
Guru NEEDED ASAP


HUANGDI (Technical User)
Dec 30, 2002
PIX 520 PII 350/ 6.14/8FL/128M/DES/IPSec
3 Interfaces 100/Full

1 Outside/26
2 DMZ (Protected) 10.1.10.3/28
Websites 10.1.10.3-4
Websites 10.1.10.5-6
All static with conduit to outside (reg. URL/IPs) via 80 and 443 only.

3 Inside 192.168.10.8/27
DB1 192.168.10.3 needs to talk to both 10.1.10.3-4 via 1433 only
DB1 192.168.10.5 needs to talk to both 10.1.10.5-6 via 1433 only


Problem issue: I keep getting an overlap ERROR ("static overlaps") when I try to assign both pairs of websites (DMZ, lower) to DB1 and DB2 (inside, higher) respectively. How do I fix this, or is my config crap?

Thanks



 
Can you please post your config? It will help us.
-gbiello
 
HI gbiello

Please excuse the paranoia, but it is kind of like walking around naked for the first time. But here it is.

diagram

2600
|
PIX520
| |
CAT2924 -DMZ (vlanX)
|
Inside (vlanY)

Config PIX 520

ip address OUTSIDE 209.xx.xx.194 255.255.255.192
ip address inside 192.168.10.1 255.255.255.224
ip address DMZ 10.1.10.1 255.255.255.240

global (OUTSIDE) 1 209.xx.xx.203-209.xx.xx.224
global (inside) 1 192.168.10.3-192.168.10.30
nat (inside) 1 192.168.10.0 255.255.255.224 0 0
static (DMZ,OUTSIDE) 209.xx.xx.200 10.1.10.3 netmask 255.255.255.255 0 0
static (DMZ,OUTSIDE) 209.xx.xx.225 10.1.10.5 netmask 255.255.255.255 0 0
static (DMZ,OUTSIDE) 209.xx.xx.226 10.1.10.6 netmask 255.255.255.255 0 0
static (inside,OUTSIDE) 210.xx.xx.106 192.168.10.6 netmask 255.255.255.255 0 0
static (inside,OUTSIDE) 209.xx.xx.212 192.168.10.7 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.1.10.3 192.168.10.3 netmask 255.255.255.255 0 0
conduit permit tcp host 10.1.10.8 eq
conduit permit tcp any eq 10.1.10.3
conduit permit tcp any eq 10.1.10.5
conduit permit tcp any eq 10.1.10.6
conduit permit tcp any eq 443 host 10.1.10.3
conduit permit tcp any eq 443 host 10.1.10.5
conduit permit tcp any eq 443 host 10.1.10.6
conduit permit tcp host 210.xx.xx.106 eq h323 host 192.168.10.6
conduit permit tcp any eq 1620 host 192.168.10.7
conduit permit udp any eq 1620 host 192.168.10.7
route OUTSIDE 0.0.0.0 0.0.0.0 209.xx.xx.193 1

Objectives:
DB1 192.168.10.3 needs to talk to both 10.1.10.3-4 via 1433 only
DB1 192.168.10.5 needs to talk to both 10.1.10.5-6 via 1433 only
previously stated in the first post, and the following:

10.1.10.3-4 and 10.1.10.5-6 to all POP3 out of DMZ

192.168.10.6 to talk to 210.xx.xx.106 eq h323 only

192.168.10.10 to video conference and internet access

192.168.10.7 to IP FAX to and from anyone

192.168.10.8-30 all to access the internet and their email server host at their ISP site/Provider
 
HI.

What is the pix OS version?
Do you have PDM? What version?
Is this an existing production network, or something new your now testing?
The configuration seems strange to me, and if I'm correct then maybe you should start configuring the pix from scratch instead of fixing the current. For example:
What is this for?
> global (inside) 1 192.168.10.3-192.168.10.30

What are these for?
> static (inside,OUTSIDE) 210.xx.xx.106 192.168.10.6
> static (inside,OUTSIDE) 209.xx.xx.212 192.168.10.7

These are overlapping. Do not use the same ip 10.1.10.3 for different servers:
> static (DMZ,OUTSIDE) 209.xx.xx.200 10.1.10.3
> static (inside,DMZ) 10.1.10.3 192.168.10.3

Wrong syntax and wrong ip address:
> conduit permit tcp any eq 10.1.10.6

Here is an alternate partial configuration:
global (outside) 1 209.0.0.203
nat (inside) 1 192.168.10.0 255.255.255.224
static (dmz,outside) 209.xx.xx.200 10.1.10.3
static (dmz,outside) 209.xx.xx.225 10.1.10.5
static (dmz,outside) 209.xx.xx.226 10.1.10.6
static (inside,dmz) 10.1.10.13 192.168.10.3
static (inside,dmz) 10.1.10.15 192.168.10.5
access-list fromoutside permit tcp any host 209.xx.xx.200 eq 80
access-list fromoutside permit tcp any host 209.xx.xx.200 eq 443
access-list fromoutside permit tcp any host 209.xx.xx.225 eq 80
access-list fromoutside permit tcp any host 209.xx.xx.225 eq 443
access-list fromoutside permit tcp any host 209.xx.xx.226 eq 80
access-list fromoutside permit tcp any host 209.xx.xx.226 eq 443
access-group fromoutside in interface outside
access-list fromdmz permit tcp any host 10.1.10.13 eq 1433
access-list fromdmz permit tcp any host 10.1.10.15 eq 1433
access-list fromdmz deny ip any 10.1.10.0 255.255.255.240
access-list fromdmz permit ip any any
access-group fromdmz in interface dmz

Or if using conduits, here are some samples:
conduit permit tcp host 209.xx.xx.200 eq 80 any
conduit permit tcp host 209.xx.xx.200 eq 443 any
conduit permit tcp host 10.1.10.13 eq 1433 host 10.1.10.3

Bye
Yizhar Hurwitz
 
yizhar,

Facts: PIX 520 running 6.14, no PDM needed
This is to go into production in 6 days. FYI, I am a router guy, not a PIX guy, or I am just stupid. Hopefully the teacher can enlighten this poor student.

Websites in the DMZ are:
DMZ has a 10.1.10.3-8 255.255.255.240/28

10.1.10.3 mapped to a reg IP 209.xx.xx.200
10.1.10.4
both need to talk to anyone outside on 443 and 80, as well as POP3 to the outside only.
both need to talk to the same DB1/SQL with an inside address of 192.168.10.3 via 1433

10.1.10.5 mapped to a reg IP 209.xx.xx.225
10.1.10.6 mapped to a reg IP 209.xx.xx.226
both need to talk to anyone outside on 443 and 80, as well as POP3 to the outside only.
both need to talk to the same DB2/SQL with an inside address of 192.168.10.5 via 1433

Inside has 192.168.10.3-30 255.255.255.224/27

192.168.10.7 is a fax and needs to fax from and to anyone.
192.168.10.6 is an IP/PBX and has to statically map to 209.xx.xx.203 255.255.255.192/26 and talk to 210.xx.xx.106 via H.323 only.

192.168.10.10 needs to video conference to anyone

and from 192.168.10.8-30 they need to get email from 209.xx.xx.222 at the ISP and surf the internet.

I don't seem to get the 2 DMZ servers to DB1/SQL and the other 2 DMZ servers to DB2/SQL.

Thanks
 
Hey gbiello where did you go?????????

And Yizhar Hurwitz, Did you get my reply????????
 
HUANGDI,
Sorry, I've been busy and haven't had time to look at your problem.

10.1.10.4 - I believe this needs a static mapping to something, but I'm not sure what IP you want. Just follow the example for 10.1.10.3 and 10.1.10.5. You will need both a static mapping and access-list lines.

Yizhar has a typo in his fromdmz access list, 10.1.10.13 and 10.1.10.15 should be 10.1.10.3 and 10.1.10.5.

The global IP suggested is the same one as your IP/PBX. Instead, use "global (outside) 1 interface" for simplicity.

For the IP/PBX, you will need a static mapping like "static (inside,outside) 109.x.x.203 192.168.10.6". I have no idea what ports will be needed.

I have no idea what you mean by "255.255.255.192/26 and talk to 210.xx.xx.106 via H.323 only.".

Once these changes are made, lets start over fresh. If you still have issues, post a new config and state what you still need addressed.

-gbiello
 
gbiello


If we can concentrate on the

10.1.10.3 and 4 both on the DMZ to the inside 192.168.10.3 sql server I would be happy. I keep getting an overlapping error

I don't get this "global (outside) 1 interface" for simplicity.


 
"global (outside) 1 interface" uses the IP address of the outside interface as the global IP for PAT.

As Yizhar stated:
These are overlapping. Do not use the same ip 10.1.10.3 for different servers:
> static (DMZ,OUTSIDE) 209.xx.xx.200 10.1.10.3
> static (inside,DMZ) 10.1.10.3 192.168.10.3

You will need to change the 10.1.10.3 to something else on one of them. If you can't, try doing a "clear xlate" first.

-gbiello
 
gbiello

Here lies the problem

static 10.1.10.3 192.168.10.3 netmask 255.255.255.255 0 0
520-1(config)# static 10.1.10.4 192.168.10.3 netmask 255.255.255.255 0 0
ERROR: static overlaps with 10.1.10.3 to 192.168.10.3
Type help or '?' for a list of available commands.

here are the globals:
global (inside) 1 192.168.10.8-192.168.10.30
global (DMZ) 1 10.1.10.8-10.1.10.14

I have kept the global ranges short in order to eliminate the overlapping, but to no success.

I'm running 6.14. I provided the diagram as you requested earlier.

Appreciate some help, please.


 
HI.

> Yizhar has a typo in his fromdmz access list, 10.1.10.13
> and 10.1.10.15 should be 10.1.10.3 and 10.1.10.5
Nope. It's not a typo.
The idea is to use some address, which will not overlap and must not match an address of a real server in the DMZ.
However it conflicts with this:
> global (DMZ) 1 10.1.10.8-10.1.10.14
So you should change either the global (dmz) or the static (inside,dmz) so that nothing overlaps or conflicts.

I suggest that the global (dmz) statement will use only a single IP address (PAT). This is for internal hosts accessing the web servers:
> global (DMZ) 1 10.1.10.8
Or any other unused address in 10.1.10.X

The static (inside,dmz) statements will allow (in conjunction with a proper access-list) the web servers to access internal SQL servers.
The web servers will need to be configured to look for the SQL servers using the same IP address specified in the static mapping.
You can also use static with the same ip address, like this:

static (inside,dmz) 192.168.10.3 192.168.10.3
static (inside,dmz) 192.168.10.5 192.168.10.5

In that case the webserver will look for the SQL server using their internal ip address 192.168.10.X

After each change of nat,global,static commands, you should issue at the pix:
clear xlate

Here is a modified config from my previous post:
global (outside) 1 209.0.0.203
global (DMZ) 1 10.1.10.8
nat (inside) 1 192.168.10.0 255.255.255.0
static (dmz,outside) 209.xx.xx.200 10.1.10.3
static (dmz,outside) 209.xx.xx.225 10.1.10.5
static (dmz,outside) 209.xx.xx.226 10.1.10.6
static (inside,dmz) 192.168.10.3 192.168.10.3
static (inside,dmz) 192.168.10.5 192.168.10.5
access-list fromoutside permit tcp any 10.1.10.0 255.255.255.0 eq 80
access-list fromoutside permit tcp any 10.1.10.0 255.255.255.0 eq 443
access-group fromoutside in interface outside
access-list fromdmz permit tcp any host 192.168.10.3 eq 1433
access-list fromdmz permit tcp any host 192.168.10.5 eq 1433
access-list fromdmz deny ip any 192.168.10.0 255.255.255.0
access-list fromdmz permit ip any any
access-group fromdmz in interface dmz

> FYI,I am a router guy, not a PIX guy ...
Tip1: remember that pix uses subnet mask in access-list unlike IOS which uses "wildcard".
Tip2: Use access-list only and not the obsolete conduit command.
Tip3: Start new configuration from scratch, to eliminate left overs.

Bye
Yizhar Hurwitz
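The overlap rules argued out across this thread (one static per real host per interface pair, a mapped address that must not reuse a real DMZ host address, and a mapped address that must not land inside a global pool on the same interface) can be checked mechanically before the config is pasted into the PIX. The script below is an added example written for this thread, not code from any of the posts or from Cisco. It parses only `static` and `global` lines in PIX 6.x syntax; the two sample configs are constructed from the thread, with 203.0.113.x standing in for the masked 209.xx.xx.x public addresses.

```python
"""Flag the NAT address collisions behind PIX 6.x "ERROR: static overlaps".

Added example for this thread, not code from the posts. Three rules the
replies rely on: one translation per real host per interface pair, a mapped
address must not reuse a real host address on the interface it is presented
on, and a mapped address must not fall inside a global pool on that interface.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    high_if: str  # interface the real host lives on, e.g. "inside"
    low_if: str   # interface the mapped address is presented on, e.g. "dmz"
    mapped: str
    real: str


@dataclass(frozen=True)
class GlobalPool:
    iface: str
    start: str
    end: str  # same as start for a single-address PAT pool


# The (high,low) pair is optional on PIX 6.x and defaults to (inside,outside).
STATIC_RE = re.compile(
    r"^static\s+(?:\((?P<high>[^,]+),(?P<low>[^)]+)\)\s+)?(?P<mapped>\S+)\s+(?P<real>\S+)", re.I)
GLOBAL_RE = re.compile(
    r"^global\s+\((?P<iface>[^)]+)\)\s+\d+\s+(?P<start>[^\s-]+)(?:-(?P<end>\S+))?", re.I)


def parse_config(text):
    """Return (statics, pools) from the static/global lines of a pasted config."""
    statics, pools = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append(Static((m["high"] or "inside").lower(),
                                  (m["low"] or "outside").lower(),
                                  m["mapped"], m["real"]))
        elif m := GLOBAL_RE.match(line):
            try:
                ipaddress.ip_address(m["start"])
            except ValueError:
                continue  # "global (outside) 1 interface": PAT on the interface IP, no pool
            pools.append(GlobalPool(m["iface"].lower(), m["start"], m["end"] or m["start"]))
    return statics, pools


def in_pool(addr, pool):
    a = int(ipaddress.ip_address(addr))
    return int(ipaddress.ip_address(pool.start)) <= a <= int(ipaddress.ip_address(pool.end))


def find_conflicts(statics, pools):
    """Return human-readable conflicts; an empty list means the NAT table is consistent."""
    problems = []
    # Rule 1: the literal "static overlaps" error. A real host gets one mapped
    # address per interface pair, and a mapped address names one real host.
    for i, a in enumerate(statics):
        for b in statics[i + 1:]:
            if (a.high_if, a.low_if) != (b.high_if, b.low_if):
                continue
            if a.real == b.real and a.mapped != b.mapped:
                problems.append(f"static overlaps: {a.real} on {a.high_if} is already mapped "
                                f"to {a.mapped} on {a.low_if}; cannot add {b.mapped}")
            if a.mapped == b.mapped and a.real != b.real:
                problems.append(f"static overlaps: {a.mapped} on {a.low_if} already "
                                f"translates {a.real}; cannot reuse it for {b.real}")
    # Rule 2: a mapped address must not also be a real host on the low-side
    # interface (the 10.1.10.3 reuse flagged in the thread).
    real_hosts = {(s.high_if, s.real) for s in statics}
    for s in statics:
        if (s.low_if, s.mapped) in real_hosts:
            problems.append(f"{s.mapped} is the {s.low_if}-side address of {s.real} "
                            f"but is also a real host on {s.low_if}")
    # Rule 3: a mapped address must not sit inside a global pool on that
    # interface (10.1.10.13 versus global (DMZ) 10.1.10.8-10.1.10.14).
    for s in statics:
        for p in pools:
            if p.iface == s.low_if and in_pool(s.mapped, p):
                problems.append(f"{s.mapped} (static for {s.real}) falls inside "
                                f"global ({p.iface}) pool {p.start}-{p.end}")
    return problems


# Constructed samples; 203.0.113.x stands in for the masked 209.xx.xx.x addresses.
AS_POSTED = """
global (outside) 1 203.0.113.203-203.0.113.224
global (dmz) 1 10.1.10.8-10.1.10.14
static (dmz,outside) 203.0.113.200 10.1.10.3 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.225 10.1.10.5 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.10.3 192.168.10.3 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.10.4 192.168.10.3 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.10.13 192.168.10.5 netmask 255.255.255.255 0 0
"""
CORRECTED = """
global (outside) 1 interface
global (dmz) 1 10.1.10.8
static (dmz,outside) 203.0.113.200 10.1.10.3 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.225 10.1.10.5 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.10.3 192.168.10.3 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.10.5 192.168.10.5 netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"== {name}")
        for p in find_conflicts(*parse_config(cfg)) or ["no conflicts"]:
            print("  ", p)
```

Run against the "as posted" sample it reports exactly the three collisions the replies identified: the second static for 192.168.10.3 (the poster's attempt to add one static per web server, when a static describes the SQL host, not its clients), 10.1.10.3 reused as both a real DMZ server and the DMZ-side address of DB1, and 10.1.10.13 sitting inside the global (DMZ) pool. The "corrected" sample, which uses the identity statics from the last reply and PAT on the outside interface, reports nothing; which DMZ hosts may then reach port 1433 is left to the fromdmz access-list, and the PIX still needs a `clear xlate` after the change.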
 