Windows server in DMZ going over PIX 515E to obtain Norton updates

hellboy101

Programmer
Aug 31, 2005
US
Hello everyone-

I have a Windows 2000 server within a DMZ environment that needs to obtain Norton antivirus updates from a NAV server from within our secured LAN going over the PIX 515E..

The drawing looks something like this and any help that anyone could provide would be great! Please be aware that
the server in need of Norton updates is connected to a Cisco CAT 3550 switch and that switch has a connection to the PIX 515E (on FE port 2) and the inside port on this PIX is connecting to a 2948 which then connects to a 6509 core switch where the Norton Antivirus server resides.. sheesh! there is a lot going on here and my drawing only shows the correlation between server(LAN) to PIX to Server(DMZ -that needs updates).. Would an access-list on the PIX do the trick?? How to begin? thanks again.. drawing below..


       (Inside Eth port 1)  PIX 515E  (DMZ Eth port 2)
                         |           |
Secured LAN--------------|           |--------------DMZ
172.16.x.x                                    172.17.x.x
Norton                                        the server that
Antivirus server                              needs updates
                                              from norton
                                              server

Hellboy101
 
1. Pick a number on your DMZ that will represent the Norton Server.
2. Create an access-list statement(s) that allows whatever port(s) norton needs open and apply it to the DMZ interface.
**If you already have an ACL applied to the DMZ interface you can add to it and don't need to re-apply it to the DMZ interface.**
3. Create a static mapping from the NortonDMZ IP address to the NortonInside IP address.
4. When referencing the NortonInside Server from the DMZ, use the NortonDMZ IP address--point the DMZ device that needs the updates to 172.17.x.15.

example:

*using 172.17.x.15 as ip that will be mapped to the Norton Server
*It looks like Norton NavServer needs ftp and http open--but I'm not positive.

access-list DMZin permit tcp host 172.17.x.x host 172.17.x.15 eq 80
access-list DMZin permit tcp host 172.17.x.x host 172.17.x.15 eq 21
access-group DMZin in interface DMZ
**See note above. If you are adding to an existing ACL then don't do the previous step.**
static (inside,DMZ) 172.17.x.15 172.16.x.x netmask 255.255.255.255 0 0

What's ADD again?
 
Hi ixleplix,

Thanks for all your help thus far.. Here's my pix config, the obvious IPs have been removed of course but was wondering if you could peek at the logic in what we were trying to figure out yesterday.. perhaps there is a mismatch within the acls / static (inside/dmz) area.. can't seem to figure it out..

Thank you so much
hb101


Written by enable_15 at 07:04:17.072 UTC Thu Sep 1 2005
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security98
nameif ethernet3 homs12 security99
nameif ethernet4 homs14 security98
nameif ethernet5 intf5 security10
enable password zJ4GGEgR.kgf1bsy encrypted
passwd zJ4GGEgR.kgf1bsy encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.17.XX.XX sales_server
name 172.17.XX.XX dmz_as400
name 172.17.XX.XX dmz_dns_server
name 172.16.XX.XX inside_as400
name 172.17.XX.XX sales_server_dns
name 172.16.XX.XX inside_dns_server
access-list acl_dmz permit tcp any host dmz_as400 eq telnet
access-list acl_dmz permit tcp any host dmz_as400 eq 445
access-list acl_dmz permit tcp any host dmz_as400 eq 8471
access-list acl_dmz permit tcp any host dmz_as400 eq 8476
access-list acl_dmz permit tcp any host dmz_as400 eq 8475
access-list acl_dmz permit tcp any host dmz_as400 eq 4004
access-list acl_dmz permit udp any host dmz_dns_server eq domain
access-list acl_dmz permit tcp any host dmz_as400 eq 449
access-list acl_dmz permit ip host sales_track host 172.16.xx.xx
access-list acl_dmz permit ip host sales_server host 172.16.xx.xx
access-list acl_dmz permit ip host sales_server host inside_dns_server
access-list acl_dmz permit ip host sales_server host 172.16.xx.xx
access-list acl_dmz permit ip host sales_server host inside_as400
access-list acl_dmz permit icmp 172.17.xx.xx 255.255.255.0 172.17.xx.0 255.255.255.0
access-list acl_dmz permit ip host sales_server host 172.16.xx.54
access-list acl_dmz permit tcp host sales_server host 172.16.xx.54 eq www
access-list acl_dmz permit tcp host sales_server host 172.16.xx.54 eq ftp
access-list acl_dmz permit tcp host 172.16.79.6 host 172.16.xx.54 eq www
access-list acl_dmz permit tcp host 172.16.79.6 host 172.16.xx.54 eq ftp
access-list outside_cryptomap_dyn_20 permit ip 172.16.0.0 255.255.0.0 172.16.79.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
access-list acl_homs12 permit ip any any
access-list acl_homs14 permit ip any any
access-list acl_in permit tcp any host 69.74.xx.113 eq https
access-list acl_in permit tcp any host 69.74.xx.113 eq www
access-list acl_in permit tcp any host 69.74.xx.110
access-list acl_in permit tcp any host 69.74.xx.114 eq ident
access-list acl_in permit tcp any host 69.74.xx.114 eq smtp
access-list acl_in permit tcp any host 69.74.xx.114 eq www
access-list acl_in permit tcp any host 69.74.xx.114 eq https
access-list acl_in permit tcp any host 69.74.xx.114 eq 8999
access-list acl_in permit tcp any host 69.74.xx.114 eq 992
access-list acl_in permit tcp any host 69.74.xx.114 eq 3666
access-list acl_in permit tcp any host 69.74.xx.114 eq 5000
access-list acl_in permit tcp any host 69.74.xx.112 eq ftp
access-list acl_in permit tcp any host 69.74.xx.112 eq ident
access-list acl_in permit tcp any host 69.74.xx.116
access-list acl_in permit tcp host 209.74.xx.xx eq pptp any
access-list acl_in permit gre host 209.74.xx.xx any
access-list acl_in permit udp any any eq ntp
access-list acl_in permit udp any host sales_track eq snmp
access-list acl_in permit ip host 209.74.xx.xx any
access-list acl_in permit ip any host 209.74.xx.x
access-list acl_in permit ip host 172.16.79.6 any
access-list acl_in permit ip host sales_server any
access-list HOMS14_VPN permit ip host 10.133.xx.xx 192.168.150.0 255.255.255.0
access-list HOMS14_VPN permit ip host 10.133.xx.xx 192.168.150.0 255.255.255.0
access-list ww5group_splitTunnelAcl permit ip 172.16.0.0 255.255.0.0 192.xx.xx.0 255.255.255.0
access-list ww5group_splitTunnelAcl permit ip 10.133.14.0 255.255.255.0 192.168.150.0 255.255.255.0
no pager
logging on
logging buffered notifications
logging queue 500
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu homs12 1500
mtu homs14 1500
mtu intf5 1500
ip address outside 69.74.xx.xx 255.255.255.224
ip address inside 172.16.xx.xx 255.255.0.0
ip address dmz 172.17.xx.x 255.255.0.0
ip address homs12 10.133.xx.x 255.255.255.192
ip address homs14 10.133.xx.x 255.255.254.0
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool clients 192.168.150.1-192.168.150.15
failover
failover timeout 0:00:00
failover poll 5
failover ip address outside 69.74.53.99
failover ip address inside 172.16.79.253
failover ip address dmz 172.17.79.2
failover ip address homs12 10.133.12.3
failover ip address homs14 10.133.14.2
no failover ip address intf5
pdm location dmz_dns_server 255.255.255.255 dmz
pdm location inside_as400 255.255.255.255 inside
pdm location 172.16.80.0 255.255.255.0 inside
pdm location sales_track 255.255.255.255 dmz
pdm location 172.17.79.0 255.255.255.0 dmz
pdm location 10.133.14.0 255.255.255.0 inside
pdm location 172.16.80.54 255.255.255.255 inside
pdm location 172.16.80.99 255.255.255.255 inside
pdm location 10.133.12.8 255.255.255.255 inside
pdm location 172.16.79.59 255.255.255.255 inside
pdm location 172.16.80.5 255.255.255.255 inside
pdm location 172.16.80.27 255.255.255.255 inside
pdm location 172.16.80.40 255.255.255.255 inside
pdm location 172.16.80.175 255.255.255.255 inside
pdm location 10.15.1.0 255.255.255.0 homs12
pdm location 10.133.12.2 255.255.255.255 homs12
pdm location 10.0.0.0 255.0.0.0 homs12
pdm location 209.74.98.51 255.255.255.255 homs12
pdm location 209.74.98.105 255.255.255.255 homs12
pdm location 209.74.98.130 255.255.255.255 homs12
pdm location 209.74.98.227 255.255.255.255 homs12
pdm location 209.74.98.228 255.255.255.255 homs12
pdm location 209.74.98.230 255.255.255.255 homs12
pdm location 209.74.98.240 255.255.255.255 homs12
pdm location 209.74.98.0 255.255.255.0 homs12
pdm location 209.74.98.130 255.255.255.255 outside
pdm location 10.133.16.0 255.255.255.0 homs12
pdm location 69.74.53.97 255.255.255.255 inside
pdm location 69.74.53.97 255.255.255.255 homs12
pdm location 209.74.97.92 255.255.255.255 homs12
pdm location 209.74.98.106 255.255.255.255 homs12
pdm location 10.133.14.51 255.255.255.255 homs14
pdm location 69.74.53.97 255.255.255.255 homs14
pdm location 69.74.53.97 255.255.255.255 dmz
pdm location 12.14.71.155 255.255.255.255 outside
pdm location 155.212.0.49 255.255.255.255 outside
pdm location 192.168.150.0 255.255.255.0 outside
pdm location 209.74.97.60 255.255.255.255 homs12
pdm location 209.74.97.215 255.255.255.255 homs12
pdm location 209.74.97.0 255.255.255.0 homs12
pdm location 10.133.14.52 255.255.255.255 homs14
pdm location 209.74.121.5 255.255.255.255 outside
pdm location 209.74.112.0 255.255.240.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 69.74.53.101
global (dmz) 1 172.17.79.200-172.17.79.220
nat (inside) 0 access-list outside_cryptomap_dyn_20
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
nat (homs12) 1 10.133.12.0 255.255.255.192 0 0
nat (homs14) 0 access-list HOMS14_VPN
nat (homs14) 1 10.133.14.0 255.255.254.0 0 0
static (inside,dmz) dmz_as400 inside_as400 netmask 255.255.255.255 0 0
static (dmz,outside) 69.74.53.113 sales_track netmask 255.255.255.255 0 0
static (dmz,inside) 172.16.79.6 sales_track netmask 255.255.255.255 0 0
static (inside,dmz) sales_track_dns 172.16.80.99 netmask 255.255.255.255 0 0
static (inside,homs12) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (inside,homs14) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (homs14,homs12) 10.133.xx.0 10.133.xx.0 netmask 255.255.254.0 0 0
static (homs12,homs14) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (homs12,homs14) 209.74.xx.0 209.74.xx.0 netmask 255.255.255.0 0 0
static (inside,dmz) dmz_dns_server inside_dns_server netmask 255.255.255.255 0 0

static (inside,outside) 69.74.xx.116 172.16.xx.5 netmask 255.255.255.255 0 0
static (inside,outside) 69.74.xx.115 10.133.xx.8 netmask 255.255.255.255 0 0
static (inside,outside) 69.74.xx.114 inside_as400 netmask 255.255.255.255 0 0
static (inside,outside) 69.74.xx.112 172.16.xx.175 netmask 255.255.255.255 0 0
static (inside,outside) 69.74.xx.110 172.16.xx.27 netmask 255.255.255.255 0 0
static (homs12,homs14) 209.74.xx.0 209.74.xx.0 netmask 255.255.255.0 0 0
static (inside,dmz) 172.16.80.54 sales_track netmask 255.255.255.255 0 0
access-group acl_in in interface outside
access-group acl_dmz in interface dmz
access-group acl_homs12 in interface homs12
access-group acl_homs14 in interface homs14
route outside 0.0.0.0 0.0.0.0 69.74.53.97 1
route homs12 10.0.0.0 255.0.0.0 10.133.12.2 1
route homs12 209.74.xx.60 255.255.255.255 10.133.xx.2 1
route homs12 209.74.xx.92 255.255.255.255 10.133.xx.2 1
route homs12 209.74.xx.215 255.255.255.255 10.133.xx.2 1
route homs12 209.74.xx.51 255.255.255.255 10.133.xx.2 1
route homs12 209.74.xx.105 255.255.255.255 10.133.xx.1 1
route homs12 209.74.xx.106 255.255.255.255 10.133.xx.2 1
route homs12 209.74.xx.130 255.255.255.255 10.133.xx.2 1
route homs12 209.74.xx.227 255.255.255.255 10.133.xx.2 1
route homs12 209.74.xx.228 255.255.255.255 10.133.xx.2 1
route homs12 209.74.xx.230 255.255.255.255 10.133.xx.2 1
route homs12 209.74.xx.240 255.255.255.255 10.133.xx.2 1
route outside 209.74.112.0 255.255.240.0 69.74.53.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport xx
aaa-server radius-acctport xx
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host inside_dns_server wwradius timeout 10
http server enable
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup ww4group idle-time 1800
vpngroup ww5group address-pool clients
vpngroup ww5group dns-server inside_dns_server
vpngroup ww5group wins-server inside_dns_server
vpngroup ww5group default-domain getko
vpngroup ww5group split-tunnel ww5group_splitTunnelAcl
vpngroup ww5group idle-time 86400
vpngroup ww5group password ********
telnet 172.16.0.0 255.255.0.0 inside
telnet 69.74.xx.97 255.255.255.255 inside
telnet 69.74.xx.97 255.255.255.255 dmz
telnet 69.74.xx.97 255.255.255.255 homs12
telnet 10.133.xx.2 255.255.255.255 homs12
telnet 69.74.xx.97 255.255.255.255 homs14
telnet 10.133.xx.52 255.255.255.255 homs14
telnet 69.74.xx.97 255.255.255.255 intf5
telnet timeout 5
ssh 155.xxx.0.49 255.255.255.255 outside
ssh 12.14.xx.155 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:1f64860b644dac33bda8709fcbbe2220
pixfirewall#
 
Hi. I'm just focusing on the Norton server issue here.

access-list acl_dmz permit tcp host sales_server host 172.16.xx.54 eq www
access-list acl_dmz permit tcp host sales_server host 172.16.xx.54 eq ftp
access-list acl_dmz permit tcp host 172.16.xx.6 host 172.16.xx.54 eq www
access-list acl_dmz permit tcp host 172.16.xx.6 host 172.16.xx.54 eq ftp


These look like the ones that you've created to access the Norton server.

You have to create what is essentially a Virtual IP address for the Norton Server and then map it to the server.
The way you do that is by first referencing it in the access-list and then creating a static mapping. Also, is the 172.16.xx.6 supposed to be 172.17.xx.6?
So call the Norton Server 172.17.XX.54.
Map it to 172.16.XX.54.

Example:

access-list acl_dmz permit tcp host sales_server host 172.17.xx.54 eq www
access-list acl_dmz permit tcp host sales_server host 172.17.xx.54 eq ftp
access-list acl_dmz permit tcp host 172.17.xx.6 host 172.17.xx.54 eq www
access-list acl_dmz permit tcp host 172.17.xx.6 host 172.17.xx.54 eq ftp

**This opens up these ports on the 172.17.xx.54 IP address.**

static (inside,dmz) 172.17.xx.54 172.16.xx.54 netmask 255.255.255.255 0 0
**This takes the port traffic that you've opened and sends it to the 172.16.xx.54 machine.**



Is sales_track a server or an IP address that is supposed to be mapped to a server?

static (inside,dmz) 172.16.X.54 sales_track netmask 255.255.255.255 0 0--this command would need to be removed for the static mapping above to work.
static (dmz,inside) 172.16.X.6 sales_track netmask 255.255.255.255 0 0
**What are you trying to do here? They are structured wrong, but I'm not sure what you are aiming for.**




****Notes****
A static mapping allows traffic--that you've allowed via ACL--to flow from a less trusted zone to a more trusted zone.
To break down the static mapping command:

For a whole (one to one) static mapping:
static (IntDest,IntSource) ExternalIP InternalIP netmask Mask MaxConnections MaxEmbryonicConnections
i. IntDest: This is the interface the traffic is being mapped to.
ii. IntSource: This is the interface the traffic is coming from.
iii. ExternalIP: This is the External or less trusted IP address--that the traffic is coming in on.
iv. InternalIP: This is the Internal IP address--where the traffic is headed.
v. Mask: This tells the PIX whether this is an IP to host mapping or a Network range to Network range mapping.
vi. MaxConnections: The maximum number of active connections allowed.
1. Set this to a reasonable number.
a. For main Webpage access I’ve allowed 5000 active and embryonic connections; for the LPD daemon from blah to Non-blah I’ve allowed 50 each.
vii. MaxEmbryonicConnections: The maximum number of partially open connections allowed.
1. See notes above.



Example:



Using this ACL example:

access-list 100 line 25 permit tcp host 200.36.2.15 host X.116.46.207 eq 569
access-list 100 line 26 permit tcp any host X.116.46.194 eq 80
access-list 100 line 30 permit udp 30.20.5.0 255.255.255.192 host X.116.46.220 eq 500

You want to map X.116.46.207 to X.20.1.50—on the DMZ—and X.116.46.194 to X.16.0.53—inside network—and X.116.46.220 to X.20.1.60—DMZ—and you want to allow max embryonic and total connections of 1000 per mapping...
Your static statements would look like this:

static (DMZ,outside) X.116.46.207 X.20.1.50 netmask 255.255.255.255 1000 1000
static (inside,outside) X.116.46.194 X.16.0.53 netmask 255.255.255.255 1000 1000
static (DMZ,outside) X.116.46.220 X.20.1.60 netmask 255.255.255.255 1000 1000



**I hope this info helps.**

What's ADD again?
 
One other thing...

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security98
nameif ethernet3 homs12 security99
nameif ethernet4 homs14 security98
nameif ethernet5 intf5 security10

**The two interfaces e2 and e4 should not have the same security level. Change one of them to 97 or something different. The security level tells the PIX how trusted a network is and if two of them are the same it can cause logic issues.**

What's ADD again?
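Roland's two points above, the static-mapping breakdown (the less-trusted address first, the protected host second, and an ACL that names the mapped address) and the warning that no two interfaces may share a security level, can be checked mechanically before pasting anything into the PIX. The following is an added example, not code from the thread or from Cisco: a small Python linter that reads PIX 6.3 style lines and reports the three mistakes discussed. The sample configs are constructed, cut down from the poster's layout, with 172.17.79.6 as sales_server on the dmz, 172.16.80.54 as the inside Norton server and 172.17.80.54 as the dmz-side address that represents it.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a cut-down version of the poster's 'before' configuration.
BEFORE_CONFIG = """
nameif ethernet1 inside security100
nameif ethernet2 dmz security98
nameif ethernet4 homs14 security98
ip address inside 172.16.79.254 255.255.0.0
ip address dmz 172.17.79.1 255.255.0.0
ip address homs14 10.133.14.1 255.255.254.0
name 172.17.79.6 sales_server
access-list acl_dmz permit tcp host sales_server host 172.16.80.54 eq www
access-list acl_dmz permit tcp host sales_server host 172.17.80.54 eq ftp
access-group acl_dmz in interface dmz
static (inside,dmz) 172.16.80.54 sales_server netmask 255.255.255.255 0 0
static (inside,dmz) 172.17.80.54 172.16.80.54 netmask 255.255.255.255 0 0
"""

# Constructed sample: the same box after applying the corrections from the thread.
AFTER_CONFIG = """
nameif ethernet1 inside security100
nameif ethernet2 dmz security98
nameif ethernet4 homs14 security97
ip address inside 172.16.79.254 255.255.0.0
ip address dmz 172.17.79.1 255.255.0.0
ip address homs14 10.133.14.1 255.255.254.0
name 172.17.79.6 sales_server
access-list acl_dmz permit tcp host sales_server host 172.17.80.54 eq www
access-list acl_dmz permit tcp host sales_server host 172.17.80.54 eq ftp
access-group acl_dmz in interface dmz
static (inside,dmz) 172.17.80.54 172.16.80.54 netmask 255.255.255.255 0 0
"""

ACL_RE = re.compile(r"access-list (\S+) permit (\S+) host (\S+) host (\S+)(?: eq (\S+))?")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+)")


def parse_config(text):
    """Extract interfaces, subnets, names, ACL entries, ACL bindings and statics."""
    cfg = {"security": {}, "subnet": {}, "names": {}, "acl": defaultdict(list),
           "applied": {}, "static": []}
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "nameif":                       # nameif ethernet2 dmz security98
            cfg["security"][words[2]] = int(words[3][len("security"):])
        elif words[0] == "name":                       # name 172.17.79.6 sales_server
            cfg["names"][words[2]] = words[1]
        elif words[:2] == ["ip", "address"]:           # ip address dmz 172.17.79.1 255.255.0.0
            cfg["subnet"][words[2]] = ipaddress.ip_network(f"{words[3]}/{words[4]}", strict=False)
        elif words[0] == "access-list" and (m := ACL_RE.match(line)):
            cfg["acl"][m[1]].append(m.groups()[1:])    # (proto, src, dst, port-or-None)
        elif words[0] == "access-group":               # access-group acl_dmz in interface dmz
            cfg["applied"][words[1]] = words[4]
        elif words[0] == "static" and (m := STATIC_RE.match(line)):
            cfg["static"].append(m.groups())           # (high_iface, low_iface, mapped, real)
    return cfg


def lint(cfg):
    """Return human-readable findings for the three mistakes the thread covers."""
    findings = []

    def addr(token):
        return ipaddress.ip_address(cfg["names"].get(token, token))

    def owner(ip):
        """Name of the interface whose subnet contains ip, or None."""
        return next((i for i, net in cfg["subnet"].items() if ip in net), None)

    # 1. Two interfaces sharing a security level (the dmz / homs14 clash).
    by_level = defaultdict(list)
    for iface, level in cfg["security"].items():
        by_level[level].append(iface)
    for level, ifaces in sorted(by_level.items()):
        if len(ifaces) > 1:
            findings.append(f"interfaces {sorted(ifaces)} share security level {level}")

    # 2. static (high,low) MAPPED REAL: MAPPED is the low-side address, REAL the
    #    high-side host. A high-side address first, or a low-side host as REAL,
    #    is the backwards / device-to-device mapping from the 'before' config.
    for high, low, mapped, real in cfg["static"]:
        if owner(addr(mapped)) == high or owner(addr(real)) == low:
            findings.append(f"static ({high},{low}) {mapped} {real}: the {low}-side "
                            f"(mapped) address goes first, the {high} host second")

    # 3. An ACL bound inbound on one interface whose destination is a host on a
    #    more-trusted interface: that address never appears on this side, so
    #    the entry matches nothing (the 172.16.x entries in acl_dmz).
    for name, entries in cfg["acl"].items():
        iface = cfg["applied"].get(name)
        if iface is None:
            continue
        for proto, src, dst, port in entries:
            d_owner = owner(addr(dst))
            if d_owner not in (None, iface) and cfg["security"][d_owner] > cfg["security"][iface]:
                findings.append(f"{name} ({proto} {src} -> {dst} {port or 'any'}): {dst} is an "
                                f"{d_owner} address; use the static-mapped {iface}-side address")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(f"== {label} ==")
        for finding in lint(parse_config(text)) or ["no findings"]:
            print(" ", finding)
```

The checks only know what the parsed lines tell them: a destination that is not in any configured subnet (an outside address, say) is left alone, and a static whose mapped address is a public IP on the outside is accepted as long as it is not an inside address. Run against the 'before' sample it reports the shared security level, the backwards static and the dead ACL entry; the 'after' sample comes back clean.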
 
hello ixleplix,

Thanks again..

Well. 172.16.XX.6 was once the sales_server within our LAN, but we then put it in the DMZ so its IP changed (static IP) to 172.17.XX.6.. BUT the 172.16.XX.6 address still pertains to this server because people from within our LAN access intranet https:// websites which are on this sales_server (I hope this makes sense to you) essentially this server has two IP's..

Yes sales_server is defined in the PIX under NAME as
name 172.17.XX.6 sales_server (this is the server in the DMZ that needs to point to the Norton server in our lan and needs to get updates from it) the static IP address of this sales_server is 172.17.XX.6 (hope this clarifies this :) )

So my static map is wrong then eh? The static map below

static (inside,dmz) 172.16.X.54 sales_server netmask 255.255.255.255 0 0 - is incorrect?? ok.

the correct one is the one you wrote in the previous email?
static (inside,dmz) 172.17.xx.54 172.16.xx.54 netmask 255.255.255.255 0 0 - this is the correct one? but I don't have a box with the IP 172.16.xx.54... I DO have a box with the IP 172.16.xx.54 (this is my Norton server that resides in the LAN) so should I change the static mapping to reflect this?

Essentially this is what we have here:
172.16.XX.6 and 172.17.xx.6 are two addresses on the Sales_server.. the 172.17 is part of the DMZ and the 172.16 is used for intranet stuff for users that access in our LAN on the 172.16.XX.XX network.

the 172.16.XX.54 server is the Norton Antivirus server.. So we would need the right access-lists so that the DMZ'd sales_server can access the Norton server for antivirus updates. I think we nailed those access-lists in the previous email no? now all we need is the correct static mapping based on what info I gave you above for clarity in case there were any questions.. :)

Just to point out, this sales_server within the DMZ directly plugs into a Cisco 3550 switch and then the switch plugs into the FE2 port (DMZ) on the PIX.. The switch has VLAN2 enabled and the sales_server is within this VLAN. Does this cause an extra question mark here?? or can we assume that if our access-lists are correct and our static maps are right, VLANS shouldn't matter?? just curious and thanks for any help you can provide.. I believe we are quite close to resolving this :)

hb101

My Norton
 
Hi hellboy101,
I just want to let you know that I'm trying to make sure you understand what I'm doing. You know teach the man to fish... :)
I just happen to be geeky enough to really enjoy this kind of thing and I always want to know "why", not just "how".
So I apologize if I seem like I'm telling you what to do or talking down to you. That isn't my intention. At the bottom are the actual commands with no commentary.



"the correct one is the one you wrote in the previous email?
static (inside,dmz) 172.17.xx.54 172.16.xx.54 netmask 255.255.255.255 0 0
- this is the correct one? but I don't have a box with the IP 172.16.xx.54...
I DO have a box with the IP 172.16.xx.54 (this is my Norton server that resides in the LAN)
so should I change the static mapping to reflect this?"
Those addresses in bold are both the same. I'm going to assume the first one is supposed to be 172.17.xx.54--correct?



access-list acl_dmz permit tcp host sales_server host 172.17.xx.54 eq www
access-list acl_dmz permit tcp host sales_server host 172.17.xx.54 eq ftp


These access-list statements say take any port 80 and port 21 traffic that comes from the host sales_server and allow it in on IP address 172.17.xx.54--which lives on the PIX.
Then you send that traffic to the 172.16.xx.54--Norton--server with a static mapping. So you don't need a server with an IP of 172.17.xx.54.
That IP address exists solely for the purpose of sending traffic to the 172.16.xx.54 server and is created by the first access-list statement that uses it.
172.17.xx.54 is the address that any device on the DMZ that wants to communicate with the norton server must use.


Then the static mapping:
static (inside,dmz) 172.17.xx.54 172.16.xx.54 netmask 255.255.255.255 0 0

Says take the port traffic that is destined for the 172.17.xx.54 address and send it to the NortonServer (172.16.xx.54)




Don't enter these two since they are actually duplicate entries of the two above--they just use the IP instead of the name and I should have caught that.
access-list acl_dmz permit tcp host 172.17.xx.6 host 172.17.xx.54 eq www
access-list acl_dmz permit tcp host 172.17.xx.6 host 172.17.xx.54 eq ftp

Remove these. They aren't doing anything since the IP addresses in bold aren't on the DMZ. Or you can leave them if you want.
access-list acl_dmz permit ip host sales_server host 172.16.xx.54
access-list acl_dmz permit tcp host sales_server host 172.16.xx.54 eq www
access-list acl_dmz permit tcp host sales_server host 172.16.xx.54 eq ftp
access-list acl_dmz permit tcp host 172.16.79.6 host 172.16.xx.54 eq www
access-list acl_dmz permit tcp host 172.16.79.6 host 172.16.xx.54 eq ftp



static (inside,dmz) 172.16.X.54 sales_track netmask 255.255.255.255 0 0--Yes, remove this. It will conflict with the access-list statement above.

static (dmz,inside) 172.16.X.6 sales_track netmask 255.255.255.255 0 0--I can't see this doing anything. To work it would need to read:
static (inside,dmz) sales_track 172.16.X.6 netmask 255.255.255.255 0 0--but the sales_track is a computer not a representative IP address that lives on the PIX...
**If you are unsure, then leave it. It's not hurting anything.**



"So my static map is wrong then eh? The static map below..."

"static (inside,dmz) 172.16.X.54 sales_server netmask 255.255.255.255 0 0 - is incorrect?? ok."
Yes. For a few reasons.
1. A static mapping from the DMZ to inside needs to have the DMZ IP address first and the inside IP address 2nd.
sales_server 172.16.xx.54
2. You can't map a device to a device. You have to create an IP address that represents the internal device and map from it to the internal device.

*********************************

To paste it in the PIX, from the enable prompt, it would look like this:


config t
no access-list acl_dmz permit ip host sales_server host 172.16.xx.54
no access-list acl_dmz permit tcp host sales_server host 172.16.xx.54 eq www
no access-list acl_dmz permit tcp host sales_server host 172.16.xx.54 eq ftp
no access-list acl_dmz permit tcp host 172.16.79.6 host 172.16.xx.54 eq www
no access-list acl_dmz permit tcp host 172.16.79.6 host 172.16.xx.54 eq ftp
access-list acl_dmz permit tcp host sales_server host 172.17.xx.54 eq www
access-list acl_dmz permit tcp host sales_server host 172.17.xx.54 eq ftp
no static (inside,dmz) 172.16.X.54 sales_track netmask 255.255.255.255 0 0
static (inside,dmz) 172.17.xx.54 172.16.xx.54 netmask 255.255.255.255 0 0



Once that's done, test it and don't write to memory until you are happy with the results.

Also, the VLAN shouldn't affect anything.

*********************************

Sorry I'm so long winded. If it doesn't work after this, then there may need to be additional ports opened.

You can check to see if the access-list statements are being hit by using the show access-list acl_dmz command and looking at the hit counters.

Please let me know.

Roland

What's ADD again?
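The explanation above (ACL first, static second, and why the DMZ-side address must come first in the static) and the four-step procedure from the first reply can be followed packet by packet. The following is an added example, not from the thread: a simplified Python model of the two lookups a PIX 6.3 performs on a packet arriving on the dmz interface, the inbound ACL and then the static translation. It ignores routing, NAT exemption and connection limits, and the addresses are constructed to match the thread (172.17.79.6 as sales_server, 172.16.80.54 as the Norton server, 172.17.80.54 as the dmz-side address that stands in for it). The 'before' rule set is the poster's original, the 'after' rule set is the corrected one Roland lists at the bottom of his post.

```python
import ipaddress

SUBNET = {"inside": ipaddress.ip_network("172.16.0.0/16"),
          "dmz": ipaddress.ip_network("172.17.0.0/16")}
SALES_SERVER, NORTON, NORTON_ON_DMZ = "172.17.79.6", "172.16.80.54", "172.17.80.54"

# Constructed rule sets. ACL entries: (proto, src, dst, dport), in order, as bound
# by 'access-group acl_dmz in interface dmz'. Statics: (high_iface, low_iface, mapped, real).
BEFORE_ACL = [("tcp", SALES_SERVER, NORTON, 80), ("tcp", SALES_SERVER, NORTON, 21)]
BEFORE_STATIC = [("inside", "dmz", NORTON, SALES_SERVER)]   # the backwards mapping

AFTER_ACL = [("tcp", SALES_SERVER, NORTON_ON_DMZ, 80), ("tcp", SALES_SERVER, NORTON_ON_DMZ, 21)]
AFTER_STATIC = [("inside", "dmz", NORTON_ON_DMZ, NORTON)]


def iface_of(ip):
    """Interface whose subnet contains ip, or None for an address the PIX does not own."""
    a = ipaddress.ip_address(ip)
    return next((name for name, net in SUBNET.items() if a in net), None)


def evaluate(packet, acl, statics, ingress="dmz"):
    """Trace one packet (proto, src, dst, dport) arriving on ingress.

    Returns ("permit", egress_iface, real_dst) or ("deny", reason)."""
    proto, src, dst, dport = packet
    # Step 1: the ACL bound inbound on the ingress interface, evaluated top down
    # against the addresses as they appear on the wire; no match means the
    # implicit deny at the end of the list drops the packet.
    if not any(p == proto and s == src and d == dst and port == dport
               for p, s, d, port in acl):
        return ("deny", f"no permit for {proto} {src} -> {dst}/{dport} on {ingress}")
    # Step 2: traffic bound for a more-trusted interface needs a translation.
    # The static's mapped address is what the dmz host addresses; real is where
    # the PIX delivers it, and real must actually live on the high side.
    for high, low, mapped, real in statics:
        if low == ingress and mapped == dst:
            if iface_of(real) != high:
                return ("deny", f"static sends {dst} to {real}, which is not an {high} address")
            return ("permit", high, real)
    return ("deny", f"no static (inside,{ingress}) presents {dst} on {ingress}")


if __name__ == "__main__":
    cases = [
        ("before: sales_server -> Norton real IP, www", ("tcp", SALES_SERVER, NORTON, 80), BEFORE_ACL, BEFORE_STATIC),
        ("after:  sales_server -> mapped IP, www", ("tcp", SALES_SERVER, NORTON_ON_DMZ, 80), AFTER_ACL, AFTER_STATIC),
        ("after:  sales_server -> Norton real IP, www", ("tcp", SALES_SERVER, NORTON, 80), AFTER_ACL, AFTER_STATIC),
        ("after:  sales_server -> mapped IP, 445", ("tcp", SALES_SERVER, NORTON_ON_DMZ, 445), AFTER_ACL, AFTER_STATIC),
    ]
    for label, packet, acl, statics in cases:
        print(f"{label}: {evaluate(packet, acl, statics)}")
```

The third case is the one the original poster kept tripping over: once the mapping exists, a DMZ host that addresses the Norton server's real 172.16 address gets nothing, because acl_dmz only permits the mapped 172.17 address. The fourth case shows what "additional ports may need to be opened" looks like in this model: the mapping is right, but a port the ACL never mentioned is dropped at step 1.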
 
Hi Roland,

I would never take offense to a super willing person such as yourself. I salute you for your ultimate help and no offense was/is taken. I'm going to review your notes here and implement your ideas.. I'll let you know what transpires
:)

hb101
 
Hello ixleplix-

Hope all is well and you're enjoying somewhat of a sunny weekend. Don't know what part of the world you reside in but NY is facing good weather!

Still having trouble with my PIX/DMZ to NAV issue but more interestingly I had a question..

We know that the real IP address of my Norton server in our LAN is 172.16.XX.54, hence the:
static (inside,dmz) 172.17.xx.54 172.16.xx.54 netmask 255.255.255.255 0 0

what I'm still not truly getting is this 172.17.XX.54 number's presence.. I guess I'm trying to wrap it around my mind that this is a true IP address but it's not. It's only a virtual representation of an IP number that resides as part of my DMZ? If that's the case, I find that amazing how you can just randomly pick any IP address and use it within your DMZ and with proper access list's pass traffic thru it. Am I correct in my above statement or completely off? LOL! :)

Since I essentially need NAV updates to move between my NAV server (IP 172.16.XX.54) to my sales_server (IP 172.17.XX.6 and for intranet stuff it uses IP 172.16.XX.6), where in the PIX are acl's stating that traffic is moving between these two devices..in sort of a transceiving fashion, because essentially, that would be needed no?

you see, while logged onto the sales_server (in DMZ) I start to install the Norton client and then go to My Network Places in Windows 2000 in order to point to the NAV server within our LAN (different child domain from where sales_server resides) but I can never see the domain that the Norton server resides in, therefore I could never truly finish my Norton client installation on the sales_server because it needs to point to a Parent NAV server for the install to complete.. I agree with you that probably at a layer 2/3 level domains mean nothing here because access-lists should overrule what Windows needs (at the IP level) to see amongst disparate domains but maybe I need a domain trust established eh? what do you think? please let me know

I truly appreciate all of your efforts and especially time you've provided !

Cheers

hb101
 
Hi There,
I'm on the opposite coast--Oregon. The weather topped at about 75 or so over the weekend and it was sunny. Nice and relaxing.

"what I'm still not truly getting is this 172.17.XX.54 number's presence.. I guess I'm trying to wrap it around my mind that this is a true IP address but it's not. It's only a virtual representation of an IP number that resides as part of my DMZ? If that's the case, I find that amazing how you can just randomly pick any IP address and use it within your DMZ and with proper access list's pass traffic thru it. Am I correct in my above statement or completely off? LOL!"

To answer the question above; It's not really a randomly chosen number. It has to reside within the Network Range that you've defined for the DMZ by the ip address dmz 172.17.xx.x 255.255.0.0 command and it must not conflict with any other IP address that exists in the DMZ. I just chose 172.17.xx.54/16 because the last octet matches the inside addresses. So it seemed logical.

And...your statement is pretty close to how it works.

If I'm using the network 10.40.1.0/24 for my DMZ--done by using the ip address dmz 10.40.1.1 255.255.255.0
command, then the PIX knows that all addresses 10.40.1.1-10.40.1.254 can exist on the DMZ. Now , if I need to pass traffic from a server on the DMZ to a server on the inside--I need a way to send it through the PIX. So I take an IP address that is on the defined network and use it to allow that traffic--done through an access-list statement. Once that access-list statement is active then when the PIX hears a broadcast for that IP, it says, "Hey that's mine!" and responds to the broadcast... Then the static mapping sends the traffic to the protected device.

"Since I essentially need NAV updates to move between my NAV server (IP 172.16.XX.54) to my sales_server (IP 172.17.XX.6 and for intranet stuff it uses IP 172.16.XX.6), where in the PIX are acl's stating that traffic is moving between these two devices..in sort of a tranceiving fashion, because essentially, that would be needed no?"

access-list acl_dmz permit tcp host sales_server host 172.17.xx.54 eq www
access-list acl_dmz permit tcp host sales_server host 172.17.xx.54 eq ftp

These two handle the traffic between the sales_server and the NortonServer. As far as traffic between 172.16.xx.54 and 172.16.xx.6--that shouldn't pass through the PIX--which is why there are no ACL statements regarding it.

On my DMZ, these are the ports I had to open to allow a Domain controller to communicate with one on the inside:

access-list dmz100 permit tcp host NS1 host PDC1_DMZ eq 42
access-list dmz100 permit tcp host NS1 host PDC1_DMZ eq domain
access-list dmz100 permit tcp host NS1 host PDC1_DMZ eq 88
access-list dmz100 permit tcp host NS1 host PDC1_DMZ eq 135
access-list dmz100 permit tcp host NS1 host PDC1_DMZ eq netbios-ssn
access-list dmz100 permit tcp host NS1 host PDC1_DMZ eq ldap
access-list dmz100 permit tcp host NS1 host PDC1_DMZ eq 445
access-list dmz100 permit tcp host NS1 host PDC1_DMZ eq 464
access-list dmz100 permit tcp host NS1 host PDC1_DMZ eq ldaps
access-list dmz100 permit tcp host NS1 host PDC1_DMZ range 3268 3269
access-list dmz100 permit udp host NS1 host PDC1_DMZ eq domain
access-list dmz100 permit udp host NS1 host PDC1_DMZ eq 88
access-list dmz100 permit udp host NS1 host PDC1_DMZ range netbios-ns netbios-dgm
access-list dmz100 permit udp host NS1 host PDC1_DMZ eq 389

You may need to open some of these. I'm not sure you need a Domain Trust. I know we used to have a number of Win98 PCs that used our Norton server. And Win98 isn't Domain aware.

One thing I've done in the past is to sniff the ports of the devices in question and look for the port traffic that is getting lost, or that isn't getting passed through the firewall and then open those ports.

Hope that helps. Please let me know.
And you're welcome for the help and time. Besides, it helps me stay sharp too.

Roland


*****************

What's ADD again?
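Roland's suggestion above (sniff for the traffic that is not getting through the firewall, then open those ports) has a cheaper equivalent on the PIX itself: the firewall logs a %PIX-4-106023 "Deny" message for every packet an access-group drops. The following is an added example, not from this thread and not Cisco code, that parses those messages and counts the (protocol, source, destination, port) tuples that would each need an ACL entry. The sample log lines are constructed in the 106023 format with the thread's placeholder addresses, and the resulting lines are candidates for review, not a config to paste.

```python
"""Find which DMZ -> inside flows a PIX is dropping, from its syslog.

Added example (not from the Tek-Tips thread). It parses %PIX-4-106023 deny
messages, which the PIX logs when an access-group drops a packet, and counts
the (acl, proto, src, dst, dport) tuples that would each need an ACL entry.
"""
import re
from collections import Counter

# Constructed sample syslog in the 106023 / 302013 message shapes; the
# addresses are the thread's placeholders, not a real network.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src dmz:172.17.79.6/1045 dst inside:172.17.80.54/139 by access-group "acl_dmz"
%PIX-4-106023: Deny tcp src dmz:172.17.79.6/1046 dst inside:172.17.80.54/139 by access-group "acl_dmz"
%PIX-4-106023: Deny udp src dmz:172.17.79.6/137 dst inside:172.17.80.54/137 by access-group "acl_dmz"
%PIX-4-106023: Deny tcp src dmz:172.17.79.6/1047 dst inside:172.17.80.54/445 by access-group "acl_dmz"
%PIX-6-302013: Built outbound TCP connection 12 for dmz:172.17.79.6/1048 (172.17.79.6/1048) to inside:172.16.80.54/80 (172.17.80.54/80)
"""

# Deny <proto> src <if>:<addr>/<port> dst <if>:<addr>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(log_text):
    """One dict per 106023 line; other message IDs (e.g. 302013 'Built') are skipped."""
    return [m.groupdict() for line in log_text.splitlines() if (m := DENY_RE.search(line))]


def denied_flows(log_text):
    """Count drops per (acl, proto, src, dst, dport); ephemeral source ports are ignored."""
    counts = Counter()
    for d in parse_denies(log_text):
        counts[(d["acl"], d["proto"], d["src"], d["dst"], int(d["dport"]))] += 1
    return counts


def candidate_entries(log_text):
    """Render one permit line per dropped flow, most frequent first.

    These are review candidates only: a dropped port may be one you want
    blocked (445 from a DMZ host into the LAN, for instance).
    """
    return [
        f"access-list {acl} permit {proto} host {src} host {dst} eq {dport}"
        for (acl, proto, src, dst, dport), _ in denied_flows(log_text).most_common()
    ]


if __name__ == "__main__":
    for (acl, proto, src, dst, dport), n in denied_flows(SAMPLE_LOG).most_common():
        print(f"{n:3d}x {proto} {src} -> {dst}:{dport} ({acl})")
    print("\n".join(candidate_entries(SAMPLE_LOG)))
```

Feed it the output of `logging buffered` or a syslog server with the PIX at logging level 4 or higher; the 302013 "Built" lines show what already passes, so only the 106023 denies are counted.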
 
Thank you Roland,

I think I may have to add more acls to my DMZ. Perhaps some including what you've cut and pasted above, netbios-ns /dgm and/or 445..

I'm determined to make this work and with the support you've provided I couldn't be more thankful!

Oregon is an awesome place to build on the land... I'll get there someday with my wife and child!

cheers
hb101

 
Hi there ixleplix,

I just realized something that may help my situation and thought I'd pass it by you first..

My actual IP address for the sales_server within the DMZ is 172.17.79.6 and I'm trying to pass it thru to the address you were explaining above which is 172.17.xx.54 (in actuality I'm using 172.17.80.54).. doesn't the address 172.17.80.54 conflict with my range such as the IP 172.17.79.6? I'm using .79.6 for the sales server but .80.54 for the IP that traffic will pass thru from the DMZ, thru the pix and then passed on to the Norton server which is 172.16.80.54 (actual address of Norton server).. Shouldn't my ranges within the DMZ all fall within the 172.17.79 range.. (not sure if what I'm saying here is correct but if I am correct in what I'm saying then the address of 172.17.80.54 won't work.. I'd need to make the address 172.17.79...correct? this is a class B so I thought only the first two octets starting from the left get affected? maybe I'm wrong but thought I'd ask and perhaps you could clarify my mistake here before I change it on the PIX.

Thanks again kind mentor!!
hb101
 
Actually, as it is a class B Network, anything on the 172.17.xxx.xxx/16 network will work on the DMZ--or any number between 172.17.0.1 and 172.17.255.254--that's not already in use. So there is no conflict there.

Keep me posted.

Roland


*****************

What's ADD again?
 
Hi ixleplix,

I'm hoping all is well with you. I'm wondering what these statements do below..

Especially the netbios-dgm issue, looks promising but wanted the expert's advice first.. Perhaps these ACLs will support my issue with not being able to have the sales_server (DMZ box) see/have packets sent to and from the NAV server (inside LAN)


access-list dmz100 permit tcp host NS1 host PDC1_DMZ eq netbios-ssn
access-list dmz100 permit tcp host NS1 host PDC1_DMZ eq ldap
access-list dmz100 permit udp host NS1 host PDC1_DMZ range netbios-ns netbios-dgm

Cheers
hb101
 
Hi hb101--do you read HellBoy?
Things are good here, thanks. And thank you, but I'm not an expert, just a Cisco geek.

I copied this info from the website, just plug in the port number you're looking for.

********************************************************

ldap--tcp 389
Purpose:
Lightweight Directory Access Protocol
Description:
LDAP (which is what people call it) is a modern and popular Internet directory access protocol used by many systems and services. Most Windows users will encounter it because Microsoft's NetMeeting uses and opens the LDAP port 389 while it is running.


netbios-ssn--tcp 139
Purpose:
NETBIOS Session Service
Description:
TCP NetBIOS connections are made over this port, usually with Windows machines but also with any other system running Samba (SMB). These TCP connections form "NetBIOS sessions" to support connection oriented file sharing activities.


netbios-dgm--udp 138
Purpose:
NETBIOS Datagram Service
Description:
UDP NetBIOS datagrams packets are exchanged over this port, usually with Windows machines but also with any other system running Samba (SMB). These UDP NetBIOS datagrams support non-connection oriented file sharing activities.


netbios-ns--udp 137
Purpose:
NetBIOS Name Service
Description:
UDP NetBIOS name query packets are sent to this port, usually of Windows machines but also of any other system running Samba (SMB), to ask the receiving machine to disclose and return its current set of NetBIOS names.

********************************************************

I know ldap is necessary to Microsoft server communication. The others have to do with directory access.

Right now all of the servers on my DMZ are set to run Symantec--Norton--in a stand alone mode. So they just pull their updates directly from the Internet.

But, I'm going to set up a test--it would be helpful here to use that setup too. I'll let you know what I find out.

I'll get back to you soon.

Roland


*****************

What's ADD again?
 
thanks ixleplix,

Wondering how you'll make out. for now, I'll apply tcp 389 ldap.. and tcp 139 Netbios and I'll see if we make any headway..

Can't wait to see how yours works out!

cheers
hb101

* no I haven't read any of the comics but the movie was incredible.. don't you think?

 
I didn't see a solution to your original question, so I'm providing you one here.

The port range used by NAV is:
object-group service Liveupdate tcp
  description Ports used by Norton Liveupdate.
  port-object range 2847 2848

The access-list entry to use:
access-list dmz100 line 1 permit tcp host [insert the IP-address to your NAV server here] host gateways.dis.symantec.com object-group Liveupdate


NAV Clients use UDP 2301 to get updates. In case you feel comfortable to allow clients to update their definitions themselves :)


A firm believer in the "Keep it Simple" philosophy
Cheers
/T
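The thread now has two shapes of access-list entry: Roland's per-port `eq`/`range` lines with `name` aliases on the DMZ interface, and triplejolt's entry that points at a service object-group. The following is an added example, not from any poster and not Cisco code, that parses both forms and evaluates candidate flows the way the PIX does: first match wins, no match hits the implicit deny, and a DMZ host addresses the DMZ-side alias of the inside server, which the static then maps to the real inside address. The aliases NS1, PDC1_DMZ and liveupdate_gw (standing in for gateways.dis.symantec.com), and the combined config, are constructed for the example; sales_server and the 172.17.80.54 / 172.16.80.54 pair are the thread's placeholders.

```python
"""Evaluate PIX 6.x-style access-list entries for the DMZ -> inside case.

Added example for this thread (not Cisco code, not from any poster). Models
first-match evaluation with the implicit deny, port keywords, `range`,
service object-groups, `name` aliases and the static mapping Roland describes.
"""
import ipaddress

# PIX port keywords that appear in the thread's ACLs.
PORT_NAMES = {"www": 80, "ftp": 21, "domain": 53, "ldap": 389, "ldaps": 636,
              "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

# `name` aliases. sales_server is from the thread; the other three are
# constructed (liveupdate_gw stands in for gateways.dis.symantec.com).
NAMES = {"sales_server": "172.17.79.6", "NS1": "172.17.79.10",
         "PDC1_DMZ": "172.17.80.20", "liveupdate_gw": "192.0.2.10"}

# Static mapping, DMZ-side alias -> real inside address (per the thread).
STATICS = {"172.17.80.54": "172.16.80.54"}

# Constructed config combining Roland's and triplejolt's lines.
CONFIG = """\
object-group service Liveupdate tcp
  description Ports used by Norton Liveupdate.
  port-object range 2847 2848
access-list acl_dmz permit tcp host sales_server host 172.17.80.54 eq www
access-list acl_dmz permit tcp host sales_server host 172.17.80.54 eq ftp
access-list acl_dmz permit tcp host sales_server host liveupdate_gw object-group Liveupdate
access-list acl_dmz permit udp host NS1 host PDC1_DMZ range netbios-ns netbios-dgm
access-list acl_dmz permit tcp host NS1 host PDC1_DMZ range 3268 3269
"""


def port(tok):
    """Resolve a port keyword or a numeric port."""
    return PORT_NAMES.get(tok) or int(tok)


def parse_object_groups(lines):
    """Collect `object-group service` blocks as lists of (low, high) port ranges."""
    groups, current = {}, None
    for raw in lines:
        t = raw.split()
        if t[:2] == ["object-group", "service"]:
            current = groups.setdefault(t[2], [])
        elif t[:1] == ["port-object"] and current is not None:
            lo = port(t[2])
            current.append((lo, port(t[3]) if t[1] == "range" else lo))
    return groups


def parse_addr(t, i):
    """Parse `host X`, `any` or `NET MASK` at t[i]; return (network, next index)."""
    if t[i] == "host":
        return ipaddress.ip_network(NAMES.get(t[i + 1], t[i + 1]) + "/32"), i + 2
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{NAMES.get(t[i], t[i])}/{t[i + 1]}", strict=False), i + 2


def parse_acl(lines, groups):
    """Return {acl_name: [(action, proto, src_net, dst_net, port_ranges or None)]}."""
    acls = {}
    for raw in lines:
        t = raw.split()
        if not t or t[0] != "access-list":
            continue
        name, i = t[1], 2
        if t[i] == "line":            # optional `line N` position, ignored here
            i += 2
        action, proto, i = t[i], t[i + 1], i + 2
        src, i = parse_addr(t, i)
        dst, i = parse_addr(t, i)
        ports = None                  # no port spec means any port
        if i < len(t):
            if t[i] == "eq":
                ports = [(port(t[i + 1]), port(t[i + 1]))]
            elif t[i] == "range":
                ports = [(port(t[i + 1]), port(t[i + 2]))]
            elif t[i] == "object-group":
                ports = groups[t[i + 1]]
        acls.setdefault(name, []).append((action, proto, src, dst, ports))
    return acls


def evaluate(acls, acl_name, proto, src, dst, dport):
    """First matching entry decides; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, ports in acls.get(acl_name, []):
        if p not in (proto, "ip") or s not in snet or d not in dnet:
            continue
        if ports is not None and not any(lo <= dport <= hi for lo, hi in ports):
            continue
        return action == "permit"
    return False


def forward(acls, acl_name, proto, src, dst, dport):
    """Inside address the flow reaches after the ACL and the static, or None if denied."""
    if not evaluate(acls, acl_name, proto, src, dst, dport):
        return None
    return STATICS.get(dst, dst)


LINES = CONFIG.splitlines()
ACLS = parse_acl(LINES, parse_object_groups(LINES))

if __name__ == "__main__":
    for proto, dport in (("tcp", 80), ("tcp", 21), ("tcp", 139)):
        print(proto, dport, forward(ACLS, "acl_dmz", proto, "172.17.79.6", "172.17.80.54", dport))
```

The point of `forward` is the one hb101 keeps circling: the ACL on the dmz interface is written against 172.17.80.54 (the alias the DMZ host actually sends to), and only the static turns that into 172.16.80.54. Port 139 comes back as denied because nothing permits it, not because anything blocks it; that is the implicit deny at the end of every PIX access-list.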
 
Thanks Triple Jolt.. I'll add my access-list and give it a try..

I'm assuming the CODE portion of your response was just for information purposes only and not used for a specific PIX entry..

hb101

Thanks again!

 
Hi triplejolt..

I'm wondering ..

In your access-list.. where it says host gateways.dis.symantec.com object-group Liveupdate


Where it says host.. do I place the name of my host name within my dmz? is this access list allowing this host in my dmz to communicate with my NAV server inside my LAN? or is it looking to do a Live Update.. I'd really like the DMZ'd host to look at the NAV server in my LAN..

thanks for any support you can provide.

hb101
 