Pix 515e dmz webaccess

[fdiskboy]

Hi,

We have placed our webserver on the DMZ and i have open port so our webserver can access our SQL inside the network.

We like to give our Webserver outgoing http access and i have added:
access-list 110 permit tcp host Webserver any eq www
access-list 110 permit tcp host Webserver any eq domain
access-list 110 permit udp host Webserver any eq domain

However, our webserver can't access internet, and when we try to do an nslookup it timed out; Please help.

We also like to give our VPN user ability to browse the web when VPN, and i have not find the information on how to do it, could someone please point out where i should look?

Here is our Pix list:

:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password wccvB77.a7ep26V/ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.11 Venus
name 192.168.0.33 Saturn
name 198.97.78.131 LAMV_AFIPRemote2
name 198.97.78.136 LAMV_AFIPremote1
name 4.21.101.237 LAMV_SCILAN
name 192.168.0.12 Jupiter
name 4.21.101.233 ASW_SCILAN
name 217.3.3.13 Mailx_and_OWA
name 192.168.1.10 Webserver

access-list inside_outbound_nat0_acl permit ip any 10.0.0.0 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 10.0.0.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.0 255.255.255.240
access-list outside_cryptomap_dyn_40 permit ip any 10.0.0.0 255.255.255.224

access-list dmz_access_in permit udp host Webserver eq 1434 host Jupiter eq 1434
access-list dmz_access_in permit tcp host Webserver eq 1434 host Jupiter eq 1434
access-list dmz_access_in permit tcp host Webserver eq 1433 host Jupiter eq 1433
access-list dmz_access_in permit udp host Webserver eq 1433 host Jupiter eq 1433
access-list dmz_access_in permit tcp host Webserver host Jupiter

access-list 110 permit tcp host Webserver any eq www
access-list 110 permit tcp host Webserver any eq domain
access-list 110 permit udp host Webserver any eq domain

pager lines 24
logging on
logging facility 16
logging device-id ipaddress inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 217.3.3.10 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNpool 10.0.0.1-10.0.0.20
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Mailx_and_OWA Saturn netmask 255.255.255.255 0 0
static (inside,outside) 217.3.3.12 Venus netmask 255.255.255.255 0 0
static (dmz,outside) 217.3.3.14 Webserver netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
access-group out2in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 217.3.3.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map interface inside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

vpngroup adminvpn address-pool VPNpool
vpngroup adminvpn dns-server Venus
vpngroup adminvpn default-domain ftechi.com
vpngroup adminvpn idle-time 1800
vpngroup adminvpn password ********

Thanks in advanced for your help.

 

[lgarner]

Webserver doesn't need any ACL to access the Internet, but there needs to be an inbound ACL for connectionless traffic to get back to Webserver.

An ACL called "out2in" is applied to the outside i/f, but I don't see it defined. ACL 110 is defined, but I don't see it applied. If you include those it would help troubleshoot the problem.

For VPN users, check out Cisco's instructions on setting up "split-tunnel". If you decide the security issues aren't a major concern, that's how you'd allow VPN clients to surf the web.

 

[fdiskboy]

Thank you Lgarner for your response. I'll try out your recommendation.

Thanks again.

 

[martinp05]

Hello!

I do not agree. The pix is a statefull-firewall. So if the dmz-server starts the connections, the HOLE traffic will be routed back to the server. you do not need an inbound rule for the traffic, which is going back.

The only thing you need, if the connections is going from the dmz (higher sec-level) to the internet (lower sec-level), is a static/nat/pat.
This depends on the webserver in the dmz. if the webserver in the dmz should be accessable via the internet you will need a static for this server. otherwise you need a pat, or whatever.

the most importaint thing is, that you make any kind of nat/pat/static.

i can see you did such a static.
ok, if you did not make a access-rule on the dmz-interface, the hole traffic will be allowed (this is a feature of the pix).

access-group dmz_access_in in interface dmz

but, you made a access-group. this group is applied to the dmz-interface.


