Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

DMZ to Internal LAN? 1

Status
Not open for further replies.
mRgEE

mRgEE

IS-IT--Management
Oct 13, 2003
61
GB
I am looking at setting up a DMZ as follows: -

Internet > router > pix -------> dmz / isa > web servers
¦
¦-----> lan


I want to set up the DMZ with a 192.168.0.0 address.
At present I have my Pix setup with the outside interface address of 10.0.0.254. I have configured the inside interface to be 192.168.0.254.

I have an ISA server providing application layer filtering for my DMZ with an ip address of 192.168.0.253. I would like all web traffic to be forwarded to this ISA server.

Now the problem is that I need to have communication for Citrix Secure Gateway which will sit in the DMZ with an ip address of 192.168.0.10 to the internal citrix servers that sit on the internal LAN in the 10.0.0.0 range.

Can anyone confirm whether this is possible to setup routing between these two networks and then create an access list for access for the host in the DMZ?
Note that 10.0.0.254 is assigned to the outside interface and the LAN is 10.0.0.0 and that the inside interface 1 is assigned 192.168.0.254.

Here is my config: -
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ######## encrypted
passwd ######## encrypted
hostname CP501FW
domain-name mydomain.co.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.254 255.0.0.0
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:fa67b32670247455a9aa50685da1e794
: end
 
Sort by date Sort by votes
This setup is certainly possible and yes you can control access to the DMZ with access lists. I would say however that you should use a different IP subnet for your DMZ than is already in use on your LAN subnet, e.g. 192.168.1.0/24
 
Upvote 0 Downvote
My LAN ip address is currently 10.0.0.0/8. I would like my DMZ to be 192.168.0.0/24.
From the above config I can ping both networks on the pix successfully. However, if I ping the LAN from the DMZ or the DMZ from the LAN I get no response. Do I need to setup ACLs or routing for this?
 
Upvote 0 Downvote
Some more information...
I turned on debug icmp trace and pinged from a server in the DMZ to the inside interface and the outside interface.
here are the results: -

CP501FW# sh ip address
System IP Addresses:
ip address outside 10.0.0.253 255.0.0.0
ip address inside 192.168.0.254 255.255.255.0
Current IP Addresses:
ip address outside 10.0.0.253 255.0.0.0
ip address inside 192.168.0.254 255.255.255.0
CP501FW# 31: ICMP echo request (len 32 id 2 seq 36864) 192.168.0.1 > 192.168.0.254
32: ICMP echo reply (len 32 id 2 seq 36864) 192.168.0.254 > 192.168.0.1
33: ICMP echo request (len 32 id 2 seq 37120) 192.168.0.1 > 192.168.0.254
34: ICMP echo reply (len 32 id 2 seq 37120) 192.168.0.254 > 192.168.0.1
35: ICMP echo request (len 32 id 2 seq 37376) 192.168.0.1 > 192.168.0.254
36: ICMP echo reply (len 32 id 2 seq 37376) 192.168.0.254 > 192.168.0.1
37: ICMP echo request (len 32 id 2 seq 37632) 192.168.0.1 > 192.168.0.254
38: ICMP echo reply (len 32 id 2 seq 37632) 192.168.0.254 > 192.168.0.1
39: Outbound ICMP echo request (len 32 id 2 seq 37888) 192.168.0.1 > 10.0.0.253 > 10.0.0.253
40: Outbound ICMP echo request (len 32 id 2 seq 38144) 192.168.0.1 > 10.0.0.253 > 10.0.0.253
41: Outbound ICMP echo request (len 32 id 2 seq 38400) 192.168.0.1 > 10.0.0.253 > 10.0.0.253
42: Outbound ICMP echo request (len 32 id 2 seq 38656) 192.168.0.1 > 10.0.0.253 > 10.0.0.253

Can anyone help with this? I am quite new to the pix.
 
Upvote 0 Downvote
First things first is you have to have nonat rule for the LAN and DMZ and then depending upon the security level you define you can put the access-list
 
Upvote 0 Downvote
What is the syntax for this nonat rule? - i am having trouble locating documentation on it.
 
Upvote 0 Downvote
ok, I have added the following but still no joy :(

nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (outside) 0 0.0.0.0 0.0.0.0 0 0

Can anyone point to where I am going wrong?
 
Upvote 0 Downvote
Hey mRgEE,

What are you trying to do with the No Nat rule? Do you mean you don't want to do any translation from an inside interface to a outside or DMZ interface? If so it would be something like this. nat (inside) 0 192.168.10.0 255.255.255.0 0 0...Obviously enter the correct interface and Subnet.

But the No Nat rule is just going to remove a previous Nat rule that you already have in place..

Also if you are wanting to ping a device from a Lower Security Level to a higher security(Outside to Inside) level you will need an access list allowing this. Something like access-list ACCESSLISTNAME line 1 permit icmp any any or from the networks you are pinging to the networks you want. For a client to ping a lower security interface is NOT needed. So really inside out should work just as long as you pinging the right IP. Note that because you are wanting to use NAT you have to ping the NATed ip.

If you want your clients on inside to get out to the internet your nat should be nat (inside) 1 0.0.0.0 0.0.0.0 0 0 that way all your inside clients when the go outside are using the outside interface as the ip address to go out.

Lastly i dont see a Nameif for the DMZ nic? are you using the outside interface as the DMZ?

