DMZ to Inside Communication on PIX 515

Status
Not open for further replies.

BigDaddyJ (IS-IT--Management, GB)
Dec 10, 2002
We have just configured our PIX 515 with one DMZ and an inside network. The inside computers are on a 10.0.0.0 network and the DMZ is on a 172.16.0.0 network, both subnetted to 255.255.0.0.

Most things seem to be working fine except accessing the websites on our webservers in the DMZ from the inside network. Nothing appears to be resolving anywhere. It is trying to resolve to our public address but gets nowhere.

Our 3 servers we have in the DMZ are using static and conduit commands to translate addresses to the outside world.

Can anyone help?

Justin Day
 
PIX Version 5.2(1)
nameif ethernet0 ouside security0
nameif ethernet1 inside security100
nameif ethernet2 perimeter security50
enable password mLy5dR3EBv2fyWVf encrypted
passwd zNPI9nc/dVnGiMfH encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered debugging
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp permit any echo-reply ouside
icmp permit any source-quench ouside
icmp permit any unreachable ouside
icmp permit any time-exceeded ouside
icmp permit any echo-reply inside
icmp permit any source-quench inside
icmp permit any unreachable inside
icmp permit any time-exceeded inside
mtu ouside 1500
mtu inside 1500
mtu perime
ip address ouside xxx.xxx.xxx.189 255.255.255.240
ip address inside 10.0.0.254 255.255.0.0
ip address perimeter 172.16.0.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address ouside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address perimeter 0.0.0.0
arp timeout 14400
global (ouside) 1 xxx.xxx.xxx.184-193.123.234.188
global (ouside) 3 xxx.xxx.xxx.180-193.123.234.183
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
static (perimeter,ouside) xxx.xxx.xxx.179 172.16.0.1 netmask 255.255.255.255 0 0
static (perimeter,ouside) xxx.xxx.xxx.190 172.16.0.2 netmask 255.255.255.255 0 0
static (perimeter,ouside) xxx.xxx.xxx.178 172.16.0.3 netmask 255.255.255.255 0 0
static (inside,perimeter) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0
conduit permit icmp any any
conduit permit tcp host xxx.xxx.xxx.179 eq
conduit permit tcp host xxx.xxx.xxx.190 eq
conduit permit tcp host xxx.xxx.xxx.178 eq smtp any
conduit permit tcp host xxx.xxx.xxx.190 eq ftp any
conduit permit tcp host xxx.xxx.xxx.178 eq
conduit permit tcp host xxx.xxx.xxx.190 eq 443 any
conduit permit tcp any any
conduit permit udp any any
rip ouside passive version 1
rip inside passive version 1
route ouside 0.0.0.0 0.0.0.0 193.123.234.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community publ
no snmp-server enable traps
tftp-server inside 10.0.0.19 firewall.txt
no floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet xxx.xxx.xxx.177 255.255.255.255 inside
telnet 10.0.0.3 255.255.255.255 inside
telnet xxx.xxx.xxx.177 255.255.255.255 perimeter
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:314c916f2ec7f0f22622d013184529c5
 
Aren't conduits deprecated? I was under the impression that you should use access-list vice conduit.

another newb question brought to you by me.
 
Several things to note here, you don't have any route statements to your dmz. Also depending on the design you want, you may decide to nat inside addresses to the dmz, via the nat and global commands. Then point your internal dns addresses to the dmz addresses of the server, not the external address.
 
Personally speaking, looking at this config scares the hell out of me. Your conduit statements are allowing anyone on the internet to get to everything on your network.

conduit permit icmp any any
conduit permit tcp any any
conduit permit udp any any

This opens up your firewall and pretty much acts like there is no firewall there at all.

The ICMP permits on the outside interface should also be removed. Your network at this point in time is EXTREMELY vulnerable to just about any intrusion out there, especially DoS attacks.

You might want to consider upgrading the PIX to version 6.x right now and then migrating away from the conduit statements and implementing the access-list statements.

Back to your original problem, where do your DNS servers sit? Is there just one at the ISP, or do you have internal servers as well?
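Added example for this thread, not the poster's configuration and not a Cisco tool: a small Python audit that parses the nameif, icmp, nat/global, static and conduit lines the replies above discuss and reports what the config actually exposes. The sample config embedded in it is constructed from the lines posted above, with the public addresses masked as in the post and the interface name "ouside" kept as typed there; the severity labels and function names are this example's own choices.

```python
"""Audit a conduit-era Cisco PIX (5.x/6.x) config for the exposure the thread warns about.

Added example, not the poster's or Cisco's tooling.  Assumes classic PIX syntax:
  conduit permit|deny PROTO GLOBAL_ADDR [op PORT] FOREIGN_ADDR [op PORT]
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the relevant lines from the config posted in the thread,
# public addresses masked as in the post, interface name "ouside" as typed.
SAMPLE_CONFIG = """\
nameif ethernet0 ouside security0
nameif ethernet1 inside security100
nameif ethernet2 perimeter security50
icmp permit any echo-reply ouside
icmp permit any unreachable ouside
icmp permit any echo-reply inside
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
static (perimeter,ouside) xxx.xxx.xxx.190 172.16.0.2 netmask 255.255.255.255 0 0
static (inside,perimeter) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0
conduit permit icmp any any
conduit permit tcp host xxx.xxx.xxx.190 eq ftp any
conduit permit tcp host xxx.xxx.xxx.190 eq 443 any
conduit permit tcp any any
conduit permit udp any any
"""

PORT_OPS = ("eq", "neq", "lt", "gt")


def _addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume an address spec at tokens[i]: 'any', 'host X', or 'X MASK'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return "host " + tokens[i + 1], i + 2
    return tokens[i] + " " + tokens[i + 1], i + 2


def _port(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume an optional port operator ('eq www', 'range 1 1024')."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return tokens[i] + " " + tokens[i + 1], i + 2
    if i < len(tokens) and tokens[i] == "range":
        return " ".join(tokens[i:i + 3]), i + 3
    return None, i


def parse_conduit(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one conduit line into action, protocol, destination and source."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "conduit":
        return None
    dst, i = _addr(tokens, 3)          # global (translated) address = destination
    dst_port, i = _port(tokens, i)
    src, i = _addr(tokens, i)          # foreign address = source on the Internet
    src_port, _ = _port(tokens, i)
    return {"action": tokens[1], "proto": tokens[2], "dst": dst,
            "dst_port": dst_port, "src": src, "src_port": src_port}


def audit_conduits(config: str) -> List[Tuple[str, str]]:
    """Return (severity, line) for every permit conduit in the config."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        c = parse_conduit(line)
        if c is None or c["action"] != "permit":
            continue
        if c["dst"] == "any" and c["dst_port"] is None:
            findings.append(("CRITICAL", line))   # every protected host, every port
        elif c["dst"].startswith("host") and c["dst_port"] is not None:
            findings.append(("INFO", line))       # one published service, one address
        else:
            findings.append(("WARN", line))
    return findings


def outside_interface(config: str) -> Optional[str]:
    """The interface named with security level 0 is the untrusted side."""
    for line in config.splitlines():
        m = re.match(r"nameif\s+\S+\s+(\S+)\s+security0$", line.strip())
        if m:
            return m.group(1)
    return None


def icmp_permits_on_outside(config: str) -> List[str]:
    """icmp permit lines that apply to the outside interface itself."""
    outside = outside_interface(config)
    return [l.strip() for l in config.splitlines()
            if l.strip().startswith("icmp permit") and l.split()[-1] == outside]


def has_translation(config: str, high: str, low: str) -> bool:
    """True if traffic from interface `high` has a translation toward `low`:
    a static (high,low), or a nat (high) id matched by a global (low) id."""
    lines = [l.strip() for l in config.splitlines()]
    if any(l.startswith(f"static ({high},{low})") for l in lines):
        return True
    nat_ids = {m.group(1) for l in lines if (m := re.match(rf"nat \({high}\) (\d+)", l))}
    glb_ids = {m.group(1) for l in lines if (m := re.match(rf"global \({low}\) (\d+)", l))}
    return bool(nat_ids & glb_ids)


if __name__ == "__main__":
    for sev, line in audit_conduits(SAMPLE_CONFIG):
        print(f"{sev:8} {line}")
    for line in icmp_permits_on_outside(SAMPLE_CONFIG):
        print(f"WARN     {line}")
    print("inside->perimeter translation:", has_translation(SAMPLE_CONFIG, "inside", "perimeter"))
```

Run against the posted config this reports the three "any any" conduits as CRITICAL (exactly the lines the reply quotes), the two host-specific conduits as the expected published services, the two icmp permits on the outside interface, and confirms that the identity static (inside,perimeter) already gives inside hosts a translation toward the DMZ, so the remaining piece of the original problem is the DNS answer the inside clients receive, not the firewall path.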

 