The access-list, you did, does not do anything, because it is not applied to any interface.
access-list 110 permit tcp host Webserver any eq www
access-list 110 permit tcp host Webserver any eq domain
access-list 110 permit udp host Webserver any eq domain

you need something like this
access-list dmz_access_in permit tcp host webserver any eq www

access-list dmz_access_in permit tcp host webserver any eq domain

access-list dmz_access_in permit udp host webserver any eq domain

This WILL work!! And please do not open an access-list on the outside interface for "retour-pakets", this is not necessary.

martin






martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator

 

[lgarner]

... an inbound ACL for connectionless traffic... "

Try pinging an outside address through the Pix without an external ACL applied to permit icmp echo-reply to come in. This is a common issue that is often overlooked.

 

[martinp05]

hello,


sure, if you want to ping a webserver, behind a pix, you need to make an acl on the outside interface.

but, if a connection is started on the inside network, you do not need an acl for the traffic back to the system (of course for icmp you need it, because it is not statefull on the pix).

but to solve his problem (to get internet access from the dmz, you do not need to make an acl for the traffic back to the dmz).

martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator

 

[lgarner]

He didn't indicate the type of access, and I didn't make an assumption.

 

[martinp05]

hello,

sorry, i don not understand you.

to solve his problem, he only need so enable the dmz-server to get access to the internet.

there are two ways:
no acl (then outbound traffic is allowed), or he makes an an acl (applied to the dmz-interface)

in both ways he needs some sort of nat/pat/static...

martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator

 

[fdiskboy]

Thank you Martinp05 for your response, i have applied your ACL and i can get outbound http access:
access-list dmz_access_in permit tcp host webserver any eq www
access-list dmz_access_in permit tcp host webserver any eq domain
access-list dmz_access_in permit udp host webserver any eq domain

However, i still don't understand why when i do an NSlookup, it does not resolve to any ip address, but i can still surf the web!!

On the split-tunnel, i have added:
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0

but when i vpned i can do an NSlookup and it resolved, but i can't surf the web.

Here is my config:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password wccvB77.a7ep26V/ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.11 Venus
name 192.168.0.12 Jupiter
name 4.21.101.233 ASW_SCILAN
name 217.3.3.13 Mailx_and_OWA
name 192.168.1.10 Webserver

access-list inside_outbound_nat0_acl permit ip any 10.0.0.0 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 10.0.0.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.0 255.255.255.240
access-list outside_cryptomap_dyn_40 permit ip any 10.0.0.0 255.255.255.224

access-list dmz_access_in permit udp host Webserver eq 1434 host Jupiter eq 1434
access-list dmz_access_in permit tcp host Webserver eq 1434 host Jupiter eq 1434
access-list dmz_access_in permit tcp host Webserver eq 1433 host Jupiter eq 1433
access-list dmz_access_in permit udp host Webserver eq 1433 host Jupiter eq 1433
access-list dmz_access_in permit tcp host Webserver host Jupiter

access-list dmz_access_in permit tcp host webserver any eq www
access-list dmz_access_in permit tcp host webserver any eq domain
access-list dmz_access_in permit udp host webserver any eq domain

pager lines 24
logging on
logging facility 16
logging device-id ipaddress inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 217.3.3.10 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNpool 10.0.0.1-10.0.0.20
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Mailx_and_OWA Saturn netmask 255.255.255.255 0 0
static (inside,outside) 217.3.3.12 Venus netmask 255.255.255.255 0 0
static (dmz,outside) 217.3.3.14 Webserver netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
access-group out2in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 217.3.3.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map interface inside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

vpngroup admin address-pool VPNpool
vpngroup admin dns-server Venus
vpngroup admin default-domain domain.com
vpngroup admin inside_outbound_nat0_acl
vpngroup admin idle-time 1800
vpngroup admin password ********

Thank you very much for all of your help Gents.