
dmz pinhole help


PhantomTurtle (IS-IT--Management)
Apr 23, 2003
How does one open up a pinhole from your DMZ to the internal network using a Cisco PIX? So far I am using outbound and conduit commands. Any help would be greatly appreciated.

thanks
 
Opening a hole from DMZ to inside is no different than from outside to inside. I assume you are having trouble getting something to work. We need more details of your problem, e.g. what you tried and how it didn't work.
 
Basically what we have is a PIX firewall with three NICs: one internal, one external, one DMZ. We have a public address for each machine behind the firewall, i.e. web servers, mail, anything needing direct access to the net. Basically it is set up like this.

Traffic is routed from an external address to the internal server address using static routes. Conduit commands are used to allow access to servers from the internet. Outbound commands are used to allow internal machines out to the net. Now the DMZ has only one server in it, a web server. I used conduit commands to allow people to access it from the web and outbound commands to allow us to FTP to it internally. Now I just put a server in the DMZ that needs to access port 25 on an internal machine from the DMZ. So what I need to know how to do is make conduit or outbound commands that will allow this server in the DMZ to access a machine on the internal network on port 25. Any ideas? I can't be too specific... being work and all.
 
HI.

You need 2 commands:

static (inside,dmz) b.b.b.b a.a.a.a
conduit permit tcp host b.b.b.b eq 25 host dmzserver

a.a.a.a = the private address of inside mail server.
b.b.b.b = an unused address that belongs to the dmz network.

Another similar option is:
static (inside,dmz) a.a.a.a a.a.a.a
conduit permit tcp host a.a.a.a eq 25 host dmzserver

Instead of allowing direct traffic from dmz to inside, you can pull the mail (connection initiated from the inside instead) using software like "PopBeamer".

Here you'll find more info:
Using nat, global, static, conduit, and access-list Commands and Port Redirection on PIX


Yizhar Hurwitz
 
Thanks for the suggestion, it looks good. I'll have to wait till Monday when I get back to work to try it, but I'll let you know.

Thanks
 
Doesn't seem to work...

>>static (inside,dmz) b.b.b.b a.a.a.a
>>conduit permit tcp host b.b.b.b eq 25 host dmzserver

The conduit command doesn't seem right: b.b.b.b = dmzserver, so aren't I giving it access to itself?

>>a.a.a.a = the private address of inside mail server.
>>b.b.b.b = an unused address that belongs to the dmz network.

>>Another similar option is:
>>static (inside,dmz) a.a.a.a a.a.a.a

Aren't I routing it to itself?

>>conduit permit tcp host a.a.a.a eq 25 host dmzserver

I tested it by trying to telnet from the dmz server to the internal server on port 25.
 
HI.

> The conduit command doesnt seem right b.b.b.b=dmzserver
No - please read again:
>>b.b.b.b = an unused address that belongs to the dmz

So if your dmzserver is b.b.b.x, b.b.b.b should be another different unused address.

> would it be easier to convert to access lists?
It is recommended to convert to access-list, but it will not make the issue discussed here simpler.
Some tips:
* Don't mix conduit and access-list in the same config. Use only 1 method.
* You should note some important differences in the syntax. For example with "conduit" the destination is specified first, unlike access-list with a reverse order.

Did you read the article in the link above?

Bye


Yizhar Hurwitz
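The static + conduit pair from the answer above, written out as an added example (not from the thread or from Yizhar) in both the conduit form and the access-list form he recommends converting to, so the reversed source/destination order is visible side by side. The addresses are constructed placeholders: 10.1.1.25 stands for the inside mail server (a.a.a.a), 192.168.2.25 for the unused DMZ-network address (b.b.b.b), and 192.168.2.10 for the DMZ server; PIX 6.x syntax is assumed.

```cisco
! Added example with constructed placeholder addresses (not the thread's config):
!   inside mail server (a.a.a.a)              = 10.1.1.25
!   unused address on the DMZ network (b.b.b.b) = 192.168.2.25  (NOT the DMZ server)
!   DMZ server that must reach port 25          = 192.168.2.10
!
! 1) Translate the inside mail server to an unused DMZ address, so DMZ hosts
!    reach it as 192.168.2.25. "netmask 255.255.255.255" makes it a one-host static.
static (inside,dmz) 192.168.2.25 10.1.1.25 netmask 255.255.255.255

! 2a) Conduit form, as in the answer. Destination (translated address + port)
!     comes first, the source host last.
conduit permit tcp host 192.168.2.25 eq 25 host 192.168.2.10

! 2b) Access-list equivalent (use one method only, never both in one config).
!     Order is reversed: source first, then destination and port. On PIX 6.x the
!     ACL matches the translated (global) address and is applied inbound on the
!     interface where the connection enters, here the DMZ.
access-list dmz_in permit tcp host 192.168.2.10 host 192.168.2.25 eq 25
access-group dmz_in in interface dmz

! Caveat: binding an access-group to the DMZ interface replaces the implicit
! "higher to lower security" permit with an implicit deny, so any other traffic
! the DMZ web server needs (DNS, updates, ...) must be permitted in dmz_in too.

! Checks after a test connection (e.g. telnet 192.168.2.25 25 from the DMZ server):
show xlate      ! expect a translation between 192.168.2.25 and 10.1.1.25
show conn       ! expect a TCP connection from 192.168.2.10 to port 25
```

Testing from the DMZ server against the translated address 192.168.2.25, not against 10.1.1.25, is what exercises the static; a telnet to the inside address bypasses the translation and will not match the conduit or the access-list.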
 