topic Re: Access Through PIX Between DMZ and Inside in Network Security

Access Through PIX Between DMZ and Inside

daniel.bowen — Mon, 11 Mar 2019 09:04:13 GMT

Hi Everyone,

A quick question in relation to allowing two DMZ servers communicate with an Inside server.

I understand that to enable the DMZ servers to initiate comms with the Inside server I need to put in the following commands:

NAT(INSIDE) 1 10.0.0.52 255.255.255.255 (address of the Inside server)

GLOBAL(DMZ) 1 10.1.0.100 255.255.255.255 (address to be translated to on the DMZ)

But how do I permit the Inside server to communicate with the DMZ servers, or will this happen automatically due to it being sourced on a higher security interface?

Many thanks,

Dan

Re: Access Through PIX Between DMZ and Inside

a.kiprawih — Mon, 04 Dec 2006 15:25:25 GMT

Assuming your inside segment is 10.0.0.0/24, you can use:

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

This will allow the inside segment to talk to DMZ, and vice-versa via their respective IP Addresses.

HTH

Re: Access Through PIX Between DMZ and Inside

daniel.bowen — Mon, 04 Dec 2006 15:57:48 GMT

Thanks for you reply.

I only want to allow comms between 2 servers on the DMZ (10.1.0.27 and 31) and 1 inside server (10.0.0.52).

How can I allow these two to communicate on all ports but not any other servers on the DMZ or inside?

Many thanks,

Dan

Re: Access Through PIX Between DMZ and Inside

a.kiprawih — Mon, 04 Dec 2006 16:16:01 GMT

Maintain the previous "static (inside,dmz) ..." command, and use access-list (ACL) to nail the two. Apply the ACL on both DMZ and Inside interfaces.

Example - add to existing. or add new:

Inside interface:

access-list inside permit ip host 10.0.0.52 host 10.1.0.27 --> permitted to talk to dmz's 10.1.0.27

access-list inside permit ip host 10.0.0.52 host 10.1.0.31 --> permitted to talk to dmz's 10.1.0.27

access-list inside deny ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0 --> deny inside to talk to any dmz, except the above

access-list inside permit ip 10.0.0.0 255.255.255.0 any --> permit inside to talk to other subnet/address, i.e internet (with nat/global config)

access-group inside in interface inside --> bind acl to inside interface

access-list dmz permit ip host 10.1.0.27 host 10.0.0.52 --> permit dmz's 10.1.0.27 talking to inside's 10.0.0.52 via any ports

access-list dmz permit ip host 10.1.0.31 host 10.0.0.52 --> permit dmz's 10.1.0.31 talking to inside's 10.0.0.52 via any ports

access-list dmz deny ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0 --> deny other dmz talking to inside, except the above

access-list dmz permit ip 10.1.0.0 255.255.255.0 any --> allow dmz talking to other subnet, excpet specific subnet on inside

access-group dmz in interface dmz --> bind acl 'dmz' to dmz interface

HTH

Re: Access Through PIX Between DMZ and Inside

daniel.bowen — Tue, 05 Dec 2006 11:57:40 GMT

Hi there,

Are you sure this is all that is required for NATting between subnets? I have limited knowledge of NAT on a PIX but it would seem to me that we would need a static going in both directions?

Could you possibly elobarate?

Many thanks,

Dan

Re: Access Through PIX Between DMZ and Inside

a.kiprawih — Tue, 05 Dec 2006 12:23:51 GMT

Yes, this is the most common you can use. It works between higher security to lower security level subnet natting/mapping, i.e inside-outside, or dmz-outside.

The - static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 - command allows your inside and dmz segment to access each other via their original IP. DMZ can access inside servers via inside server's original IP of 10.0.0.xx, while inside can access DMZ original IP of 10.1.0.xx. Use ACL on both end to control which hosts can access across and vice-versa.

Apart from the above subnet mapping, you can also use the following method to map inside servers with DMZ IP address, as follow:

static (inside,dmz) 10.1.0.100 10.0.0.52 netmask 255.255.255.255

This will allow your DMZ hosts (10.1.0.27 & 10.1.0.31) to access the Inside server using DMZ's NATted IP of 10.1.0.100 instead of Inside server original IP of 10.0.0.52 (opposite to the above static command). Logically, this make inside server like sitting in DMZ segment as well.

To allow Inside host 10.0.0.52 access both DMZ servers (10.1.0.27 & 10.1.0.31), just define nat (inside)/global (dmz) pair with ACL to control the access:

nat (inside) 3 10.0.0.52

global (dmz) 3 10.1.0.101

access-list inside permit ip host 10.0.0.52 host 10.1.0.27

access-list inside permit ip host 10.0.0.52 host 10.1.0.31

access-list inside deny ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0

access-list inside permit ip 10.0.0.0 255.255.255.0 any

access-group inside in interface inside

The above will allow only 10.0.0.52 to access dmz's 10.1.0.27 & 10.1.0.31

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1112345

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278e.html#wp1069973

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

HTH

Re: Access Through PIX Between DMZ and Inside

daniel.bowen — Fri, 08 Dec 2006 10:10:00 GMT

Sorry to bother you again with this, but I have a quick question regarding your config.

You said that "static (inside,dmz) 10.1.0.100 10.0.0.52 netmask 255.255.255.255

This will allow your DMZ hosts (10.1.0.27 & 10.1.0.31) to access the Inside server using DMZ's NATted IP of 10.1.0.100 instead of Inside server original IP of 10.0.0.52 "

But the 10.1.0.100 Natted address is on the same subnet as the DMZ hosts, shouldnt it be on the inside LAN of 10.0.0.0?

You also said

nat (inside) 3 10.0.0.52

global (dmz) 3 10.1.0.101

Shouldnt the 10.1.0.101 address on the global pool be 10.1.0.100 ie the address from the earlier static (inside,dmz) command?

Many thanks again my friend,

Dan