topic Re: Pix 515e DMZ problems in Network Security

Pix 515e DMZ problems

bob — Fri, 21 Feb 2020 07:10:33 GMT

Hi guys, mind looking at my config and helping me figure out why any box in the DMZ can not be accessed from the outside.. They also have no access to the net? I looked at couple example configurations and i must be missing something every single time? What i am currently attempted to do is move 2 of my servers into the DMZ. Currently using a unix box with apache and qmail as my test machine.

Thanks

-Bob

--------------

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security10

hostname Guardian

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

no fixup protocol http 80

names

access-list smtp permit tcp any host nnn.nnn.nnn.226 eq smtp

access-list smtp permit tcp any host nnn.nnn.nnn.226 eq pop3

access-list smtp permit tcp any host nnn.nnn.nnn.226 eq www

access-list smtp permit tcp any host nnn.nnn.nnn.228 eq www

pager lines 24

logging on

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

ip address outside nnn.nnn.nnn.226 255.255.255.224

ip address inside 192.168.4.1 255.255.255.0

ip address DMZ 192.168.5.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

arp timeout 14400

global (outside) 2 interface

global (inside) 3 interface

global (DMZ) 4 nnn.nnn.nnn.228

nat (inside) 2 192.0.0.0 255.255.0.0 0 0

nat (DMZ) 4 192.168.5.0 255.255.255.0 0 0

static (inside,outside) tcp interface smtp 192.168.4.2 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface pop3 192.168.4.1 pop3 netmask 255.255.255.255 0 0

static (DMZ,outside) tcp nnn.nnn.nnn.228 www 192.168.5.5 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface www 192.168.4.2 www netmask 255.255.255.255 0 0

access-group smtp in interface outside

route outside 0.0.0.0 0.0.0.0 nnn.nnn.nnn.225 1

route inside 10.10.1.0 255.255.255.0 191.0.32.1 1

route inside 10.10.2.0 255.255.255.0 191.0.32.1 1

route inside 192.168.3.0 255.255.255.0 192.168.4.1 1

route inside 192.168.2.0 255.255.255.0 192.168.4.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

terminal width 80

Re: Pix 515e DMZ problems

mostiguy — Mon, 29 Dec 2003 18:59:53 GMT

static (DMZ,outside) tcp nnn.nnn.nnn.228 www 192.168.5.5 www netmask 255.255.255.255 0 0

that is the only static statement referencing the dmz. Are you able to connect to that web server?

Re: Pix 515e DMZ problems

bob — Mon, 29 Dec 2003 20:58:09 GMT

Nope i am unable to connect to it from the outside. right now i havnt added the static statement for smtp yet.

Re: Pix 515e DMZ problems

mostiguy — Mon, 29 Dec 2003 21:13:09 GMT

have you done a clear xlate to wipe clean the translation slot table?

Re: Pix 515e DMZ problems

bob — Mon, 29 Dec 2003 23:24:11 GMT

No sir i havnt. I will try this once i get back into the office. I got the feeling that my static was working correctly as when i would use telnet to port 80 it would just hang, not just die. My thinking was that the requests were getting through but the replies were not?

Re: Pix 515e DMZ problems

bob — Tue, 30 Dec 2003 14:39:37 GMT

I have cleard the xlate and still same problem. IE just sits there stating that its opening the page.

Re: Pix 515e DMZ problems

ciscoacs — Tue, 30 Dec 2003 14:53:11 GMT

from looking at your config you have and access list for the outside interface to allow only the following access:

tcp any host nnn.nnn.nnn.226 eq smtp

tcp any host nnn.nnn.nnn.226 eq pop3

tcp any host nnn.nnn.nnn.226 eq www

tcp any host nnn.nnn.nnn.228 eq www

but as you only have one static command referencing dmz interface:

static (DMZ,outside) tcp nnn.nnn.nnn.228 www 192.168.5.5 www netmask 255.255.255.255 0 0

only this one would be allowed.

also you have no fixup protocol http? you should use fixup protocol i think.

sam

Re: Pix 515e DMZ problems

bob — Tue, 30 Dec 2003 18:48:34 GMT

That is correct, the reason is, is because im trying to move services from the inside interface (first three access-list) to the DMZ (last access-list). Currently i only allowing 80 to get into the dmz and thats all im concentrating right now. As soon as i have http traffic running smoothly i should be easily able to allow smtp.

The fixup protocol is a personal preference from my readings. I may choose to enable it once again in the near future.

Re: Pix 515e DMZ problems

ciscoacs — Fri, 02 Jan 2004 11:02:47 GMT

have you tried to debug this making sure that the traffic is leaving the dmz interface of the pix and getting to the server?

command is= debug pack dmz src any dst xxx.xxx.xxx.228 proto tcp dport 80 tx

then you could debug from the server for the replies

command=

debug packet dmz src xxx.xxx.xxx.228 dst any proto tcp dport 80 tx

will show you where the trouble is. otherwise get a packet sniffer on that interface because your config looks fine.

sam

Re: Pix 515e DMZ problems

j.cusick — Tue, 06 Jan 2004 19:42:04 GMT

I would check the default gateway on the web server. Make sure this is pointing to the DMZ interface. You may also want to remove the global statement and NAT for the DMZ as your statics should take care of that (depends on the rest of your setup). You probably will want to allow the WWW server to talk to some DNS server either internal or external.