
2 WWW's in DMZ, only 1 accessible

themikehyde (IS-IT--Management)
Feb 20, 2003
Hello,
I'm getting a little farther in this setup thanks to some great tips from you guys. My vendor and Cisco are still mucking around trying to find my Smartnet contract #, so here I am. A new firewall, and everyone wants to know why we are still using the old one.
Anyway, I have setup a DMZ, added a webserver (x.230), and both inside and outside can access it.

Added another webserver (x.210); can't get to it from anywhere, although it can ping the DMZ interface, the other web server and the router.

Neither webserver can access the outside.

Here's my altered config:
******************************************************
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 dmz1 security10
enable password ***************** encrypted
passwd *************** encrypted
hostname pixfwinside
domain-name maxuse.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in permit icmp any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 63.105.159.230 eq www
access-list acl_out permit tcp any host 63.105.159.210 eq www
access-list acl_dmz1 permit icmp any any
access-list acl_dmz1 permit tcp any host 63.105.159.230 eq www
access-list acl_dmz1 permit tcp any host 63.105.159.210 eq www
pager lines 24
logging console informational
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu dmz1 1500
ip address outside 63.105.159.250 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address dmz1 192.169.1.1 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address dmz1 0.0.0.0
pdm location 192.169.1.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 63.105.159.251-63.105.159.254
global (outside) 1 63.105.159.249
global (dmz1) 1 63.105.159.228
global (dmz1) 1 63.105.159.230
global (dmz1) 1 63.105.159.210
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
static (dmz1,outside) 63.105.159.230 192.169.1.4 netmask 255.255.255.255 0 0
static (dmz1,outside) 63.105.159.210 192.169.1.5 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_dmz1 in interface dmz1
route outside 0.0.0.0 0.0.0.0 63.105.159.193 1
route outside 0.0.0.0 0.0.0.0 63.105.159.193 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.51 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.50-192.168.1.254 inside
dhcpd dns 198.6.1.1 198.6.1.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:*****



Thanks!
Mike
 
Try this...

no global (outside) 1 63.105.159.251-63.105.159.254
no global (outside) 1 63.105.159.249
global (outside) 1 interface
!use PAT on the outside interface's IP address
no global (dmz1) 1 63.105.159.228
no global (dmz1) 1 63.105.159.230
no global (dmz1) 1 63.105.159.210
global (dmz1) 1 interface
!use PAT for inside to dmz; uses the DMZ interface's IP address
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
no nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
!Turn off NAT for the DMZ. You are using statics.
 
Here's my updated config. I did a write mem and reload. The web servers in the dmz still cannot access the web, but now users inside cannot access the web servers in the dmz.

Mike

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 dmz1 security10
enable password ******************* encrypted
passwd ***************** encrypted
hostname pixfwinside
domain-name maxuse.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in permit icmp any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 63.105.159.230 eq www
access-list acl_out permit tcp any host 63.105.159.210 eq www
access-list acl_dmz1 permit icmp any any
access-list acl_dmz1 permit tcp any host 63.105.159.230 eq www
access-list acl_dmz1 permit tcp any host 63.105.159.210 eq www
pager lines 24
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu dmz1 1500
ip address outside 63.105.159.250 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address dmz1 192.169.1.1 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address dmz1 0.0.0.0
pdm location 192.169.1.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz1) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz1,outside) 63.105.159.230 192.169.1.4 netmask 255.255.255.255 0 0
static (dmz1,outside) 63.105.159.210 192.169.1.5 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_dmz1 in interface dmz1
route outside 0.0.0.0 0.0.0.0 63.105.159.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.51 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.50-192.168.1.254 inside
dhcpd dns 198.6.1.1 198.6.1.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
 
Change your acl_dmz1. Do this

no access-list acl_dmz1
access-list acl_dmz1 permit icmp any any
access-list acl_dmz1 permit tcp host 63.105.159.230 any eq www
access-list acl_dmz1 permit tcp host 63.105.159.210 any eq www

Try that out. You were telling the servers that they could only use http to themselves. :)
 
Thanks,
Then shouldn't I do a:
access-group acl_dmz1 in interface dmz1

It's not accepting that. Access status is still the same.
Mike
 
Yes... You'll need to do that, because when you yank the access-list, it also yanks the access-group.

-Bad Dos
 
Why will it not accept the access-group command? I have upgraded to 6.2, and PDM 2.2. PDM states that the access-list for that group is not parsable.
Mike
 
Here it is

It took the "access-group acl_dmz1 in interface dmz1" command this time. Maybe a typo before???? But now the inside cannot access the web???????? The inside still can't access webservers in dmz1 by their registered domain names or public IP addresses, only their private ones.


PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 dmz1 security10
enable password xxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
hostname PIX515E
domain-name maxuse.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in permit icmp any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 63.105.159.230 eq www
access-list acl_out permit tcp any host 63.105.159.210 eq www
access-list acl_dmz1 permit icmp any any
access-list acl_dmz1 permit tcp host 63.105.159.230 any eq www
access-list acl_dmz1 permit tcp host 63.105.159.210 any eq www
pager lines 24
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu dmz1 1500
ip address outside 63.105.159.250 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address dmz1 192.169.1.1 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address dmz1 0.0.0.0
pdm location 192.169.1.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.50 255.255.255.255 inside
pdm location 192.168.1.51 255.255.255.255 inside
pdm location 192.169.1.4 255.255.255.255 dmz1
pdm location 192.169.1.5 255.255.255.255 dmz1
pdm location 63.105.159.210 255.255.255.255 dmz1
pdm location 63.105.159.230 255.255.255.255 dmz1
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz1) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz1,outside) 63.105.159.230 192.169.1.4 netmask 255.255.255.255 0 0
static (dmz1,outside) 63.105.159.210 192.169.1.5 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz1 in interface dmz1
route outside 0.0.0.0 0.0.0.0 63.105.159.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.51 255.255.255.255 inside
http 192.168.1.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.50-192.168.1.254 inside
dhcpd dns 198.6.1.1 198.6.1.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:0bec3ec2354cbbd763f1a38be1c693d6

 
Change your access-lists to this

access-list acl_in permit ip any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 63.105.159.230 eq www
access-list acl_out permit tcp any host 63.105.159.210 eq www
access-list acl_dmz1 permit ip any any

You were only allowing your inside to ping outbound.

You were only allowing your dmz to go to the two webservers in the dmz.

-Bad Dos
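As an added illustration (not code from the thread, from Cisco, or from any poster), the following Python models how the PIX evaluates these first-match access lists, taking the addresses exactly as written in the ACL lines and ignoring NAT, so the before/after acl_dmz1 from the two replies above and the icmp-only acl_in can be tested flow by flow; the constructed host 198.51.100.10 stands in for an arbitrary Internet server. It also shows that even the corrected list still blocks the servers' DNS lookups, a point raised later in the thread.

```python
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "domain": 53}   # keywords PIX ACLs accept

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' -> {name: [aces]}."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        name, action, proto = tok[1], tok[2], tok[3]
        src, i = _addr(tok, 4)
        sport = dport = None
        if i < len(tok) and tok[i] == "eq":        # optional source-port qualifier
            sport, i = _port(tok[i + 1]), i + 2
        dst, i = _addr(tok, i)
        if i < len(tok) and tok[i] == "eq":        # optional destination-port qualifier
            dport = _port(tok[i + 1])
        acls.setdefault(name, []).append((action, proto, src, sport, dst, dport))
    return acls

def permitted(aces, proto, src, dst, dport=None):
    """First-match evaluation of one flow, ending in the PIX implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, _sport, dnet, dp in aces:
        if p not in ("ip", proto) or s not in snet or d not in dnet:
            continue
        if dp is not None and dp != dport:
            continue
        return action == "permit"
    return False

# Both acl_dmz1 versions from the thread, addresses taken exactly as written.
ORIGINAL = parse_acl("""
access-list acl_dmz1 permit icmp any any
access-list acl_dmz1 permit tcp any host 63.105.159.230 eq www
access-list acl_dmz1 permit tcp any host 63.105.159.210 eq www
""")["acl_dmz1"]
FIXED = parse_acl("""
access-list acl_dmz1 permit icmp any any
access-list acl_dmz1 permit tcp host 63.105.159.230 any eq www
access-list acl_dmz1 permit tcp host 63.105.159.210 any eq www
""")["acl_dmz1"]
WEB, INTERNET = "63.105.159.230", "198.51.100.10"   # constructed Internet host
```

Calling `permitted(ORIGINAL, "tcp", WEB, INTERNET, 80)` returns False while the same flow under `FIXED` returns True; `permitted(FIXED, "udp", WEB, INTERNET, 53)` is still False because nothing in either list opens DNS.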
 
themikehyde wrote:

> The inside still can't access webservers in dmz1 by their registered domain names or public IP addresses, only their private ones.

yes - that's by design - thou shalt not exit the firewall and come back in. Someone decided that long ago. You need to allow traffic inside ----> dmz and install an inside naming service for your dmz devices. I use a second, private DNS. Same domain names as the public addies just using the DMZ and private addies.

Here's how I allow inside ----> DMZ traffic

static (inside,DMZ) my.priv.net.0 my.priv.net.0 netmask 255.255.255.0

This NATs my entire private network over to the DMZ and allows unrestricted access from all inside devices to the DMZ. This could be done on a device-by-device basis but I decided to allow everything in this direction.

Then I do this to control traffic dmz ----> inside to specific devices and ports:

access-list dmz_in permit tcp host my.dmz.net.37 host my.private.net.12 eq 1433
access-group dmz_in in interface DMZ

A DMZ device (my.dmz.net.37) is allowed to see a private device (my.private.net.12) on port 1433 (mssql).
access-group dmz_in in interface DMZ

To control/allow traffic dmz ----> outside I do this

access-list dmz_in permit tcp host my.dmz.net.37 any eq www

gives dmz device my.dmz.net.37 permission to browse the Internet.

hope this helps

"If you lived here, you'd be home by now!"

George Carlin
 
HI.

"haknwak" wrote:
> Here's how I allow inside ----> DMZ traffic
> static (inside,DMZ) my.priv.net.0 my.priv.net.0 netmask 255.255.255.0

I don't agree with that.

When you need inside to dmz traffic, use nat+global, similar to the way you allow inside to outside access.
nat (inside) 1 ...
global (dmz) 1 ...

Static (or nat 0) should be used only when you need access in the reverse direction - from dmz to inside in that case.

I recommend to "themikehyde" - keep the current configuration of nat+global (with some needed ACL modifications), as this better hides and protects the inside network from dmz servers.

The suggestion of "haknwak" will permit port 80 attacks from dmz servers to internal web servers:
> static (inside,DMZ) my.priv.net.0 my.priv.net.0 netmask 255.255.255.0
> access-list dmz_in permit tcp host my.dmz.net.37 any eq www

Another tip - don't forget to let the dmz servers access DNS. Don't let them access the internal DNS server but use either ISP or DNS caching server on the DMZ network.
So if you are going to place an access-list on the dmz interface you should remember this also.

Here is a sample config for web server in dmz:
ip address outside a.b.c.2 ????
ip address dmz 192.168.99.254 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
nat (inside) 1 0 0
global (dmz) 1 192.168.99.3 <== Allow inside to dmz traffic
global (outside) 1 a.b.c.3
static (dmz,outside) a.b.c.4 192.168.99.11
access-list fromoutside permit tcp any host a.b.c.4 eq 80
access-group fromoutside in interface outside

To "themikehyde" - you should recheck your ip addressing and subnet configuration. Here are some notes:
> ip address dmz1 192.169.1.1 255.255.255.240
You should use private addressing like 192.168.x.x unless these are registered ip addresses.
> ip address outside 63.105.159.250 255.255.255.252
You should be consistent with the perimeter router configuration. Did you check if the router uses the same subnet mask?
Do you know about not using network or broadcast addresses? (Your last config does not use them, but the initial one did, so you should pay attention to this for future modifications.)

In addition to all that - implementing the internal DNS server and DNS configuration of internal workstations (to point to the internal server) can solve the problem of accessing the web server from inside.

Bye
Yizhar Hurwitz
 
interesting yizhar,

The static was recommended by Cisco when they assisted me in setting up the DMZ.

And you're exactly correct about the potential for dmz ----> inside by the structure of my ACLs.

I'm gonna contact the Cisco engineer who helped me with these concerns and see what he comes up with. I see your points and am curious to see how they address them.

ps - while you were disagreeing with me on several points, you might have mentioned that you agreed with me on the inside dns issue. You know - mention both the negative and the positive. "If you lived here, you'd be home by now!"

George Carlin
 