
Are my Statics Wrong?

My Pix has 3 interfaces inside, dmz and outside
10.1.1.0 addresses are used inside.
Public Addresses are used in the DMZ and Outside. (I know Public addresses are not recommended for the DMZ but I can't change that at present without major upheaval to Legacy systems)
Partial configuration is as follows (not real addresses):-
names
name 200.0.0.10 blue (Mail relay)
name 200.0.0.11 yellow (Web server & Certif. server)
ip address outside 200.0.0.5 255.255.255.248
ip address dmz 200.0.0.9 255.255.255.248
ip address inside 10.1.1.0 255.255.255.0
global (outside) 1 200.0.0.1-200.0.0.4 netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
static (dmz,outside) blue blue 255.255.255.255 0 0
static (dmz,outside) yellow yellow 255.255.255.255 0 0
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0

My reasoning is as follows:- Because the dmz uses public addresses, the first two statics allow them to go out without translation using their own public addresses.
The 3rd static is because people on the 10.1.1.0 network need to be able to get to both dmz servers but not to the internet, other than a few users (5) who have access via a proxy server. I thought they would not need translation just to go to the dmz, but is this correct?
Is the 3rd static incorrect?

At present all users have access to everything they should have BUT due to the nat (inside) 1 10.1.1.0 255.255.255.0 rule everybody also has direct access to the internet.
I tried to cut this off with an access list on the inside interface which allowed everything from inside to the DMZ but denied access to the outside on port 80 but this cut off everybody from the DMZ.

Could somebody please tell me where I have gone wrong? I am beginning to wish I had spent the extra money on FW-1 which is a breeze to configure compared to this Pix.

What translations do I need to enable all inside users to get to the DMZ and all DMZ servers to be able to reach the internet? I do not want all inside users to have access to the internet. Only the proxy server and a couple of other servers should have access to the internet. It is no good looking at the Cisco site as there are no examples which use public addresses in the DMZ.
TIA
Regards
Rob


 
Since writing the above I have been playing with Pixscript and I think the 3rd Static line above needs to be replaced by something like:
Static (inside,dmz) 200.0.0.10 10.1.1.0 netmask 255.255.255.0
Static (inside,dmz) 200.0.0.11 10.1.1.0 netmask 255.255.255.0
Is this on the right track?
Regards
Rob
 
Hi.

Your translation rules are not good.

You should REMOVE this line:
> static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
And you should not use any other static (inside,dmz) rule.

Instead, use the following to allow inside to dmz traffic:
global (dmz) 1 200.0.0.X
OR:
global (dmz) 1 interface

If you need to limit outbound traffic, you have several different options.
One of them is applying an access-list to the inside interface.
Another option is to play with nat translations like:

Specify here only the proxy server and others that need access to the internet
nat (inside) 1 x.x.x.x x.x.x.x
global (outside) 1 .......

Allow all inside hosts access to dmz
nat (inside) 2 0 0
global (dmz) 2 ......

And use static for dmz-outside translations.

I suggest using PDM for managing complex translation and access rules. It can be easier for you.

Bye
Yizhar Hurwitz
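Putting the advice above together for Rob's three-interface layout, as an added example rather than config from the thread. The proxy address 10.1.1.250 and the spare DMZ global addresses 200.0.0.12 and 200.0.0.13 are assumed; lines starting with "!" are annotations, not PIX commands.

```cisco
! Added example for this thread's topology. 10.1.1.250 (proxy) and the
! DMZ-side addresses 200.0.0.12 / 200.0.0.13 are assumed, not from the thread.
names
name 200.0.0.10 blue
name 200.0.0.11 yellow

! DMZ servers keep their own public addresses towards the outside (identity statics),
! so no inside<->dmz static is needed at all.
static (dmz,outside) blue blue netmask 255.255.255.255 0 0
static (dmz,outside) yellow yellow netmask 255.255.255.255 0 0

! nat id 1: only the proxy (add other permitted hosts here, one line each)
! gets a translation on the outside. The host entry is more specific than the
! catch-all nat 2 below, so the proxy matches id 1; confirm with "show xlate".
nat (inside) 1 10.1.1.250 255.255.255.255 0 0
global (outside) 1 200.0.0.1-200.0.0.4 netmask 255.255.255.248
! ...and a dmz global for id 1 so the proxy can still reach the DMZ servers.
global (dmz) 1 200.0.0.12

! nat id 2: everyone else inside gets a translation on the dmz interface only.
! There is deliberately no "global (outside) 2", so these hosts have no
! translation towards the internet and their outbound sessions are dropped.
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
global (dmz) 2 200.0.0.13

! Publish only the services the two DMZ servers actually offer.
access-list outside_in permit tcp any host blue eq smtp
access-list outside_in permit tcp any host yellow eq www
access-list outside_in permit tcp any host yellow eq https
access-group outside_in in interface outside
```

Replies to inside-originated sessions come back through the xlate table, so no access-list on the dmz interface is needed for that traffic; an access-list on dmz only matters for connections the DMZ servers themselves start.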
 
Yizhar,

Excellent idea for restricting web access to just the proxy server, only nat the proxy!! I never thought of that!! lol

Keep up the good work!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Yizhar, thank you for advice. I have fixed up the NAT.
Do I need an access list at all on the DMZ interface then? I have one at the moment, but in view of your comments above it would seem that traffic from the inside to the DMZ would get back by way of the dynamic access lists.
Is one needed to allow the Mail relay and web server traffic to return to the internet?
My dmz access list does seem to be getting a lot of hits when I do a show access-list.
I have of course got an access list on the outside interface.
Regards
Rob
 
Yizhar, one more question please.
How does traffic from the DMZ which does not originate inside get to the inside for basic authentication?
We have some clients who log in via the web server in the dmz. The web server performs basic authentication with a domain controller inside and after being authenticated these clients are able to download data from an internal data server. I understood the nat/global thing was a one way thing so what mechanism should I employ to allow the above.
I can see that perhaps the authentication and the data server should be situated in the dmz but I can't do this immediately.
Kind Regards and many thanks for all your help which has been invaluable.
Rob
 
Hi.

You had better not allow the Windows authentication traffic from DMZ to inside, as this is a potential risk.

Use another alternative, like:

* Local accounts on the dmz server if there are not too many users.

* Use RADIUS instead of MS protocols to reduce the risk.
This is better since it will be used only for authentication and will not allow the DMZ server to use SMB.
For this to work, you need to:
1) Configure DMZ server as RADIUS client.
2) Configure one of the internal servers as RADIUS client.
This can be a DC or even a member server.
3) Configure pix with static mapping for the internal RADIUS server:
static (inside,dmz) ...
4) Configure access-list on the dmz interface to allow only RADIUS traffic to the internal RADIUS server.
You should note that this will block any other traffic originating from the DMZ, so if you need the DMZ server to be able to access the Internet, you should also allow this in the access-list.

A RADIUS server & client comes as an option in Win2000 (Add/Remove...), and for NT4 it can be installed as part of IIS4 - NT Option Pack.
In both cases it is called "Internet Authentication Service" or IAS.

Again - it is best not to allow ANY traffic originating from DMZ to the inside. This is what DMZ is for.
But if you have no better alternative, use RADIUS.

Bye
Yizhar Hurwitz
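Steps 3 and 4 of the reply above written out, as an added example that is not config from the thread. The internal IAS server 10.1.1.20 and its DMZ-side address 200.0.0.14 are assumed, as is that the web server (yellow) is the only RADIUS client; "!" lines are annotations.

```cisco
! Added example for steps 3 and 4 above. 10.1.1.20 (internal IAS/RADIUS server)
! and its DMZ-side address 200.0.0.14 are assumed, not taken from the thread.
name 10.1.1.20 ias

! One-to-one static: the only inside address the DMZ can reach, and it is
! reached as 200.0.0.14, so the real inside addressing stays hidden.
static (inside,dmz) 200.0.0.14 ias netmask 255.255.255.255 0 0

! Access-list on the dmz interface (applies to sessions the DMZ servers start):
!  - RADIUS authentication (1812) and accounting (1813) from the web server only;
!    IAS also listens on the legacy 1645/1646 ports, add them if the client uses them.
!  - explicit deny for anything else aimed at the inside network
!  - then only the outbound traffic the DMZ servers need (mail delivery, DNS)
! Everything not listed is dropped by the implicit deny at the end.
access-list dmz_in permit udp host yellow host 200.0.0.14 eq 1812
access-list dmz_in permit udp host yellow host 200.0.0.14 eq 1813
access-list dmz_in deny ip any 10.1.1.0 255.255.255.0
access-list dmz_in permit tcp host blue any eq smtp
access-list dmz_in permit udp host blue any eq domain
access-list dmz_in permit udp host yellow any eq domain
access-group dmz_in in interface dmz
```

After applying it, "show access-list" shows hit counts per line, which makes it easy to spot DMZ hosts trying anything other than RADIUS towards the inside.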
 