Pix Firewall Static Translation

[Guest_imported]

I am trying to configure a Pix 515 with 3 interfaces, Inside, Outside and dmz. I am using version 6.1.
Internal uses 10.0.0.0 addresses all on the same subnet.
DMZ uses public addresses in the 203.63.x.x range.
External uses public addresses in a similar range to the DMZ but on a different subnet.
I can telnet from inside to the external router so traffic from inside to outside seems OK.
The web and mail servers on the dmz can access the internet and vice-versa.
People inside cannot reach the dmz and vice versa.
I think it's probably a translation problem but can't seem to find the answer. All the examples in the Cisco manuals use private addressing in the dmz, which get translated.
My dmz addresses don't need to be translated but how do I get access to the dmz from inside?
I would be grateful for any assistance.
Here is a partial configuration. fred and jane are web and mail servers in the dmz.
global (outside) 203.63.x.43-203.63.x.44 netmask 255.255.255.255 0.0
global (outside) 1 interface
nat (inside) 1 10.1.50.0 255.255.255.0 0 0
static (dmz,outside) fred fred netmask 255.255.255.255 0 0
static (dmz,outside) jane jane netmask 255.255.255.255 0 0
static (inside,outside) 203.63.x.41 10.1.50.240 netmask 255.255.255.255 0 0
static (inside,outside) 203.63.x.42 10.1.50.253 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.50.0 10.1.50.0 netmask 255.255.255.0 0 0
tia Rob

 

[ChrisAC]

Firstly, your users on the inside network on the 10.0.0.0 addresses need to be translated to get into the DMZ. You need a global (DMZ) command to allow inside users to get to the DMZ in the same way that you use a global (outside) to allow them internet access.

Secondly, never configure servers with live IP addresses. Your DMZ should be using private IP's in the DMZ. For example you could use 172.16.10.0 /24 for your DMZ. You would then do static translations from the global live IP to the privte actual IP. You then control access to these servers access-lists or conduits.

I see if I can find a config example!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************

 

[ChrisAC]

Okay, here's an example.

In this example the inside network is 10.1.1.0 /24, the DMZ is on the 172.16.1.0 /24 range and for this example the live routeable IP range is 192.168.2.0 /24 (not really routeable I know but it works for this example .. I'm not giving you my IP's!! LOL!)

So, the inside users can get to the outside using NAT ..

global (outside) 1 192.168.2.10-192.168.2.200 netmask 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0 0 200

Each inside users will get a dymanic IP between 192.168.2.10 - .200. You could also use global (outside) 1 interface to use PAT in the external interface address.

The inside users can also get to the DMZ ..

global (dmz) 1 172.16.1.150 netmask 255.255.255.0

Each users will get the IP address 172.16.1.150 on the DMZ.

The web and ftp server on the DMZ has an address of 172.16.1.101 with a global address of 192.168.2.210.

static (dmz,outside) 192.168.2.210 172.16.1.101 netmask 255.255.255.255 0 200

I can then allow the outside to access the server with an access list ..

access-list acl_in permit tcp any host 192.168.2.210 eq www
access-list acl_in permit tcp any host 192.168.2.210 eq ftp
access-list acl_in permit icmp any any
access-list acl_in deny ip any any
access-group acl_in in interface outside

So, the internal users can get to the internet and to the server on the DMZ and external users can only get to the server on the DMZ on http or ftp!

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname firewall-b
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.2.2 router-b
name 192.168.100.100 server
access-list acl_in permit tcp any host 192.168.2.210 eq www
access-list acl_in permit tcp any host 192.168.2.210 eq ftp
access-list acl_in permit icmp any any
access-list acl_in deny ip any any
pager lines 24
logging on
logging timestamp
logging trap debugging
logging history debugging
logging host inside 10.1.1.20
logging host outside server
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.168.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.100 255.255.255.0
ip audit name ids_system info action alarm
ip audit name ids_attack attack action alarm drop
ip audit interface outside ids_system
ip audit interface outside ids_attack
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 192.168.2.10-192.168.2.200 netmask 255.255.255.0
global (dmz) 1 172.16.1.150 netmask 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0 0 200
static (dmz,outside) 192.168.2.210 172.16.1.101 netmask 255.255.255.255 0 200
access-group acl_in in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 router-b 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
no sysopt route dnat
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 10.1.1.10-10.1.1.50 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:f06dbdbba30ab3f9a0050ae4e93ea5f5
firewall-b#

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************

 

[Guest_imported]

Chris, Thanks very much for taking the time to make such a comprehensive reply. Your suggestion has worked and the inside users can now access the dmz.
I will review the use of public addresses in the dmz. Originally it was an employee of a Cisco dealer who recommended it be done that way.
Regards
Rob

 

[ChrisAC]

I'm here to help (and to be helped!!)

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************