Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX 515E - DMZ - And Exchange Bridge End Servers 1

Status
Not open for further replies.
CertifiedNut

CertifiedNut

Technical User
Feb 14, 2007
22
GB
Hi All,

i'm back with another issue with my PIX. Having had a lot of help in the past, i thought i'd have a crack at setting up a Bridgeend server on my PIX 515E which has and installed DMX interface. However, having studied many of the articles for the web and especially d=from Cisco, it would seem that this is not as straihgt forward as it first looked. As the firewall is live at present and supports VPN's I don't ant to go wadeing in with chancey configs a knock out other things. Please see the config below and can you tell me why i cant see the DMZ Server??

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz_int security50
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
hostname xxxxxxxxxxxx
domain-name xxxxxxxxxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service group1 udp
port-object range 27950 27965
object-group service HTTPPorts tcp
port-object range port-object eq www
port-object eq https
port-object range 8080 8080
port-object range 81 81
access-list inside_access_in permit tcp host 10.0.10.242 eq smtp any
access-list inside_access_in permit ip any any
access-list smtp permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any host xx.xx.xx.254 eq smtp
access-list outside_access_in permit tcp any host 20.0.20.10 eq www
access-list no_nat permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list no_nat permit ip 10.0.10.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list l2lvpn permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list l2lvpn permit ip 10.0.10.0 255.255.255.0 192.168.253.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered alerts
logging trap alerts
mtu outside 1500
mtu inside 1500
mtu dmz_int 1500
ip address outside xx.xx.xx.254 255.255.255.240
ip address inside 10.0.10.252 255.255.255.0
ip address dmz_int 20.0.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 192.168.253.1-192.168.253.254
pdm location 10.0.10.0 255.255.255.0 inside
pdm location 10.0.10.11 255.255.255.255 inside
pdm location 20.0.20.10 255.255.255.255 dmz_int
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (dmz_int) 200 20.0.20.50-20.0.20.70 netmask 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xx.xx.xx.254 smtp 10.0.10.242 smtp netmask 255.255.255.255 0 0
static (dmz_int,inside) xx.xx.xx.243 20.0.20.10 netmask 255.255.255.255 0 0
static (dmz_int,outside) 20.0.20.10 20.0.20.10 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map map2 10 set transform-set 3DES
crypto map map1 40 ipsec-isakmp dynamic map2
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup xxxxxxxxxxxx address-pool VPNPool
vpngroup xxxxxxxxxxxx dns-server 10.0.10.11
vpngroup xxxxxxxxxxxx wins-server 10.0.10.11
vpngroup xxxxxxxxxxxx default-domain xxxxxxxxxxxx
vpngroup xxxxxxxxxxxx idle-time 1800
vpngroup xxxxxxxxxxxx password ********
telnet 10.0.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum: xxxxxxxxxxxx
: end


I'm trying to get the bridgehead server (BHS) which has the ip of 20.0.20.10 on the DMZ (DMZ interface address of 20.0.20.1) to been seen by the outside world on port 80 or HTTP. I have an external IP allocated to the traffic for the Bridge server of xx.xx.xx.243, but it seems not to be ported through the firewall (having spoken to the ISP I'm still not sure what they mean) How do i make this address seen in the outside world and connect throught the PIX to get to the BHS.

Secondly, the BHS has to g=be able to get through to the backend EXCH, but i'd settle for access to the BHS from the web to start with.

Your thoughts, help, etc would, as always, be much appreciated.

Rick
 
Sort by date Sort by votes
It looks like your statics are confused. You have this:

static (dmz_int,inside) xx.xx.xx.243 20.0.20.10 netmask 255.255.255.255 0 0
static (dmz_int,outside) 20.0.20.10 20.0.20.10 netmask 255.255.255.255 0 0

For Outside to DMZ access try this:

static (dmz_int,outside) xx.xx.xx.243 20.0.20.10

and change your ACL from this:

access-list outside_access_in permit tcp any host 20.0.20.10 eq www

to this:

access-list outside_access_in permit tcp any host xx.xx.xx.243 eq www

When you write ACLs for static translations you permit access to the translated address.

