the "inside2", the rest of the company (about 60 workstations)
         several Cisco Catalyst switches, all layer 2

    In order to support their applications, the two servers must be
    accessible by everyone in the company AND the Internet by both IP
    address AND domain name.

    * Systems on the inside, inside2 and the Internet can reach the servers
    using their public 1.1.x.x addresses just fine.

    * Systems on the inside and inside2 can reach the servers using their
    192.168 addresses also, just fine, although this is not required.

    * All systems on the inside, inside2 and DMZ can access the Internet
    without problems.

    The PIX can ping everything on all interfaces. No connectivity
    problems.

    THE KILLER PROBLEM: The two servers in the DMZ CAN NOT access each other
    using their public Internet addresses. They can use their 192.168
    addresses just fine, but not their public addresses.

    For the last week or so, I've been getting around this using HOST
    entries (these are Windows servers), but we are about to add a lot of
    servers, virtual hosts and other devices, and HOST entries will not
    work.

    Thanks in advance to anyone that can help with this.

    Here are the relevant entries in the PIX configuration:

    ! the interfaces
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security10
    nameif ethernet3 inside2 security40
    ip address outside 1.1.1.9 255.255.248.0
    ip address inside 10.48.0.1 255.255.0.0
    ip address DMZ 192.168.1.1 255.255.0.0
    ip address inside2 10.10.10.1 255.255.0.0

    ! address pools
    global (outside) 1 1.1.1.10-1.1.1.249 netmask 255.255.240.0
    global (outside) 1 1.1.1.250 netmask 255.255.240.0
    global (DMZ) 1 192.168.1.2-192.168.1.249 netmask 255.255.0.0
    global (DMZ) 1 192.168.0.250 netmask 255.255.0.0
    global (inside2) 1 10.10.0.2-10.10.0.249 netmask 255.255.0.0
    global (inside2) 1 10.10.0.250 netmask 255.255.0.0

    ! NAT
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
    nat (inside2) 1 0.0.0.0 0.0.0.0 0 0

    ! Grant access to the DMZ from the other interfaces using the outside addresses
    sysopt nodnsalias inbound
    alias (inside) 1.1.1.3 192.168.1.3 255.255.255.255
    alias (inside2) 1.1.1.3 192.168.1.3 255.255.255.255
    alias (inside) 1.1.1.4 192.168.1.4 255.255.255.255
    alias (inside2) 1.1.1.4 192.168.1.4 255.255.255.255

    ! Static mappings to allow everyone to access the DMZ servers
    static (inside,DMZ) 192.168.1.3 192.168.1.3 netmask 255.255.255.0 0 0
    static (inside2,DMZ) 192.168.1.3 192.168.1.3 netmask 255.255.255.255 0 0
    static (DMZ,outside) 1.1.1.3 192.168.1.3 netmask 255.255.255.255 0 0
    static (inside,DMZ) 192.168.1.4 192.168.1.4 netmask 255.255.255.0 0 0
    static (inside2,DMZ) 192.168.1.4 192.168.1.4 netmask 255.255.255.255 0 0
    static (DMZ,outside) 1.1.1.4 192.168.1.4 netmask 255.255.255.255 0 0

    ! This is in the lab only to make sure traffic flow isn't being stopped
    ! In the production PIX, access-lists are used to permit only needed ports
    conduit permit icmp any any
    conduit permit ip any any

    ! default route to the 3640
    route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

    Here is the Cisco 3640 route information:

    ip route 0.0.0.0 0.0.0.0 up.stream.pro.vider
    ip route 1.1.1.0 255.255.255.0 1.1.1.9

    _______________________________________________
    firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

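The root cause Andy points at (the PIX will not send a packet back out the interface it arrived on, so a DMZ host addressing 1.1.1.3 has no translation path of its own, while inside and inside2 hosts do via their `alias` entries) can be checked mechanically. The script below is an added example for this thread, not code from the original post or from Cisco. It parses the `nameif`, `static` and `alias` lines of Keith's configuration and reports every global address whose servers sit on an interface that has no `alias` of its own for that address. It assumes that `alias (if) A B` is read as "hosts behind `if` use A to reach B", which is how the posted config uses it on inside and inside2; the lint treats an `alias` on the DMZ interface in the same form as closing the gap, and leaves the exact command to the Cisco note Andy linked.

```python
"""Lint a PIX 6.x-style configuration for the same-interface ("hairpin") case.

Constructed example for this thread; not code from the original post or from
Cisco.  It parses ``nameif``, ``static`` and ``alias`` lines and reports every
global address that hosts on the server's own interface could only reach by
leaving and re-entering that interface, which the PIX does not do, unless an
``alias`` on that interface rewrites the global address to the real one.
Assumption: ``alias (if) A B`` means "hosts behind if use A to reach B",
which is how the posted config uses it on inside and inside2.
"""
import re
from collections import defaultdict

# Constructed sample: the relevant lines of the posted config, one command per line.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
nameif ethernet3 inside2 security40
sysopt nodnsalias inbound
alias (inside) 1.1.1.3 192.168.1.3 255.255.255.255
alias (inside2) 1.1.1.3 192.168.1.3 255.255.255.255
alias (inside) 1.1.1.4 192.168.1.4 255.255.255.255
alias (inside2) 1.1.1.4 192.168.1.4 255.255.255.255
static (inside,DMZ) 192.168.1.3 192.168.1.3 netmask 255.255.255.0 0 0
static (inside2,DMZ) 192.168.1.3 192.168.1.3 netmask 255.255.255.255 0 0
static (DMZ,outside) 1.1.1.3 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.1.4 192.168.1.4 netmask 255.255.255.0 0 0
static (inside2,DMZ) 192.168.1.4 192.168.1.4 netmask 255.255.255.255 0 0
static (DMZ,outside) 1.1.1.4 192.168.1.4 netmask 255.255.255.255 0 0
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\w+)\s+security(\d+)$")
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)")
ALIAS_RE = re.compile(r"^alias\s+\((\w+)\)\s+(\S+)\s+(\S+)")


def parse(config):
    """Return (security_levels, statics, aliases) from a config text."""
    security = {}                # interface name -> security level
    statics = []                 # (real_if, mapped_if, global_ip, real_ip)
    aliases = defaultdict(dict)  # interface -> {address used by its hosts: real address}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            security[m.group(1)] = int(m.group(2))
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ALIAS_RE.match(line):
            aliases[m.group(1)][m.group(2)] = m.group(3)
    return security, statics, aliases


def hairpin_gaps(config):
    """(interface, global_ip, real_ip) triples where servers on `interface` are
    published under `global_ip` on another interface, but no alias on `interface`
    itself maps global_ip back to real_ip.  Hosts there can then reach each other
    only by the real addresses, which is the symptom described in the thread."""
    _, statics, aliases = parse(config)
    gaps = []
    for real_if, mapped_if, global_ip, real_ip in statics:
        if global_ip == real_ip:
            continue  # identity static: nothing is published under another address
        if aliases.get(real_if, {}).get(global_ip) == real_ip:
            continue  # covered: the interface's own alias rewrites the public address
        gaps.append((real_if, global_ip, real_ip))
    return gaps


def aliased_interfaces(config, global_ip):
    """Interfaces whose hosts have an alias for global_ip and so reach it without hairpinning."""
    _, _, aliases = parse(config)
    return {ifname for ifname, table in aliases.items() if global_ip in table}


def report(config):
    """Human-readable lines, one per gap, naming the interfaces that are covered."""
    security, _, _ = parse(config)
    lines = []
    for ifname, global_ip, real_ip in hairpin_gaps(config):
        covered = ", ".join(sorted(aliased_interfaces(config, global_ip))) or "none"
        lines.append(
            f"{global_ip} -> {real_ip}: reachable via alias from [{covered}], "
            f"but not from {ifname} (security{security.get(ifname, '?')}) itself"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Run against the posted fragment it flags 1.1.1.3 and 1.1.1.4 on the DMZ interface and shows that inside and inside2 are the only interfaces with an alias for them; once an equivalent `alias (DMZ) ...` line is present the report is empty.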
