topic Hi Marius, in Network Security

PIX version 8.0(4) problem to configure DMZ

cbemobile — Tue, 12 Mar 2019 08:57:17 GMT

HI,

I have a pix 515E firewall and have some issue with the configuration (I am a beginner).

Multiple clients connected to a switch using VLANs and the switch is connected to a PIX using a trunk.

The PIX is connected to the ISP router using the OUTSIDE interface.

For each VLAN i create a sub interface on the pix.

I have a DMZ1 with a specific server inside.

This server in the DMZ1 must be accessed from the internet and also from all the inside vlan.

INSIDE VLANS -> INTERNET

INSIDE VLANS -> DMZ1

DMZ1 -> INTERNET

INTERNET->DMZ1

With the configuration i did :

The Inside VLANs can access INTERNET

The DMZ1 can access INTERNET

I forward (NAT) all the traffic comming on the outside interface to the DMZ1 server to permit the access from INTERNET to DMZ1. (I suppose there are other solution).

From VLANS i cannot access to the DMZ1 server.

I am not fluent with NAT, NO NAT and ACL and perhaps this is the origin of the problems.

I joint the version informations of my PIX and the running configuration

I will appreciate your help

Thanks

You need to use PAT and not

Marius Gunnerud — Mon, 20 Feb 2017 16:12:57 GMT

You need to use PAT and not static NAT all ports from outside to DMZ1

for example, you can use the following to NAT 172.30.70.9 port TCP/80 to the outside interface

static (DMZ1,OUTSIDE) tcp interface 172.30.70.9 80 netmask 255.255.255.255

You can also test your configuration by using the packet tracer and see if it is successful or if it fails, where it fails.

packet-tracer input OUTSIDE tcp 4.2.2.2 12345 <Outside Int IP> 80

Please remember to select a correct answer and rate helpful posts

Hi Marius,

cbemobile — Tue, 21 Feb 2017 11:38:52 GMT

Hi Marius,

Thanks for your help.

I change the NATt according to your example and it's work (i join my new configuraion file).

But have an issue to submit to your analysis :

when i use HTTPS from outside "https:\\192.168.220.200" i get the ASDM index.html page "https://192.168.220.200/admin/public/index.html". If i want to get for example the admin console of my web server (10.100.70.9) in the DMZ1 i need to use "https://192.168.220.200/console/" and it's work. But in normal use the outside client use only "HTTPS:://mywebserver" to get the public secure access banner. It is possible to get the ASDM only using the managment interface and one inside administrator vlan and to redirect all the https traffic from the outside to the Webserver in the DMZ1.

why administrator VLAN : In the future i would like, if possible, to use a VPN client from outside to manage using remote access the firewall. But if it is to complex my first goal is to get all HTTPS traffic with my webserver.

Thanks for your help

HI Marius,

cbemobile — Tue, 21 Feb 2017 15:06:05 GMT

HI Marius,

I hope i found the solution for the ASDM access.

I had a look on the command "HTTP SERVER" and i saw that it is possible to change the port allocated to the ASDM (443 is the default). So, i change it using the command :

"http server enable 10500"

I also add an access to asdm from outside :

"http 192.168.220.0 255.255.255.0 OUTSIDE"

and now when i use "https:\\192.168.220.200" i get the DMZ1 webserver HTTPS login page.

When i was on an outside computer i use the ASDM launcher adding the port to address

"Decive IP Address/ Name : 192.168.220.200:10500"

It seem to work according to my expectations.

What do you think about.

Regards

Claude

This is a common practice

Marius Gunnerud — Tue, 21 Feb 2017 22:50:42 GMT

This is a common practice when you have a server on the inside which has port TCP/443 NATed to it using the outside interface IP. When this is the case you need to do as you say, assign a different port to access the ASDM via the outside interface. If you do not then traffic to the ASDM will not work on port 443.

Please remember to select a correct answer and rate helpful posts

Hi Marius,

cbemobile — Wed, 22 Feb 2017 07:35:25 GMT

Hi Marius,

I want to thank you for you precious help.

Regards