------------

For DMZ to inside you have a couple options, but it looks like you're thinking identity nat, so try this:

static (dmz_int,inside) 20.0.20.10 20.0.20.10

You will need an access list that permits the DMZ hosts (lower security) to the inside (higher security):

access-list dmz_in permit ip any any
access-group dmz_in in interface dmz_int

Matt
CCSP
 
Upvote 0 Downvote
Hi Matt,

Thanks for your comments which i have used to make the necessary changes to my PIX. I still cannot get the complete web access to work though. It would seem that i can now reach the Bridge Head server (front end Exhange) as it comes up with the request for username and password. However, authentication now fails which leads me to believe that the front end is not communicating with the backend or AD. I have posted my current config below.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz_int security50
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname XXXXXXXXXXPIX
domain-name XXXXXXXXXXXXXX
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service group1 udp
port-object range 27950 27965
object-group service HTTPPorts tcp
port-object range port-object eq www
port-object eq https
port-object range 8080 8080
port-object range 81 81
access-list inside_access_in permit tcp host 10.0.10.242 eq smtp any
access-list inside_access_in permit ip any any
access-list inside_access_in deny icmp any any
access-list smtp permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any host XX.XX.XX.254 eq smtp
access-list outside_access_in permit tcp any host XX.XX.XX.243 eq www
access-list no_nat permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list no_nat permit ip 10.0.10.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list l2lvpn permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list l2lvpn permit ip 10.0.10.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list dmz_in permit ip any any
pager lines 24
logging on
logging timestamp
logging buffered alerts
logging trap alerts
mtu outside 1500
mtu inside 1500
mtu dmz_int 1500
ip address outside XX.XX.XX.254 255.255.255.240
ip address inside 10.0.10.252 255.255.255.0
ip address dmz_int 20.0.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 192.168.253.1-192.168.253.254
pdm location 10.0.10.0 255.255.255.0 inside
pdm location 10.0.10.11 255.255.255.255 inside
pdm location 10.0.10.242 255.255.255.255 inside
pdm location 195.92.195.158 255.255.255.255 outside
pdm location XX.XX.XX.241 255.255.255.255 outside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 20.0.20.10 255.255.255.255 dmz_int
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (dmz_int) 200 20.0.20.50-20.0.20.70 netmask 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp XX.XX.XX.254 smtp 10.0.10.242 smtp netmask 255.255.255.255 0 0
static (dmz_int,outside) XX.XX.XX.243 20.0.20.10 netmask 255.255.255.255 0 0
static (dmz_int,inside) 20.0.20.10 20.0.20.10 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_in in interface dmz_int
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map map2 10 set transform-set 3DES
crypto map map1 40 ipsec-isakmp dynamic map2
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup XXXXXXXXXXX address-pool VPNPool
vpngroup XXXXXXXXXXX dns-server 10.0.10.11
vpngroup XXXXXXXXXXX wins-server 10.0.10.11
vpngroup XXXXXXXXXXX default-domain XXXXXXXXXXXXX
vpngroup XXXXXXXXXXX idle-time 1800
vpngroup XXXXXXXXXXX password ********
telnet 10.0.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXX
: end

Are there any glaring errors that i seem to have made or is it the type of DMZ to Int nating that I'm using that has caused the issue.

Your help is appreciated.

Regards

Rich
 
Upvote 0 Downvote
Sorry, I think I forgot to consider the security levels when i made my initial recommendation. You have a couple options here:

Option1: The simplest is to do the opposite of what you just did. Remove the translation we added and then translate the Inside AD server to the DMZ

static(inside,dmz) 20.0.20.x 10.0.10.x
access-list dmz_in permit <see note at bottom>

Then the Server on the DMZ can just reach the AD server via that translated address. If you're using DNS here though, it might be a problem as the BridgeHead server will now need to contact 20.0.20.x instead of 10.0.10.x

Alternatively, you can create another identity translation going the other way, in addition to the one we added:

static (inside,dmz)10.0.10.x 10.0.10.x
access-list dmz_in permit <see note at bottom>

This will allow each server to use the other's real address.

Note about ACL: In my first post I threw up "permit ip any any" in my example for the dmz_in ACL. This was just intended to get the point across that there's an ACL there. :) I highly recommend that you make that ACL as specific as possible. That way if the DMZ server becomes compromised, an attacker will have a harder time getting to the inside. Below are more specific example ACL lines for each option above. I'm using SSL, but replace with what you need:

Option1:
access-list dmz_in permit tcp host 20.0.20.x host 20.0.20.x eq 443
First 20. address: DMZ server
Second 20. address: translated Inside server

Option2:
access-list dmz_in permit tcp host 20.0.20.x host 10.0.10.x eq 443


Matt
CCSP
 
Upvote 0 Downvote
I'm slightly confused here so please bear with me. Firstly, i'd like to get the front end owa server to work and then look at the whole issue surrounding the use of SSL.

