11-05-2008 07:06 AM - edited 03-11-2019 07:08 AM
I am trying to fix a similar situation.
I need the "Masters" to review my configs so I can share the knowledge.
I can get to the Internet from the DMZ and the inside interfaces.
I'm trying to allow the inside interface to be able to access anything in the DMZ.
I would like to be able to browse the webpages.
Also I am trying to allow remote desktop into the DMZ...I want to keep the DMZ limited to the access rules and ports defined.
I've got several public IPs that go to the DMZ and Inside depending on the port and service.
I've attached a clean detailed config.
11-14-2008 12:41 PM
My first thought is to cut back on your ACLs
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
I would take all of the ones that are outbound off, leaving only the inbound access lists.
When you did your statics, did you clear your xlate table? (clear xlate)
--John
11-05-2008 07:40 AM
Add global (DMZ) 1 interface
You should be able to remove these statements-
global (inside) 10 interface
global (DMZ) 5 interface
Hope that helps.
11-05-2008 03:09 PM
I added the "global (DMZ) 1 interface"
and removed
global (inside) 10 interface
global (DMZ) 5 interface
cl xlate after saving the config.
There doesn't seem to be any change.
I do see how the global (inside) 10 interface
global (DMZ) 5 interface were not needed.
Any other ideas?
11-06-2008 06:18 AM
Is there anything in the log?
11-06-2008 02:51 PM
I appreciate the help.
I'm attaching the Logs.
This morning I was able to ping from (192.168.0.10) within the DMZ and even remote into \\192.168.0.100\c$ without any configuration changes...this lasted 20 minutes. Then back to normal without any changes.
I find it strange that when I try and ping from the inside it shows the source as the destination I am trying to ping.
Basically, I've got a PC on the DMZ and a PC on the Inside Interfaces.
11-06-2008 03:05 PM
Let's be clear on what needs to be working-
+Inside to DMZ, whatever ports and protocols you deem necessary.
Do you need DMZ to Inside to work? All IP's or just some?
11-07-2008 06:45 AM
What needs to work:
Need Inside network to be able to reach anything and use any service in the DMZ. Want to be able to service the webservers and use admin tools. no limits. RDP
I would like to limit the services and traffic from the DMZ into the inside.
For example...
would like to allow 192.168.154.2 to be able to pop3 192.168.0.4.
I would like to allow any DMZ server to be able to send SMTP to 192.168.04
access-list DMZ_access_out extended permit tcp host 192.168.154.2 eq pop3 host 192.168.0.4 eq pop3
access-list DMZ_access_out extended permit tcp any host 192.168.0.4 eq smtp
Thanks
11-07-2008 08:01 AM
It looks like everything is in place. Can you try, from a DMZ server, telnet to 192.168.0.4 on port 25. Then can you capture the log for it (show logg | i dmz_server_ip)? Thanks.
11-07-2008 11:39 AM
6 Nov 07 2008 12:20:07 302014 192.168.154.10 1181 Exchange-192.168.0.4 25 Teardown TCP connection 65 for DMZ:192.168.154.10/1181 to inside:Exchange-192.168.0.4/25 duration 0:00:30 bytes 0 SYN Timeout
6 Nov 07 2008 12:19:37 302013 192.168.154.10 1181 Exchange-192.168.0.4 25 Built inbound TCP connection 65 for DMZ:192.168.154.10/1181 (192.168.154.10/1181) to inside:Exchange-192.168.0.4/25 (Exchange-192.168.0.4/25)
This repeats
11-07-2008 01:10 PM
Are you still seeing the NAT translations too? I see there are 0 bytes across 30 seconds. This usually means it's not getting to the destination or there is a restriction on the application. On the Exchange server are there any restrictions (i.e. relaying)? Do you see anything in the Exchange server event viewer for the connection?
11-07-2008 01:43 PM
Hello John,
According to your ACLs and explanation one post above, I think you are confused about the directions of applying ACLs, in or out.
When you apply an ACL as out, that ACL will filter the traffic that departs from the firewall destined to the HOST on the applied interface. Let me explain with an example
"Need Inside network to be able to able to reach anything and use any service in the DMZ"
So you want any inside host to use any service in DMZ.
Say inside host A, with IP address 192.168.0.200, wants to connect to a web page on host B, 192.168.154.220. This connection attempt will be filtered at 2 points. 1) When entering the inside interface, "inside_access_in in interface inside" 2) When departing from the forwarding interface (which is the DMZ interface in this case), "dmz_access_out out interface dmz"
So you are actually filtering the inside->dmz access which you initially permitted with the inside_access_in ACL, by applying an outbound ACL to the DMZ interface. This also affects connections from the outside interface. So if these ACLs were formed when the former was unsure about directions, I recommend removing them and starting with a fresh understanding.
Besides,
*The ACEs in dmz_access_out that state DMZ hosts as the source and x as the destination are logically incorrect
*ACEs that state another interface's subnet as the source, permitted in any inbound-applied ACL, make the firewall vulnerable to spoofing attacks.
*A normal TCP session NEVER establishes a connection with the same source port as the destination port (as in "access-list DMZ_access_out extended permit tcp host 192.168.154.2 eq pop3 host 192.168.0.4 eq pop3"); the source port is always a dynamically assigned port between 1024 and 65535
But somehow the logs do not contain denies, just SYN timeouts. While testing capabilities, I suggest you use a service that 1) you certainly know is up
2) does not require special inspection by firewalls.
So use RDP instead of port 25, and make sure RDP is enabled at the destination client.
Last, make sure that there are no software firewalls like Windows Firewall enabled on the clients/servers. If enabled, configure the required exceptions.
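As an added illustration (not part of the thread), a small Python lint that checks ACE lines and access-group bindings for the three problems described above: an ACL applied "out" re-filtering what the inbound ACL permitted, a fixed source port that no real TCP client will ever use, and an inbound ACL that permits another interface's subnet as source. The sample ACEs are constructed from the ones quoted in the thread; the per-interface subnets are an assumption from its addressing.

```python
import ipaddress

# Constructed sample modelled on the thread's ACEs; the interface subnets are assumed from its addressing.
ACL_LINES = [
    "access-list DMZ_access_out extended permit tcp host 192.168.154.2 eq pop3 host 192.168.0.4 eq pop3",
    "access-list DMZ_access_out extended permit tcp any host 192.168.0.4 eq smtp",
    "access-list inside_access_in extended permit ip 192.168.154.0 255.255.255.0 any",
    "access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any",
]
ACCESS_GROUPS = ["access-group inside_access_in in interface inside",
                 "access-group DMZ_access_out out interface DMZ"]
SUBNETS = {"inside": "192.168.0.0/24", "DMZ": "192.168.154.0/24"}

def parse_addr(tok, i):
    """Consume one ASA address spec (any | host A | A MASK); return (network or None for any, next index)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if i + 1 < len(tok) and tok[i + 1].count(".") == 3:
        return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2
    raise ValueError(f"unrecognised address spec at {tok[i]!r}")

def parse_port(tok, i):
    """Consume an optional 'eq PORT' operator; return (port or None, next index)."""
    return (tok[i + 1], i + 2) if i < len(tok) and tok[i] == "eq" else (None, i)

def parse_ace(line):
    tok = line.split()  # access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]
    src, i = parse_addr(tok, 5)
    sport, i = parse_port(tok, i)
    dst, i = parse_addr(tok, i)
    return {"acl": tok[1], "proto": tok[4], "src": src, "sport": sport,
            "dst": dst, "dport": parse_port(tok, i)[0]}

def lint(acl_lines, access_groups, subnets):
    bound, findings = {}, []
    for g in access_groups:
        tok = g.split()  # access-group NAME DIRECTION interface IFACE
        bound[tok[1]] = (tok[2], tok[4])
        if tok[2] == "out":  # outbound ACL re-filters what the inbound ACL on the other interface permitted
            findings.append(f"{tok[1]}: applied 'out' on {tok[4]}; prefer inbound ACLs only")
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] == "tcp" and ace["sport"]:  # clients use ephemeral source ports, so this never matches
            findings.append(f"{ace['acl']}: fixed source port 'eq {ace['sport']}' never matches a real client")
        direction, iface = bound.get(ace["acl"], (None, None))
        if direction == "in" and ace["src"] is not None:  # another interface's subnet as source = spoofable
            for other, net in subnets.items():
                if other != iface and ace["src"].subnet_of(ipaddress.ip_network(net)):
                    findings.append(f"{ace['acl']}: inbound on {iface} permits source {ace['src']} belonging to {other}")
    return findings
```

Running lint(ACL_LINES, ACCESS_GROUPS, SUBNETS) reports the outbound binding, the pop3-to-pop3 ACE and the spoofable inside ACE, and nothing for the two well-formed lines.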
11-10-2008 01:38 PM
I agree that I am confused. Good points about the RDP and Firewall settings etc...I've checked these in my testing. I've been testing this build rules to match others on a Juniper device. I know this is part of the trouble.
I've been adding ACLs and statics based on Cisco references that either leave something out or don't show even a reference to a working running-config to support the document. I've used both CLI and ASDM examples. They tend to be a little vague.
I am configuring using the ASDM and the CLI to understand what both sides look like.
The from higher to lower security defaults don't appear to work so I've added statics and rules.
I will rebuild again and test. Even the basic tests make me think I'm missing something.
Does anyone have a basic working example of a DMZ?
11-10-2008 02:00 PM
interface e1
 nameif inside
 security-level 100
 duplex auto
 no shutdown
 ip address 192.168.10.1 255.255.255.0
interface e2
 nameif dmz
 security-level 50
 duplex auto
 no shutdown
 ip address 172.16.5.1 255.255.255.0
interface e0
 nameif outside
 security-level 0
 duplex auto
 no shutdown
 ip address 88.247.156.65 255.255.255.248
! for inside hosts to connect to the internet
nat (inside) 1 0 0
! for dmz hosts to connect to the internet
nat (dmz) 1 0 0
global (outside) 1 interface
name 172.16.5.10 WEBSERVER
static (dmz,outside) 88.247.156.66 WEBSERVER
static (dmz,inside) 172.16.5.0 172.16.5.0 netmask 255.255.255.0
access-list outside_access_in permit tcp any host 88.247.156.66 eq 80
access-group outside_access_in in interface outside
In the above config, any host in the DMZ can connect to hosts on the outside interface including the internet, but can't access inside. Inside can access both DMZ and outside hosts including the internet. And outside hosts can only access the 88.247.156.66 IP address on tcp port 80 of your firewall, which is statically NATed to your webserver.
11-12-2008 11:29 AM
Thanks for the sample working config.
When I use the config above...I get the following errors.
Tried to remote desktop to dmz
3|Nov 12 2008|18:20:23|305006|172.16.5.10|80|||portmap translation creation failed for tcp src inside:192.168.10.100/2671 dst dmz:172.16.5.10/80
3|Nov 12 2008|18:20:02|305006|172.16.5.10|445|||portmap translation creation failed for tcp src inside:192.168.10.100/2671 dst dmz:172.16.5.10/445
3|Nov 12 2008|18:20:02|305006|172.16.5.10|139|||portmap translation creation failed for tcp src inside:192.168.10.100/2672 dst dmz:172.16.5.10/139
3|Nov 12 2008|18:19:56|305006|172.16.5.10|445|||portmap translation creation failed for tcp src inside:192.168.10.100/2671 dst dmz:172.16.5.10/445
3|Nov 12 2008|18:19:56|305006|172.16.5.10|139|||portmap translation creation failed for tcp src inside:192.168.10.100/2672 dst dmz:172.16.5.10/139
Ping from inside to dmz
3|Nov 12 2008|18:18:35|305006|172.16.5.10||||portmap translation creation failed for icmp src inside:192.168.10.100 dst dmz:172.16.5.10 (type 8, code 0)
3|Nov 12 2008|18:18:30|305006|172.16.5.10||||portmap translation creation failed for icmp src inside:192.168.10.100 dst dmz:172.16.5.10 (type 8, code 0)
I'll keep trying to figure out what is missing. I'd welcome any other ideas.
11-13-2008 04:25 AM
My typo:
no static (dmz,inside) 172.16.5.0 172.16.5.0 netmask 255.255.255.0 (this can't be used while a nat statement exists)
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0