need assistance: Cannot communicate from DMZ to Inside..

Status
Not open for further replies.

buskeyl

MIS
Apr 27, 2003
2
US
Hello all, this is my first post. I am going to try to state my question without giving too much info. Let me know if you need more. We have a new PIX, set up with a fairly straightforward implementation. Ethernet 0 is labeled "Outside", and is (of course) connected to our ISP. Ethernet 1 is labeled "inside", and we run a 10.10.10.x/24 network off that (all servers). Each 10.10.10.x address has a static translation to a valid routable IP address. Ethernet 2 is labeled "DMZ" and has a 192.168.1.x/24 network set up on it.

Now, I can get to the internet just fine from either hosts in the DMZ or hosts inside. But if I attempt to access a mail server in the DMZ from a host on the inside, it will not connect. WTH? If I attempt to make a connection to a host on the inside from the DMZ via ports that are open to the inside from the public, I cannot do it, but if I try to gain access from an internet-based host, I can get there.

Lee
 
Hmmmm, how can I answer that question, and not sound ignorant... Dunno. Probably not.

We have static translations set up on a one-for-one basis for our 10.10.10.x addresses to translate to our public addresses. And we have a number of incoming access list entries that send incoming traffic on certain IPs to certain interfaces (Inside or DMZ). But I don't quite know how to NAT 10.10.10.x to 192.168.1.x, especially when we are using DNS names. I could run a separate DNS zone for these, but I assumed that outbound traffic would translate from 10.10.10.x to the public address, hit the router one hop upline, and come back to the firewall as inbound traffic and get sent to the appropriate interface.

Here are the relevant sections of the config. I replaced our public addresses with xxx.xxx.x

Here is the current PIX configuration. I have highlighted the areas I am confused about.

: Written by enable_15 at 16:41:26.851 CDT Fri Apr 25 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
global (outside) 10 XXX.XXX.X.83-XXX.XXX.X.88
global (outside) 10 interface
global (DMZ) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) XXX.XXX.X.68 10.10.10.10 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.X.69 10.10.10.70 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.X.70 10.10.10.71 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.X.71 10.10.10.72 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.X.72 10.10.10.73 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.X.82 10.10.10.83 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.X.74 10.10.10.78 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.X.76 10.10.10.77 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.X.92 10.10.10.92 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.X.94 10.10.10.94 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.X.81 10.10.10.80 netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.X.67 10.10.10.11 netmask 255.255.255.255 0 0
static (DMZ,outside) XXX.XXX.X.93 192.168.1.93 netmask 255.255.255.255 0 0
static (DMZ,outside) XXX.XXX.X.91 192.168.1.91 netmask 255.255.255.255 0 0
static (DMZ,inside) XXX.XXX.X.93 192.168.1.93 netmask 255.255.255.255 0 0
static (DMZ,outside) XXX.XXX.X.90 192.168.1.90 netmask 255.255.255.255 0 0
static (DMZ,outside) XXX.XXX.X.73 192.168.1.73 netmask 255.255.255.255 0 0
static (DMZ,outside) XXX.XXX.X.78 192.168.1.78 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.10.10.80 10.10.10.80 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.10.10.73 10.10.10.73 netmask 255.255.255.255 0 0
static (DMZ,outside) XXX.XXX.X.88 192.168.1.88 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.10.10.83 10.10.10.83 netmask 255.255.255.255 0 0
conduit permit tcp host XXX.XXX.X.94 object-group MailServer any
conduit permit tcp host XXX.XXX.X.93 object-group MailServer any
conduit permit tcp host XXX.XXX.X.93 eq 3389 any
conduit permit tcp host XXX.XXX.X.78 eq 3389 any
conduit permit tcp host XXX.XXX.X.88 eq 3389 any
conduit permit tcp host XXX.XXX.X.91 object-group MailServer any
conduit permit tcp host XXX.XXX.X.91 eq 3389 any
conduit permit tcp host XXX.XXX.X.70 eq citrix-ica any
conduit permit tcp host XXX.XXX.X.71 eq citrix-ica any
conduit permit tcp host XXX.XXX.X.72 eq citrix-ica any
conduit permit tcp host XXX.XXX.X.81 eq citrix-ica any
conduit permit tcp host XXX.XXX.X.82 eq https any
conduit permit tcp host XXX.XXX.X.82 eq 3306 any
conduit permit tcp host XXX.XXX.X.82 eq citrix-ica any
conduit permit tcp host XXX.XXX.X.74 eq citrix-ica any
conduit permit tcp host XXX.XXX.X.74 eq https any
conduit permit tcp host XXX.XXX.X.82 eq conduit permit tcp host XXX.XXX.X.82 eq smtp any
conduit permit tcp host XXX.XXX.X.76 eq citrix-ica any
conduit permit tcp host XXX.XXX.X.81 eq https any
conduit permit tcp host XXX.XXX.X.82 eq domain any
conduit permit udp host XXX.XXX.X.82 eq domain any
conduit permit tcp host XXX.XXX.X.68 eq domain any
conduit permit udp host XXX.XXX.X.68 eq domain any
conduit permit tcp host XXX.XXX.X.69 eq citrix-ica any
conduit permit tcp host XXX.XXX.X.92 eq https any
conduit permit tcp host XXX.XXX.X.92 eq conduit permit tcp host XXX.XXX.X.68 eq conduit permit tcp host XXX.XXX.X.94 eq conduit permit tcp host XXX.XXX.X.94 eq https any
conduit permit tcp host XXX.XXX.X.94 eq smtp any
conduit permit tcp host XXX.XXX.X.93 object-group FTPserver any
conduit permit tcp host XXX.XXX.X.90 object-group DataWhse any
conduit permit tcp host XXX.XXX.X.73 object-group MailServer any
conduit permit tcp host XXX.XXX.X.78 object-group MailServer any
conduit permit tcp host XXX.XXX.X.88 object-group MailServer any
conduit deny tcp any any range 1433 1434
conduit deny udp any any range 1433 1434
outbound 1 deny 0.0.0.0 0.0.0.0 1604 udp
outbound 2 permit 192.168.1.78 255.255.255.255 3389 tcp
apply (inside) 1 outgoing_src
apply (inside) 2 outgoing_dest
route outside 0.0.0.0 0.0.0.0 XXX.XXX.X.65 1
timeout xlate 3:00:00


Thanks for the interest..
 
HI.

I suggest that you back up your config, then erase it and start over using PDM, and using access-list instead of the obsolete commands like "conduit" and "outbound" (these are leftovers from old PIX versions and should not be used with new devices).

> Each 10.10.10.x address has a static translation to a valid routable IP
What for? In most cases only servers which need inbound connectivity should have a static.
The others can use PAT.
(There are some scenarios where static is needed for workstations also, but do it on a need basis.)

> global (outside) 10 XXX.XXX.X.83-XXX.XXX.X.88
> global (outside) 10 interface
Use PAT only with a single address, for example:
global (outside) 10 XXX.XXX.X.83
The mix of NAT and PAT does not give you any advantage and can make troubleshooting more difficult.

Pay close attention to the access-list bound to the dmz interface - it should first block access to the internal network, and only then allow outgoing traffic from dmz to the internet.

Here is a sample mini config with 3 interfaces and a TS in dmz:

global (outside) 10 XXX.XXX.X.83
global (dmz) 10 192.168.1.251
nat (inside) 10 0 0
static (dmz,outside) XXX.XXX.X.93 192.168.1.93

access-list fromoutside permit tcp any host XXX.XXX.X.93 eq 3389
access-group fromoutside in interface outside
access-list fromdmz deny ip any 10.10.10.0 255.255.255.0
access-list fromdmz permit udp any any eq 53
access-list fromdmz permit tcp any any eq 80
access-group fromdmz in interface dmz

Bye


Yizhar Hurwitz
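The ordering point in the reply above (deny to the inside network first, then the outbound permits) can be checked mechanically. The following is an added example, not code from the thread: it parses a PIX-style named access-list with first-match semantics and evaluates the fromdmz list both as given and with the deny moved last. The DMZ host 192.168.1.93 and inside server 10.10.10.83 come from the posted config; the internet address 198.51.100.20 is a constructed placeholder.

```python
import ipaddress

def _take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'net mask'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX access-list entries use a regular subnet mask, not an IOS wildcard
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(config_text, name):
    """Collect the entries of one named access-list in configured order."""
    entries = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[:2] != ["access-list", name]:
            continue
        action, proto = parts[2], parts[3]
        src, rest = _take_addr(parts[4:])
        dst, rest = _take_addr(rest)
        port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        entries.append((action, proto, src, dst, port))
    return entries

def evaluate(entries, proto, src, dst, dport):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, e_proto, e_src, e_dst, e_port in entries:
        if e_proto not in ("ip", proto):
            continue
        if src_ip in e_src and dst_ip in e_dst and e_port in (None, dport):
            return action
    return "deny"

# Constructed sample: the dmz access-list from the reply above, deny first.
RECOMMENDED = """\
access-list fromdmz deny ip any 10.10.10.0 255.255.255.0
access-list fromdmz permit udp any any eq 53
access-list fromdmz permit tcp any any eq 80
"""
# The same entries with the deny moved to the end (constructed misordering).
MISORDERED = "\n".join(reversed(RECOMMENDED.splitlines())) + "\n"

def check_dmz_isolation(config_text):
    """Verdicts for a DMZ host reaching an inside web server vs. the internet."""
    acl = parse_acl(config_text, "fromdmz")
    to_inside = evaluate(acl, "tcp", "192.168.1.93", "10.10.10.83", 80)
    to_internet = evaluate(acl, "tcp", "192.168.1.93", "198.51.100.20", 80)
    return to_inside, to_internet
```

With the deny first the DMZ host gets ("deny", "permit"); with the deny last the same host gets ("permit", "permit"), i.e. the inside web server becomes reachable from the DMZ.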
 