topic Re: Pix DMZ and IIS in Network Security

Pix DMZ and IIS

mitchell_kohn — Fri, 21 Feb 2020 07:12:02 GMT

Hi All,

I have a interesting problem that I can not figure out. I have a Pix 520 running 6.2.2 and I have a DMZ zone. In this zone I have a Web Server. People can get to the web server pages fine. I can not do a nslookup, a windows update or an anti virus download. This used to work before and now it doesn't. At first I thought it was a os problem, but I upgraded the server and it is still does not work. I changed the network cable and port. There is nothing showing up in my logs indicating that this server is not allowed out (no deny statements). Anyone have an idea of where else I can look ? I probably did something in the firewall config to tightened down the security, but I guess I made it too tight. 😉

Thanks in advance.

Mitch

Re: Pix DMZ and IIS

ali-franks — Fri, 16 Jan 2004 14:32:44 GMT

Hi Mitch,

Can you post the config - having removed public IP addresses of course?

Re: Pix DMZ and IIS

mitchell_kohn — Fri, 16 Jan 2004 15:47:28 GMT

The sanitized version: Thanks !

PIX Version 6.2(2)

nameif ethernet0 Internet security50

nameif ethernet1 inside security100

nameif ethernet2 DMZ security75

clock timezone EST -5

clock summer-time EDT recurring

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no fixup protocol ils 389

names

pager lines 24

logging on

logging buffered alerts

logging trap notifications

logging host inside w.x.y.z

interface ethernet0 100full

interface ethernet1 auto

interface ethernet2 100full

icmp deny any Internet

icmp deny host 10.0.0.0 inside

icmp permit w.x.y.z 255.255.255.0 inside

icmp deny any DMZ

mtu Internet 1500

mtu inside 1500

mtu DMZ 1500

ip address Internet w.x.y.z 255.255.255.252

ip address inside w.x.y.z 255.255.255.240

ip address DMZ w.x.y.z 255.255.255.0

ip verify reverse-path interface Internet

ip verify reverse-path interface inside

ip verify reverse-path interface DMZ

ip audit name internet-ids info action alarm

ip audit name dmz-ids info action alarm

ip audit name dmz-ids2 attack action alarm drop reset

ip audit name inside-ids info action alarm

ip audit name inside-ids2 attack action alarm drop reset

ip audit name internet-ids2 attack action alarm drop reset

ip audit interface Internet internet-ids

ip audit interface inside inside-ids

ip audit interface inside inside-ids2

ip audit interface DMZ dmz-ids

ip audit interface DMZ dmz-ids2

ip audit info action alarm

ip audit attack action alarm drop reset

pdm logging critical 100

pdm history enable

arp timeout 14400

global (Internet) 1 w.x.y.z

nat (inside) 1 a.b.c.d 255.255.0.0 0 0

static (DMZ,Internet) a.b.c.d w.x.y.z netmask 255.255.255.255 0 0

conduit permit icmp any any echo-reply

conduit permit tcp host a.b.c.d eq www any

conduit deny icmp host a.b.c.d any

outbound 1 deny 0.0.0.0 0.0.0.0 194 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 139 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 750 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 750 udp

outbound 1 deny 0.0.0.0 0.0.0.0 137 udp

outbound 1 deny 0.0.0.0 0.0.0.0 389 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 49 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 161 udp

outbound 1 deny 0.0.0.0 0.0.0.0 135 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 137-138 udp

outbound 1 deny 0.0.0.0 0.0.0.0 445 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 445 udp

outbound 1 deny 0.0.0.0 0.0.0.0 389 udp

outbound 1 deny 0.0.0.0 0.0.0.0 593 udp

outbound 1 deny 0.0.0.0 0.0.0.0 593 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 4444 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 69 udp

outbound 1 deny 0.0.0.0 0.0.0.0 6060-6080 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 707 tcp

apply (inside) 1 outgoing_src

route Internet 0.0.0.0 0.0.0.0 1.2.3.4 1

route DMZ 1.2.3.4 255.255.255.0 1.2.1.1 1

route inside a.b.c.d 255.255.0.0 a.b.c.d 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (inside) host ssss vbnm timeout 2

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authentication telnet console TACACS+

aaa authentication serial console TACACS+

aaa authentication enable console TACACS+

aaa authentication http console TACACS+

http server enable

no snmp-server location

no snmp-server contact

snmp-server community

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80

: end

[OK]

Re: Pix DMZ and IIS

ramesh.krishnan — Sat, 17 Jan 2004 00:07:56 GMT

hi,

you probably messed it out here

"outbound 1 deny 0.0.0.0 0.0.0.0 194 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 139 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 750 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 750 udp

outbound 1 deny 0.0.0.0 0.0.0.0 137 udp

outbound 1 deny 0.0.0.0 0.0.0.0 389 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 49 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 161 udp

outbound 1 deny 0.0.0.0 0.0.0.0 135 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 137-138 udp

outbound 1 deny 0.0.0.0 0.0.0.0 445 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 445 udp

outbound 1 deny 0.0.0.0 0.0.0.0 389 udp

outbound 1 deny 0.0.0.0 0.0.0.0 593 udp

outbound 1 deny 0.0.0.0 0.0.0.0 593 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 4444 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 69 udp

outbound 1 deny 0.0.0.0 0.0.0.0 6060-6080 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 707 tcp

apply (inside) 1 outgoing_src "

The correct way of doing this is

You first need to issue a deny all, then "except" the allowed ports/protocols back in

outbound 101 deny 0 0 0

outbound 101 except 0 0 23 tcp

outbound 101 except 0 0 80 tcp

[etc]

apply (inside) outgoing_src

outbound 101 deny 0 0 0

outbound 101 permit 0 0 23 tcp

outbound 101 permit 0 0 80 tcp

[etc]

apply (inside) outgoing_src

Hope this solves your problem.

thanks,

ramesh

Re: Pix DMZ and IIS

mitchell_kohn — Tue, 20 Jan 2004 14:47:18 GMT

I have to keep those denys in, because We allow anything to go out. I added in those denys to keep any of those types (ports) of information from going back out. I have not changed over to ACL's yet. Any other suggestions?

Thanks,

Mitch

Re: Pix DMZ and IIS

ramesh.krishnan — Wed, 21 Jan 2004 04:58:31 GMT

i think you implemented all these security settings in one go. but just loosen all these security outbound, and then put one by one and see...

ramesh

Re: Pix DMZ and IIS

mitchell_kohn — Wed, 21 Jan 2004 14:22:39 GMT

BTW, everything is now working....I guess, by telling the machine I was going to TAC, it got scared. All, I did (I swear) was a sh traffic, connection, interface, xlate and a few clear xlate and by magic, it stated working again. I went an immediately closed the TAC case.

Thanks for all of your suggestions.

Cheers,

Mitch