
Pix 515 DMZ DNS and Email Gateway

Status
Not open for further replies.

rickh9

IS-IT--Management
Feb 11, 2002
US
I've got a PIX 515 (6.2.2) with a mail server on the inside and a DNS forwarder with the local zone also on the inside. I have added an email gateway filter to the DMZ that forwards to the inside mail server. Some of my PIX config is as follows.

name 10.51.x.a mailserv
name 192.168.x.b mailgate
name 10.51.x.c dns1

access-list outside permit tcp any host 208.8.x.b eq smtp
access-list DMZ permit tcp any any eq smtp
access-list DMZ1 permit udp host mailgate host dns1 eq domain

ip address outside 208.8.x.a 255.255.255.0
ip address inside 10.51.x.a 255.255.254.0
ip address DMZ 192.168.x.a 255.255.255.0

global (outside) 1 interface
global (DMZ) 1 interface
global (DMZ) 1 192.168.100.100

static (DMZ,outside) 208.8.x.b mailgate netmask 255.255.255.255 0 0
static (inside,DMZ) mailgate mailgate netmask 255.255.255.255 0 0
static (inside,DMZ) dns1 dns1 netmask 255.255.255.255 0 0
static (inside,DMZ) mailserv mailserv netmask 255.255.255.255 0 0

And in the future I will be adding a web server to the DMZ which will require port 1433 (SQL) to the inside. I had planned on using the same approach, which brings me to my question.

While this configuration seems to work ok, is there a better way to accomplish this? Am I creating a security issue by setting static inside addresses in the DMZ? It just doesn't look right to me, or am I just being paranoid?

Any opinions would be greatly appreciated.

Thanks
 
HI.

Yes, there is a possible security breach here, because a malicious attacker can gain some control over the web server and from that point attack the internal SQL server.
This is not so simple for a script kiddie, but possible.

If this is relevant to you, you can upgrade to PIX 515UR with more interfaces, and put the SQL server on a dedicated PIX interface. That way you have more control and protection for the SQL server (even from internal attacks) and less risk for the internal network.
Same idea might be good for mail server if applicable.


Some notes about your configuration:

> static (inside,DMZ) mailgate mailgate ...
What do you need it for? The mailgate is connected to the DMZ, right?

> static (inside,DMZ) mailserv mailserv ...
You can configure the internal mail server to pull mail from the mailgate, instead of mailgate pushing to internal server.
A program like "popbeamer" can do that.

> static (inside,DMZ) dns1 dns1 ...
It is better that the DMZ server will use its own DNS server or the ISP, what do you think?

In general, for allowing access from DMZ to inside, I prefer using the same technique as allowing traffic from outside to DMZ. Use static with addresses that belong to the external subnet, for example:

Instead of using this
> static (inside,DMZ) aaa aaa
Use this:
static (inside,DMZ) 192.168.x.y aaa

You will need to point the DMZ server to use the correct address of course.

Bye
Yizhar Hurwitz
 
Yizhar,
Thank you for your prompt reply.

> static (inside,DMZ) mailgate mailgate ...
> What do you need it for? The mailgate is connected to the DMZ, right?

From the Cisco sample config,
!--- This static essentially prevents translation of the 192.168.2.x
!--- inside network when sending packets to the DMZ. Literally speaking,
!--- it creates a translation from 192.168.2.x to 192.168.2.x.
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

> static (inside,DMZ) dns1 dns1 ...
> It is better that the DMZ server will use its own DNS server or the ISP, what do you think?

As usual you are correct. I added my mail server to the hosts file and changed DNS to the ISP's server. Works great.


I guess I'm not sure what you mean here. Could you please explain a bit further?

> In general, for allowing access from DMZ to inside, I prefer using the same technique as allowing traffic from outside to DMZ. Use static with addresses that belong to the external subnet, for example:

> Instead of using this
> static (inside,DMZ) aaa aaa
> Use this:
> static (inside,DMZ) 192.168.x.y aaa

Thanks very much for your help.

Rick
 
HI.

> static (inside,DMZ) mailgate mailgate
I still think that this line is not needed.
Try to remove it and see what happens.

> From the Cisco sample config ...
Cisco has many samples for different scenarios, not all of them apply to all configurations.
In your case and in most other cases, there is no need for the static command without translation.
> static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
This is a bad idea - it will expose and proxy-arp all addresses on the inside to the DMZ network. There is no need for this, so why use it?

> I guess I'm not sure what you mean here. Could you please explain a bit further?
Both techniques will probably work:
static (inside,DMZ) aaa aaa
static (inside,DMZ) 192.168.x.y aaa

I myself will choose the second option in most cases, but I don't know how to explain it better. It just seems more logical to me.

This might help you also, but remember that not all samples apply to you:

Don't forget to issue the following command after changing the pix settings:

clear xlate


Bye
Yizhar Hurwitz
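The review points Yizhar makes in his two replies (an identity static like "static (inside,DMZ) dns1 dns1" exposes the real inside address to the DMZ, a network-wide identity static exposes the whole inside subnet, and a static for a host that already sits on the DMZ is simply unneeded) can be checked mechanically over a PIX 6.x config. The script below is an added example, not code from this thread or from Cisco: it parses the "name", "ip address" and "static" lines, resolves aliases, and classifies each static. The sample config is constructed from the lines quoted in the thread, with the "x" octets replaced by placeholder values so the addresses parse, and the "sqlserv" host is a hypothetical stand-in for the future SQL server; interface names are compared case-insensitively, which is an assumption of this script rather than documented PIX behaviour.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's config; placeholder octets
# and a hypothetical "sqlserv" host (both added for this example).
SAMPLE_CONFIG = """\
name 10.51.1.10 mailserv
name 192.168.1.20 mailgate
name 10.51.1.11 dns1
name 10.51.1.12 sqlserv
ip address outside 208.8.1.1 255.255.255.0
ip address inside 10.51.1.1 255.255.254.0
ip address DMZ 192.168.1.1 255.255.255.0
static (DMZ,outside) 208.8.1.2 mailgate netmask 255.255.255.255 0 0
static (inside,DMZ) mailgate mailgate netmask 255.255.255.255 0 0
static (inside,DMZ) dns1 dns1 netmask 255.255.255.255 0 0
static (inside,DMZ) mailserv mailserv netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.1.30 sqlserv netmask 255.255.255.255 0 0
static (inside,dmz) 10.51.0.0 10.51.0.0 netmask 255.255.254.0
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")            # name <ip> <alias>
IFACE_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)\s+(\S+)")
STATIC_RE = re.compile(
    r"^static\s+\((?P<high>[^,]+),(?P<low>[^)]+)\)\s+(?P<glob>\S+)\s+(?P<local>\S+)"
    r"(?:\s+netmask\s+(?P<mask>\S+))?"
)
HOST_MASK = "255.255.255.255"


def parse(config_text):
    """Collect name aliases, interface subnets and static entries."""
    names, ifaces, statics = {}, {}, []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)
        elif m := IFACE_RE.match(line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            ifaces[m.group(1).lower()] = net      # assumption: names compared case-insensitively
        elif m := STATIC_RE.match(line):
            statics.append((lineno, m.groupdict()))
    return names, ifaces, statics


def resolve(token, names):
    """Turn an alias or dotted address into an ip_address, or None if unknown."""
    try:
        return ipaddress.ip_address(names.get(token, token))
    except ValueError:
        return None


def audit(config_text):
    """Return (line, kind, message) for every static; kind is one of
    ok / unneeded / identity / unresolved."""
    names, ifaces, statics = parse(config_text)
    findings = []
    for lineno, s in statics:
        low = s["low"].lower()
        low_net = ifaces.get(low)
        glob, local = resolve(s["glob"], names), resolve(s["local"], names)
        mask = s["mask"] or HOST_MASK
        if glob is None or local is None:
            findings.append((lineno, "unresolved", f"cannot resolve {s['glob']} / {s['local']}"))
        elif low_net and local in low_net:
            # The host already lives on the low-security side: nothing to translate.
            findings.append((lineno, "unneeded",
                             f"{s['local']} is on {s['low']} itself; no ({s['high']},{s['low']}) static needed"))
        elif glob == local:
            scope = "the whole subnet" if mask != HOST_MASK else "the real inside address"
            findings.append((lineno, "identity",
                             f"identity static exposes {scope} {glob} to {s['low']} unchanged; "
                             f"translate it to an address from the {s['low']} subnet instead"))
        else:
            findings.append((lineno, "ok", f"{s['local']} reachable from {s['low']} as {glob}"))
    return findings


if __name__ == "__main__":
    for lineno, kind, msg in audit(SAMPLE_CONFIG):
        print(f"line {lineno:>2} [{kind:<10}] {msg}")
```

Run as-is it reports the mailgate static as unneeded, the dns1 and mailserv statics as identity exposures, the network-wide 10.51.0.0 static as exposing the whole subnet, and the translated sqlserv static (the form Yizhar prefers) as ok.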
 
Yizhar,

>> static (inside,DMZ) mailgate mailgate
>I still think that this line is not needed.
>Try to remove it and see what happens.

Removed the line and it works just fine.

>> static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
>This is a bad idea - it will expose and proxy-arp all addresses on the inside to the DMZ network. There is no need for this, so why use it?

Took it out, again, no problems.

>In general, for allowing access from DMZ to inside, I prefer using the same technique as allowing traffic from outside to DMZ. Use static with addresses that belong to the external subnet, for example:

> Instead of using this
>> static (inside,DMZ) aaa aaa
>Use this:
>static (inside,DMZ) 192.168.x.y aaa

Got it. Translated the inside address to a DMZ address and of course it works just fine.

Thanks much for the assistance.
Rick
 