
Routing traffic to a network off the DMZ


ndog4ever (MIS, US), Feb 6, 2002
I have a hardware VPN client hanging off of my dmz. It gets a 172.16.x.x address on the secure tunnel side. I need to make sure that traffic on the inside that wants to route to the 172.16.x.x network goes out the dmz instead of the outside. I added the following route statement; let me know if I am headed in the right direction.

route dmz 172.16.x.x 255.255.255.0 10.x.x.1 1

Thanks for any info.
 
Well, if 10.x.x.1 is the IP of the router on your dmz, then yes.

Remember nat (inside) 0 some-acl to make the PIX not translate (if you don't want that, of course).

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 
Thanks. Actually, my statement is going to read

route dmz 172.16.x.x 255.255.255.0 10.x.x.2 1

since the .2 is the private side of the hardware client.

I am going to use this statement to prevent any translations. Is this correct?

static (inside,dmz) 10.5.5.0 10.5.5.0 netmask 255.255.255.0

Thanks for the info.
 
Well, correct, yes... but not the way to do it today. You should do an ACL that specifies from where and to where you don't want to translate, and then use that ACL in a nat (inside) 0 <acl name> command.

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 
Dopehead, OK, I worked on this crazy thing for hours and I must be doing something twice or forgetting a step. Here is my entire config minus the isakmp/VPN stuff.

PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 100full
interface ethernet2 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname pix101
domain-name ourdomain
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_dmz_in permit ip 10.5.5.0 255.255.255.0 10.60.4.0 255.255.255.0
access-list acl_dmz_in permit ip 172.16.2.0 255.255.255.0 10.5.5.0 255.255.255.0
access-list acl_dmz_in permit ip 10.60.4.0 255.255.255.0 10.5.5.0 255.255.255.0
access-list acl_dmz_in permit icmp any any echo-reply
access-list acl_dmz_in permit icmp any any
access-list acl_outside_in deny udp any any eq 99
access-list acl_outside_in deny udp any any eq 1434
access-list acl_outside_in deny tcp any any eq 6667
access-list acl_outside_in deny udp any any eq 6667
access-list acl_outside_in deny tcp any any eq 445
access-list acl_outside_in deny tcp any any eq 4444
access-list acl_outside_in deny tcp any any eq 593
access-list nonat permit ip 10.5.5.0 255.255.255.0 10.60.4.0 255.255.255.0
access-list nonat permit ip 10.60.4.0 255.255.255.0 10.5.5.0 255.255.255.0
pager lines 24
icmp permit any echo-reply inside
icmp permit any echo inside
icmp permit any echo dmz
icmp permit any echo-reply dmz
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.1xx.2 255.255.255.224
ip address inside 10.5.5.1 255.255.255.0
ip address dmz 10.60.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 10.1.1.1-10.1.1.30
ip local pool vendors 192.168.150.1-192.168.150.10
pdm history enable
arp timeout 14400
global (outside) 1 2xx.2xx.1xx.xx0 netmask 255.255.255.224
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list nonat
static (dmz,inside) 10.60.4.10 10.5.5.230 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.11 10.5.5.231 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.12 10.5.5.232 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.13 10.5.5.236 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.14 10.5.5.237 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.15 10.5.5.238 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.22 10.5.5.241 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.16 10.5.5.242 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.17 10.5.5.243 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.18 10.5.5.244 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.19 10.5.5.246 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.20 10.5.5.247 netmask 255.255.255.255 0 0
static (dmz,inside) 10.60.4.23 10.5.5.248 netmask 255.255.255.255 0 0
static (inside,dmz) 10.5.5.0 10.5.5.0 netmask 255.255.255.0 0 0
access-group acl_dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 2xx.2xx.x0.xx2 1
route dmz 172.16.2.0 255.255.255.0 10.60.4.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 128.227.205.3 source outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.5.5.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.5.5.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
dhcpd address 10.5.5.50-10.5.5.150 inside
dhcpd dns xx.xx.xx.xx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ourdomain
dhcpd enable inside
terminal width 80
 
Hi

There is no need to specify both directions in the nonat ACL; you should remove this line:

access-list nonat permit ip 10.60.4.0 255.255.255.0 10.5.5.0 255.255.255.0

Also, I think you might be missing a statement in the nonat ACL for the 172.16.2.0/24 network; right now it is not translated at all, because you also don't have a global on the dmz.

Network Systems Engineer
CCNA/CQS/CCSP
 
Dopehead, thanks for the info. I removed the access-list entry you mentioned. Also, what sort of global do I need on the dmz? From what I have read there are several options; is this the correct one?

global (dmz) 1 interface

Sorry for all the questions; it's just that this thing is driving me crazy.

 
You could do that; it will then translate all requests from the inside to the address of the dmz interface. Also remember a clear xlate after fiddling with the NAT setup.

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 
Well, I am close. I have solved all of my problems except for one, that being that my dmz hosts cannot access anything on the outside. I am posting my cleaned-up config. I am pretty sure all of my nat and global statements are right and that they are matching.

: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname pix1
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list no_nat permit ip 10.5.5.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list acl_dmz permit ip 172.16.1.0 255.255.255.0 10.5.5.0 255.255.255.0
access-list acl_dmz permit icmp any any echo
access-list acl_dmz permit icmp any any echo-reply
access-list acl_outside_in permit tcp any host 2xx.2xx.1xx.10 eq www
pager lines 24
logging on
logging buffered informational
logging trap debugging
logging host inside 10.5.5.50
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 2xx.2xx.1xx.2 255.255.255.224
ip address inside 10.5.5.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 2xx.2xx.1xx.29
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list no_nat
nat (dmz) 2 172.16.1.0 255.255.255.0 0 0
static (dmz,outside) 2xx.2xx.1xx.10 172.16.1.2 netmask 255.255.255.255 0 0
access-group acl_outside_in in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 128.10.10.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.5.5.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
 
Well, your ACL for the dmz interface specifies that only icmp echo and echo-reply are allowed from the dmz, which is why it does not work; if you need the dmz PCs to reach something on the internet, you need to allow that.

If you just need ping, then you have to enable echo-reply in the outside ACL from any to the global (outside) 2 address.


Jan

Network Systems Engineer
CCNA/CQS/CCSP
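The two things Jan keeps coming back to in this thread, whether a flow routed out the dmz has a translation (a nat 0 access-list exemption, a static, or a nat <id> with a matching global <id> on the egress interface) and whether the ACL bound to the ingress interface lets it through, can be checked mechanically against a PIX 6.x config. The Python below is an added example written for this page; it is not code from the thread, from Tek-Tips or from Cisco. It parses only the statement types the posted configs use (nameif, ip address, route, access-list, access-group, nat, global, static), ignores ports, ICMP types, xlate state and un-translation of mapped addresses, and runs against constructed, trimmed versions of the two posted configs in which 198.51.100.0/24 (RFC 5737) stands in for the masked public addresses; every address and name in those sample configs is an assumption, not the poster's real values.

```python
# PIX 6.x NAT / route / ACL lint (added example, not code from the thread or from Cisco); a lint, not a simulator.
import ipaddress

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _acl_entry(t):  # ['access-list', NAME, ACTION, PROTO, <src>, <dst>, ...]; <x> is any | host A | A MASK
    nets, i = [], 4
    for _ in range(2):
        w, step = ((("0.0.0.0", "0.0.0.0"), 1) if t[i] == "any" else
                   ((t[i + 1], "255.255.255.255"), 2) if t[i] == "host" else ((t[i], t[i + 1]), 2))
        nets.append(_net(*w)); i += step
    return t[2], t[3], nets[0], nets[1]  # action, protocol, src net, dst net (ports / icmp types dropped)

def parse(config):
    cfg = {"if": {}, "routes": [], "acl": {}, "group": {}, "nat": [], "global": set(), "static": []}
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "nameif":                 # nameif ethernet2 dmz security50
            cfg["if"].setdefault(t[2], {})["sec"] = int(t[3].replace("security", ""))
        elif t[:2] == ["ip", "address"]:     # ip address dmz 10.60.4.1 255.255.255.0
            cfg["if"].setdefault(t[2], {})["net"] = _net(t[3], t[4])
        elif t[0] == "route":                # route dmz 172.16.2.0 255.255.255.0 10.60.4.2 1
            cfg["routes"].append((t[1], _net(t[2], t[3])))
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            cfg["acl"].setdefault(t[1], []).append(_acl_entry(t))
        elif t[0] == "access-group":         # access-group acl_dmz in interface dmz
            cfg["group"][t[4]] = t[1]
        elif t[0] == "nat":                  # nat (inside) 0 access-list nonat | nat (dmz) 2 NET MASK 0 0
            cfg["nat"].append((t[1].strip("()"), int(t[2]), t[4] if t[3] == "access-list" else _net(t[3], t[4])))
        elif t[0] == "global":               # global (dmz) 1 interface | global (outside) 2 ADDR
            cfg["global"].add((t[1].strip("()"), int(t[2])))
        elif t[0] == "static":               # static (real_if,mapped_if) MAPPED REAL netmask MASK ...
            cfg["static"].append((*t[1].strip("()").split(","), _net(t[3], t[5])))
    return cfg

def acl_permits(cfg, name, proto, src, dst):  # first match wins; implicit deny at the end of every ACL
    hit = next((a for a, p, s, d in cfg["acl"].get(name, []) if p in (proto, "ip") and src in s and dst in d), None)
    return hit == "permit"

def _translation(cfg, ingress, egress, src, dst):  # (ok, reason): PIX 6.x needs an xlate for the high-side host
    high_in = cfg["if"][ingress]["sec"] > cfg["if"][egress]["sec"]
    high, low = (ingress, egress) if high_in else (egress, ingress)
    real, peer = (src, dst) if high_in else (dst, src)      # 'real' is the address that would be translated
    if any(i == high and n == 0 and isinstance(r, str) and (acl_permits(cfg, r, "ip", real, peer)
           or acl_permits(cfg, r, "ip", peer, real)) for i, n, r in cfg["nat"]):  # nat 0 ACL: both directions
        return True, f"nat ({high}) 0 access-list exempts {real}: not translated"
    if any(rf == high and mf == low and real in net for rf, mf, net in cfg["static"]):
        return True, f"static ({high},{low}) translates {real}"
    # dynamic nat/global only serves flows started on the high side; low-side initiators need static or nat 0
    ids = [n for i, n, r in cfg["nat"] if high_in and i == high and n and not isinstance(r, str) and real in r]
    for n in ids:
        if (low, n) in cfg["global"]:
            return True, f"nat ({high}) {n} translated by global ({low}) {n}"
    return False, (f"nat ({high}) {ids[0]} matches {real} but there is no global ({low}) {ids[0]}" if ids
                   else f"no static, nat 0 or usable nat/global pair exposes {real} on {low}")

def check_flow(cfg, src, dst, proto="tcp"):  # -> ('PASS' | 'DROP', [reasons]) for proto traffic src -> dst
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    on = lambda ip: next((n for n, d in cfg["if"].items() if "net" in d and ip in d["net"]), None)
    hits = [r for r in cfg["routes"] if dst in r[1]]        # longest-prefix route picks the egress
    ingress, egress = on(src), on(dst) or (max(hits, key=lambda r: r[1].prefixlen)[0] if hits else None)
    notes = [f"ingress={ingress} egress={egress}"]
    if not ingress or not egress or ingress == egress:
        return "DROP", notes + ["unknown source interface, no route, or same-interface traffic"]
    ok, why = _translation(cfg, ingress, egress, src, dst)
    notes.append(why)
    acl = cfg["group"].get(ingress)                         # inbound ACL bound to the ingress interface
    if ok and acl and not acl_permits(cfg, acl, proto, src, dst):
        ok, notes = False, notes + [f"{acl} does not permit {proto} {src} -> {dst}"]
    if ok and not acl and cfg["if"][ingress]["sec"] <= cfg["if"][egress]["sec"]:
        ok, notes = False, notes + ["lower-to-higher security level with no ACL bound on ingress"]
    return ("PASS" if ok else "DROP"), notes

# Constructed configs: trimmed from the two posted ones, 198.51.100.0/24 (RFC 5737) replacing masked addresses.
IFACES = """nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 198.51.100.2 255.255.255.224
ip address inside 10.5.5.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
"""
# first config in Jan's recommended nat 0 shape: nonat lacks 172.16.2.0/24 and dmz has no global
CONFIG_1 = IFACES + """ip address dmz 10.60.4.1 255.255.255.0
access-list nonat permit ip 10.5.5.0 255.255.255.0 10.60.4.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route dmz 172.16.2.0 255.255.255.0 10.60.4.2 1
"""
# final config: dmz hosts are translated (nat 2 / global 2) but acl_dmz only permits ip to 10.5.5.0/24 and icmp
CONFIG_2 = IFACES + """ip address dmz 172.16.1.1 255.255.255.0
access-list no_nat permit ip 10.5.5.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list acl_dmz permit ip 172.16.1.0 255.255.255.0 10.5.5.0 255.255.255.0
access-list acl_dmz permit icmp any any echo
global (outside) 2 198.51.100.29
nat (inside) 0 access-list no_nat
nat (dmz) 2 172.16.1.0 255.255.255.0 0 0
static (dmz,outside) 198.51.100.10 172.16.1.2 netmask 255.255.255.255 0 0
access-group acl_dmz in interface dmz
"""
```

Calling check_flow(parse(CONFIG_1), "10.5.5.10", "172.16.2.5") reports the route choice (ingress=inside egress=dmz) and that nat (inside) 1 has no global (dmz) 1, which is the gap Jan pointed out; appending either global (dmz) 1 interface or a nonat entry for 172.16.2.0/24 turns the verdict into PASS. Against CONFIG_2, TCP from 172.16.1.5 to an outside address is translated through global 2 but stopped by acl_dmz, while ICMP echo passes, and a dmz host reaching 10.5.5.0/24 is exempted by the single-direction no_nat ACL because the check honours nat 0 lists in both directions. Test with real (pre-NAT) addresses; mapped addresses from static lines are not looked up.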
 