Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Problem accessing the DMZ from the Inside 1

Status
Not open for further replies.

APlant

Technical User
Aug 2, 2001
45
GB
Hello,
I'm having a problem connecting to my DMZ from the inside network. Connection from the Internet into the DMZ is working fine.
My internal network is 10.10.0.0/16
The DMZ is 10.0.0.0/16

I need to do two things. One is to connect to the DMZ from the Inside network and secondly for the Web server to talk to the AS/400. I can't seem to do either of these.
The web server's address on the DMZ is 10.0.1.100, the AS/400 on the inside is 10.10.1.1.
I have turned on debugging on the PIX and can see a PC on the inside network trying to communicate with the Web server on the DMZ, so I know my routing is OK.
I've been looking at this for ages, I have even tried a completely different subnet for my DMZ (192.168.1.0/24) but this had the same problem.
I can telnet to the Ethernet-T/R router and ping the Web serve from there and I can also ping the Web server from the PIX. I can't ping the internal network from the Web server.
The company also has a T/R network hence the mention of 136.44.1.0 in this config.The ethernet to T/R is bridged via a Cisco 2601 router.
I'd really appreciate it if someong could look at my config and tell me where I'm going wrong. Many thanks.

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname xxxxxxxxxx
domain-name secure.xxxxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list v3vpn permit ip 10.10.0.0 255.255.0.0 172.16.50.0 255.255.255.0
access-list v3vpn permit ip 136.44.1.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list no-nat permit ip 10.10.0.0 255.255.0.0 172.16.50.0 255.255.255.0
access-list no-nat permit ip 136.44.1.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list fromout permit tcp any host 194.x.x.245 eq www
access-list fromdmz permit tcp host 10.0.1.100 host 10.0.1.20
pager lines 24
logging on
logging monitor debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1514
mtu inside 1514
mtu dmz 1500
ip address outside 194.x.x.249 255.255.255.240
ip address inside 10.10.2.1 255.255.0.0
ip address dmz 10.0.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclients 172.16.50.1-172.16.50.100
ip local pool pptp-pool 172.16.50.101-172.16.50.200
pdm location 10.10.2.1 255.255.255.255 inside
pdm location 10.10.3.1 255.255.255.255 inside
pdm logging emergencies 100
pdm history enable
arp timeout 14400
global (outside) 1 194.x.x.248
global (dmz) 1 10.0.1.200
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 194.x.x.245 10.0.1.100 netmask 255.255.255.255 0 0
static (inside,dmz) 10.0.1.20 10.10.1.1 netmask 255.255.255.255 0 0
access-group fromout in interface outside
access-group fromdmz in interface dmz
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 194.x.x.254 1
route inside 136.44.1.0 255.255.255.0 10.10.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.10.0.0 255.255.0.0 inside
http 10.10.3.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set vpndes esp-des esp-sha-hmac
crypto dynamic-map vpn3 4 set transform-set vpndes
crypto map dyn-map 30 ipsec-isakmp dynamic vpn3
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local vpnclients outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup barrett address-pool vpnclients
vpngroup barrett default-domain secure.xxxxxxxx.com
vpngroup barrett split-tunnel v3vpn
vpngroup barrett idle-time 1800
telnet 10.10.0.0 255.255.0.0 inside
telnet 136.44.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 10
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn enable outside
terminal width 80
Cryptochecksum:694e8b4107825860f8bbc57527ad8c40




 
Try this config on your pix:
static (inside,DMZ) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
!---Host on inside mantain addresses
access-list fromdmz permit icmp any any
!---Allows icmp packets inside network
access-list fromdmz permit tcp host 10.0.1.100 host 10.10.1.1
!---Allows tcp packets from 10.0.1.100 to 10.10.1.1
no global (dmz) 1 10.0.1.200
!---This global statement can be removed


 
HI.

I don't see any related problem with the configuration that you've posted, so try to reboot the pix and also the web server if needed, check ip addressing (subnet mask) on the web server, and other IP related configurations.

I think that your config is better then "rgoolsby" suggestions because I think that it is better to use static only for the ip address of the AS/400 and not for all inside network.

> .. nd can see a PC on the inside network trying to communicate with the Web server ..
Can you post the exact messages?
How did you try to access the web server?
Try this from an inside host:

> access-list fromdmz permit tcp host 10.0.1.100 host 10.0.1.20
It is better to open only the ports that you need.

> conduit permit icmp any any
Try not to mix access-list and conduit. This only makes your management and troubleshooting more dificult.


You should know that allowing any direct access from the web server to internal network, exposes your network to an outside possible attacker that might gain control or run code on the web server.
An attacker might also find a way to access non-published data (or even modify data?) on your AS/400 without even attacking the web server itself, but using the web application that runs on it as a proxy to attack the AS/400.

I can not telling you what is best for your scenario, but try to be as restrictive as possible, and think like an attacker.

Bye
Yizhar Hurwitz
 
Regarding the last point.
If you need the web server accessible from outside, and you need the web server to access the AS/400, is there a better way of doing it?

 
Many thanks for the reply. The problem did lay at the IIS end of things. I proved my configuration by configuring a test Lotus Domino server and then looked again at the IIS end of things. I think the problem was to do with the IIS server hosting multiple sites. I had removed the Conduit command shortly after posting my config. I have also tied down the Web server access to the AS/400 by restricting it to the specific port used by the application.
I still need to test access from the Internal network to the DMZ, but it may be a routing issue and I have asked for a couple of changes on the default router.
 
HI.

qwasd wrote:
> .. is there a better way of doing it?

My answer:
Yes, you can add another SQL server on the DMZ (either on the web server itself or another box), and to implement some way to upload the updated data (but only the data that you want to publish) from the AS/400 to the dedicated DMZ server.
There are additional costs of course, but it is an option.

Bye
Yizhar Hurwitz
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top