Let me know on my questions.
 
Upvote 0 Downvote
All I am basically wanting to do is to implement a DMZ that is protected via the Pix. Any traffic that is destined for the DMZ must pass through the Pix first.

I already have a Perimiter Router / firewall in place protecting the LAN. The Perimiter Router is performing NAT with an internal IP address of 10.0.0.254. I have connected the Pix to this device via the outside interface and given it an ip address of 10.0.0.253. I will then setup rules to direct specific traffic to the pix on 10.0.0.253. I have assigned my DMZ ip address range 192.168.0.0/24 with the inside interface using 192.168.0.254. However I cannot get traffic to route between the 2 interfaces.
In this scenario would it be easier to use the two inside interfaces rather than using the outside interface?
For example if I rename inside interface 1 to LAN and inside interface 2 to DMZ?
 
Upvote 0 Downvote
Above I asked if it was possible to use the 2 internal interfaces... however I have just been reading and as I am using the pix 501 it only has 1 outside interface and 1 inside interface (not 2). Is this correct?
 
Upvote 0 Downvote
the 501 has only one outside interface and one inside (manageable) interface. there are the others of course, you will notice you will not be able to assign an ip to them.
 
Upvote 0 Downvote
Ok, I am getting a little closer now. I now get replies when I ping the LAN (10.0.0.0/8) from the DMZ (192.168.0.0/24).

I added the following to my config to get this to work: -

access-list allow_icmp permit icmp any any
access-group allow_icmp in interface outside
access-group allow_icmp in interface inside

However, I still cannot get replies when I ping the DMZ (192.168.0.0/24) from the LAN (10.0.0.0/8).

I always get "Reply from 10.0.0.254: TTL expired in transit." followed by 3 timouts.
I tried increasing the TTL e.g. "ping -i 15 10.0.0.254" but this made no difference.

I also switched on "debug icmp trace" but I don't see anything when I try to ping the inside interface of the pix (192.168.0.254) from a host on the LAN (10.0.0.10).

Any ideas??? Stuck again :(
 
Upvote 0 Downvote
System IP Addresses:
ip address outside 10.0.0.253 255.0.0.0
ip address inside 192.168.0.254 255.255.255.0
Current IP Addresses:
ip address outside 10.0.0.253 255.0.0.0
ip address inside 192.168.0.254 255.255.255.0
CP501FW(config)# sh access-list
access-list allow_icmp; 1 elements
access-list allow_icmp permit icmp any any (hitcnt=2268)
CP501FW(config)# sh access-group
access-group allow_icmp in interface outside
CP501FW(config)#

I get timeouts when I ping 192.168.0.254 from 10.0.0.11 (a workstation)... however with 'debug icmp trace' enabled on the pix I see the following: -

CP501FW(config)# 1886: ICMP echo request (len 32 id 2 seq 25373) 10.0.0.11 > 192.168.0.254
1887: ICMP echo reply (len 32 id 2 seq 25373) 192.168.0.254 > 10.0.0.11
1888: ICMP echo request (len 32 id 2 seq 25629) 10.0.0.11 > 192.168.0.254
1889: ICMP echo reply (len 32 id 2 seq 25629) 192.168.0.254 > 10.0.0.11
1890: ICMP echo request (len 32 id 2 seq 25885) 10.0.0.11 > 192.168.0.254
1891: ICMP echo reply (len 32 id 2 seq 25885) 192.168.0.254 > 10.0.0.11
1892: ICMP echo request (len 32 id 2 seq 26141) 10.0.0.11 > 192.168.0.254
1893: ICMP echo reply (len 32 id 2 seq 26141) 192.168.0.254 > 10.0.0.11

The hitcnt from 'sh access-list' does not increment however.
 
Upvote 0 Downvote
Update, I have tried to get RIP working without success to route between the 10.0.0.0 and 192.168.0.0 networks.
The only way I have managed to get successful pings from the 10.0.0.0 to the 192.168.0.0 network is to add the static statement "static (inside,outside) 10.0.0.150 192.168.0.1 netmask 255.255.255.255 0 0" to the config.

This isn't really the best option as I do not want to use 10.0.0.0 addresses for the DMZ. Can anyone help me out here as surely this cannot be a hard config to carry out and I must be missing something really simple. I am quite new to the pix but learning more each day.

Latest config is below (note I also upgraded the IOS to 6.3(4). Any help is greatly appreciated.


PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password njYR2McU21hK0lQf encrypted
passwd njYR2McU21hK0lQf encrypted
hostname CP501FW
domain-name #############
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list allow_icmp permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.253 255.0.0.0
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.0.0.150 192.168.0.1 netmask 255.255.255.255 0 0
access-group allow_icmp in interface outside
rip outside passive version 1
rip outside default version 1
rip inside passive version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 outside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:00000000000000000000000000000000
: end
CP501FW#
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
269
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
286
Johnkite
Johnkite
sudhakar346
  • Locked
  • Question
Cisco ASA inside to DMZ issue over public IP
Replies
2
Views
96
kythri
kythri
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
233
nnaarrnn
nnaarrnn
shmideo
  • Locked
  • Question
How to set up a wireless LAN on X5 interface TZ500
Replies
1
Views
81
shmideo
shmideo

Part and Inventory Search

Sponsor

Back
Top