Pix 515e, dmz---lan communication problem

zacca (Technical User), Dec 25, 2003
Hi there,

I got the following devices:
pix515e at site1, dmz 192.168.28.0, lan 192.168.38.0
pix506e at site2, lan 192.168.68.0
pix506e at site3, lan 192.168.88.0
Anyway, the problem isn't related to the VPN tunnel at all.
From the 515e LAN, I can access the Internet but cannot access the 515e DMZ.
From the 515e DMZ, I can access the Internet but cannot access the 515e LAN.
From the 515e console, I can access the Internet, the DMZ and the LAN.
(remark: all of the above access refers to ping tests)

This is the config file of my PIX 515e:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
enable password ******** encrypted
passwd ******** encrypted
hostname pix515
domain-name what.ever
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.28.0 site1-dmz
name 192.168.38.0 site1-lan
name 192.168.68.0 site2-lan
name 192.168.88.0 site3-lan
access-list inside_outbound_nat0_acl permit ip site1-lan 255.255.255.0 site3-lan 255.255.255.0
access-list inside_outbound_nat0_acl permit ip site1-dmz 255.255.255.0 site3-lan 255.255.255.0
access-list inside_outbound_nat0_acl permit ip site1-lan 255.255.255.0 site2-lan 255.255.255.0
access-list inside_outbound_nat0_acl permit ip site1-dmz 255.255.255.0 site2-lan 255.255.255.0
access-list outside_access_in permit icmp any any echo-reply
access-list dmz_outbound_nat0_acl permit ip site1-dmz 255.255.255.0 site3-lan 255.255.255.0
access-list dmz_outbound_nat0_acl permit ip site1-dmz 255.255.255.0 site2-lan 255.255.255.0
access-list outside_cryptomap_20 permit ip site1-lan 255.255.255.0 site3-lan 255.255.255.0
access-list outside_cryptomap_20 permit ip site1-dmz 255.255.255.0 site3-lan 255.255.255.0
access-list outside_cryptomap_40 permit ip site1-lan 255.255.255.0 site2-lan 255.255.255.0
access-list outside_cryptomap_40 permit ip site1-dmz 255.255.255.0 site2-lan 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 2xx.1xx.2xx.1xx 255.255.255.240
ip address inside 192.168.38.254 255.255.255.0
ip address dmz 192.168.28.254 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm location 192.168.38.100 255.255.255.255 inside
pdm location site1-dmz 255.255.255.0 inside
pdm location 192.168.88.100 255.255.255.255 inside
pdm location site3-lan 255.255.255.0 outside
pdm location 192.168.28.51 255.255.255.255 dmz
pdm location 192.168.28.52 255.255.255.255 dmz
pdm location 192.168.38.50 255.255.255.255 inside
pdm location site2-lan 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 203.161.233.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.38.100 255.255.255.255 inside
http 192.168.88.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 2xx.1xx.1xx.2xx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 2xx.2xx.2xx.1xx
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 2xx.1xx.1xx.2xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 2xx.2xx.2xx.1xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh 192.168.88.100 255.255.255.255 inside
ssh 192.168.38.100 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 5
terminal width 80

I suppose the PIX should allow traffic from high security to low security, which means that without setting any ACLs, by default the 515e LAN should be able to access the 515e DMZ, right? Have I missed something in the config?

Thanks in advance for your help & looking forward to your comments!
 
You don't have a translation for the DMZ, that's the reason why you can't access the DMZ from the LAN. The same goes for the DMZ access to the LAN...

You need the following commands:

static (inside,dmz) 192.168.38.0 192.168.38.0 netmask 255.255.255.0

access-list dmz_access_in permit ip 192.168.28.0 255.255.255.0 192.168.38.0 255.255.255.0

access-group dmz_access_in in interface dmz

That should take care of your problem. Please realize the access list is pretty much open for all traffic from DMZ to inside so you may want to tighten it up a bit. If you have any concerns about the commands above, I would advise you to read the link below:

 
You could also do it w/o a static translation, but use a PAT translation to get to your DMZ.

global (dmz) 1 interface
 
But then the DMZ would not be able to talk to the LAN.
 
You're kind of defeating the purpose of your DMZ if you allow it to communicate with your INSIDE.

By using PAT for your INSIDE to access the DMZ, it allows the INSIDE to initiate communications with a host or hosts in the DMZ but not the other way around.
 
baddos you're right about that one... but sometimes you need to initiate connections from the DMZ to the inside and it looks to me like this is one of those cases... :)
 
Yeah... It's one of those things where you can do it, but you have to be careful.
 
Thanks for all the suggestions. I added
static (inside,dmz) 192.168.38.0 192.168.38.0 netmask 255.255.255.0
access-list dmz_access_in permit ip 192.168.28.0 255.255.255.0 192.168.38.0 255.255.255.0
access-group dmz_access_in in interface dmz

but somehow it didn't work. Then I added
global (dmz) 1 interface
and it still didn't work.

Any idea why it still doesn't work after adding those commands?
Many thanks!
 
DMZ-LAN now works!

Please ignore my previous post: after adding the "static, access-list, access-group" commands, dmz-lan can talk both ways. Thanks so much for all your suggestions!!

Now I have another question. From site2/site3-lan I can ping site1-lan but cannot ping site1-dmz. What should I do to allow site2/site3-lan to talk to the dmz? Initially I added both site1-dmz and site1-lan to the VPN tunnels; is that normal/correct?

Thanks in advance for your help again!
 
Add this to your ACL.

access-list dmz_access_in permit ip 192.168.68.0 255.255.255.0 192.168.38.0 255.255.255.0
 
Thanks baddos, unfortunately it didn't help.
Added
access-list dmz_access_in permit ip 192.168.68.0 255.255.255.0 192.168.28.0 255.255.255.0 (remark: dmz should be 28.0 instead of 38.0), didn't work.
Then added
access-list outside_access_in permit ip 192.168.68.0 255.255.255.0 192.168.28.0 255.255.255.0, didn't work.

Now site2-lan (68.0) can access site1-lan (38.0) but cannot access site1-dmz (28.0). How can I make the servers in site1-dmz accessible to site2-lan?

Million thanks in advance!!!
 
Please repost your access-lists and access-groups again. Also, post the ip subnet of your dmz and all the networks that need access to it.
 
Hi baddos, here it goes:

Remark: site1-lan 192.168.38.0, site1-dmz 192.168.28.0
site2-lan 192.168.88.0, site3-lan 192.168.68.0

access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024) alert-interval 300
access-list inside_outbound_nat0_acl; 3 elements
access-list inside_outbound_nat0_acl line 1 permit ip 192.168.38.0 255.255.255.0 192.168.88.0 255.255.255.0 (hitcnt=293)
access-list inside_outbound_nat0_acl line 2 permit ip 192.168.38.0 255.255.255.0 192.168.68.0 255.255.255.0 (hitcnt=32)
access-list inside_outbound_nat0_acl line 3 permit ip 192.168.28.0 255.255.255.0 192.168.68.0 255.255.255.0 (hitcnt=0)
access-list inside_outbound_nat0_acl line 4 permit ip 192.168.28.0 255.255.255.0 192.168.88.0 255.255.255.0 (hitcnt=0)
access-list outside_access_in; 1 elements
access-list outside_access_in line 1 permit icmp any any echo-reply (hitcnt=12)
access-list dmz_outbound_nat0_acl; 1 elements
access-list dmz_outbound_nat0_acl line 1 permit ip 192.168.28.0 255.255.255.0 192.168.88.0 255.255.255.0 (hitcnt=98)
access-list outside_cryptomap_20; 2 elements
access-list outside_cryptomap_20 line 1 permit ip 192.168.38.0 255.255.255.0 192.168.88.0 255.255.255.0 (hitcnt=5395)
access-list outside_cryptomap_20 line 2 permit ip 192.168.28.0 255.255.255.0 192.168.88.0 255.255.255.0 (hitcnt=20)
access-list outside_cryptomap_40; 2 elements
access-list outside_cryptomap_40 line 1 permit ip 192.168.38.0 255.255.255.0 192.168.68.0 255.255.255.0 (hitcnt=27)
access-list outside_cryptomap_40 line 2 permit ip 192.168.28.0 255.255.255.0 192.168.68.0 255.255.255.0 (hitcnt=0)
access-list dmz_access_in; 1 elements
access-list dmz_access_in line 1 permit ip 192.168.28.0 255.255.255.0 192.168.38.0 255.255.255.0 (hitcnt=25)
access-list dmz_access_in line 2 permit ip 192.168.28.0 255.255.255.0 192.168.88.0 255.255.255.0 (hitcnt=0)

Maybe I can explain more about it. What I want to do is set up a Citrix server in site1-dmz, which should be accessible from site1/2/3-lan for now, and from outside in the future. That dmz Citrix server also needs to access application data on a production server in site1-lan. That's why I want site1/2/3-lan to talk to site1-dmz in both directions.

Hope that clarifies your doubts & thanks so much for your help!
 
To all great guys who keep on supporting me, it was fixed (partially, I guess) after adding this:

access-list dmz_access_in permit icmp any any echo-reply

So now I can ping the device in site1-dmz from site3-lan.
However, that device can only respond to ping, so I'm not sure whether, if I put a server there, all the required server services will be accessible. Does that mean I need to set up more dmz_access_in entries to allow different types of incoming traffic?

Thanks again for your super help!
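The rules the answers in this thread rely on, as an added example (not code from the thread, from Cisco, or from any poster): a simplified Python model of PIX 6.3 flow admission that reproduces why inside-to-dmz failed with the posted config, why the first answer's static plus dmz_access_in fixed it, and why the dmz access-group then silently blocked the echo-replies to the remote site until the final "permit icmp any any echo-reply" was added. The security levels and subnets come from the posted config; the remote LAN 192.168.88.0/24, the host addresses, and the reduction of the config to a few rules are assumptions of this model.

```python
# Simplified model of PIX 6.3 flow admission, constructed for this thread (not code from the
# forum or from Cisco). A flow needs a translation for its source on the egress interface and
# a permit from the ingress access-group, if one is applied; ICMP is not tracked statefully.
from ipaddress import ip_address, ip_network

SEC = {"outside": 0, "dmz": 4, "inside": 100}          # security levels from the posted config
LOCAL = {"inside": ip_network("192.168.38.0/24"), "dmz": ip_network("192.168.28.0/24")}
VPN_LAN = "192.168.88.0/24"                            # assumed remote LAN arriving through the tunnel

def iface_of(ip):
    return next((n for n, net in LOCAL.items() if ip_address(ip) in net), "outside")

def acl_permits(rules, src, dst, proto):               # rules: (src_net, dst_net, proto); 'ip' matches all
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) and p in ("ip", proto) for a, b, p in rules)

def has_xlate(cfg, ing, eg, src, dst):
    static = (ing, eg) in cfg["static"] or (eg, ing) in cfg["static"]   # static (high,low) works both ways
    pat = SEC[ing] > SEC[eg] and eg in cfg["global"]                  # nat/global PAT: outbound only
    nat0 = cfg["nat0"].get(ing, []) + cfg["nat0"].get(eg, [])        # nat 0 exemption is bidirectional
    return static or pat or acl_permits(nat0, src, dst, "ip") or acl_permits(nat0, dst, src, "ip")

def flow_ok(cfg, src, dst, proto, reply=False):        # one packet direction; a reply reuses its request's xlate
    ing, eg = iface_of(src), iface_of(dst)
    if not reply and not has_xlate(cfg, ing, eg, src, dst):
        return False, f"no translation for {src} on {eg}"
    if ing == "outside" and ip_address(src) in ip_network(VPN_LAN) and cfg["permit_ipsec"]:
        return True, "sysopt connection permit-ipsec bypasses the outside ACL"
    if ing in cfg["acl"]:                              # access-group applied: explicit permit or implicit deny
        ok = acl_permits(cfg["acl"][ing], src, dst, proto)
        return ok, "ACL permit" if ok else f"implicit deny at end of {ing} access-group"
    ok = SEC[ing] > SEC[eg]                            # no access-group: the security levels decide
    return ok, "default high->low permit" if ok else "low->high needs a static and an ACL"

def session_ok(cfg, src, dst, icmp=False):
    """TCP returns ride the conn entry; a ping's echo-reply must pass the ACL on its own."""
    ok = flow_ok(cfg, src, dst, "echo" if icmp else "tcp")[0]
    return ok and (not icmp or flow_ok(cfg, dst, src, "echo-reply", True)[0])

BASE = {"static": set(), "global": {"outside"}, "permit_ipsec": True,   # zacca's posted config, reduced
        "nat0": {"inside": [("192.168.38.0/24", VPN_LAN, "ip")], "dmz": [("192.168.28.0/24", VPN_LAN, "ip")]},
        "acl": {"outside": [("0.0.0.0/0", "0.0.0.0/0", "echo-reply")]}}

def fixed(cfg, echo_reply=False):                      # first answer's static + dmz_access_in, then the final permit
    cfg = {**cfg, "static": cfg["static"] | {("inside", "dmz")}, "acl": dict(cfg["acl"])}
    cfg["acl"]["dmz"] = [("192.168.28.0/24", "192.168.38.0/24", "ip")]
    if echo_reply:
        cfg["acl"]["dmz"].append(("0.0.0.0/0", "0.0.0.0/0", "echo-reply"))
    return cfg
```

The `reason` strings from `flow_ok` point at which of the two checks failed, which is the same question to ask of a real PIX 6.3 with `show xlate`, `show access-list` hit counts and `debug icmp trace`.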
 