Hi all,
Have problem here and would appreciate anyone's help.
Scenario:
Cisco pix 515 w/ 3 int
MS ISA server w/ 2 int (one in dmz, one in lan)
currently 1 public IP via cable modem (possibly might get a second one from ISP - pending)
setup:
Inet -> Pix -> network 192.168.3.0/24
|
DMZ 192.168.4.0/24
|
MS ISA 192.168.4.244
MS ISA 192.168.3.199 (connected to inside LAN)
because of nat/pat issues I have access-list/static problems translating the isa server obviously for any other ports/services not in my static translation tables.
I want to send all port 80/443 traffic from Outside through PIX into ISA and let ISA do header checks and redirect to all my webservers. I have 3 other MS OWA Exchange web servers I need access to in addition to a regular web server. When I add a static NAT for port 80 to ISA in dmz it locks it from building any other port connections outbound.
I need users to go outbound through ISA for caching and content filtering control. If users try to proxy through ISA - translation problems because I have a static NAT from Outside to dmz ISA reserved already. PAT won't allow for the dynamic ports ISA tries to use to get out on the web for users.
I can't specify port ranges on PIX for static NAT statements.
I would like to just have PIX control inbound layer 4 filtering for me and forward PPTP and web requests to ISA server in DMZ. There it can do header checks and redirects for all my internal web servers while providing outbound Inet access for users and caching. Help!
Here's my "current" config. I've been trying different things so it may be a bit sloppy. Please help.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
!
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
!
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxx encrypted
hostname mypix
domain-name mydomain.com
!
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
!
names
name 192.168.3.252 spamassassin
name 192.168.3.201 server2b
name 192.168.1.242 st2
name 192.168.5.242 marlboro2
name 192.168.3.244 server4
name 192.168.3.199 rmweb
name 192.168.4.244 rmweb-dmz
name 192.168.0.0 Internal-LAN
name 192.168.3.203 webserver
!
object-group network webservers
network-object server2b 255.255.255.255
network-object server4 255.255.255.255
network-object rmweb-dmz 255.255.255.255
network-object st2 255.255.255.255
network-object marlboro2 255.255.255.255
!
object-group network remote-access
network-object rmweb 255.255.255.255
!
object-group service web-access tcp
port-object eq https
port-object eq www
!
object-group service remote-auth tcp
port-object eq pptp
!
object-group network Internal-LAN
network-object Internal-LAN 255.255.255.255
!
access-list Inbound remark *********************************
access-list Inbound remark Rulebase to allow Inet traffic in
access-list Inbound remark *********************************
access-list Inbound permit icmp any any echo-reply
access-list Inbound permit icmp any any source-quench
access-list Inbound permit icmp any any unreachable
access-list Inbound permit icmp any any time-exceeded
access-list Inbound permit tcp any any object-group remote-auth
access-list Inbound permit tcp any any object-group web-access
access-list Inbound permit tcp any any eq smtp
access-list Inbound permit gre any any
access-list Inbound permit esp any any
access-list Inbound deny ip any any
!
access-list Dmz remark ******************************
access-list Dmz remark Rulebase for DMZ server access
access-list Dmz remark ******************************
access-list Dmz permit tcp any host rmweb-dmz eq pptp
access-list Dmz permit tcp any host rmweb-dmz eq www
access-list Dmz permit tcp any host rmweb-dmz eq https
access-list Dmz permit tcp host rmweb-dmz any
access-list Dmz permit udp host rmweb-dmz any
access-list Dmz deny ip any any
!
access-list Outbound remark ************************************
access-list Outbound remark General Outbound Inet rule for users
access-list Outbound remark ************************************
access-list Outbound permit gre any any
access-list Outbound permit tcp any any eq pptp
access-list Outbound permit udp any any
access-list Outbound permit ip any any
access-list Outbound deny ip any any
!
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
!
ip address outside dhcp setroute
ip address inside 192.168.3.254 255.255.255.0
ip address dmz 192.168.4.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
!
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 192.168.4.0 255.255.255.0 0 0
!
static (inside,outside) tcp interface smtp spamassassin smtp netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface pptp rmweb-dmz pptp netmask 255.255.255.255 0 0
static (dmz,outside) udp interface domain rmweb-dmz domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface https webserver https netmask 255.255.255.255 0 0
!
access-group Inbound in interface outside
access-group Outbound in interface inside
access-group Dmz in interface dmz
!
route inside 10.15.18.0 255.255.255.0 192.168.3.251 1
route inside 192.168.1.0 255.255.255.0 192.168.3.251 1
route inside 192.168.5.0 255.255.255.0 192.168.3.251 1
!
timeout xlate 2:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
!
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
!
no snmp-server location
no snmp-server contact
snmp-server community tin2bu4a!
no snmp-server enable traps
!
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
!
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
banner motd ***************************************************************************
banner motd
banner motd Access to this device is limited to authorized personnel only.
banner motd Any unauthorized connection to this device will be construed as
banner motd purposeful criminal intent, and will be handled accordingly.
banner motd We will prosecute to the fullest extent of the law!
banner motd
banner motd ***************************************************************************
Cryptochecksum:245805754246dceb2ea63af0848b7c98
Have problem here and would appreciate anyone's help.
