[fw-wiz] Double firewall setup (long)

From: Greymagick (greymagick_at_gmail.com)
Date: 01/24/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 24 Jan 2005 18:13:34 +0100

    Hi wizards,

    I have the following (admittedly newbie) situation. Current setup is as follows:
     
    One PIX 515E w/ 3 interfaces: inside, outside, DMZ. There is a mail
    gateway (mailsweeper) in the DMZ for incoming mail which talks to an
    Exchange server in the LAN. Abridged configuration is as follows
    (public network details are not real):

    -- begin --
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security90
    hostname pixper1
    domain-name foobar.com
    names
    name 10.181.46.4 mailsweeper
    name 10.181.8.189 exchange
    name 10.181.8.5 dnsserver
    access-list OUTB permit tcp 10.181.8.0 255.255.248.0 any eq www
    access-list OUTB permit tcp 10.181.8.0 255.255.248.0 any eq ftp
    access-list OUTB permit tcp 10.181.8.0 255.255.248.0 any eq https
    access-list OUTB permit tcp host dnsserver any eq domain
    access-list OUTB permit udp host dnsserver any eq domain
    access-list OUTB permit tcp host exchange host mailsweeper eq smtp
    access-list INB permit tcp any host 33.33.33.163 eq smtp
    access-list DMZ permit tcp host mailsweeper any eq smtp
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    ip address outside 33.33.33.165 255.255.255.240
    ip address inside 10.181.8.19 255.255.248.0
    ip address DMZ 10.181.46.1 255.255.255.0
    global (outside) 10 interface
    nat (inside) 10 10.181.0.0 255.255.0.0 0 0
    nat (DMZ) 10 10.181.46.0 255.255.255.0 0 0
    static (inside,DMZ) exchange exchange netmask 255.255.255.255 0 0
    static (inside,DMZ) dnsserver dnsserver netmask 255.255.255.255 0 0
    static (DMZ,outside) 33.33.33.163 mailsweeper netmask 255.255.255.255 0 0
    access-group INB in interface outside
    access-group OUTB in interface inside
    access-group DMZ in interface DMZ
    route outside 0.0.0.0 0.0.0.0 33.33.33.161 1
    route inside 10.181.0.0 255.255.0.0 10.181.8.1 1
    -- end --

    All incoming mail goes to 33.33.33.163, so it enters the mailsweeper
    and after checking is redirected to the internal Exchange. This is
    working fine. Now, the idea is to add another level of firewalling
    external to this, with its own DMZ. The new PIX (which I call
    "external") will have its inside interface directly connected to the
    outside interface of the current PIX (which I call "internal"). Since
    plugging this in will break down connectivity, I want to minimize loss
    of access as much as possible, but as my knowledge of PIX is (very)
    limited, I'm not quite sure of the best initial configuration for the
    new PIX.

    IP segments will be as follows:

    LAN segment (internal PIX, inside): 10.181.8.0 /29
    internal DMZ (internal PIX, DMZ): 10.181.46.0 /24
    PIX to PIX segment: 10.181.47.0 /24
    external DMZ (external PIX, DMZ): 10.181.48.0 /24
    public (external PIX, outside): 33.33.33.160 /28

    In addition to this, there will be a new HTTPS-only web server in the
    external DMZ, which will have to be reached at public IP 33.33.33.166.
    A crude topology diagram and IP addressing table for the interfaces is
    this (interfaces are numbered, servers in DMZs are "m" and "w", please
    use monospaced font to view):

    LAN ---1| PIX internal |3------4| PIX external |6---- Internet
                   2                        5
                   |                        |
                   |                        |
                   m                        w

    1: 10.181.8.19 (same as current)
    2: 10.181.46.1 (same as current)
    3: 10.181.47.1
    4: 10.181.47.2
    5: 10.181.48.1
    6: 33.33.33.165 (same as 3 as of now)
    m server: 10.181.46.4 (same as current)
    w server: 10.181.48.2

    No intermediate switches or routers.

    Now, what configuration for the external PIX will allow for this to
    work with minimum hassle? What changes must be made to the internal
    PIX configuration? Both PIXes have software version 6.3.

    Obviously, the internal PIX must have as default gateway the external
    one, and the mailsweeper must be published so it is visible from the
    external PIX. So my idea is this (I have appended (*) to the lines
    that are changed wrt the former config):

    -- begin PIX internal --
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security90
    hostname pixper1
    domain-name foobar.com
    names
    name 10.181.46.4 mailsweeper
    name 10.181.8.189 exchange
    name 10.181.8.5 dnsserver
    access-list OUTB permit tcp 10.181.8.0 255.255.248.0 any eq www
    access-list OUTB permit tcp 10.181.8.0 255.255.248.0 any eq ftp
    access-list OUTB permit tcp 10.181.8.0 255.255.248.0 any eq https
    access-list OUTB permit tcp host dnsserver any eq domain
    access-list OUTB permit udp host dnsserver any eq domain
    access-list OUTB permit tcp host exchange host mailsweeper eq smtp
    access-list INB permit tcp any host mailsweeper eq smtp (*)
    access-list DMZ permit tcp host mailsweeper any eq smtp
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    ip address outside 10.181.47.1 255.255.255.0 (*)
    ip address inside 10.181.8.19 255.255.248.0
    ip address DMZ 10.181.46.1 255.255.255.0
    global (outside) 10 interface
    nat (inside) 10 10.181.0.0 255.255.0.0 0 0
    nat (DMZ) 10 10.181.46.0 255.255.255.0 0 0
    static (inside,DMZ) exchange exchange netmask 255.255.255.255 0 0
    static (inside,DMZ) dnsserver dnsserver netmask 255.255.255.255 0 0
    static (DMZ,outside) mailsweeper mailsweeper netmask 255.255.255.255 0 0 (*)
    access-group INB in interface outside
    access-group OUTB in interface inside
    access-group DMZ in interface DMZ
    route outside 0.0.0.0 0.0.0.0 10.181.47.2 1 (*)
    route inside 10.181.0.0 255.255.0.0 10.181.8.1 1
    -- end PIX internal --

    As for the external PIX, my initial attempt is this:

    -- begin PIX external --
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security90
    hostname pixper2
    domain-name foobar.com
    names
    name 10.181.48.2 webserver
    name 10.181.46.4 mailsweeper
    name 10.181.8.189 exchange
    name 10.181.8.5 dnsserver
    access-list OUTB permit ip host 10.181.47.1 any
    access-list INB permit tcp any host 33.33.33.166 eq https
    access-list INB permit tcp any host 33.33.33.163 eq smtp
    access-list DMZ permit tcp host webserver any eq https
    access-list DMZ permit udp host webserver host dnsserver eq domain
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    ip address outside 33.33.33.165 255.255.255.240
    ip address inside 10.181.47.2 255.255.255.0
    ip address DMZ 10.181.48.1 255.255.255.0
    global (outside) 10 interface
    nat (inside) 10 10.181.0.0 255.255.0.0 0 0
    nat (DMZ) 10 10.181.48.0 255.255.255.0 0 0
    static (inside,DMZ) dnsserver dnsserver netmask 255.255.255.255 0 0
    static (DMZ,outside) 33.33.33.166 webserver netmask 255.255.255.255 0 0
    static (inside,outside) 33.33.33.163 mailsweeper netmask 255.255.255.255 0 0
    access-group INB in interface outside
    access-group OUTB in interface inside
    access-group DMZ in interface DMZ
    route outside 0.0.0.0 0.0.0.0 33.33.33.161 1
    route inside 10.181.0.0 255.255.0.0 10.181.47.1 1
    -- end PIX external --

    So. Will this work? (I'm afraid not.) I'm much more concerned about
    the incoming mail not being delivered than about security issues like
    traffic between both DMZs being allowed. These latter issues can be
    addressed by refining the ACLs, but it's the NAT interactions and the
    involved PIX grammar that make my head spin. How could I get the whole
    thing rolling? Thanks in advance.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
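An added example (editor's suggestion, not part of Greymagick's post or of any reply on the list): the handful of lines the posted design still needs before outbound mail and the web server's DNS lookups flow end to end. It assumes the PIX 6.3 syntax used above, the same `name` entries on both boxes, and that the identity static for the mailsweeper on the internal PIX is kept. The reasoning behind each line: an identity static exempts a host from the `nat`/`global` PAT, so the mailsweeper's outbound SMTP leaves the internal PIX with source 10.181.46.4 rather than 10.181.47.1 and must be permitted as such on the external PIX; the same applies to the DNS server once it gets its own static. Lines beginning with `!` are annotations, not PIX commands; strip them before pasting.

```cisco
! --- PIX external: additions to the posted attempt ---
! OUTB as posted only permits the internal PIX's PAT address (10.181.47.1),
! which covers the LAN hosts. The mailsweeper arrives untranslated, so
! without its own permit outbound mail is dropped on the external PIX.
access-list OUTB permit ip host 10.181.47.1 any
access-list OUTB permit tcp host mailsweeper any eq smtp
! Needed only together with the internal-PIX block below: once dnsserver has
! an (inside,outside) static it is no longer PATed and shows up as 10.181.8.5.
access-list OUTB permit udp host dnsserver any eq domain
access-list OUTB permit tcp host dnsserver any eq domain
! Host static with a /32 netmask. With 255.255.255.0 the static would map the
! whole 33.33.33.0/24, overlapping the outside address (.165) and the web
! server's public address (.166).
static (inside,outside) 33.33.33.163 mailsweeper netmask 255.255.255.255 0 0

! --- PIX internal: additions, only if the web server must use the LAN DNS ---
! The external PIX forwards the web server's queries to 10.181.47.1, where the
! internal PIX has no (inside,outside) translation for dnsserver and INB permits
! only SMTP to mailsweeper, so the queries die there. This opens a hole from a
! DMZ into the LAN; pointing the web server at external resolvers avoids it.
name 10.181.48.2 webserver
static (inside,outside) dnsserver dnsserver netmask 255.255.255.255 0 0
access-list INB permit udp host webserver host dnsserver eq domain
```

On the DMZ-to-DMZ worry raised in the post, my reading of the posted ACLs is that the exposure is already narrow: on the external PIX, traffic from the DMZ (security 90) towards inside (security 100) needs both a static and an ACL permit, and the only static in that direction is the one for dnsserver, so nothing else in 10.181.0.0/16 is reachable from the external DMZ. Verify after cutover with `show xlate` and `show conn` on both boxes while a test message is delivered, and with `show access-list` to confirm the new entries are being hit.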
