
DMZ Question...


StevoDevo (IS-IT--Management), Jan 29, 2003, US
Okay, here's a question for ya about DMZs.

I've just set one up off my Pix 515. Here's the setup...

Outside Interface: 203.132.60.1/24
Inside Interface: 10.1.1.1/24
DMZ Interface: 10.1.10.1/24

My box in the DMZ has an IP of 10.1.10.40 which is natted to 203.132.60.40. I can access 203.132.60.40 from the internet just fine but can't get to it from the inside network.

I can ping 10.1.10.40 but not 203.132.60.40. What am I missing?!!

--Stevo
 
You probably are missing a line like:
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

hope this helps
-gbiello
 
Yeah, I've tried that, but that just stops the packets from the inside to the DMZ being translated on the way out of the PIX.

I still don't get it!!
 
Let's see your config. Probably your NAT/global statements.
 
You can try the alias command; refer to the PIX command reference for more info. But I haven't had much luck with that.

I don't think you will be able to go to the NATed address 203.132.60.40 from your inside network. The PIX has limited routing capabilities.

Think about what is happening...

This packet's destination address is 203.132.60.40. This address is within the network 203.132.60.0/24, so the PIX is going to send it out the external interface, since that is where that IP address should be. At this point the PIX is not smart enough to know that 60.40 is one of its translated addresses from the DMZ.

Here's what you need to do:
Change your subnetting on your external network to something like:
203.132.60.0/27 (host numbers are 1-30)
203.132.60.32/27 (host numbers are 33-62)

On your external router, you will have a route statement like:
ip route 203.132.60.32 255.255.255.224 203.132.60.1

Now your packet will leave your PIX and hit your external router, which will send it back to the PIX; the PIX will recognize it as a static translated address and will pass it through. (Also, for this to work, your global translated address cannot be in the network 203.132.60.0/27.)


Your final option is to do a no-NAT statement between your internal and DMZ networks, then change your internal DNS server to resolve your host name to 10.1.10.40. In other words, prevent any NATs from happening.

Good Luck.


 
StevoDevo - NEVER NEVER NEVER post your public IP addie or anything particular to your network on a public forum. ALWAYS replace the IP address with XXX.XXX.XXX.1, MY.PUBLIC.IP.1, MY.PRIVATE.IP.1 or something like that.

It takes a few minutes in notepad to copy/paste the config and do a replace, but well worth it.

You have given a bad guy sufficient info to start a hack attack on your network already.

We are, in all likelihood, an honest bunch here, but this IS a public forum and crackers haunt places like this for just the info you posted.

You might consider asking the admins to remove your post or allow you to edit it (if that's possible).
 
Steve,

I'm with MichaelM. The connection gets from the inside to the DMZ host just fine, most likely, but then the PIX tries to NAT the connection on the way back. A nonat statement will take care of that. It's sometimes good to create one for the inside interface for use with VPNs, and another for the DMZ to permit communications from the inside network.

 
Yeah, the IP addresses are not my actual IP addresses, but it makes answering the question a lot easier having 'real' IP addresses to play with...

Try tracerouting to 203.132.60.1... the network doesn't even exist in my routing table!

You do give good advice on posting IP addresses... how about some advice on the question at hand! :)
 
Hi.

> I can ping 10.1.10.40 but not 203.132.60.40.
Internal hosts should access the server using 10.1.10.40

Depending on the network configuration, this can be achieved in several ways, here are some:

* Modifications to internal DNS server that is used by your internal hosts.

* Using the pix alias command.

Bye
Yizhar Hurwitz
 
StevoDevo - I set my pix up with NAT between my DMZ and my inside by mapping as follows:

static (inside,DMZ) my.priv.net.0 my.priv.net.0

It allows all traffic to flow from the inside to the dmz. Then I create ACLs to limit just which devices are allowed to pass traffic from the DMZ back to the inside.

And it's great that you took the time to make up fake public addresses. Most of the people on other firewall discussion boards I haunt just make text IP addies and everyone understands. "If you lived here, you'd be home by now!"

George Carlin
 
You cannot reach NAT-translated addresses from the inside. Instead, use the dns keyword after your static command, then use a DNS-registered name to look up your server (external DNS); you will see that the PIX then translates the DNS info to your private IP address on the DMZ.
 
Cool - I'll give that a go... actually can you give me an example of such a nat statement?!
 
That would look something like: "static (inside,outside) <official ip> <internal ip> netmask 255.255.255.255 dns"
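Putting the pieces from this thread together: the no-NAT between inside and DMZ that gbiello, MichaelM and the nonat reply describe, plus the static with the dns keyword from the last two posts. This is an added example, not any poster's configuration. It assumes PIX OS 6.2/6.3 syntax and the made-up addresses used in the thread (inside 10.1.1.0/24, dmz 10.1.10.0/24, public 203.132.60.0/24); the interface names, ACL names and the PAT for general Internet access are assumptions. Keyword order on the static line (netmask before dns) follows the post above; check it against the command reference for your PIX version.

```text
! Added example (not from the thread). Assumed PIX 6.x syntax and addresses.

! 1. Keep inside -> dmz traffic untranslated ("nonat"), so the inside host
!    talks to 10.1.10.40 directly and the return path is not NATed.
access-list INSIDE_TO_DMZ_NONAT permit ip 10.1.1.0 255.255.255.0 10.1.10.0 255.255.255.0
nat (inside) 0 access-list INSIDE_TO_DMZ_NONAT
! Equivalent alternative for this interface pair, as suggested earlier:
! static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! 2. Ordinary PAT for everything else leaving inside and dmz toward the Internet.
!    (Assumed; the original poster's nat/global lines are not shown.)
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 10.1.10.0 255.255.255.0

! 3. Publish the DMZ host. The dns keyword makes the PIX rewrite A records in
!    DNS replies that traverse this translation: an inside host resolving the
!    public name against an external DNS server receives 10.1.10.40 instead of
!    203.132.60.40, and then connects across the dmz interface under rule 1.
static (dmz,outside) 203.132.60.40 10.1.10.40 netmask 255.255.255.255 dns

! 4. Let the Internet reach the published service (HTTP assumed).
access-list OUTSIDE_IN permit tcp any host 203.132.60.40 eq www
access-group OUTSIDE_IN in interface outside
```

To check it: from an inside host, resolve the public name against an external resolver and confirm the answer is 10.1.10.40 (not 203.132.60.40), then connect by name; `show xlate` on the PIX should show no translation for the inside-to-DMZ session. The DNS rewrite only happens for replies that actually pass through the PIX, so inside hosts that use an internal DNS server still need that server to hand out 10.1.10.40 itself, as Yizhar's post notes.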

 