
PIX 520 Firewall Setting up DMZ - HELP!!!!!


psolis

MIS
Feb 28, 2002
47
US
Hello, I have been working on our company's firewall for about a week now because we lost some people. Everything works fine. My goal is to set up a web server on the DMZ1 and be able to get to it from the Internet. We have a router, a Cisco 2621 (I will give you fake IPs for this question - 65.85.4.251 - inside Ethernet interface), on the outside with a T1 coming in from the ISP - from there it goes to a PIX 520 (inside) interface (65.85.4.249). The global IP is (65.85.4.250). Inside interface (10.123.123.2). We have 6 total interfaces = inside, outside, dmz1, dmz2, dmz3, dmz4. I just received a new scope of real-world IPs and configured the inside Ethernet interface on the router to route for this new network (.80 network). I assigned it (the Ethernet interface on the router) the default gateway for the new scope (62.80.3.81). I can ping it from our web server, which I telneted into (it is located in a different state in the U.S.). I assigned the DMZ1 interface one of the available IPs from the new scope (62.80.3.82) and then consoled into the router, but I can't ping it from the router. I CAN ping the IP of the outside interface of the PIX (65.85.4.249), which belongs to a different IP scope.

I'm running NAT, so everyone on the 10.123.123.0 network is able to surf the Internet. The one computer I have set up on the DMZ1 (62.80.3.83) can also surf the Internet because the 65.85.4.250 (global) on the outside interface is doing its thing.

global (outside) 1 65.85.4.250 netmask (subnetmask)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0


Can I assume that all traffic from the DMZ1 has to go out the (outside) interface.

Oh, I set up a

global (dmz1) 1 62.80.3.90 netmask (subnetmask)
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0


for the DMZ1.

I can ping the computer on the DMZ1 from the 10.123.213.0 internal network but can't ping the 10.123.123.0 network from the computer on the DMZ1. (I am OK with that.) I just want the 10.123.123.0 network to be able to access this computer from the inside - which it can - and I want people on the Internet to be able to access this computer (it will be a web server).

Why can't I ping the DMZ1 interface or the computer on the DMZ1 from the router? - I set the router up to route for this new scope of IPs.

So I telneted into our web server (in the other state) from the computer on the DMZ1 and then checked the login status, and it said that the IP logged in was the global IP for the (outside) interface. Because of this I am assuming that the DMZ1 traffic headed outbound goes through the (outside) interface to get out. Is this correct? If so, how do I set up a static route to the computer on the DMZ1 from the (outside) interface, and am I wasting my time putting real-world IPs on the DMZ1 interface and on the computer on the DMZ1?
 
HI.

I didn't follow your whole post in detail, but it seems like a simple misconfiguration problem.

To access a DMZ host from outside you need both the following:
1) a STATIC command.
2) access-list or conduit.

To check your problem, better use TCP connections instead of ping. Try telnet from outside router to an open port on your server, and/or connect a workstation to outside either directly or via modem connection to ISP and use it for testing.
You can also go to this site:
and use the http (3rd) tool to check connectivity to your web server.

To debug, use syslog messages of the pix (start with level 4 or higher).
In many cases it will point you to the source of problem if any.

To learn more on the PIX, see the documentation and samples:
Go to the configuration guide and command reference, and read in detail about the STATIC command and about ASA.

To use a GUI interface that can help you with PIX configuration and management, implement PDM if your PIX is version 6.0 or above.

Bye
Yizhar Hurwitz
 
Phew!!! That's a confusing message!! You sure have got yourself in a pickle there!!

I've just got one point as I'm confused as hell!!

With regard to your IP's on your DMZ, I would use private IP's if I were you and do a static NAT for the webserver.

static (dmz, outside) <routable_IP> <private_IP>

You can then give the DMZ interface something like a 172.16.x.y IP. Saves on live IP's!! So, you could make your DMZ a 172.16.1.0 /24 network. Give the DMZ interface 172.16.1.254 (for example) and the web server 172.16.1.10. Your outside NAT address could be the same as the outside interface using the command,

global (outside) 1 interface

So, you only need to use two live IPs, one for the outside interface and one for the web server, although its "actual" configured IP would be 172.16.1.10.

Don't forget to create an ACL or conduit to allow access to the web server! The only route you should need to configure should be the default route out to the router (unless you have routers behind the firewall as well!!).

One more thing ....

"Why can't I ping the DMZ1 interface or the computer on the DMZ1 from the router? - I set the router up to route for this new scope of IP's."

The router will be on the outside interface (security 0) and the DMZ has a higher security level, so connections from the outside to the DMZ won't be allowed unless you create the rules to let them in. You would need to allow icmp in to the DMZ, which I wouldn't recommend!

Best of luck!

Chris.


************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Cool - I understand that a static and access-list are needed to get to the server through the firewall - would the static command be from the outside global IP to the dmz1 IP address of the server, and should I be using private IPs for the dmz1 - and was I correct that all traffic inbound or outbound to and from the DMZ goes through the outside interface? Oh - it is version 5.1 (2)

Thanx

P.S. Thanks for replying so soon - you're awesome. Very nice to have someone who cares to help other people.
 
Thanks Chris - you said that the outside NAT could be the same as the outside interface - can that cause any problems? Right now I have one real-world IP for the outside interface and one running the NAT (example: (outside) 65.54.10.249 and another for the global (outside) 65.54.10.250) - you're saying that I can change the global IP for the outside to 65.54.10.249? If I do that and make a static entry from that IP to the server (let's say 172.16.1.10) on the DMZ, will it mess up the web requests from the inside network 10.123.123.0? Won't it send all the traffic coming back in over to the server on dmz1, or is that a stupid question?
 
Kind of!

You would need a different IP for the web server to the outside interface. Let's say for argument's sake that your outside IP address is 65.54.10.249. If you enter the commands ...

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

... then all traffic from the inside network will go out via the external interface with the IP address 65.54.10.249. I actually think that you need to upgrade to version 6.0 to do this. Otherwise you need to use another IP to do NAT as you already have done. But, if you can upgrade to version 6.0 then use the "interface" command to save on IP's.

You also need to assign a routable IP to your web server. Let's say that the DNS record for points to 65.54.10.252, then your static map would map that address to the actual address on the DMZ (like 172.16.1.10).

static (dmz, outside) 65.54.10.252 172.16.1.10

You would also create the conduit to allow port 80 to the web server:

conduit permit tcp host 65.54.10.252 eq 80 any

So, when traffic comes into the PIX from the outside interface with a destination address of 65.54.10.252 on port 80, the conduit allows it and then the PIX routes the packets to 172.16.1.10 on the DMZ.

Is this any help??

Chris.



************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
I understand the need for the static route from 65.54.10.252 to the 172.16.1.10, but where do I assign the IP 65.54.10.252? The global IP for making the requests of the inside network is 65.54.10.250 - were you thinking it was .252? If you knew it was .250, where do I assign the IP .250? Also - can I do this while keeping my current version? 5.1 (2)
 
OK ... .252 was just an example!! So, if your web server is on 65.54.10.250 (for example) then you use that on your static map,

static (dmz, outside) 65.54.10.252 172.16.1.10

I'm just using an example there of what the server's actual IP might be, 172.16.1.10. You don't actually configure the 65.54.10.250 address on anything! It's like a "virtual" address. The outside world sees the address of the web server as 65.54.10.250, but its actual address is 172.16.1.10 (or whatever private IP's you use on your DMZ). The PIX does the translation from global IP to actual IP (local IP).

Note, this has nothing to do with the IP address of the outside interface!! This is the IP address of your web server.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Sorry, that static map should be,

static (dmz, outside) 65.54.10.250 172.16.1.10

I must be really confusing you now!!

LOL!!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Thanks Chris - I noticed the error in the static map and I was going to reply to it before I looked down and noticed you corrected it - thanks - I'm going to try this out and let you know how it goes - here I go - Paul
 
WOO HOO!!!!

Yes! Allow port 80 into your webserver and you're cooking!!

Well done!!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
I got it! It works - thanks Chris - you're awesome!
 
One more question - I installed an Exchange server on this machine and can send out mail with no problem - I also changed the DNS records to point to this IP address, and the default website comes up when I type in the domain name, so I know it's pointing to the right place - I also ping the domain name and it replies with the correct IP address (static mapped IP). 2 things actually - when someone replies to me from an email sent from this Exchange server (on dmz), I'm not receiving it - do I need to enter into the PIX config something that allows mail to come in - MX records are pointing to the correct IP (static mapped IP) - the website shows up. Or is this an issue with the Exchange server?
 
Could be an Exchange issue I guess!! Have you got an access list on the PIX that allows port 25 in?

What's your domain??

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
I have no access lists configured at this time - the only line in my config that has smtp in it is:
fixup protocol smtp 25

What access-list would I need to allow the mail to be sent to this Exchange through the firewall - now that I remember, I set up Exchange from home (cable modem) and pointed DNS records to the home IP address and everything worked fine - probably because there wasn't a firewall - this is only relevant because I think it isn't an Exchange issue.
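The rule Chris spells out earlier in the thread (a static translation plus a conduit are both needed before anything on the lower-security outside interface can reach a DMZ host, while higher-to-lower traffic passes through nat/global) also explains the unanswered SMTP question above: the port-80 conduit does nothing for port 25. The following Python model is an added editorial example, not code from the thread or from Cisco; it parses only the two command forms the thread uses, assumes the security levels 0/50/100 and the subnets shown (constructed from the thread's example addresses), and evaluates sample packets against them.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed topology built from the thread's example addresses (not a real
# network): interface name -> (security level, directly connected subnet).
INTERFACES = {
    "outside": (0,   ipaddress.ip_network("65.54.10.0/24")),
    "dmz":     (50,  ipaddress.ip_network("172.16.1.0/24")),
    "inside":  (100, ipaddress.ip_network("10.123.123.0/24")),
}

# Assumed minimal grammar for the only two commands the thread relies on.
STATIC_RE = re.compile(r"static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(\S+)\s+(\S+)")
CONDUIT_RE = re.compile(
    r"conduit\s+permit\s+(\w+)\s+host\s+(\S+)(?:\s+eq\s+(\d+))?\s+any")


@dataclass(frozen=True)
class Static:
    high_if: str    # interface holding the real (local) address
    low_if: str     # interface where the global address is presented
    global_ip: str
    local_ip: str


@dataclass(frozen=True)
class Conduit:
    proto: str
    global_ip: str
    port: Optional[int]  # None means any destination port


@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str
    dst_ip: str
    dst_port: Optional[int] = None


def parse_config(text):
    """Parse 'static (high,low) global local' and
    'conduit permit P host G [eq N] any' lines; everything else is ignored."""
    statics, conduits = [], []
    for line in text.splitlines():
        if m := STATIC_RE.match(line.strip()):
            statics.append(Static(*m.groups()))
        elif m := CONDUIT_RE.match(line.strip()):
            proto, gip, port = m.groups()
            conduits.append(Conduit(proto, gip, int(port) if port else None))
    return statics, conduits


def egress_interface(pkt, statics):
    """A static whose global address matches the destination wins; otherwise
    use the connected subnet, and fall back to the default route (outside)."""
    for s in statics:
        if s.low_if == pkt.in_if and s.global_ip == pkt.dst_ip:
            return s.high_if, s
    addr = ipaddress.ip_address(pkt.dst_ip)
    for name, (_, net) in INTERFACES.items():
        if addr in net:
            return name, None
    return "outside", None


def conduit_permits(pkt, conduits):
    return any(
        c.proto == pkt.proto
        and c.global_ip == pkt.dst_ip
        and (c.port is None or c.port == pkt.dst_port)
        for c in conduits)


def evaluate(pkt, statics, conduits):
    """Higher-to-lower security passes by default (hidden behind nat/global);
    lower-to-higher needs a static for the destination AND a matching conduit."""
    out_if, static = egress_interface(pkt, statics)
    if out_if == pkt.in_if:
        return "deny", f"{pkt.dst_ip} is not translated on {pkt.in_if}"
    if INTERFACES[pkt.in_if][0] > INTERFACES[out_if][0]:
        return "permit", f"{pkt.in_if}->{out_if} via nat/global"
    if static is None:
        return "deny", f"no static maps {pkt.dst_ip} on {pkt.in_if}"
    if not conduit_permits(pkt, conduits):
        return "deny", f"static exists but no conduit permits {pkt.proto}/{pkt.dst_port}"
    return "permit", f"{pkt.in_if}->{out_if}, {pkt.dst_ip} translated to {static.local_ip}"


# Constructed config: the thread's corrected static plus its port-80 conduit.
CONFIG = """
static (dmz, outside) 65.54.10.250 172.16.1.10
conduit permit tcp host 65.54.10.250 eq 80 any
"""

if __name__ == "__main__":
    statics, conduits = parse_config(CONFIG)
    for pkt in [
        Packet("outside", "tcp", "65.54.10.250", 80),   # web from Internet
        Packet("outside", "tcp", "65.54.10.250", 25),   # inbound SMTP
        Packet("outside", "icmp", "65.54.10.250"),      # router ping to DMZ host
        Packet("inside", "tcp", "172.16.1.10", 80),     # inside to DMZ
        Packet("dmz", "icmp", "10.123.123.5"),          # DMZ to inside
        Packet("inside", "tcp", "198.51.100.7", 443),   # inside to Internet
    ]:
        print(pkt, "->", evaluate(pkt, statics, conduits))
```

Running it shows port 80 permitted and translated to 172.16.1.10, inbound SMTP and the router's ping denied even though the static exists, and the asymmetry between inside-to-DMZ (allowed) and DMZ-to-inside (denied) that the original poster observed. Appending a second conduit for tcp/25 to the same host is the one change that flips the SMTP verdict; ICMP stays blocked unless an icmp conduit is added, which Chris advises against.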
 