Scenario:
Cisco pix 515 w/ 3 int
MS ISA server w/ 2 int (one in dmz, one in lan)
currently 1 public IP via cable modem (possibly might get a second one from ISP - pending)
setup:
Inet -> Pix -> network 192.168.3.0/24
|
DMZ 192.168.4.0/24
|
MS ISA 192.168.4.244
MS ISA 192.168.3.199 (connected to inside LAN)
because of nat/pat issues I have access-list/static problems translating the isa server obviously for any other ports/services not in my static translation tables.
I want to send all port 80/443 traffic from Outside through PIX into ISA and let ISA do header checks and redirect to all my webservers. I have 3 other MS OWA Exchange web servers I need access to in addition to a regular web server. When I add a static NAT for port 80 to ISA in dmz it locks it from building any other port connections outbound.
I need users to go outbound through ISA for caching and content filtering control. If users try to proxy through ISA - translation problems because I have a static NAT from Outside to dmz ISA reserved already. PAT won't allow for the dynamic ports ISA tries to use to get out on the web for users.
I can't specify port ranges on PIX for static NAT statements.
I would like to just have PIX control inbound layer 4 filtering for me and forward PPTP and web requests to ISA server in DMZ. There it can do header checks and redirects for all my internal web servers while providing outbound Inet access for users and caching. Help!
Here's my "current" config. I've been trying different things so it may be a bit sloppy. Please help.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
!
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
!
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxx encrypted
hostname mypix
domain-name mydomain.com
!
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
!
names
name 192.168.3.252 spamassassin
name 192.168.3.201 server2b
name 192.168.1.242 st2
name 192.168.5.242 marlboro2
name 192.168.3.244 server4
name 192.168.3.199 rmweb
name 192.168.4.244 rmweb-dmz
name 192.168.0.0 Internal-LAN
name 192.168.3.203 webserver
!
object-group network webservers
network-object server2b 255.255.255.255
network-object server4 255.255.255.255
network-object rmweb-dmz 255.255.255.255
network-object st2 255.255.255.255
network-object marlboro2 255.255.255.255
!
object-group network remote-access
network-object rmweb 255.255.255.255
!
object-group service web-access tcp
port-object eq https
port-object eq www
!
object-group service remote-auth tcp
port-object eq pptp
!
object-group network Internal-LAN
network-object Internal-LAN 255.255.255.255
!
access-list Inbound remark *********************************
access-list Inbound remark Rulebase to allow Inet traffic in
access-list Inbound remark *********************************
access-list Inbound permit icmp any any echo-reply
access-list Inbound permit icmp any any source-quench
access-list Inbound permit icmp any any unreachable
access-list Inbound permit icmp any any time-exceeded
access-list Inbound permit tcp any any object-group remote-auth
access-list Inbound permit tcp any any object-group web-access
access-list Inbound permit tcp any any eq smtp
access-list Inbound permit gre any any
access-list Inbound permit esp any any
access-list Inbound deny ip any any
!
access-list Dmz remark ******************************
access-list Dmz remark Rulebase for DMZ server access
access-list Dmz remark ******************************
access-list Dmz permit tcp any host rmweb-dmz eq pptp
access-list Dmz permit tcp any host rmweb-dmz eq www
access-list Dmz permit tcp any host rmweb-dmz eq https
access-list Dmz permit tcp host rmweb-dmz any
access-list Dmz permit udp host rmweb-dmz any
access-list Dmz deny ip any any
!
access-list Outbound remark ************************************
access-list Outbound remark General Outbound Inet rule for users
access-list Outbound remark ************************************
access-list Outbound permit gre any any
access-list Outbound permit tcp any any eq pptp
access-list Outbound permit udp any any
access-list Outbound permit ip any any
access-list Outbound deny ip any any
!
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
!
ip address outside dhcp setroute
ip address inside 192.168.3.254 255.255.255.0
ip address dmz 192.168.4.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
!
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 192.168.4.0 255.255.255.0 0 0
!
static (inside,outside) tcp interface smtp spamassassin smtp netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface pptp rmweb-dmz pptp netmask 255.255.255.255 0 0
static (dmz,outside) udp interface domain rmweb-dmz domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface https webserver https netmask 255.255.255.255 0 0
!
access-group Inbound in interface outside
access-group Outbound in interface inside
access-group Dmz in interface dmz
!
route inside 10.15.18.0 255.255.255.0 192.168.3.251 1
route inside 192.168.1.0 255.255.255.0 192.168.3.251 1
route inside 192.168.5.0 255.255.255.0 192.168.3.251 1
!
timeout xlate 2:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
!
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
!
no snmp-server location
no snmp-server contact
snmp-server community tin2bu4a!
no snmp-server enable traps
!
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
!
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
banner motd ***************************************************************************
banner motd
banner motd Access to this device is limited to authorized personnel only.
banner motd Any unauthorized connection to this device will be construed as
banner motd purposeful criminal intent, and will be handled accordingly.
banner motd We will prosecute to the fullest extent of the law!
banner motd
banner motd ***************************************************************************
Cryptochecksum:245805754246dceb2ea63af0848b7c98