What i have is an Exchange 10.0.10.18 an AD server 10.0.10.11 - a front end OWA server 20.0.20.10 that sits on the PIX DMZ int of 20.0.20.1 and an outside interface (dirty) of XX.XX.XX.254 although the public IP i have for the OWA server is XX.XX.XX.243.

The latest config which has your option 2 added, but slightly modified to include the AD server address as well, but i'm thinking I'm not getting this at all. So here goes with the latest config...

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz_int security50
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXXXt encrypted
hostname XXXXXXXXXPIX
domain-name XXXXXXXX
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service group1 udp
port-object range 27950 27965
object-group service HTTPPorts tcp
port-object range port-object eq www
port-object eq https
port-object range 8080 8080
port-object range 81 81
access-list inside_access_in permit tcp host 10.0.10.242 eq smtp any
access-list inside_access_in permit ip any any
access-list inside_access_in deny icmp any any
access-list smtp permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any host 86.54.76.254 eq smtp
access-list outside_access_in permit tcp any host 86.54.76.243 eq www
access-list no_nat permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list no_nat permit ip 10.0.10.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list l2lvpn permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list l2lvpn permit ip 10.0.10.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list dmz_in permit tcp host 20.0.20.10 host 10.0.10.18 eq www
pager lines 24
logging on
logging timestamp
logging buffered alerts
logging trap alerts
mtu outside 1500
mtu inside 1500
mtu dmz_int 1500
ip address outside XX.XX.XX.254 255.255.255.240
ip address inside 10.0.10.252 255.255.255.0
ip address dmz_int 20.0.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 192.168.253.1-192.168.253.254
pdm location 10.0.10.0 255.255.255.0 inside
pdm location 10.0.10.11 255.255.255.255 inside
pdm location 10.0.10.242 255.255.255.255 inside
pdm location 195.92.195.158 255.255.255.255 outside
pdm location XX.XX.XX.241 255.255.255.255 outside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 20.0.20.10 255.255.255.255 dmz_int
pdm location 10.0.10.18 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (dmz_int) 200 20.0.20.50-20.0.20.70 netmask 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp XX.XX.XX.254 smtp 10.0.10.242 smtp netmask 255.255.255.255 0 0
static (dmz_int,outside) XX.XX.XX.243 20.0.20.10 netmask 255.255.255.255 0 0
static (dmz_int,inside) 20.0.20.10 20.0.20.10 netmask 255.255.255.255 0 0
static (inside,dmz_int) 10.0.10.18 10.0.10.18 netmask 255.255.255.255 0 0
static (inside,dmz_int) 10.0.10.11 10.0.10.11 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map map2 10 set transform-set 3DES
crypto map map1 40 ipsec-isakmp dynamic map2
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup XXXXXXXX address-pool VPNPool
vpngroup XXXXXXXX dns-server 10.0.10.11
vpngroup XXXXXXXX wins-server 10.0.10.11
vpngroup XXXXXXXX default-domain XXXXXXXX
vpngroup XXXXXXXX idle-time 1800
vpngroup XXXXXXXX password ********
telnet 10.0.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0


Your continued help is much appreciated

Regards

Rich
 
Upvote 0 Downvote
I just used SSL as an example to show you a more specific access list than permit ip any any. I don't know off-hand all the protocols the OWA server will need to use to communicate with the AD and Exchange servers. SSL may or may not be one of them. You'll need to look it up. :)

It looks like your static statements are right, but there is no access list to allow traffic from the low security DMZ (50) to the high security Inside (100). I see an access list called dmz_in, but there is no corresponding access-group statement.

Try adding an access-group statement:
access-group dmz_in in interface dmz

Note also that your dmz_in acl right now only has one statement:
access-list dmz_in permit tcp host 20.0.20.10 host 10.0.10.18 eq www

You probably need to add more statements, especially if more than just in use between the servers. At least one for 10.0.10.11, your other server.

Matt
CCSP
 
Upvote 0 Downvote
Matt, your recommendations were spot on and i have now managed to get the system fully operational and using SSL as well. Many thanks for all your help.

Rick
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
696
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
602
Johnkite
Johnkite
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
526
nnaarrnn
nnaarrnn
Nitta84
  • Locked
  • Question
navigation slow and tcp syc/ack drop
Replies
0
Views
460
Nitta84
Nitta84
sudhakar346
  • Locked
  • Question
Cisco ASA inside to DMZ issue over public IP
Replies
2
Views
157
kythri
kythri

Part and Inventory Search

Sponsor

Back
Top