Re: PIX proxy-arp question

From: Curt Edsall (cedsall@aol.com)
Date: 11/14/02


From: "Curt Edsall" <cedsall@aol.com>
Date: Wed, 13 Nov 2002 19:11:35 -0500

Comments inline.

"Martin Haberstroh" <Martin.Haberstroh@fms-media.com> wrote in message
news:vTuA9.28$ib5.41285@se2-fa199-9.gva.ch.colt.net...
> Hi everybody,

Hello Martin

> running a Cisco PIX 515 Version 5.3(2) with proxy-arp following should be
> possible, part of configuration:
> ...
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security15
> ...
> ip address outside 194.195.196.33 255.255.255.0
> ip address inside 192.168.10.1 255.255.255.0
> ip address dmz 194.195.196.65 255.255.255.192
> ...
> route outside 0.0.0.0 0.0.0.0 194.195.196.1 1
> ...

Let me jump in right here. Your subnet masks are incorrect on the outside
and dmz interfaces (well, one of them is anyway). With your current
configuration, the network configured on the dmz interface is contained
within the network configured on the outside interface. Don't know what the
effect would be right off the top of my head but it's bound to cause some
problems (actually, I'm surprised the PIX would let you create that
interface configuration but stranger things have happened).

The easiest way to make this work in a PIX is to take another RFC 1918 /24
network (say 192.168.11.0/24) and use it on your dmz interface. Address
your internet facing servers into that address space (.1 for the PIX
interface, .2 for the web server, .3 for the dns, etc...).

Once you have this set up, use the static command as shown here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmdqref.htm

(that's for the 6.1 release, use the appropriate command reference for your
firewall)

Set up statics for your servers using addresses from your address range
(194.195.196.X) and create access lists to allow inbound traffic to those
servers. Apply the access lists to the outside interface for inbound
traffic and you're all set.

>
> as far as I understand proxy-arp it should be possible to run a server in
> dmz with ip address 194.195.196.66 (mask 255.255.255.192,
> gateway 194.195.196.65) which can be reached from the outside and it should
> also be able to connect to systems on the outside. But I didn't find any
> configuration hints/examples.
>
> What conduit, global, static, nat commands do I have to use, so the server
> can
> a) be reached from the outside (maybe an example with http)?
> b) connect to a system on the outside?
>
> Thanks for your help
>
> Martin

No problem.

Grace & Peace

Curt
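As an added example that is not part of the thread: a small Python check that reproduces the overlap Curt points out, parsing the `ip address` lines from a constructed config excerpt (the addresses are the ones Martin posted) and reporting any pair of interfaces whose connected subnets overlap. The second excerpt applies Curt's suggestion of moving the dmz interface to 192.168.11.0/24 and shows the check coming back clean.

```python
import ipaddress

# Constructed excerpt reproducing the interface addressing from the post.
ORIG_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security15
ip address outside 194.195.196.33 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
ip address dmz 194.195.196.65 255.255.255.192
route outside 0.0.0.0 0.0.0.0 194.195.196.1 1
"""

# Same excerpt with the dmz moved to the RFC 1918 range Curt suggests.
FIXED_CONFIG = ORIG_CONFIG.replace(
    "ip address dmz 194.195.196.65 255.255.255.192",
    "ip address dmz 192.168.11.1 255.255.255.0",
)


def parse_interfaces(config):
    """Return {ifname: IPv4Network} from 'ip address <if> <addr> <mask>' lines."""
    nets = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["ip", "address"]:
            name, addr, mask = parts[2], parts[3], parts[4]
            # strict=False: the interface address has host bits set.
            nets[name] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return nets


def overlapping_interfaces(nets):
    """Return sorted (if_a, if_b) pairs whose connected subnets overlap."""
    names = sorted(nets)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    for label, cfg in (("original", ORIG_CONFIG), ("fixed", FIXED_CONFIG)):
        nets = parse_interfaces(cfg)
        print(f"{label}:")
        for name, net in nets.items():
            print(f"  {name:8} {net}")
        for a, b in overlapping_interfaces(nets):
            print(f"  overlap: {a} ({nets[a]}) within {b} ({nets[b]})")
```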
