DMZ access to inside server

Status
Not open for further replies.

psavin

Technical User
Dec 6, 2005
US
I'm having trouble configuring my PIX 515E to allow access from the DMZ interface to a server that resides on the inside interface. Both DMZ and inside interfaces use public IP using NAT 0. Using a computer on the DMZ I can access any hosts on the outside, but not the server on the inside.

Here are the relevant (I think) portions of the configuration:

ip address outside 192.64.x.x 255.255.255.0
ip address inside 134.39.x.x 255.255.255.0
ip address dmz 168.156.x.x 255.255.255.128

nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 134.39.x.x 134.39.x.x netmask 255.255.255.0
static (dmz,outside) 168.156.x.x 168.156.x.x netmask 255.255.255.128
static (inside,dmz) 168.156.x.x 168.156.x.x netmask 255.255.255.128

access-list acl_dmz permit tcp any host 134.39.x.x (internal server IP) eq 80
access-list acl_dmz deny ip any 134.39.x.x 255.255.255.0
access-list acl_dmz permit ip any any
access-group acl_dmz in interface dmz

All the examples I can find use NAT on either or both the DMZ and inside interfaces, so I'm not sure what exactly I'm doing wrong here. Any suggestions?
 
What is the IP range on the inside that you are trying to access? 134.39.x.x?
 
Yes, the server I'm trying to get to on the inside has the IP referenced in the first ACL command:

access-list acl_dmz permit tcp any host 134.39.x.x eq 80
(where 134.39.x.x is the IP of the server)

I just realized I may need a 255.255.255.255 netmask on that command...? I'm trying to allow access from DMZ to inside to that specific IP, and deny to the rest of the 134.39.x.x range (class C).
 
No, you don't. "host" effectively provides the all-1's mask.

What you need is to change your (inside,dmz) static NAT to "static (inside,dmz) 134.39.x.x 134.39.x.x netmask 255.255.255.0". Then the DMZ can see the Inside by its real IP range.

 
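A worked model of how the PIX evaluates an interface access-list such as acl_dmz, added here as an example and not code from any poster in this thread. It assumes constructed stand-in addresses (198.51.100.0/24 for the redacted inside 134.39.x.x range, 198.51.100.10 for the inside web server, 203.0.113.5 for a DMZ client in place of 168.156.x.x) and parses only the access-list syntax seen above; it shows that "host" is the same as a 255.255.255.255 mask, that PIX masks are subnet masks rather than wildcards, and that the first matching entry wins with an implicit deny at the end.

```python
import ipaddress
from collections import namedtuple

# Port names used with "eq" in the thread's access-lists (assumed subset).
PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "telnet": 23, "snmp": 161}

# dport is None when the entry has no "eq PORT" clause (any port matches).
AclEntry = namedtuple("AclEntry", "action proto src dst dport")

def parse_addr(tokens):
    """Parse one PIX address clause: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
    Returns (network, tokens consumed). PIX ACL masks are subnet masks (not IOS
    wildcards) and 'host' is shorthand for a 255.255.255.255 mask."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/255.255.255.255"), 2
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), 2

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    src, n = parse_addr(t[4:])
    dst, m = parse_addr(t[4 + n:])
    rest = t[4 + n + m:]
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return AclEntry(t[2], t[3], src, dst, dport)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry decides; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        proto_ok = e.proto in ("ip", proto)
        addr_ok = s in e.src and d in e.dst
        port_ok = e.dport is None or e.dport == dport
        if proto_ok and addr_ok and port_ok:
            return e.action
    return "deny"

# Constructed stand-in for the thread's acl_dmz: 198.51.100.0/24 plays the
# redacted inside 134.39.x.x/24 and 198.51.100.10 plays the inside web server.
ACL_DMZ = [parse_ace(l) for l in (
    "access-list acl_dmz permit tcp any host 198.51.100.10 eq 80",
    "access-list acl_dmz deny ip any 198.51.100.0 255.255.255.0",
    "access-list acl_dmz permit ip any any",
)]
```

With this list a DMZ client reaches the web server on port 80 only; any other port or any other inside host falls through to the deny line, and traffic bound for the internet reaches the final permit.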
Ahh, I see! I misunderstood how the static NAT command was working, obviously looking at it backwards. It works now, thanks!
 
Ok, correction. That worked, in that I could then access the internal server from the DMZ. However, clients on the inside could no longer reach the internet.

How could the "static (inside,dmz) 134.39.x.x 134.39.x.x netmask 255.255.255.0" command break connections to the internet?
 
Ok, I think I figured it out. What I really needed was no "static (inside,dmz)" command at all. Deleting that static nat allows me to access the specified host on the inside and internal hosts are getting everywhere they ought to be able to as well.
 
I'm still having trouble with this (Ignore my above post, I jumped the gun and thought I had it working, before the xlate had cleared).

I can use "static (inside,dmz) 134.39.x.x 134.39.x.x netmask 255.255.255.0" to allow hosts on the dmz to get to the inside interface. However, hosts on the inside cannot get to the internet with this static in place. Without it, hosts on the dmz cannot get to hosts on the inside, regardless of access-lists. It appears to be a static/nat problem, but I can't figure out why. I'd very much appreciate any further suggestions!
 
Do you have a global statement in place for the outside interface?
 
No. I'm using no nat, so my understanding is that I don't need any global statements...?
 
Post your config. There has to be something else stopping traffic.
 
Here it is, minus some ACLs that aren't relevant.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name 134.39.x.x backup
name 134.39.x.x websql
name 134.39.x.x korrs
name 134.39.x.x aegis
name 134.39.x.x cis_icmp
name 134.39.x.x cis_snmp
name 134.39.x.x rainier
name 134.39.x.x psavin
name 134.39.x.x printer_fin_3
name 134.39.x.x procert
name 134.39.x.x exch-1
name 134.39.x.x oly-1
access-list outside_access_in permit gre any host backup
access-list outside_access_in permit tcp any host backup eq 1723
access-list outside_access_in permit tcp any host websql eq www
access-list outside_access_in permit tcp any host websql eq ftp
access-list outside_access_in permit tcp any host korrs eq www
access-list outside_access_in permit tcp any host aegis eq 443
access-list outside_access_in permit tcp any host websql eq 443
access-list outside_access_in permit udp cis_icmp 255.255.255.240 any eq snmp
access-list outside_access_in permit tcp cis_icmp 255.255.255.240 any eq telnet
access-list outside_access_in permit icmp cis_icmp 255.255.255.240 any
access-list outside_access_in permit udp host cis_snmp any eq snmp
access-list outside_access_in permit tcp any host rainier eq smtp
access-list outside_access_in permit tcp any host rainier eq www
access-list outside_access_in permit tcp 168.156.x.x 255.255.255.224 host backup eq 139
access-list outside_access_in permit tcp any host dwhittaker eq 3389
access-list outside_access_in permit tcp any host procert eq www
access-list outside_access_in permit tcp any host procert eq 443
access-list outside_access_in permit tcp any host exch-1 eq www
access-list outside_access_in permit tcp any host exch-1 eq 443
access-list outside_access_in permit tcp any host exch-1 eq smtp
access-list outside_access_in permit tcp 168.156.x.x 255.255.255.224 host oly-1 eq 139
access-list outside_access_in permit gre any host exch-1
access-list outside_access_in permit tcp any host exch-1 eq 1723
access-list acl_dmz permit tcp any host websql eq www
access-list acl_dmz permit tcp any host korrs eq www
access-list acl_dmz deny ip any 134.39.x.x 255.255.255.0
access-list acl_dmz permit ip any any
pager lines 24
logging trap debugging
logging host inside psavin
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.122 255.255.255.0
ip address inside 134.39.x.x 255.255.255.0
ip address dmz 168.156.x.x 255.255.255.128
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 134.39.x.x 134.39.x.x netmask 255.255.255.0 0 0 norandomseq
static (inside,outside) 168.156.y.x 168.156.y.x netmask 255.255.255.224 0 0 norandomseq
static (dmz,outside) 168.156.x.x 168.156.x.x netmask 255.255.255.128 0 0 norandomseq
static (inside,outside) 134.39.y.x 134.39.y.x netmask 255.255.255.252 0 0
static (inside,dmz) 134.39.x.x 134.39.x.x netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.122 1
route inside 134.39.y.x 255.255.255.252 134.39.x.x 1
route inside 168.156.y.x 255.255.255.224 134.39.x.x 1
timeout xlate 3:00:00
timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet psavin 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
terminal width 80
 
Try doing a capture on the traffic from the DMZ server to the inside server:

access-list 150 permit ip host 134.39.x.x host insideserver
access-list 150 permit ip host insideserver host 134.39.x.x

capture captraff access-list 150 buffer 8000 interface inside circular-buffer

Let the traffic start flowing, then do:

sh capture captraff detail

You should see the traffic flowing both ways. If you don't, change the capture interface to the dmz interface. When you are done with the capture do:

no capture captraff
no access-list 150

Post your results back. Also turn on logging to the buffer:

logging on
logging buffer 6

When you are trying to access, do:

sh log

See if there are any entries for your destination or source IP that might explain why the traffic isn't going through.

Post results here.
 
Unfortunately my Pix is running 6.1, it doesn't understand the "capture" command.

When I turn logging on and try to get to the inside from the DMZ (without the "static (inside,dmz) 134.39.x.x 134.39.x.x netmask 255.255.255.0" statement), I don't see any evidence of the traffic from the DMZ to the inside.
 
Well, try pinging through.

Then do this:

debug icmp trace

Let it run for the ping.

To stop:
no debug all

Post the results.
