Re: [fw-wiz] Double firewall setup (long)
From: Victor Williams (vbwilliams_at_neb.rr.com)
Date: 01/25/05
- Previous message: Mark Tinberg: "Re: [fw-wiz] Exchange 2003 OWA compromise reached"
- In reply to: Greymagick: "[fw-wiz] Double firewall setup (long)"
- Next in thread: Greymagick: "RE: [fw-wiz] Double firewall setup (long)"
- Reply: Greymagick: "RE: [fw-wiz] Double firewall setup (long)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 25 Jan 2005 09:10:19 -0600
Can you give us an indication of why you want/need to do this?
You can disable NAT altogether on the 2nd PIX and just have IP addresses pass
through as-is with no translation, and Cisco has documentation on how to do
this. But I don't ever recall reading any Cisco docs on having two firewalls
*chained* in succession like this. In my opinion, there's nothing I can think
of that would ever *require* this setup. Why don't you get a 4-port NIC
for each firewall (giving you 4 physical DMZs instead of one), and put
those firewalls into an Active/Failover setup?
Greymagick wrote:
> Hi wizards,
>
> I have the following (admittedly newbie) situation. Current setup is as follows:
>
> One PIX 515E w/ 3 interfaces: inside, outside, DMZ. There is a mail
> gateway (mailsweeper) in the DMZ for incoming mail which talks to an
> Exchange server in the LAN. Abridged configuration is as follows
> (public network details are not real):
>
> -- begin --
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 DMZ security90
> hostname pixper1
> domain-name foobar.com
> names
> name 10.181.46.4 mailsweeper
> name 10.181.8.189 exchange
> name 10.181.8.5 dnsserver
> access-list OUTB permit tcp 10.181.8.0 255.255.248.0 any eq www
> access-list OUTB permit tcp 10.181.8.0 255.255.248.0 any eq ftp
> access-list OUTB permit tcp 10.181.8.0 255.255.248.0 any eq https
> access-list OUTB permit tcp host dnsserver any eq domain
> access-list OUTB permit udp host dnsserver any eq domain
> access-list OUTB permit tcp host exchange host mailsweeper eq smtp
> access-list INB permit tcp any host 33.33.33.163 eq smtp
> access-list DMZ permit tcp host mailsweeper any eq smtp
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> ip address outside 33.33.33.165 255.255.255.240
> ip address inside 10.181.8.19 255.255.248.0
> ip address DMZ 10.181.46.1 255.255.255.0
> global (outside) 10 interface
> nat (inside) 10 10.181.0.0 255.255.0.0 0 0
> nat (DMZ) 10 10.181.46.0 255.255.255.0 0 0
> static (inside,DMZ) exchange exchange netmask 255.255.255.255 0 0
> static (inside,DMZ) dnsserver dnsserver netmask 255.255.255.255 0 0
> static (DMZ,outside) 33.33.33.163 mailsweeper netmask 255.255.255.255 0 0
> access-group INB in interface outside
> access-group OUTB in interface inside
> access-group DMZ in interface DMZ
> route outside 0.0.0.0 0.0.0.0 33.33.33.161 1
> route inside 10.181.0.0 255.255.0.0 10.181.8.1 1
> -- end --
>
> All incoming mail goes to 33.33.33.163, so it enters the mailsweeper
> and after checking is redirected to the internal Exchange. This is
> working fine. Now, the idea is to add another level of firewalling
> external to this, with its own DMZ. The new PIX (which I call
> "external") will have its inside interface directly connected to the
> outside interface of the current PIX (which I call "internal"). Since
> plugging this in will break down connectivity, I want to minimize loss
> of access as much as possible, but as my knowledge of PIX is (very)
> limited, I'm not quite sure of the best initial configuration for the
> new PIX.
>
> IP segments will be as follows:
>
> LAN segment (internal PIX, inside): 10.181.8.0 /29
> internal DMZ (internal PIX, DMZ): 10.181.46.0 /24
> PIX to PIX segment: 10.181.47.0 /24
> external DMZ (external PIX, DMZ): 10.181.48.0 /24
> public (external PIX, outside): 33.33.33.160 /28
>
> In addition to this, there will be a new HTTPS-only web server in the
> external DMZ, which will have to be reached at public IP 33.33.33.166.
> A crude topology diagram and IP addressing table for the interfaces is
> this (interfaces are numbered, servers in DMZs are "m" and "w", please
> use monospaced font to view):
>
> LAN ---1| PIX internal |3------4| PIX external |6---- Internet
>                 2                       5
>                 |                       |
>                 |                       |
>                 m                       w
>
> 1: 10.181.8.19 (same as current)
> 2: 10.181.46.1 (same as current)
> 3: 10.181.47.1
> 4: 10.181.47.2
> 5: 10.181.48.1
> 6: 33.33.33.165 (same as 3 as of now)
> m server: 10.181.46.4 (same as current)
> w server: 10.181.48.2
>
> No intermediate switches or routers.
>
> Now, what configuration for the external PIX will allow for this to
> work with minimum hassle? What changes must be made to the internal
> PIX configuration? Both PIXes have software version 6.3.
>
> Obviously, the internal PIX must have as default gateway the external
> one, and the mailsweeper must be published so it is visible from the
> external PIX. So my idea is this (I have appended (*) to the lines
> that are changed wrt the former config):
>
> -- begin PIX internal --
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 DMZ security90
> hostname pixper1
> domain-name foobar.com
> names
> name 10.181.46.4 mailsweeper
> name 10.181.8.189 exchange
> name 10.181.8.5 dnsserver
> access-list OUTB permit tcp 10.181.8.0 255.255.248.0 any eq www
> access-list OUTB permit tcp 10.181.8.0 255.255.248.0 any eq ftp
> access-list OUTB permit tcp 10.181.8.0 255.255.248.0 any eq https
> access-list OUTB permit tcp host dnsserver any eq domain
> access-list OUTB permit udp host dnsserver any eq domain
> access-list OUTB permit tcp host exchange host mailsweeper eq smtp
> access-list INB permit tcp any host mailsweeper eq smtp (*)
> access-list DMZ permit tcp host mailsweeper any eq smtp
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> ip address outside 10.181.47.1 255.255.255.0 (*)
> ip address inside 10.181.8.19 255.255.248.0
> ip address DMZ 10.181.46.1 255.255.255.0
> global (outside) 10 interface
> nat (inside) 10 10.181.0.0 255.255.0.0 0 0
> nat (DMZ) 10 10.181.46.0 255.255.255.0 0 0
> static (inside,DMZ) exchange exchange netmask 255.255.255.255 0 0
> static (inside,DMZ) dnsserver dnsserver netmask 255.255.255.255 0 0
> static (DMZ,outside) mailsweeper mailsweeper netmask 255.255.255.255 0 0 (*)
> access-group INB in interface outside
> access-group OUTB in interface inside
> access-group DMZ in interface DMZ
> route outside 0.0.0.0 0.0.0.0 10.181.47.2 1 (*)
> route inside 10.181.0.0 255.255.0.0 10.181.8.1 1
> -- end PIX internal --
>
> As for the external PIX, my initial attempt is this:
>
> -- begin PIX external --
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 DMZ security90
> hostname pixper2
> domain-name foobar.com
> names
> name 10.181.48.2 webserver
> name 10.181.46.4 mailsweeper
> name 10.181.8.189 exchange
> name 10.181.8.5 dnsserver
> access-list OUTB permit ip 10.181.47.1 any
> access-list INB permit tcp any host 33.33.33.166 eq https
> access-list INB permit tcp any host 33.33.33.163 eq smtp
> access-list DMZ permit tcp host webserver any eq https
> access-list DMZ permit udp host webserver host dnsserver eq domain
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> ip address outside 33.33.33.165 255.255.255.240
> ip address inside 10.181.47.2 255.255.255.0
> ip address DMZ 10.181.48.1 255.255.255.0
> global (outside) 10 interface
> nat (inside) 10 10.181.0.0 255.255.0.0 0 0
> nat (DMZ) 10 10.181.48.0 255.255.255.0 0 0
> static (inside,DMZ) dnsserver dnsserver netmask 255.255.255.255 0 0
> static (DMZ,outside) 33.33.33.166 webserver netmask 255.255.255.255 0 0
> static (inside,outside) 33.33.33.163 mailsweeper netmask 255.255.255.0 0 0
> access-group INB in interface outside
> access-group OUTB in interface inside
> access-group DMZ in interface DMZ
> route outside 0.0.0.0 0.0.0.0 33.33.33.161 1
> route inside 10.181.0.0 255.255.0.0 10.181.47.1 1
> -- end PIX external --
>
> So. Will this work? (I'm afraid not.) I'm much more concerned about
> the incoming mail not being delivered than about security issues like
> traffic between both DMZs being allowed. These latter issues can be
> addressed by refining the ACLs, but it's the NAT interactions and the
> involved PIX grammar that make my head spin. How could I get the whole
> thing rolling? Thanks in advance.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
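Added example, not from either poster and not Cisco's code: a small Python model of the two chained PIXes above, reduced to the mail path, to make the NAT interactions Greymagick asks about concrete (a PIX config cannot be executed on the reader's desk, so the semantics are modelled instead). It encodes the PIX 6.x rules the posted configs rely on: an ingress access-list is evaluated against the global (not yet untranslated) addresses, a host covered by a static is translated by that static in both directions rather than by nat/global, every access-list ends in an implicit deny, and a static with a netmask shorter than /32 is a net-to-net map with host bits masked off. The sender 198.51.100.7 and remote MX 203.0.113.25 are constructed documentation addresses, and permit_mailsweeper_out adds an ACE that the posted pixper2 config does not have; both are this example's assumptions. Walked through the posted configs, the model shows three things: inbound SMTP to 33.33.33.163 reaches mailsweeper only with netmask 255.255.255.255 on the external static (with the posted 255.255.255.0 it maps .163 onto 10.181.46.163, which pixper1's INB then drops); outbound mail from mailsweeper arrives at pixper2 with source 10.181.46.4 rather than 10.181.47.1, because the identity static on pixper1 bypasses PAT, so pixper2's OUTB as posted denies it; and once permitted, that mail leaves for the Internet as 33.33.33.163, the MX address, not as the interface address. Confirm all of this on the boxes themselves (show xlate, show conn); the model is only as faithful as the rules listed.

```python
"""Packet walk through two chained PIX 6.x firewalls (a constructed model, not PIX software).
Rules encoded: every access-list ends in an implicit deny; an ingress ACL sees addresses as they
appear on that wire, i.e. the global, not-yet-untranslated destination, as PIX 6.x does; a host
covered by a 'static' is translated by it in both directions and is never PAT'd by 'nat/global
... interface'; a static whose netmask is shorter than /32 maps net to net (host bits masked)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Static:                      # static (HIGH,LOW) GLOBAL LOCAL netmask MASK
    high: str
    low: str
    global_addr: str
    local_addr: str
    netmask: str = "255.255.255.255"

    def translate(self, addr, inbound):
        """inbound: global -> local (untranslate); else local -> global. None if not covered."""
        g = ip_network(f"{self.global_addr}/{self.netmask}", strict=False)
        l = ip_network(f"{self.local_addr}/{self.netmask}", strict=False)
        frm, to = (g, l) if inbound else (l, g)
        a = ip_address(addr)
        return None if a not in frm else str(to.network_address + (int(a) - int(frm.network_address)))


@dataclass(frozen=True)
class Ace:                         # access-list NAME permit PROTO SRC DST eq PORT ('ip' / port 0 = any)
    proto: str
    src: str
    dst: str
    port: int = 0

    def matches(self, pkt):
        def hit(spec, addr):
            return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)
        return (self.proto in ("ip", pkt["proto"]) and hit(self.src, pkt["src"])
                and hit(self.dst, pkt["dst"]) and self.port in (0, pkt["dport"]))


@dataclass
class Pix:
    name: str
    addrs: dict                                  # interface -> its own IP address
    statics: list = field(default_factory=list)
    acls: dict = field(default_factory=dict)     # ingress interface -> [Ace]

    def forward(self, ingress, egress, pkt, inbound):
        """Ingress ACL against the wire addresses, then translation: inbound (lower -> higher security)
        untranslates the destination via a static; outbound rewrites the source via a static, else PAT."""
        if not any(a.matches(pkt) for a in self.acls.get(ingress, [])):
            return None, f"{self.name}: denied by {ingress} ACL ({pkt['src']} -> {pkt['dst']}:{pkt['dport']})"
        key, high, low = ("dst", egress, ingress) if inbound else ("src", ingress, egress)
        for s in self.statics:
            new = (s.high, s.low) == (high, low) and s.translate(pkt[key], inbound)
            if new:
                return dict(pkt, **{key: new}), f"{self.name}: {key} {pkt[key]} -> {new} (static)"
        if inbound:
            return None, f"{self.name}: no static ({high},{low}) covers {pkt['dst']}"
        return dict(pkt, src=self.addrs[low]), f"{self.name}: src {pkt['src']} -> {self.addrs[low]} (PAT)"


def walk(pkt, hops):
    """Push pkt through (pix, ingress, egress, inbound) hops; stop at the first drop."""
    trail = []
    for pix, ingress, egress, inbound in hops:
        pkt, why = pix.forward(ingress, egress, pkt, inbound)
        trail.append(why)
        if pkt is None:
            break
    return pkt, trail


def build(mailsweeper_mask="255.255.255.255", permit_mailsweeper_out=False):
    """Both PIXes as posted, reduced to the mail path. The post writes the external mailsweeper
    static with netmask 255.255.255.0; permit_mailsweeper_out adds an ACE the posted config lacks."""
    internal = Pix("pixper1", {"outside": "10.181.47.1", "inside": "10.181.8.19", "DMZ": "10.181.46.1"},
                   statics=[Static("DMZ", "outside", "10.181.46.4", "10.181.46.4")],
                   acls={"outside": [Ace("tcp", "any", "10.181.46.4/32", 25)],
                         "DMZ": [Ace("tcp", "10.181.46.4/32", "any", 25)]})
    external = Pix("pixper2", {"outside": "33.33.33.165", "inside": "10.181.47.2", "DMZ": "10.181.48.1"},
                   statics=[Static("DMZ", "outside", "33.33.33.166", "10.181.48.2"),
                            Static("inside", "outside", "33.33.33.163", "10.181.46.4", mailsweeper_mask)],
                   acls={"outside": [Ace("tcp", "any", "33.33.33.166/32", 443),
                                     Ace("tcp", "any", "33.33.33.163/32", 25)],
                         "inside": [Ace("ip", "10.181.47.1/32", "any")]
                                   + ([Ace("tcp", "10.181.46.4/32", "any", 25)] if permit_mailsweeper_out else [])})
    return internal, external


def inbound_mail(mailsweeper_mask="255.255.255.255"):
    """Internet -> 33.33.33.163:25 through both boxes. Returns (address the mail lands on or None, trail)."""
    internal, external = build(mailsweeper_mask)
    pkt = {"proto": "tcp", "src": "198.51.100.7", "dst": "33.33.33.163", "dport": 25}  # constructed sender
    pkt, trail = walk(pkt, [(external, "outside", "inside", True), (internal, "outside", "DMZ", True)])
    return (pkt["dst"] if pkt else None), trail


def outbound_mail(permit_mailsweeper_out=False):
    """mailsweeper -> remote MX:25. Returns (source address the Internet sees or None, trail)."""
    internal, external = build(permit_mailsweeper_out=permit_mailsweeper_out)
    pkt = {"proto": "tcp", "src": "10.181.46.4", "dst": "203.0.113.25", "dport": 25}  # constructed MX
    pkt, trail = walk(pkt, [(internal, "DMZ", "outside", False), (external, "inside", "outside", False)])
    return (pkt["src"] if pkt else None), trail
```

The trail returned alongside each result names the box and the rule that translated or dropped the packet, which is the same information one would pull from "show xlate" and the syslog on the real PIX when chasing a connection across two hops.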