
Help allowing traffic to go from DMZ to Internet


fieryhail

IS-IT--Management
Mar 12, 2010
92
I am trying to configure a PIX 525 with PIX OS 8.0.4.

I have a DMZ setup (DMZ-IBM) which holds my Domino servers. I have created static NAT entries and ACLs applied to the outside interface in the "in" direction, and traffic matching the criteria I set gets into the servers just fine. There is, however, no internet access from servers in that DMZ, as well as no outbound SMTP. I am very new to PIX/ASA devices; this is my first time, actually. When I run a packet-tracer I get the end result that traffic is dropped due to an ACL. I believe this must be an implicit rule. Any help in getting the servers in this DMZ to be able to access the Internet would be very, very much appreciated.

I'm posting a scrubbed config, hopefully that will help out also. My goal in this scenario is to enable internet access from servers in DMZ-IBM.

PIX Version 8.0(4)
!
hostname pix
domain-name rcserveny.com



names
!
interface Ethernet0
nameif outside
security-level 0
ip address 96.xx.xx.174 255.255.255.248
!
interface Ethernet1
nameif DMZ1
security-level 50
ip address 192.168.30.1 255.255.255.248
!
interface Ethernet2
speed 100
duplex full
nameif DMZ-ESX
security-level 80
ip address 192.168.50.1 255.255.255.248
!
interface Ethernet3
speed 100
duplex full
nameif DMZ-IBM
security-level 60
ip address 192.168.10.1 255.255.255.240
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name rcserveny.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list nonnat_inside_DMZ1 extended permit ip 10.0.0.0 255.0.0.0 192.168.30.0 255.255.255.0
access-list nonnat_inside_DMZ1 extended permit ip any 10.1.1.0 255.255.255.192
access-list nonnat_inside_DMZ1 extended permit ip host 10.1.1.1 10.1.1.0 255.255.255.192
access-list nonnat_inside_DMZ1 extended permit ip 10.0.0.0 255.0.0.0 192.168.112.0 255.255.248.0
access-list nonnat_inside_DMZ1 extended permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.192
access-list DMZ1_IN extended permit ip interface inside interface DMZ1
access-list DMZ1_IN extended permit tcp host 192.168.30.2 any eq www
access-list DMZ1_IN extended permit icmp host 192.168.30.2 any
access-list DMZ1_IN extended permit ip host 192.168.30.2 any
access-list DMZ1_IN extended permit ip 10.1.1.0 255.255.255.0 192.168.30.0 255.255.255.248
access-list DMZ1_IN extended permit icmp any any
access-list DMZ1_IN extended permit ip 10.0.0.0 255.0.0.0 192.168.30.0 255.255.255.248
access-list INSIDE_IN extended permit ip 10.0.0.0 255.0.0.0 any
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.240
access-list OUTSIDE_IN extended deny ip 0.0.0.0 255.0.0.0 any
access-list OUTSIDE_IN extended deny ip 10.0.0.0 255.0.0.0 any
access-list OUTSIDE_IN extended deny ip 127.0.0.0 255.0.0.0 any
access-list OUTSIDE_IN extended deny ip 172.16.0.0 255.240.0.0 any
access-list OUTSIDE_IN extended deny ip 192.168.0.0 255.255.0.0 any
access-list OUTSIDE_IN extended deny ip 224.0.0.0 224.0.0.0 any
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.171 eq www
access-list OUTSIDE_IN extended permit icmp any host 96.xx.xx.171
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.171 eq 420
access-list OUTSIDE_IN extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.30.2 eq www
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq pop3
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq imap4
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq ldap
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 580
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 581
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq lotusnotes
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 1433
access-list OUTSIDE_IN extended permit udp any host 96.xx.xx.172 eq 1433
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 1516
access-list OUTSIDE_IN extended permit udp any host 96.xx.xx.172 eq 1516
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 2080
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 3891
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 3903
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 7080
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 7090
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 7092
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 7443
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 7444
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 8642
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 11099
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 11100
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 18180
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 18443
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.171 eq ldap
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.171 eq https
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.171 eq lotusnotes



access-list DMZ1_nat0_outbound extended permit ip 192.168.30.0 255.255.255.248 10.1.1.0 255.255.255.192
access-list DMZ-ESX_IN extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.248
access-list DMZ-ESX_IN extended permit ip interface inside interface DMZ-ESX
access-list nonnat_inside_DMZ-ESX extended permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.248
access-list nonnat_inside_DMZ-ESX extended permit ip any 10.1.1.0 255.255.255.192
access-list nonnat_inside_DMZ-ESX extended permit ip host 10.1.1.1 10.1.1.0 255.255.255.192
access-list nonnat_inside_DMZ-ESX extended permit ip 10.0.0.0 255.0.0.0 192.168.112.0 255.255.248.0
access-list nonnat_inside_DMZ-ESX extended permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.192
access-list DMZ-IBM_IN extended permit ip interface inside interface DMZ-IBM
access-list DMZ-IBM_IN extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.240
access-list DMZ-IBM_IN extended permit tcp host 192.168.10.2 any eq smtp
pager lines 24
logging enable
logging monitor emergencies
logging asdm informational
logging host inside 10.1.1.101

mtu inside 1500
mtu outside 1500
mtu DMZ1 1500
mtu DMZ-ESX 1500
mtu DMZ-IBM 1500
ip local pool internal 10.1.1.31-10.1.1.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list nonnat_inside_DMZ1
nat (inside) 101 0.0.0.0 0.0.0.0
nat (DMZ1) 0 access-list DMZ1_nat0_outbound
static (DMZ1,outside) tcp 96.56.78.171 420 192.168.30.2 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 smtp 192.168.10.2 smtp netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 pop3 192.168.10.2 pop3 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 imap4 192.168.10.2 imap4 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 ldap 192.168.10.2 ldap netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 580 192.168.10.6 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 581 192.168.10.6 https netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 lotusnotes 192.168.10.2 lotusnotes netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 1433 192.168.10.2 1433 netmask 255.255.255.255
static (DMZ-IBM,outside) udp 96.56.78.172 1433 192.168.10.2 1433 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 1516 192.168.10.2 1516 netmask 255.255.255.255
static (DMZ-IBM,outside) udp 96.56.78.172 1516 192.168.10.2 1516 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 2080 192.168.10.2 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 2443 192.168.10.2 https netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 3891 192.168.10.2 3891 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 3903 192.168.10.2 3903 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 7080 192.168.10.6 7080 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 7090 192.168.10.6 7090 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 7092 192.168.10.6 7092 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 7443 192.168.10.6 7443 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 8642 192.168.10.6 8642 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 11099 192.168.10.6 11099 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 11100 192.168.10.6 11100 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 18180 192.168.10.6 18180 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 18443 192.168.10.6 18443 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.171 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.171 ldap 192.168.10.4 ldap netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.171 https 192.168.10.4 https netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.171 lotusnotes 192.168.10.4 lotusnotes netmask 255.255.255.255
static (inside,DMZ-ESX) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (inside,DMZ-IBM) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
access-group DMZ1_IN in interface DMZ1
access-group DMZ-ESX_IN in interface DMZ-ESX
access-group DMZ-IBM_IN in interface DMZ-IBM
route outside 0.0.0.0 0.0.0.0 96.xx.xx.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact



ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.101-10.1.1.200 inside
dhcpd dns xx.xx.xx.138 xx.xx.xx.4 interface inside
dhcpd domain rcserveny.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept



!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect esmtp
!
service-policy global_policy global
prompt hostname context
: end
 
add:

nat (DMZ-IBM) 101 192.168.10.0 255.255.255.240
access-list DMZ-IBM_IN extended permit tcp any any eq 80

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thank you for the reply. I tried this, also cleared the xlate, but still no success. Not sure why.
 
When I modified that statement (after adding in the nat (DMZ-IBM) 101 192.168.10.0 255.255.255.240) to access-list DMZ-IBM_IN extended permit ip any any, then traffic flowed. While this is a working config, my question now is whether it is a "safe" config. Should I attempt to more finely narrow the traffic permitted to go out from that server? In short, what I am wondering is whether using "ip any any" is a bad idea, which my gut tells me it is, and, that being the case, any suggestions on how to make it better? Thank you in advance.
 
Thank you again, Unclerico, your help started me on a new thought process. I have now enabled selective access outbound from the necessary servers using a series of statements such as:

access-list DMZ-IBM_IN extended permit udp host 192.168.10.2 host 167.206.112.138 eq domain
access-list DMZ-IBM_IN extended permit udp host 192.168.10.4 host xx.xx.xx.138 eq domain
access-list DMZ-IBM_IN extended permit udp host 192.168.10.6 host xx.xx.xx.138 eq domain
access-list DMZ-IBM_IN extended permit tcp host 192.168.10.2 any eq www
access-list DMZ-IBM_IN extended permit tcp host 192.168.10.4 any eq www
access-list DMZ-IBM_IN extended permit tcp host 192.168.10.2 any eq https
access-list DMZ-IBM_IN extended permit tcp host 192.168.10.4 any eq https
access-list DMZ-IBM_IN extended permit tcp host 192.168.10.2 any eq smtp
access-list DMZ-IBM_IN extended deny ip any any log
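As an added illustration (not code from the thread, from Cisco, or from the poster's firewall), the script below is a small first-match evaluator for the PIX-style `access-list ... extended` lines discussed in this thread. It reproduces the two behaviours the thread turns on: an ACL bound to an interface with `access-group` ends in an implicit deny, so an outbound flow that matches no permit entry is dropped (the original packet-tracer symptom), and `permit ip any any` matches everything. It does not model the NAT side of the fix (`nat (DMZ-IBM) 101 ...`), only ACL matching. The ACL entries are those posted above, with two changes: the `interface inside interface DMZ-IBM` entry is omitted because it refers to the firewall's own interface addresses, and the DNS server address is replaced by a documentation-range placeholder. All flow endpoints in the sample run are constructed.

```python
"""First-match evaluator for PIX/ASA-style extended ACL lines (added example)."""
import ipaddress

# Service names used in the thread's ACLs, mapped to port numbers.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "domain": 53,
              "pop3": 110, "ldap": 389}

# Placeholder (TEST-NET-3) standing in for the scrubbed DNS server address.
DNS_SERVER = "203.0.113.53"

# The DMZ-IBM_IN ACL as originally posted (interface-keyword entry omitted).
ORIGINAL_ACL = [
    "access-list DMZ-IBM_IN extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.240",
    "access-list DMZ-IBM_IN extended permit tcp host 192.168.10.2 any eq smtp",
]

# The interim "working but wide open" version from the thread.
ANY_ANY_ACL = ["access-list DMZ-IBM_IN extended permit ip any any"]

# The final per-host version from the thread, ending in an explicit logged deny.
FINAL_ACL = [
    f"access-list DMZ-IBM_IN extended permit udp host 192.168.10.2 host {DNS_SERVER} eq domain",
    f"access-list DMZ-IBM_IN extended permit udp host 192.168.10.4 host {DNS_SERVER} eq domain",
    f"access-list DMZ-IBM_IN extended permit udp host 192.168.10.6 host {DNS_SERVER} eq domain",
    "access-list DMZ-IBM_IN extended permit tcp host 192.168.10.2 any eq www",
    "access-list DMZ-IBM_IN extended permit tcp host 192.168.10.4 any eq www",
    "access-list DMZ-IBM_IN extended permit tcp host 192.168.10.2 any eq https",
    "access-list DMZ-IBM_IN extended permit tcp host 192.168.10.4 any eq https",
    "access-list DMZ-IBM_IN extended permit tcp host 192.168.10.2 any eq smtp",
    "access-list DMZ-IBM_IN extended deny ip any any log",
]


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]; return (network, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX uses a plain subnet mask here, not a wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT] [log]'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    name, action, proto = t[1], t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
        i += 2
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port, "log": "log" in t[i:]}


def evaluate(acl_lines, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation of one flow. Returns (action, matched_line).

    A flow that matches no entry hits the implicit deny at the end of every
    interface ACL, reported here as ('deny', None).
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dst_port:
            continue
        return ace["action"], line
    return "deny", None


if __name__ == "__main__":
    # Constructed flows: a DMZ-IBM host reaching a public web server (198.51.100.10)
    # and the placeholder DNS server. Compare the three ACL versions side by side.
    flows = [("tcp", "192.168.10.2", "198.51.100.10", 80),
             ("tcp", "192.168.10.2", "198.51.100.10", 25),
             ("tcp", "192.168.10.4", "198.51.100.10", 25),
             ("udp", "192.168.10.6", DNS_SERVER, 53)]
    for label, acl in (("original", ORIGINAL_ACL), ("ip any any", ANY_ANY_ACL), ("final", FINAL_ACL)):
        for flow in flows:
            action, matched = evaluate(acl, *flow)
            print(f"{label:10} {flow[0]} {flow[1]} -> {flow[2]}:{flow[3]}  {action}"
                  f"  ({'implicit deny' if matched is None else matched.split('extended ')[1]})")
```

Running it shows why the original ACL dropped web traffic from 192.168.10.2 (no permit matches port 80, so the implicit deny applies), why `ip any any` lets a host that should only ever talk to DNS open outbound SMTP, and how the final list restricts each host to the services it needs while the trailing `deny ip any any log` turns every other attempt into a syslog line you can watch for.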
 
Yes, your last post is how I manage access outbound from my networks also. Explicitly permitting traffic increases your administrative overhead, but it's worth it in the end. Glad you got it working.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 