
PIX 515 & DMZ with Proxy server


jamesch

MIS
Nov 1, 2002
80
US
We are trying to set up an ISA 2000 server in conjunction with our PIX 515, which goes out to a 2600 router. We use a local vendor to set up and configure the router and PIX. We told them what we wanted to do and we had them set up the PIX to do our proxy for the clients to use the internet; they said we need a DMZ to do this. This is the configuration from the PIX. xxx.xxx.28.145 is the gateway for the DMZ, xxx.xxx.28.146 is for our web server, xxx.xxx.28.147 is our ISA 2000 proxy server. We have attached both the web server and the ISA server and neither works. What advice can I give to our vendor to check and get this working? I’m also having a hard time finding what ports the ISA uses when going out on the public side; that would be the .147 address?

.146 is going to be used only for http & https traffic, from a web server.
.147 is going to be used only for internal users' internet browsers to the ISA server, and the ISA server goes out the .147 to get http & https requests.

access-list aclout permit tcp any host xxx.xxx.28.146 eq www
access-list aclout permit tcp any host xxx.xxx.28.147 eq www
access-list aclout permit ip any host xxx.xxx.28.146
access-list aclout permit ip any host xxx.xxx.28.147
access-list aclin permit icmp any any
access-list aclin permit ip any any
access-list aclin permit udp any host xxx.xxx.28.146 eq domain
access-list aclin permit udp any host xxx.xxx.28.147 eq domain
access-list aclin permit tcp any host xxx.xxx.28.146 eq domain
access-list aclin permit tcp any host xxx.xxx.28.147 eq domain

On down the list is:

ip address DMZ1 xxx.xxx.28.145 255.255.255.248

static (DMZ1,outside) xxx.xxx.28.146 xxx.xxx.28.146 netmask 255.255.255.255 0 0
static (DMZ1,outside) xxx.xxx.28.147 xxx.xxx.28.147 netmask 255.255.255.255 0 0


 
I'm confused about your addressing. It looks like DMZ1 and outside are on the same network, which won't work.

Each Pix interface needs a separate network. If your intent is to have non-translated addresses in the dmz, then you need "nat 0"

ip address outside 192.0.2.1 255.255.255.192
ip address dmz 192.0.2.65 255.255.255.192

nat (dmz) 0 0 0

Then the ACLs, operating on the real address. Only "aclin" is needed; all outbound traffic from the dmz to the internet is allowed by default (though it's not a bad idea to limit it in case you get infected by something.)
 
Yes, the intent is to have a non-translated IP address, which is the 28.147 number, which is going to the 2nd NIC on the ISA server. The 2nd NIC on the ISA server will have the 28.147 IP address on the NIC. But the only outbound protocols should be HTTP/HTTPS, & maybe others I don’t know about. Users are only going to use it for Internet, nothing else.

Do the 28.147 and the 28.146 need to be on a separate network? As of 07-28-04 I called our local vendor and he is going to come out and correct the problems, so I can give him a lot of info from this post.

Thanks,

Curtis
 
I see. The static statements were confusing me. As I understand it, you have:

Pix DMZ address: 28.145
Web server address: 28.146
ISA server address: 28.147

... all connected to the DMZ LAN, right? No, they should not be on separate networks.

Your outside interface will then have a different network address, and your ISP router will have a route pointing to your Pix to get to the DMZ addresses. The "nat 0" is what you want.

To restrict outbound traffic, just use an acl. The source is your DMZ server, not the destination:

! for the ISA:
access-list aclout permit tcp host 28.147 any eq 80
access-list aclout permit tcp host 28.147 any eq 443
access-list aclout permit tcp host 28.147 eq 80 <inside>
access-list aclout permit tcp host 28.147 eq 443 <inside>
! for the web server:
access-list aclout permit tcp host 28.146 eq 80 any gt 1023
access-list aclout permit tcp host 28.146 eq 443 any gt 1023

access-group aclout in interface dmz

! inbound
! for ISA
access-list aclin permit tcp any eq 80 host 28.147 gt 1023
access-list aclin permit tcp any eq 443 host 28.147 gt 1023
! for web server
access-list aclin permit tcp any gt 1023 host 28.146 eq 80
access-list aclin permit tcp any gt 1023 host 28.146 eq 443
<other acl statements>

access-group aclin in interface outside

I haven't tried this, but it should give you the idea. Remember the implicit "deny ip any any" at the end of each ACL.
 
Thank you for replying,

Yes, the DMZ is on a separate LAN. The PIX DMZ interface is connected into a Cisco switch, and then the two servers will sit on the switch, both ISA (28.147) and the web server (28.146).

Question: does the command need the port number, like port 80, or the protocol name, HTTP?

Example:

access-list aclout permit tcp host 28.147 any eq 80

or

access-list aclout permit tcp host 28.147 any eq HTTP

Also, I did a netstat in DOS on the ISA server and found that the users come in on port 8080 on the internal side for internet browsing, and the ISA uses several different port numbers to fetch the requested pages, but it shows the address with a :http at the end.
 
Either http or 80 will work. I don't know if Pix knows "https".

Inside users should be fine. I didn't show the acl for inside users, but it would be something like

access-list inside_outbound permit tcp any host <isa> eq 8080
.. anything else needed
access-group inside_outbound in interface inside

ISA will use 80 as the destination port for http. It'll use various high ports for the source.
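The ACL reasoning in the two replies above (outbound rules keyed on the DMZ server as source, gt 1023 for the reply port range, port keywords such as http, the 8080 rule for inside users, and the implicit deny at the end), as an added Python example that is not from the thread: it parses the access-list subset used here and reports which flows each list admits. All addresses are constructed placeholders, and it evaluates per packet only, without the PIX's stateful handling of return traffic.

```python
# Added example (not from the thread): an evaluator for the PIX access-list
# subset used in the replies, to check which flows each ACL admits.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}

def _port(tok):  # PIX accepts a number or a service keyword ('http' == 80)
    return int(tok) if tok.isdigit() else PORT_NAMES[tok.lower()]

def _addr(tokens):  # 'any' or 'host A.B.C.D' -> (address, remaining tokens)
    assert tokens[0] in ("any", "host"), "unsupported address form: %s" % tokens
    return ("any", tokens[1:]) if tokens[0] == "any" else (tokens[1], tokens[2:])

def _portspec(tokens):  # optional 'eq N' / 'gt N'; None means any port
    if tokens and tokens[0] in ("eq", "gt"):
        return (tokens[0], _port(tokens[1])), tokens[2:]
    return None, tokens

def parse_acls(text):
    """Group 'access-list NAME permit|deny PROTO SRC [op P] DST [op P]' by NAME."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        src, rest = _addr(t[4:])
        sport, rest = _portspec(rest)
        dst, rest = _addr(rest)
        dport, _ = _portspec(rest)
        acls.setdefault(t[1], []).append((t[2], t[3], src, sport, dst, dport))
    return acls

def _port_ok(spec, port):
    return spec is None or (port == spec[1] if spec[0] == "eq" else port > spec[1])

def evaluate(entries, proto, src, sport, dst, dport):
    """First match wins; no match falls through to the implicit 'deny ip any any'."""
    for action, p, s, sp, d, dp in entries:
        if (p == "ip" or p == proto) and s in ("any", src) and d in ("any", dst) \
                and _port_ok(sp, sport) and _port_ok(dp, dport):
            return action
    return "deny"

# Constructed ACL text following the replies (192.0.2.146/.147 stand in for the masked
# web/ISA addresses, 10.0.0.5 for the ISA inside NIC); 'aclin_orig' is the first post's catch-all.
ACL_TEXT = """
access-list aclout permit tcp host 192.0.2.147 any eq 80
access-list aclout permit tcp host 192.0.2.147 any eq https
access-list aclout permit tcp host 192.0.2.146 eq 80 any gt 1023
access-list aclin permit tcp any gt 1023 host 192.0.2.146 eq www
access-list inside_outbound permit tcp any host 10.0.0.5 eq 8080
access-list aclin_orig permit ip any any
"""
```

Comparing aclin with aclin_orig on the same flow shows why the first post's "permit ip any any" made the other aclin lines moot.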
 