
DMZ3 to inside?


pixboy

MIS
Nov 21, 2001
This should be easy, but I can't get it to work. I have a PIX 520 -- version 5.2(1) -- with six interfaces (outside, inside, dmz1, dmz2, dmz3 and dmz4). We use five of them (everything but dmz4). I recently stuck a new server in dmz3, making it the first machine in that area. For some reason, I can't get it to make a connection from that machine to anything on the inside. I can go from inside to dmz3 with no problem.

The Cisco documentation says to use a static to enable traffic to start from a lower-security interface to a higher-security interface. (inside = 100, dmz3 = 40) So here's what I have tried:

static (inside,dmz3) 10.1.3.254 10.1.4.5 netmask 255.255.255.255 0 0
static (inside,dmz3) 10.1.3.253 10.1.4.6 netmask 255.255.255.255 0 0

The server in dmz3 is a Win2K machine with two NICs -- 10.1.4.5 and 10.1.4.6. The inside interface has the 10.1.3.0/24 block, hence the 10.1.3.254 and .253 statics. This does not work at all. The syslog shows things like "Deny inbound icmp src dmz3:10.1.4.6 dst inside:10.1.3.59 (type 8, code 0)" when I tried to ping a machine on the inside from that Win2K server. It also shows "Deny inbound udp src dmz3:10.1.4.5/138 dst inside:10.1.3.20/138" when that server tries to access the NT PDC for our domain.

I've tried reversing the IPs in the static listed above, but that doesn't work either.

Any ideas????

Thanks.

Dan
 
HI.

What's the idea of placing the server in dmz3, if it can access the whole inside network?

Or do you need access from dmz3 to a specific server and port on the inside?

Using STATIC is the solution for accessing a specific server that is in the higher security side (the opposite of your scenario).

You can try the following instead of static (I'm not sure if it will work):

=== Disable nat from dmz3 to inside ===
access-list nonat permit ip host 10.1.4.5 10.1.3.0 255.255.255.0
access-list nonat permit ip host 10.1.4.6 10.1.3.0 255.255.255.0
nat (dmz3) 0 access-list nonat

=== Permit traffic (override ASA security levels) ===
access-list fromdmz3 permit ip host 10.1.4.5 10.1.3.0 255.255.255.0
access-list fromdmz3 permit ip host 10.1.4.6 10.1.3.0 255.255.255.0
access-group fromdmz3 in interface dmz3

=== OR: ===
=== Permit traffic (override ASA security levels) ===
conduit permit ip 10.1.3.0 255.255.255.0 host 10.1.4.5
conduit permit ip 10.1.3.0 255.255.255.0 host 10.1.4.6

============

Again, you should reconsider your security and network design. The main idea behind a dmz is the limited access toward the LAN.

Bye

Yizhar Hurwitz
 
The server in question does at least need to be able to communicate with DCs that are in the inside zone. Maybe this is a stupid question, but is that poor network design? So far, the other two DMZs only have (I think) Solaris and HP-UX boxes, so that's not been an issue.

This Win2K server has a static address on the outside, and the 10.1.4.5 and .6 addresses on its two NICs. (The outside static is only assigned to .5. Eventually, I'm sure it'll have another outside static for .6, but that's down the road.)
 
HI.

Let me guess, Outlook Web Access?
Anyway, if it's going to be a web-server, make sure you patch and lock it well, and consider it as a possible door for intruders (access from outside to server, and access from server to inside DC).

In that case, you can configure the pix like this.
I will assume that the internal DC server is 10.1.3.5:

static (inside,dmz3) 10.1.4.235 10.1.3.5
access-list fromdmz3 permit ip host 10.1.4.5 host 10.1.4.235
access-list fromdmz3 permit ip host 10.1.4.6 host 10.1.4.235
access-group fromdmz3 in interface dmz3

or
static (inside,dmz3) 10.1.4.235 10.1.3.5
conduit permit ip host 10.1.4.235 host 10.1.4.5
conduit permit ip host 10.1.4.235 host 10.1.4.6

You can limit access to specific ports, of course.

Read these, they might not be the exact situation you have, but still can give good info:

Bye
Yizhar Hurwitz
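To make the rule in the replies above concrete, here is an added example (not from the thread, nor Cisco code): a small Python model of how a PIX 5.x decides a flow that crosses from a lower-security interface to a higher one. It is a deliberate simplification (an assumption, not the real PIX engine) that checks only the two things the replies mention, a static for the destination and a conduit permitting the sender, using the thread's own addresses and security levels.

```python
from ipaddress import ip_address, ip_network

# Security levels as stated in the thread (outside is the PIX default of 0).
SECURITY = {"outside": 0, "dmz3": 40, "inside": 100}


class PixPolicy:  # simplified model (assumption), not the real PIX evaluation order
    def __init__(self):
        self.statics = {}    # global_ip -> (higher-security interface, local_ip)
        self.conduits = []   # (proto, global_net, foreign_net); foreign = the sender

    def static(self, high_if, global_ip, local_ip):
        # static (high_if,low_if) global_ip local_ip
        self.statics[ip_address(global_ip)] = (high_if, ip_address(local_ip))

    def conduit(self, proto, global_net, foreign_net):
        # conduit permit proto <global> <foreign>; "any" is written as 0.0.0.0/0
        self.conduits.append((proto, ip_network(global_net), ip_network(foreign_net)))

    def check(self, src_if, dst_if, proto, src, dst):
        """Return (allowed, message); dst is the address the sender put in the packet."""
        src, dst = ip_address(src), ip_address(dst)
        if SECURITY[src_if] >= SECURITY[dst_if]:
            return True, "higher-to-lower: permitted by default"
        deny = f"Deny inbound {proto} src {src_if}:{src} dst {dst_if}:{dst}"
        entry = self.statics.get(dst)
        if entry is None or entry[0] != dst_if:
            return False, deny + " (no static for destination)"
        for c_proto, c_dst, c_src in self.conduits:
            if c_proto in (proto, "ip") and dst in c_dst and src in c_src:
                return True, f"permitted by conduit, translated to {dst_if}:{entry[1]}"
        return False, deny + " (no conduit permits it)"


def demo():
    p = PixPolicy()
    p.conduit("icmp", "0.0.0.0/0", "0.0.0.0/0")   # the existing "conduit permit icmp any any"
    # Ping to a real inside address: no static exists for it, so the icmp conduit cannot help.
    ping_real = p.check("dmz3", "inside", "icmp", "10.1.4.6", "10.1.3.59")
    # The second suggestion, narrowed to tcp: static for the DC plus one conduit for NIC .5
    p.static("inside", "10.1.4.235", "10.1.3.5")
    p.conduit("tcp", "10.1.4.235/32", "10.1.4.5/32")
    return {
        "ping_real_inside_ip": ping_real[0],                                                 # False
        "dc_tcp_from_nic5": p.check("dmz3", "inside", "tcp", "10.1.4.5", "10.1.4.235")[0],  # True
        "dc_udp_from_nic5": p.check("dmz3", "inside", "udp", "10.1.4.5", "10.1.4.235")[0],  # False
        "dc_tcp_from_nic6": p.check("dmz3", "inside", "tcp", "10.1.4.6", "10.1.4.235")[0],  # False
        # the broad icmp any/any conduit now reaches the DC through its static
        "ping_static": p.check("dmz3", "inside", "icmp", "10.1.4.6", "10.1.4.235")[0],      # True
        "inside_to_dmz3": p.check("inside", "dmz3", "tcp", "10.1.3.20", "10.1.4.5")[0],     # True
    }
```

The last two results show the defender's point of the thread: a static plus a wide conduit (here the pre-existing icmp any/any) opens more than intended, so conduits for the DC should be limited to the protocol and ports the server actually needs.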
 
I tried the latter idea you listed (with conduits, just to keep with the others we have), but that doesn't seem to work just yet. I've added conduits for both tcp and ip, but can't ping. (There's a "conduit permit icmp any any" in there already, but that doesn't seem to allow it through.) Is there something equivalent to "conduit permit any host 10.1.4.254 host 10.1.4.5"? There's no protocol "any", says the Pix when I try that. I just want to see if I can get this to work and then scale back from there. Then again, as you mentioned, maybe all this is completely unneeded!

Thanks!

Dan
 
In thinking further about the issue, I decided it isn't necessary for the server in DMZ3 to make a connection with something on the inside. It can still initiate outside connections just fine, and that's all it really needs. Thanks for helping me straighten this out!

Dan
 