
HELP - HAVING A ROUTING ISSUE

Jan 31, 2002
Here's my situation. I'm running a PIX 506e and now I need a DMZ. Since the 506e does not have a true DMZ, I rigged one up. I placed a 4-port hub between the PIX and my 2600 router connected to my ISP. I've got a server on the outside that needs to communicate with certain systems on the inside. I'd like to do so without having to give a static public address for each box in the PIX.

Here's my setup:

* Inside LAN is setup for a 172.16.1.0 network

* Our public addresses are a x.x.x.192/28

* The box on the outside is x.x.x.197 (default gateway is the Internet router)

* Internet router is x.x.x.193

* Pix is x.x.x.194

I can get to the box fine from the inside, but can not get back from that box.

I'd really love to give the machines in the DMZ (if that is what you can call it) private IP addresses (192.168.254.x).

I know this is not the best way to do it, but if this goes into production, I may be able to justify a PIX515.

Can one of you Cisco gurus help?

 
I would just put those servers on the inside (internal network) and use NAT & port redirection on the PIX instead of potentially compromising security with that rigged-up DMZ setup.

-gC-
 
As you already realize, this is not a recommended design and puts your internal network at risk. With that said...

The reason you can access the server from the inside network but cannot access the inside network from the server is that this is how the PIX's Adaptive Security Algorithm (ASA) works by default. A higher security level can access a lower security level (e.g. inside to outside) by default, but a lower security level cannot access a higher security level without specifically allowing it. You'll need to open a hole in the PIX to allow the server to access resources on the inside network.

Because you do not have a DMZ off the PIX, you will want to use your perimeter router to do some basic security. Since your server is very exposed, the opportunity to have the server compromised is fairly high, and since you will need to open a hole into your inside network, you are exposing your inside network via the compromised server to a high degree.

If you still choose to go forward with this, the following link will help you get going:

I don't know what application(s) your server is running, but moving the server to the inside network and then opening specific holes for the server would be a safer design; a true DMZ interface off the PIX is ideal. Here is a link to help with moving the server to the inside:

You have probably already done this but I would suggest hardening the server as much as possible.

Long message but hopefully that helps get you going.

pmays
ccie#8498
 
I think I may just drag the thing inside. I'm using the box as a Citrix NFUSE/Secure Gateway server. Ports 80 & 443 are opened on the perimeter router to that box. Then ports 80 & 1494 are open between that box and the Citrix farm.

I can make it work if I give the server I want to get to a static translation. I've got 5 servers in the farm plus the STA/CA. Only having 14 public IP addresses keeps me from doing that.

I'm not sure why this is not working. I'll post some of my config here tomorrow.
 
OK, I've got the box sitting outside the firewall. Its IP is x.x.x.197/28 and its gateway is x.x.x.193. For testing purposes, I am trying to reach our Intranet server.

x.x.x.193 is my internet router. I have the following route statement in place:

ip route 172.16.1.0 255.255.255.0 x.x.x.194

x.x.x.194 is my PIX. Just for a test, I'm trying to reach our Intranet server. Here's what I have in place:

access-list outside_access_in permit tcp host x.x.x.197 host 172.16.1.x eq www

What am I missing? This should work.
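The following PIX 6.x configuration is an added worked example, not taken from any post in this thread, showing the "hole" pmays describes and the piece the access-list attempt above does not include: a static translation, with the inbound ACL written against the global address rather than the 172.16.1.x address. It assumes a hypothetical Intranet server at 172.16.1.10, that x.x.x.195 is an unused address in the poster's x.x.x.192/28, and the interface names inside/outside. Lines beginning with ! are explanatory comments, not configuration.

```cisco
! --- Added example, not from the thread. Assumes 172.16.1.10 (hypothetical)
! --- is the Intranet server and x.x.x.195 is unused in x.x.x.192/28.
!
! 1. Give the inside host a global address. Without a static the PIX has no
!    translation to apply to an inbound SYN and drops it before any ACL is
!    consulted, which matches the symptom in the thread.
static (inside,outside) x.x.x.195 172.16.1.10 netmask 255.255.255.255 0 0
!
! 2. On a 6.x PIX the inbound ACL is matched against the GLOBAL address,
!    so the destination is x.x.x.195, not 172.16.1.10. Permit only the one
!    source host and the one port that is actually needed.
access-list outside_access_in permit tcp host x.x.x.197 host x.x.x.195 eq www
!
! 3. An access-list does nothing until it is bound to the interface.
access-group outside_access_in in interface outside
!
! Alternative when public addresses are scarce (gC's suggestion): redirect a
! port on the PIX's own outside address instead of spending one global IP
! per server. Requires PIX 6.0 or later. The ACL then names the outside
! address, x.x.x.194, as its destination.
static (inside,outside) tcp interface 80 172.16.1.10 80 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp host x.x.x.197 host x.x.x.194 eq www
!
! Checks:
!   show xlate        - the static appears as a translation slot
!   show access-list  - hit counts increase when x.x.x.197 connects
!   clear xlate       - after changing a static, so stale slots go away
! Note: x.x.x.197 should connect to x.x.x.195 (or x.x.x.194), which are on
! its own /28, so the "ip route 172.16.1.0 ..." on the router is not what
! carries this traffic; a packet addressed directly to 172.16.1.x arriving
! on the outside interface has no translation and is dropped.
```

The point a practitioner checks first is whether the ACL and the static refer to the same global address; an ACL that names the private address matches nothing on the outside interface, so the hit counter stays at zero even though the line looks right.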
