03-09-2011 11:50 AM - edited 03-11-2019 01:03 PM
first off - these are not my real ip addresses.
I have a couple of dns servers that are currently exposed to the world - no firewall in front of them and I want to get them protected.
My internal network is protected by a Microsoft firewall where we use natting and I have ip forwarding to a few webservers also through the isa firewall, but our dns servers get a lot of traffic so I do not want to run them through the isa firewall because it's already getting beat up with all the traffic.
so - I bought a cisco pix 501 and want to set that up and put the dns servers on that.
I can write rules for the isa firewall just fine but the cisco pix presents a learning curve for me.
perhaps you guys can help me. we have 128 ip addresses assigned to us by our provider (91.114.187.2 through .128 )
right now my internal network (10.0) is natted out as 91.114.187.3 and it's running fine
my isa firewall is 91.114.187.3
my dns servers are 91.114.187.4 and .5
my gateway is 91.114.187.1
and we have a voip phone system on 91.114.187.2
I'd like to set up the cisco pix as .10 and leave the published ip addresses of the dns servers as .4 and .5 if at all possible.
I have a couple of webservers whose published ips are .15 and .16 and they're routed through the isa firewall and I don't want to disturb them or change their ip addresses.
when I setup the cisco pix with an ip address of 91.114.187.10 with a subnet mask of 255.255.255.128 it will be set to listen to all traffic from 91.114.187.1 through .64 correct? and even though it's listening to the same traffic as my ISA firewall I assume it will not interfere with any traffic to the isa. The ISA and 501 will be plugged into the same hub which also has my dns servers plugged in right now and the line to my service provider.
my question is this... can I set up my dns servers on the 501 pix to use their external addresses and still have the cisco pix protect them?
I read somewhere that I can have the cisco facing out with one of my external ip addresses and also have some of my external addresses assigned to computers on my internal network too and have the pix protect them - is that correct?
how is this done?
my rules would be simple. I'd like to allow my dns servers to be pinged and also open udp traffic on port 53 to them from the outside world.
does this sound like a plan?
If this is doable I just need some guidance on how to set this up through pdm3.0
thanks in advance. I'm anxious for some enlightened feedback since I kind of struggle through all of this.
03-09-2011 12:07 PM
you are right on all your statements.
You will need a few things on the pix in order to make this work.
1. Static nat translation, for example:
DNS Server IP: 10.0.0.4 and 10.0.0.5
PIX configuration will need the following NAT rules:
static (inside,outside) 91.114.187.4 10.0.0.4 netmask 255.255.255.255
static (inside,outside) 91.114.187.5 10.0.0.5 netmask 255.255.255.255
And the following access rules:
access-list outside_in permit icmp any host 91.114.187.4
access-list outside_in permit icmp any host 91.114.187.5
access-list outside_in permit udp any host 91.114.187.4 eq 53
access-list outside_in permit udp any host 91.114.187.5 eq 53
access-group outside_in in interface outside
write memory
You have to remove the rules related to those two public IPs from your ISA so that they don't interfere. The PIX will not interfere with the other IPs since they are being used on the ISA, so avoid configuring the other public IPs on the ASA.
You will also need to set the default gateway of the two DNS servers to be the inside IP of the PIX so that the return traffic coming from the internet could return to the PIX.
If the default gateway is set to something else like the ISA it will not work due to asymmetric routing.
Sorry for all the commands but it is easier and faster. I don't remember well all the steps on the PDM.
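As an added example (not from the thread or its posters), a small Python checker for the static and access-list lines proposed above: it parses them, works out which public addresses each static's netmask makes the PIX claim, flags any that collide with the addresses the ISA and VoIP box keep (.2, .3, .15, .16), and lists what each DNS server is exposed on. The sample config, the ISA_OWNED set and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample of the lines proposed in the thread, using the 10.10.1.0/24
# inside subnet from the follow-up answer (not the poster's verbatim config).
SAMPLE_CONFIG = """
static (inside,outside) 91.114.187.4 10.10.1.4 netmask 255.255.255.255
static (inside,outside) 91.114.187.5 10.10.1.5 netmask 255.255.255.255
access-list outside_in permit icmp any host 91.114.187.4
access-list outside_in permit icmp any host 91.114.187.5
access-list outside_in permit udp any host 91.114.187.4 eq 53
access-list outside_in permit udp any host 91.114.187.5 eq 53
access-group outside_in in interface outside
"""

# Public addresses the thread keeps on the ISA and VoIP gear (assumed set);
# the PIX must never translate, and so proxy-ARP for, any of them.
ISA_OWNED = {"91.114.187.2", "91.114.187.3", "91.114.187.15", "91.114.187.16"}

STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list \S+ permit (\S+) any host (\S+)(?: eq (\S+))?$")


def claimed_public_ranges(config):
    # The netmask of a static applies to the global address: 255.255.255.255
    # is a one-host static, anything shorter turns it into a network static.
    ranges = []
    for line in config.strip().splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            public, _inside, mask = m.groups()
            ranges.append(ipaddress.ip_network(f"{public}/{mask}", strict=False))
    return ranges


def overlapping_isa_addresses(config):
    # Reserved addresses that the statics would also claim (empty means safe).
    hits = {ip for net in claimed_public_ranges(config)
            for ip in ISA_OWNED if ipaddress.ip_address(ip) in net}
    return sorted(hits, key=ipaddress.ip_address)


def exposed_services(config):
    # Map each public host in the outside_in ACL to what it is reachable on.
    services = {}
    for line in config.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            proto, host, port = m.groups()
            services.setdefault(host, set()).add(proto if port is None else f"{proto}/{port}")
    return services
```

Swapping the host mask for 255.255.255.128 makes overlapping_isa_addresses() return all four reserved addresses, which is exactly the interference with the ISA the answer warns about.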
03-09-2011 12:31 PM
the inside interface of the PIX cannot be on the same subnet as the outside interface. These two DNS servers will not be accessible by the inside users, right?
If that is right then you can configure the inside interface to any ip subnet such as 10.10.1.0/24: your inside interface could be 10.10.1.1 255.255.255.0, the DNS servers could be 10.10.1.4 and 10.10.1.5, and the default gateway will be 10.10.1.1.
That will allow your servers to talk to the PIX and to reply to the DNS requests from the internet.
Is that clear my friend?
03-09-2011 12:16 PM
fantastic - ok...
I really hate to ask this, but once I connect to the cisco pix with the terminal....what commands do I enter to start posting in the rules you've come up with - trust me - I'm really good at setting the pix back to its default state and doing a reload, but I have yet to figure out what commands to type in to start entering the actual rules.
thanks in advance.
jeff
03-09-2011 12:23 PM
you will get something like this:
pixfirewall>
type the command "enable" and you will be asked for a password, by default you don't have a password so just hit enter
pixfirewall>enable
prompt will change:
pixfirewall#
you will need to get into configuration mode by typing the command "configure terminal"
prompt will change
pixfirewall(config)#
Now you can add the commands I provided before. The command "write memory" will save the config.
Make sure you connect the cables to the right ports and to test connectivity you can use the command "ping".
that is all.
03-09-2011 12:23 PM
"You have to remove the rules related to those two public IPs from your ISA so that they don't interfere and the PIX will not interfere in the other IPs since they are being used on the ISA so avoid configuring the other public IPs on the ASA.
You will also need to set the default gateway of the two DNS servers to be the inside IP of the PIX so that the return traffic coming from the internet could return to the PIX."
I do not have rules in my isa right now that look for traffic on dot 4 and dot 5.
the isa servers are plugged into the same hub that the external line from my isp and my isa firewall and dns servers are plugged into.
let's talk about what address I set in the pix as its internal address (which I assume will be the default gateway for my two dns servers). I'm open here to anything that's easy and simple because I'll be plugging the two dns servers directly into the cisco pix device.
what would you recommend? a 10.0 type address or a 98. address? because I would like the cisco pix box to be available to me over the web if I want to remotely administer it through telnet from my natted external address here or my static ip address from home.
thanks in advance.
Jeff
03-09-2011 01:03 PM
correct: the two dns servers will not be accessible by their internal ips on the internal network - primarily because they'll be plugged into the back of the pix and the balance of my internal network is plugged into other hubs. They will of course be accessible via their external ips just like they will be to every other computer on the internet.
and from reading your comment the internal ip address of the pix would be 10.10.1.1 - correct - since that would be the default gateway for the dns servers.
I assume there is no problem setting the external ip address of the pix to 91.114.187.10 - correct?
thanks again!
you have been a tremendous help to me in my quest to gain an understanding of what I need to do.
03-09-2011 01:13 PM
again, all of your statements are correct. You should be fine. Remember to set the outside IP address on your ASA and to configure the default gateway on the PIX with the command "route outside 0.0.0.0 0.0.0.0 91.114.187.X".
Good luck.