Putting My Pix in DMZ? 2


mRgEE

IS-IT--Management
Oct 13, 2003
Hi,
I have been posting a couple of questions lately about the best way I can add a 501 into my home network to make extra services available and have better port forwarding control into my LAN. I have a Netgear DG834G (which is an all-in-one Router / Firewall /ADSl modem / Wireless Access Point).

The netgear has a DMZ option available. I would like to put the pix into the DMZ to control access to my services. Would this be possible and secure? I think it would work.

Internet > Netgear (10.0.0.254) > (DMZ) PIX (10.0.0.253) > LAN Servers (HTTP, HTTPS).

Any Thoughts?
 
People are generally encouraged to build defense in depth so placing a firewall behind another firewall is not a bad thing, it will just mean you are adding additional complexity to your network. If that's fine, then proceed.
 
If you already have this gear then what you described above is just fine; all you need to do is make your firewall's IP the server in the DMZ and then control access with your firewall. If, however, you don't already have this and you are about to start shopping for it, I would take a different route: I would actually buy a Cisco 877 router with IOS firewall, which acts as a basic IDS, stateful firewall and router.


Hope that helps
 
Thanks, I already have the hardware purchased so cannot change it to a cisco router.
Update: -
I have set up SSH on the Pix, downloaded Putty and can connect to the outside interface from inside my LAN no probs...
However, when I try to connect to the Pix outside interface via SSH from the Internet I always receive a "connection timed out".

My setup is as follows: -
internet (public ip) > Router (10.0.0.254) > DMZ - PIX (10.0.0.253) > Services
I can see a rule match hitting my router when trying to putty in from the Internet to my public IP, but this then never arrives at the pix? Any ideas?
 
Do you have this in your config

ssh 0.0.0.0 0.0.0.0 outside



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Yes - I have also done a 'write mem' command to save it into the config. It is strange because I can ssh onto the outside interface of the pix when I am on the LAN (10.0.0.0/8) but when I try to connect from over the Internet I get the timeout. I wonder if it has something to do with NAT being carried out by the router and / or the pix config not configured correctly for this? For example, the outside interface of my router (Internet interface) has my public IP address, then the Router has NAT enabled. Now that the Pix is listed as the DMZ address all incoming traffic should be forwarded to it (I actually see a rule match for the SSH connection on Port 22 hitting my router).
 
Does the pix register an ssh hit in the logs to see if it is actually getting to the pix?

Without actually seeing the config, it sounds like it could be the router.

I am thinking it would be smarter (and a more traditional setup) to have it go this way:

Internet > PIX (10.0.0.253) as the DMZ - w/ servers (HTTP, HTTPS)) > Netgear (10.0.0.254) > Internal users.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Unfortunately I am unable to use the configuration suggested above due to the fact that the netgear must perform the ADSL authentication (PPPoa) as well as I want to keep the Wireless functionality of the Netgear.

So, I have been thinking about this further, and I am thinking that I have not set up any access lists on the pix to allow ssh. This may be the problem although it is strange that I can ssh onto the outside interface when on my LAN and not through Internet. Any thoughts on this?

I am at work now and so cannot get to my pix right now, but I will post up the config when I get back tonight.
 
Here is my config:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ######## encrypted
passwd ########## encrypted
hostname CP501
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.253 255.0.0.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:96a828e393893c13a6962af089522790
: end
 
You don't need an ACL to allow SSH to the pix. The SSH statements take care of that. You would need one if you had an SSH server on the inside. The wireless won't suffer if you move the netgear but the pppoa is the catch.

Your config looks good and you can SSH from just outside the pix, so I think it is the netgear. Have you tried port forwarding instead of selecting the pix as the dmz?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I have ditched the DMZ as suggested and enabled a simple port forward for SSH (SSH is predefined within the router's port forward rules; it just needed to be enabled) to my Pix.
Unfortunately I still get a timeout.

I am using Putty SSH Client and I get the following errors in the client log file: -
Event Log: Writing new session log (SSH packets mode) to file: putty.log
Event Log: Looking up host "x.x.x.x" (my public ip)
Event Log: Connecting to x.x.x.x port 22
Event Log: Failed to connect to x.x.x.x: Network error: Connection timed out
Event Log: Network error: Connection timed out

I look in the Netgear and see a rule match each time I try to connect to the Pix via SSH as follows: -
Tue, 2006-11-21 20:32:42 - TCP Packet - Source:x.x.x.x,2196 Destination:x.x.x.x,22 - [SSH rule match]
I get these rule matches when traffic that I have port forwarding configured for passes through the router successfully, such as my HTTPS traffic shown below, which works fine, as do SMTP and HTTP.
Tue, 2006-11-21 20:33:30 - TCP Packet - Source:x.x.x.x,2497 Destination:x.x.x.85,443 - [HTTPS rule match]

So I know that the traffic is definitely being passed through the router to the pix, but the timeout still occurs. Is there a way to log SSH packets on the pix?
Any other ideas?
 
Add a route statement
route outside 0.0.0.0 0.0.0.0 [gatewayIP]

The next thing is to hit the pix logs at the debug level and see what is happening on there.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
YES :)
You beauty, that did it.
So the reason this was occurring was that the traffic was getting to the pix, but the pix did not have a default route set up on the outside to send traffic back.

Great stuff and many thanks!
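The following is an added example, not code from the thread or from Cisco, that models why SSH from the LAN reached the PIX while SSH from the Internet timed out: it parses the lines of the posted config that matter (interfaces and the `ssh` statement), checks that the client is permitted on the arrival interface, and then does a longest-prefix lookup for the reply path, first without and then with the `route outside` statement Brent suggested. The gateway 10.0.0.254 (the Netgear) and the client addresses are assumed/constructed values.

```python
import ipaddress

# Constructed excerpt of the PIX 6.2 config posted above: only the lines that
# decide whether an inbound SSH session to the outside interface can complete.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.0.0.253 255.0.0.0
ip address inside 192.168.1.1 255.255.255.0
ssh 0.0.0.0 0.0.0.0 outside
"""
# Brent's fix; the gateway IP is assumed to be the Netgear's DMZ-side address.
ROUTE_FIX = "route outside 0.0.0.0 0.0.0.0 10.0.0.254\n"


def parse(config):
    """Return (ssh_rules, routes) from PIX-style config text.
    Each 'ip address' line also yields a connected route for that interface."""
    ssh_rules, routes = [], []
    for line in config.splitlines():
        p = line.split()
        if not p:
            continue
        if p[:2] == ["ip", "address"] and len(p) == 5:
            routes.append((ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False), p[2]))
        elif p[0] == "ssh" and len(p) == 4:
            ssh_rules.append((ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=False), p[3]))
        elif p[0] == "route" and len(p) == 5:
            routes.append((ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False), p[1]))
    return ssh_rules, routes


def egress_interface(routes, dst):
    """Longest-prefix match; None means the PIX has no route to dst at all."""
    matches = [(net.prefixlen, ifname) for net, ifname in routes if dst in net]
    return max(matches)[1] if matches else None


def ssh_session_possible(config, client_ip, arrival_iface="outside"):
    """An SSH session needs two things: an 'ssh' statement permitting the client
    on the arrival interface, and a route that sends the reply back out of it."""
    client = ipaddress.ip_address(client_ip)
    ssh_rules, routes = parse(config)
    if not any(client in net and ifname == arrival_iface for net, ifname in ssh_rules):
        return "denied by ssh statement"
    out = egress_interface(routes, client)
    if out != arrival_iface:
        return f"no return route (egress={out})"
    return "ok"


if __name__ == "__main__":
    print("LAN client      :", ssh_session_possible(PIX_CONFIG, "10.0.0.7"))
    print("Internet client :", ssh_session_possible(PIX_CONFIG, "203.0.113.5"))
    print("Internet + route:", ssh_session_possible(PIX_CONFIG + ROUTE_FIX, "203.0.113.5"))
```

The LAN client succeeds only because 10.0.0.0/8 is the outside interface's own connected network; any other source needs the default route before the SYN/ACK can leave, which is exactly the "connection timed out" PuTTY reported.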

 