
PIX 515e configuration question

Jun 8, 2010
Hello,

I have a Cisco PIX 515e Firewall and I would like to configure the following scenario:

Webserver (10.10.10.50) in the DMZ (10.10.10.1) which can talk to the MSSQL Server on the inside of the network at 10.0.x.x

I have set up the DMZ and have the webserver accessible from the outside; however, I am not sure which access lists, routes or rules I have to change to get access from the webserver to the MSSQL server.

What rules need to be made to allow the above connection?

Thanks
 
post your scrubbed config

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
PIX Version 7.2(2)
!
hostname firewall
domain-name nri-distribution.com
enable password QReLYar3KUlXMDJp encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.224
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address x.x.x.x 255.255.255.0
ospf cost 10
!
interface Ethernet2
nameif DMZ
security-level 0
ip address 10.10.10.1 255.255.255.0
ospf cost 10
!
passwd 2KFQnbNIdI.2KYOU encrypted
no ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name x.x.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Webspeed tcp
port-object range 3050 3051
port-object range 3202 3502
object-group network test
network-object host 192.168.0.237
object-group service NRISIP tcp-udp
port-object eq sip
object-group network
network-object host x.x.x.x
network-object host x.x.x.x
access-list outside_access_in extended permit tcp any host x.x.x.x eq www
access-list outside_access_in extended permit icmp 192.168.x.x 255.255.255.0 192.168.0.0 255.255.255.0 echo-reply
access-list outside_access_in extended permit icmp 192.168.x.x 255.255.255.0 192.168.0.0 255.255.255.0 echo-reply
access-list outside_access_in extended permit icmp 192.168.x.x 255.255.255.0 192.168.0.0 255.255.255.0 echo-reply
access-list outside_access_in extended permit tcp any 192.x.x.x 255.255.255.0
access-list outside_access_in extended permit ip any 192.x.x.x 255.255.255.0
access-list outside_access_in extended permit icmp 192.168.x.x 255.255.255.0 192.168.0.0 255.255.255.0 echo-reply
access-list DMZ_access_in extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.0.x inactive
access-list DMZ_access_in extended permit ip 10.10.10.0 255.255.255.0 host 192.168.0.x inactive
access-list DMZ_access_in extended permit icmp 10.10.10.0 255.255.255.0 host 192.168.0.x echo-reply inactive
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.x.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.x.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.x.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.x.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.x.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.x.x 255.255.255.0
access-list outside_40_cryptomap extended permit ip 192.168.0.0 255.255.0.0 192.168.x.x 255.255.255.0
access-list outside_cryptomap_25 extended permit ip 192.168.0.0 255.255.255.0 192.168.x.x 255.255.255.0
access-list inside_access_out extended permit ip host (MS SQL SERVER's IP) 10.10.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm-buffer-size 500
logging asdm emergencies
logging recipient-address level critical
logging class vpn asdm warnings
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
asdm history enable
arp timeout 14400
nat-control
global (outside) 200
global (inside) 201 interface
global (DMZ) 200 10.10.10.20-10.10.10.30 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 200 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
access-group DMZ_access_in in interface DMZ
route inside 10.0.0.0 255.255.0.0 192.168.0.254 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy nls1 internal
group-policy nls1 attributes
vpn-filter none
vpn-tunnel-protocol IPSec
group-lock none
pfs disable
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs enable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set nls esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 15 match address outside_40_cryptomap
crypto map outside_map 15 set pfs
crypto map outside_map 15 set peer x.x.x.x
crypto map outside_map 15 set transform-set ESP-DES-MD5
crypto map outside_map 25 match address outside_cryptomap_25
crypto map outside_map 25 set peer x.x.x.x
crypto map outside_map 25 set transform-set nls ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 25
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
peer-id-validate cert
telnet 192.168.0.56 255.255.255.255 inside
telnet timeout 5
ssh 192.168.0.56 255.255.255.248 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
smtp-server
prompt hostname context
Cryptochecksum:fc2f463a9e5f2d32e5d8f82ab12731b3
: end
 
Since you have 'nat-control' enabled in your config, you will need to have a NAT statement permitting traffic to flow between the two interfaces (DMZ & inside).

You have two options: Use the NAT exemption in your config or create a static NAT. I prefer the first since it is a lot cleaner in the long run.

Code:
Config 1
---------
access-list DMZ_access_in extended permit tcp host 10.10.10.50 host 10.0.x.x eq 1433 
access-list inside_nat0_outbound extended permit ip host 10.0.x.x host 10.10.10.50

Config 2
---------
access-list DMZ_access_in extended permit tcp host 10.10.10.50 host 10.0.x.x eq 1433 
static (inside,DMZ) 10.0.x.x 10.0.x.x netmask 255.255.255.255

Good luck.
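To see why Config 1 works and why the existing DMZ_access_in entries do not, here is a small added Python checker that is not part of the thread or of any Cisco tooling. It parses the PIX 7.x `access-list`, `access-group`, `nat ... 0 access-list` and `nat-control` lines from a constructed config snippet (the posted DMZ ACL entries plus the reply's Config 1 lines), evaluates a DMZ-to-inside flow first-match against the ACL bound inbound on the DMZ interface, and checks whether the `nat 0` exemption covers the inside host. The addresses 192.168.0.10 and 10.0.1.20 are constructed stand-ins for the thread's 192.168.0.x and 10.0.x.x placeholders; the static of Config 2 is deliberately not modelled.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample config: the DMZ ACL entries from the posted config (all
# marked "inactive", so the PIX never consults them) plus the two lines the
# reply's "Config 1" adds. The thread's 192.168.0.x and 10.0.x.x placeholders
# are filled with constructed addresses 192.168.0.10 and 10.0.1.20.
SAMPLE_CONFIG = """\
nat-control
access-list DMZ_access_in extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.0.10 inactive
access-list DMZ_access_in extended permit ip 10.10.10.0 255.255.255.0 host 192.168.0.10 inactive
access-list DMZ_access_in extended permit tcp host 10.10.10.50 host 10.0.1.20 eq 1433
access-list inside_nat0_outbound extended permit ip host 10.0.1.20 host 10.10.10.50
nat (inside) 0 access-list inside_nat0_outbound
access-group DMZ_access_in in interface DMZ
"""

NAMED_PORTS = {"www": 80, "sip": 5060}  # the two port names used in the posted config

# Matches the subset of "access-list ... extended" syntax seen in the thread
# (tcp/udp/ip with optional "eq PORT" and trailing "inactive"); icmp entries
# with a type keyword are reported as unparsed rather than guessed at.
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>host \S+|any|\S+ \S+) (?P<dst>host \S+|any|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?(?P<inactive> inactive)?$"
)


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    inactive: bool


@dataclass
class PixConfig:
    acls: dict           # ACL name -> list of Ace, in configured order
    bindings: dict       # interface name -> ACL applied inbound ("in")
    nat0_acl: Optional[str]
    nat_control: bool
    unparsed: list


def parse_net(spec: str) -> ipaddress.IPv4Network:
    """Turn a PIX address spec ('any', 'host A', or 'A MASK') into a network."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text: str) -> PixConfig:
    cfg = PixConfig({}, {}, None, False, [])
    for raw in text.splitlines():
        line = raw.strip()
        if line == "nat-control":
            cfg.nat_control = True
        elif m := ACE_RE.match(line):
            port = m.group("port")
            if port is None:
                dport = None
            elif port.isdigit():
                dport = int(port)
            else:
                dport = NAMED_PORTS[port]
            cfg.acls.setdefault(m.group("name"), []).append(Ace(
                m.group("action"), m.group("proto"),
                parse_net(m.group("src")), parse_net(m.group("dst")),
                dport, m.group("inactive") is not None))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            cfg.bindings[m.group(2)] = m.group(1)
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", line):
            cfg.nat0_acl = m.group(1)
        elif line.startswith("access-list "):
            cfg.unparsed.append(line)
    return cfg


def acl_permits(cfg: PixConfig, iface: str, proto: str, src: str, dst: str,
                dport: Optional[int] = None) -> bool:
    """First-match evaluation of the ACL bound inbound on iface; no match = implicit deny."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in cfg.acls.get(cfg.bindings.get(iface, ""), []):
        if ace.inactive or ace.proto not in ("ip", proto):
            continue
        if src_ip not in ace.src or dst_ip not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


def nat_exempt(cfg: PixConfig, inside_host: str, dmz_host: str) -> bool:
    """With nat-control on, Config 1 relies on a 'nat 0' exemption written from the
    inside host's point of view (src = inside, dst = DMZ). Simplification: without
    nat-control no translation is required, and a static (Config 2) is not modelled."""
    if not cfg.nat_control:
        return True
    i, d = ipaddress.IPv4Address(inside_host), ipaddress.IPv4Address(dmz_host)
    return any(not a.inactive and i in a.src and d in a.dst
               for a in cfg.acls.get(cfg.nat0_acl or "", []))


def check_web_to_sql(text: str, web: str = "10.10.10.50", sql: str = "10.0.1.20") -> dict:
    """Both conditions the reply names must hold for the webserver to reach tcp/1433."""
    cfg = parse_config(text)
    return {"acl": acl_permits(cfg, "DMZ", "tcp", web, sql, 1433),
            "nat": nat_exempt(cfg, sql, web)}


if __name__ == "__main__":
    print(check_web_to_sql(SAMPLE_CONFIG))  # {'acl': True, 'nat': True}
```

Run it against a scrubbed `show run` to see whether a given DMZ-to-inside flow is blocked by the ACL, by a missing NAT exemption, or by both; entries flagged `inactive` are skipped exactly as the PIX skips them, which is why the three existing DMZ_access_in lines in the posted config contribute nothing.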
 