RE: [fw-wiz] Extreme Problem with PIX Config

From: Ben Nagy (ben_at_iagu.net)
Date: 05/13/05

  • Next message: Joseph S D Yao: "Re: [fw-wiz] A fun smackdown..."
    To: "'Brian Loe'" <knobdy@stjoelive.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 13 May 2005 15:46:20 +0200
    Hiya,

    > I've been fighting this problem for two weeks now. What follows is the
    > current config (edited to protect the innocent). If format is
    > maintained, the trouble lines will be bolded. These trouble lines are:
    >
    > access-list nonat permit ip any any;
    > nat (inside) 0 access-list nonat;
    > access-group nonat in interface dmz.

    You've turned off NAT for all traffic leaving the internal network.

    nat (inside) 0 access-list nonat <-- don't NAT anything matching the nonat
    ACL
    access-list nonat permit ip any any <-- This ACL matches everything

    You also have a totally wacky line - yikes :/
     
    access-group nonat in interface dmz <-- allow anything into the DMZ !

    The reason things break when they're in place is because your internal
    traffic is wandering out onto the internet with no NAT taking place -
    addressed as 10.100.something. The Internet can't route to those addresses,
    so you'll never get responses.

    So! Remove all that stuff. Also, find the guy that added them and kick them
    in the goolies for me.

    Now.... The reason it breaks when you remove them is because your inside
    traffic will always be natted according to global pool 1, because of this
    line:

    nat (inside) 1 0.0.0.0 0.0.0.0 0 0 <-- nat anything leaving the internal
    network

    That global pool is defined here:

    global (outside) 1 ip.pub.nt.117-ip.pub.nt.119 netmask 255.255.255.224
    global (outside) 1 ip.pub.nt.116 netmask 255.255.255.224

    So the outbound will be natted with an external address and then dumped into
    the DMZ. The return traffic from the DMZ will then be routed out of the
    external interface (which is where external addresses live), and
    communication will fail.

    That all makes sense, right?

    Finally, after enduring my tutoring, you want to know how to fix it, I
    guess. ;P

    Try this:

    static (inside,dmz) 10.100.0.0 10.100.0.0 netmask 255.255.248.0

    Now it's about five years since I touched a PIX in anger, but that _should_
    create a mapping for the traffic from the inside network to the DMZ. The
    return traffic will be taken care of by routing and stateful inspection. No
    traffic will be permitted from the DMZ to the Internal network because
    Internal is a higher security rating. If that's not what you want, you might
    need extra statics to allow DMZ->Internal for some traffic.

    Note that it ONLY allows traffic from 10.100.[0-7].x - those are the only
    WAN networks you have routed, so I hope those are the only ones you have...

    Hopefully this clears things up for you. Even if I've forgotten how to
    configure a PIX and the last step doesn't work, it should at least explain
    why it's broken.

    Cheers!

    ben

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
    > Of Brian Loe
    [...]
    > The problem is that with these lines in place I can get to
    > the DMZ machines
    > from machines/networks on the inside interface but those machines lose
    > access to the Internet on the outside interface. With these
    > lines removed
    > the machines on the inside interface have Internet access but
    > no access to
    > the machines in the DMZ. I need both. I'm pretty sure that
    > the access list
    > is too broad as it is but I'm not sure how to open it up - if I specify
    > networks on the inside interface I have no access anywhere.
    [...]
    > : Saved
    > : Written by enable_15 at 11:19:34.327 UTC Mon May 9 2005
    > PIX Version 6.3(4)
    > interface ethernet0 auto
    > interface ethernet1 auto
    > interface ethernet2 auto
    > interface ethernet3 auto
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > nameif ethernet2 DMZ security4
    > nameif ethernet3 intf3 security6
    > enable password <> encrypted
    > passwd <> encrypted
    > hostname pix
    > domain-name domain.com
    > fixup protocol dns maximum-length 512
    > fixup protocol ftp 21
    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol http 80
    > fixup protocol icmp error
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol sip 5060
    > fixup protocol sip udp 5060
    > fixup protocol skinny 2000
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > fixup protocol tftp 69
    > names
    > name 10.100.1.82 FaxerM2
    > name 10.100.1.81 FaxerM1
    > name 10.100.1.86 FaxerM6
    > name 10.100.1.84 FaxerM4
    > name 10.100.1.83 FaxerM3
    > name 192.168.1.12 Faxer_Gateway
    > name 192.168.1.39 mail
    > name 192.168.1.101 ftp
    > name 192.168.1.104 clkdmz1
    > name 192.168.1.108 PUBWEB
    > name 192.168.1.115 KCIT07
    > object-group network Remote_Site
    > description Selling Source range.
    > network-object ip.pb.net.33 255.255.255.255
    > network-object ip.pb.net.34 255.255.255.255
    > network-object ip.pb.net.35 255.255.255.255
    > network-object ip.pb.net.36 255.255.255.255
    > network-object ip.pb.net.37 255.255.255.255
    > network-object ip.pb.net.38 255.255.255.255
    > network-object ip.pb.net.39 255.255.255.255
    > network-object ip.pb.net.40 255.255.255.255
    > network-object ip.pb.net.41 255.255.255.255
    > network-object ip.pb.net.42 255.255.255.255
    > network-object ip.pb.net.43 255.255.255.255
    > network-object ip.pb.net.44 255.255.255.255
    > network-object ip.pb.net.45 255.255.255.255
    > network-object ip.pb.net.46 255.255.255.255
    > network-object ip.pb.net.47 255.255.255.255
    > network-object ip.pb.net.48 255.255.255.255
    > network-object ip.pb.net.49 255.255.255.255
    > network-object ip.pb.net.50 255.255.255.255
    > network-object ip.pb.net.51 255.255.255.255
    > network-object ip.pb.net.52 255.255.255.255
    > network-object ip.pb.net.53 255.255.255.255
    > network-object ip.pb.net.54 255.255.255.255
    > network-object ip.pb.net.55 255.255.255.255
    > network-object ip.pb.net.56 255.255.255.255
    > network-object ip.pb.net.57 255.255.255.255
    > network-object ip.pb.net.58 255.255.255.255
    > network-object ip.pb.net.59 255.255.255.255
    > network-object ip.pb.net.60 255.255.255.255
    > network-object ip.pb.net.61 255.255.255.255
    > network-object ip.pb.net.62 255.255.255.255
    > network-object ip.pb.net.63 255.255.255.255
    > object-group network IBM
    > description IBM range.
    > network-object net.pub.ip.197 255.255.255.255
    > network-object net.pub.ip.198 255.255.255.255
    > network-object net.pub.ip.199 255.255.255.255
    > network-object net.pub.ip.200 255.255.255.255
    > network-object net.pub.ip.201 255.255.255.255
    > object-group network Internal_Net
    > description All internal networks.
    > network-object 10.100.0.0 255.255.254.0
    > network-object 191.168.2.0 255.255.254.0
    > network-object 10.100.4.0 255.255.254.0
    > network-object 10.100.6.0 255.255.254.0
    > network-object 10.101.0.0 255.255.254.0
    > network-object 10.101.2.0 255.255.254.0
    > object-group network Faxer_Group
    > network-object FaxerM1 255.255.255.255
    > network-object FaxerM2 255.255.255.255
    > network-object FaxerM3 255.255.255.255
    > network-object FaxerM4 255.255.255.255
    > network-object FaxerM6 255.255.255.255
    > object-group service WEB_PORTS tcp
    > port-object eq www
    > port-object eq https
    > port-object eq echo
    > object-group service FTP_PORTS tcp
    > port-object eq ftp
    > port-object eq ftp-data
    > port-object eq echo
    > object-group service PubX tcp
    > group-object FTP_PORTS
    > group-object WEB_PORTS
    > port-object eq 1935
    > object-group service Tranlink_TCP tcp
    > group-object WEB_PORTS
    > port-object range 3306 3307
    > port-object eq ssh
    > object-group service KCIT07 tcp
    > port-object range 1433 19628
    > object-group service DB2_TCP tcp
    > port-object eq 523
    > port-object eq ssh
    > port-object range 50000 50100
    > port-object eq 1415
    > object-group service Mail_Ports tcp
    > group-object WEB_PORTS
    > port-object range 1000 1028
    > port-object eq 2000
    > port-object eq 3000
    > port-object eq pop3
    > port-object eq smtp
    > object-group service KCIT01 tcp
    > port-object eq pptp
    > object-group service EQA_TCP tcp
    > port-object eq 3389
    > object-group service Tranlink_UDP udp
    > port-object eq 22
    > object-group service DB2_UDP udp
    > port-object range 50000 50100
    > object-group service EQA_UDP udp
    > port-object eq 3389
    > access-list compiled
    > access-list acl_inbound permit tcp any host ip.pub.nt.114
    > object-group PubX
    > access-list acl_inbound permit tcp any host ip.pub.nt.108
    > object-group PubX
    > access-list acl_inbound permit tcp any host ip.pub.nt.111 object-group
    > WEB_PORTS
    > access-list acl_inbound permit tcp any host ip.pub.nt.107 object-group
    > Tranlink_TCP
    > access-list acl_inbound permit udp any host ip.pub.nt.107 object-group
    > Tranlink_UDP
    > access-list acl_inbound permit tcp any host ip.pub.nt.115 object-group
    > KCIT07
    > access-list acl_inbound permit tcp any host ip.pub.nt.106 object-group
    > DB2_TCP
    > access-list acl_inbound permit udp any host ip.pub.nt.106 object-group
    > DB2_UDP
    > access-list acl_inbound permit tcp any host ip.pub.nt.100 object-group
    > KCIT01
    > access-list acl_inbound permit tcp any host ip.pub.nt.102 object-group
    > FTP_PORTS
    > access-list acl_inbound permit icmp any host ip.pub.nt.102
    > access-list acl_inbound permit tcp any host ip.pub.nt.104 eq domain
    > access-list acl_inbound permit udp any host ip.pub.nt.104 eq domain
    > access-list acl_inbound permit tcp any host ip.pub.nt.99 object-group
    > Mail_Ports
    > access-list acl_inbound permit tcp any host ip.pub.nt.101 object-group
    > WEB_PORTS
    > access-list nonat permit ip any any
    > pager lines 24
    > icmp permit any outside
    > icmp permit any inside
    > icmp permit any DMZ
    > mtu outside 1500
    > mtu inside 1500
    > mtu DMZ 1500
    > mtu intf3 1500
    > ip address outside ip.pub.nt.126 255.255.255.224
    > ip address inside 10.100.0.3 255.255.254.0
    > ip address DMZ 192.168.1.1 255.255.255.0
    > ip address intf3 10.255.255.253 255.255.255.252
    > ip verify reverse-path interface outside
    > ip audit info action alarm
    > ip audit attack action alarm
    > no failover
    > failover timeout 0:00:00
    > failover poll 15
    > no failover ip address outside
    > no failover ip address inside
    > no failover ip address DMZ
    > no failover ip address intf3
    > pdm location 10.100.1.10 255.255.255.255 inside
    > pdm location 10.100.1.20 255.255.255.255 inside
    > pdm location 10.100.1.49 255.255.255.255 inside
    > pdm location 10.100.1.57 255.255.255.255 inside
    > pdm location 10.100.1.190 255.255.255.255 inside
    > pdm location 10.100.2.0 255.255.254.0 inside
    > pdm location 10.100.4.100 255.255.255.255 inside
    > pdm location 10.100.4.0 255.255.254.0 inside
    > pdm location 10.100.6.0 255.255.254.0 inside
    > pdm location mail 255.255.255.255 DMZ
    > pdm location 192.168.1.102 255.255.255.255 DMZ
    > pdm location clkdmz1 255.255.255.255 DMZ
    > pdm location PUBWEB 255.255.255.255 DMZ
    > pdm location 192.168.1.114 255.255.255.255 DMZ
    > pdm location KCIT07 255.255.255.255 DMZ
    > pdm history enable
    > arp timeout 14400
    > global (outside) 1 ip.pub.nt.117-ip.pub.nt.119 netmask 255.255.255.224
    > global (outside) 1 ip.pub.nt.116 netmask 255.255.255.224
    > nat (inside) 0 access-list nonat
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
    > static (inside,outside) ip.pub.nt.111 10.100.1.57 netmask
    > 255.255.255.255 0
    > 0
    > static (DMZ,outside) ip.pub.nt.114 192.168.1.114 netmask
    > 255.255.255.255 0 0
    >
    > static (DMZ,outside) ip.pub.nt.108 PUBWEB netmask 255.255.255.255 0 0
    > static (inside,outside) ip.pub.nt.107 10.100.1.190 netmask
    > 255.255.255.255 0
    > 0
    > static (DMZ,outside) ip.pub.nt.115 KCIT07 netmask 255.255.255.255 0 0
    > static (inside,outside) ip.pub.nt.106 10.100.1.49 netmask
    > 255.255.255.255 0
    > 0
    > static (inside,outside) ip.pub.nt.100 10.100.4.100 netmask
    > 255.255.255.255 0
    > 0
    > static (DMZ,outside) ip.pub.nt.102 192.168.1.102 netmask
    > 255.255.255.255 0 0
    >
    > static (DMZ,outside) ip.pub.nt.104 clkdmz1 netmask
    > 255.255.255.255 0 0
    > static (DMZ,outside) ip.pub.nt.99 mail netmask 255.255.255.255 0 0
    > static (inside,outside) ip.pub.nt.101 10.100.1.20 netmask
    > 255.255.255.255 0
    > 0
    > access-group acl_inbound in interface outside
    > access-group nonat in interface DMZ
    > route outside 0.0.0.0 0.0.0.0 ip.pub.nt.97 1
    > route inside 10.100.2.0 255.255.254.0 10.100.0.1 1
    > route inside 10.100.4.0 255.255.254.0 10.100.0.1 1
    > route inside 10.100.6.0 255.255.254.0 10.100.0.1 1
    > timeout xlate 3:00:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    > 1:00:00
    > timeout h323 1:00:00 mgcp 1:00:00 sip 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server radius-authport 1812
    > aaa-server radius-acctport 1813
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server TACACS+ max-failed-attempts 3
    > aaa-server TACACS+ deadtime 10
    > aaa-server RADIUS protocol radius
    > aaa-server RADIUS max-failed-attempts 3
    > aaa-server RADIUS deadtime 10
    > aaa-server RADIUS (inside) host 10.100.1.10 sec.ret timeout 5
    > aaa-server LOCAL protocol local
    > aaa authentication http console RADIUS
    > aaa authentication serial console RADIUS
    > aaa authentication ssh console RADIUS
    > aaa authentication telnet console RADIUS
    > http server enable
    > http 0.0.0.0 0.0.0.0 inside
    > snmp-server location Lowell
    > snmp-server contact Brian Loe
    > snmp-server community public
    > no snmp-server enable traps
    > tftp-server inside 10.100.0.169 PIX_DATE
    > floodguard enable
    > telnet timeout 5
    > ssh 10.100.0.0 255.255.254.0 inside
    > ssh timeout 15
    > management-access inside
    > console timeout 15
    > terminal width 80
    > banner motd ******************************************
    > banner motd * *
    > banner motd * !!!WARNING !!! *
    > banner motd * All attempts at unauthorized access *
    > banner motd * will be aggressively pursued and *
    > banner motd * prosecuted to the full extent *
    > banner motd * of local and international law. *
    > banner motd * *
    > banner motd ******************************************
    > Cryptochecksum:907db442f83ad6e9daefb8f116d4c362
    > : end

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
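The translation order Ben walks through (nat 0 exemption first, then statics, then the dynamic nat/global pair) can be checked with a small model. This is an added example, not code from the thread or from Cisco; the addresses are constructed placeholders and PUBLIC_POOL stands in for the ip.pub.nt.116-119 pool.

```python
import ipaddress

# Constructed model of PIX 6.3 xlate selection for a packet arriving on "inside":
#   1. "nat (inside) 0 access-list" exemption  2. static xlates  3. nat/global pool.
INSIDE_NET = ipaddress.ip_network("10.100.0.0/21")    # 10.100.[0-7].x, as in the reply
DMZ_NET = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_POOL = "203.0.113.116"                          # placeholder for ip.pub.nt.116
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def egress_interface(dst):
    """Route lookup: DMZ subnet -> dmz, inside nets -> inside, anything else -> outside."""
    d = ipaddress.ip_address(dst)
    if d in DMZ_NET:
        return "dmz"
    if d in INSIDE_NET:
        return "inside"
    return "outside"

def translate(cfg, src, dst):
    """Return (egress_ifc, translated_src); translated_src is None when no xlate
    can be built toward that interface (the inside->DMZ failure in the thread)."""
    ifc = egress_interface(dst)
    s = ipaddress.ip_address(src)
    # 1. 'nat (inside) 0 access-list nonat' with 'permit ip any any': nothing is
    #    translated, so 10.100.x sources leak out toward the Internet unchanged.
    if cfg.get("nat0_any"):
        return ifc, src
    # 2. 'static (inside,<ifc>) <mapped> <real> netmask <mask>' (identity if mapped == real)
    for static_ifc, mapped, real, mask in cfg.get("statics", []):
        real_net = ipaddress.ip_network(f"{real}/{mask}")
        if static_ifc == ifc and s in real_net:
            offset = int(s) - int(real_net.network_address)
            return ifc, str(ipaddress.ip_address(int(ipaddress.ip_address(mapped)) + offset))
    # 3. 'nat (inside) 1 0.0.0.0 0.0.0.0' is only usable with a 'global (<ifc>) 1' pool
    return ifc, cfg.get("globals", {}).get(ifc)

def routable_on_internet(translated_src):
    """The Internet will not route RFC 1918 sources, so replies never come back."""
    if translated_src is None:
        return False
    a = ipaddress.ip_address(translated_src)
    return not any(a in n for n in RFC1918)

# The three states discussed: nonat lines present, nonat lines removed, proposed static added.
BROKEN = {"nat0_any": True, "globals": {"outside": PUBLIC_POOL}}
REMOVED = {"nat0_any": False, "globals": {"outside": PUBLIC_POOL}}
FIXED = {"nat0_any": False, "globals": {"outside": PUBLIC_POOL},
         "statics": [("dmz", "10.100.0.0", "10.100.0.0", "255.255.248.0")]}
```

With FIXED, an inside host outside 10.100.[0-7].x still gets no xlate toward the DMZ, which is the caveat in the reply about the /21 mask.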
