Re: [fw-wiz] Fwd: Re: Firewall configuration with DMZ



Anthony, could you provide some more insight regarding what you want to have happen with this config. What is not working? What do you think the problem might be?
Richard Golodner
-----Original Message-----
From: Anthony Mile [mailto:mileanthony@xxxxxxxxx]
Sent: Monday, March 12, 2007 04:32 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Fwd: Re: Firewall configuration with DMZ

Hi guys!! Help me with this....
I have used the configuration below in my implementation, but in vain. Can you tell me where I am wrong or which way to go!!!!!


I have a scenario like this:
I have an internet link going to a router,
the router connects to a PIX 515E,
the PIX has a DMZ interface which connects the mail server and the file and application server running SQL.
The Ethernet1 interface connects to a LAN. The LAN has an ISA server as the proxy, where all authentication is made.
1. ethernet0 = outside, connects to WAN router. IP = a.b.c.146 255.255.255.248
2. ethernet1 = inside, LAN. IP = 4.16.10.2 255.255.255.0
3. DMZ = connects mail server and also application/file server. IP = 4.16.11.254 255.255.255.0
mail server: public IP = a.b.c.148; private IP = 4.16.10.43
appl./file server: public IP = a.b.c.149; private IP = 4.16.11.42
proxy server: public IP = a.b.c.147; private IP = 4.16.10.254

Router:
inside IP = a.b.c.145
Help me with this configuration for this PIX.

Kind regards,
Anthony
Here are the configs I have already done:
PIX# show run
: Saved
:
PIX Version 7.2(1)
!
names
!
interface Ethernet0
 description Connection to WAN Router
 nameif Outside
 security-level 0
 ip address a.b.c.146 255.255.255.248
!
interface Ethernet1
 description Connection to Server
 nameif inside
 security-level 100
 ip address 4.16.10.254 255.255.255.0
!
interface Ethernet2
 description connection to mail, application and file server
 nameif DMZ
 security-level 50
 ip address 4.16.11.254 255.255.255.0
!
access-list Outside_mpc extended permit ip any interface inside
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq www
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq ftp
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq ftp-data
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq https
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq imap4
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq lotusnotes
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq pop3
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq smtp
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq www
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq ftp
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq ftp-data
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq https
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq imap4
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq sqlnet
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq ssh
access-list Outside_access_in extended permit tcp 4.16.10.0 255.255.255.0 any eq smtp
access-list Outside_access_in extended permit udp any host a.b.c.148 eq domain
access-list Outside_access_in extended permit udp any host a.b.c.148 eq isakmp
access-list Outside_access_in extended permit tcp any host a.b.c.148
access-list Outside_access_in extended permit udp any host a.b.c.149 eq domain
access-list Outside_access_in extended permit tcp 4.16.10.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu DMZ 1500
icmp permit any unreachable inside
icmp permit any time-exceeded inside
icmp permit any inside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (Outside) 2 4.16.10.0-4.16.10.255 netmask 255.255.255.0
global (Outside) 1 interface
global (DMZ) 1 4.16.11.0-4.16.11.254 netmask 255.255.255.248
nat (inside) 1 4.16.10.0 255.255.255.0
static (DMZ,Outside) a.b.c.148 4.16.11.252 netmask 255.255.255.255
static (DMZ,Outside) a.b.c.149 4.16.11.251 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 a.b.c.145 1
route DMZ a.b.c.148 255.255.255.255 4.16.11.253 2
route DMZ 4.16.10.151 255.255.255.255 4.16.11.253 2
route DMZ 4.16.10.252 255.255.255.255 4.16.11.253 2
route DMZ a.b.c.149 255.255.255.255 4.16.11.253 2
!
class-map Outside-class
 match access-list Outside_mpc
class-map class_http
 match port tcp eq ftp
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http
  inspect esmtp
 class class_http
  inspect http
policy-map Accessserver
 class Outside-class
  inspect http
!
service-policy global_policy global
service-policy Accessserver interface Outside
: end
PIX#
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
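Added example, written for this thread and not taken from either poster or from Cisco: a small consistency check over an excerpt of the config above. It assumes the masked a.b.c.x addresses are 203.0.113.x so they parse, and that the ACL is applied inbound on Outside as the access-group line shows. It flags an inside prefix permitted as a source on the outside ACL (only reachable by spoofing), an all-port permit that makes the per-port entries for the same host moot, and a static's mapped address being routed back into the DMZ.

```python
import ipaddress

# Constructed excerpt of the posted config (a.b.c.x replaced by 203.0.113.x so
# the addresses parse, an assumption); lines keep their show-run order.
CONFIG = """\
nameif Outside
ip address 203.0.113.146 255.255.255.248
nameif inside
ip address 4.16.10.254 255.255.255.0
nameif DMZ
ip address 4.16.11.254 255.255.255.0
access-list Outside_access_in extended permit tcp any host 203.0.113.148 eq smtp
access-list Outside_access_in extended permit tcp any host 203.0.113.148
access-list Outside_access_in extended permit tcp 4.16.10.0 255.255.255.0 any
static (DMZ,Outside) 203.0.113.148 4.16.11.252 netmask 255.255.255.255
route DMZ 203.0.113.148 255.255.255.255 4.16.11.253 2
"""

def spec(w, i):  # consume one PIX address spec (any | host X | NET MASK) at w[i]
    if w[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if w[i] == "host":
        return ipaddress.ip_network(w[i + 1]), i + 2
    return ipaddress.ip_interface(f"{w[i]}/{w[i + 1]}").network, i + 2

def audit(config, acl_iface="Outside"):
    """Return findings for an ACL applied inbound on acl_iface."""
    ifaces, statics, ported, findings, name = {}, [], set(), [], None
    for w in (l.split() for l in config.splitlines() if l.strip()):
        if w[0] == "nameif":
            name = w[1]
        elif w[:2] == ["ip", "address"]:
            ifaces[name] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[0] == "static":  # static (real_if,mapped_if) mapped_ip real_ip
            statics.append((*w[1].strip("()").split(","), w[2]))
        elif w[0] == "route":  # a mapped address must leave via its mapped interface
            for _, mapped_if, mapped in statics:
                if w[2] == mapped and w[1] != mapped_if:
                    findings.append(f"route: mapped {mapped} routed out {w[1]}, not {mapped_if}")
        elif w[0] == "access-list" and w[3] == "permit":
            src, i = spec(w, 5)
            dst, i = spec(w, i)
            port = w[i + 1] if i < len(w) and w[i] == "eq" else None
            # an inside/DMZ prefix as source on the outside ACL can only be spoofed
            if any(n != acl_iface and src.subnet_of(net) for n, net in ifaces.items()):
                findings.append(f"acl: internal source {src} permitted on {acl_iface}")
            if port:
                ported.add(dst)
            elif dst in ported:  # first match wins: port-specific ACEs are now moot
                findings.append(f"acl: all-port permit to {dst} makes eq-port entries moot")
    return findings
```

Run audit(CONFIG) to get the three findings; the same checks apply to the full config once the masked addresses are filled in.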