07-17-2007 05:05 AM - edited 03-11-2019 03:45 AM
I have a PIX 515e with 3 interfaces,
Inside (sec100) 10.0.10.1
DMZ (sec50) 10.0.20.4
Outside (sec0) 64.69.117.1
I have a server on the DMZ with RDP enabled, and from that server I can ping outside IPs by number, but not name. I can ping the server itself from outside and inside fine as well. The server IP is 10.0.20.10
I know I have an ACL problem but I am afraid of opening up certain ports for fear of defeating the DMZ's purpose altogether. So I ask you all what I need to do :)
I am attaching my config.
Please let me know what I need to do to enable my servers on the DMZ to query the DNS servers on the inside network. Also please let me know what I need to do to get Active Directory logons working. Currently when I try to log on to the server on the DMZ, it tells me that the system cannot log you on because the domain is not available. I assume port 389 needed to be opened on the DMZ ACL but there may be others as well.
If you see any other problems let me know. I will be moving all of the servers on this config to the DMZ once I get everything working properly.
Rob
07-17-2007 05:08 AM
07-17-2007 05:11 AM
This will get the dns working. If dns server is 10.0.10.100...
access-list dmz permit udp any host 10.0.10.100 eq domain
access-list dmz deny ip any 10.0.10.0 255.255.255.0
access-list dmz permit ip any any
access-group dmz in interface DMZ
edit: I'll edit this since your config is now posted.
07-17-2007 05:24 AM
ok, can you help explain that answer some and what each entry accomplishes?
I mean prior to you posting I had screwed up and placed access-list dmz permit TCP any host 10.0.10.100 eq domain
I forgot DNS is UDP. I am so burnt out right now, but I understand that entry; what is the purpose of the DENY entry and then the permit IP any any?
I assume the order has a lot of significance as well. At any rate the DNS is now working but I am still getting denials on AD logon. This is really something I should know, I am a CCSP, but there were no real details on the PIX exam regarding DNS configurations and I need to get up to speed on this stuff so it is all second nature.
Thanks, Rob
07-17-2007 05:24 AM
Ok, now I can see your config.
access-list acl_dmz permit icmp any any
access-list acl_dmz permit udp any host
access-list acl_dmz permit tcp any host
access-list acl_dmz deny ip any 10.0.10.0 255.255.252.0
access-list acl_dmz permit ip any any
07-17-2007 05:29 AM
The acl for the dmz is written in a particular order. You want to...
1. Permit what you need from dmz hosts to inside hosts(dns, active directory ports etc.)
2. Deny everything else from dmz hosts to inside hosts.
3. Permit ip any any. (This allows dmz access outbound, internet etc.)
You may need more ports for the AD logon. Kerberos possibly, tcp 88.
07-17-2007 05:38 AM
ok so when I open additional ports I need to put the permits above the deny that I have already entered?
I am not sure I understand what you're saying in regards to my ACL being written improperly; how should it look? I am lost with what you're saying about the source addresses, etc.
07-17-2007 05:46 AM
"ok so when I open additional ports I need to put the permits above the deny that I have already entered?"
-Yes.
"I am not sure I understand what you're saying in regards to my ACL being written improperly; how should it look? I am lost with what you're saying about the source addresses, etc."
-Sorry, this may be my fault, it takes longer to figure out an acl when it's using object groups etc. Forget what I said. What you had originally allows any on the dmz to public servers. Was this working?
07-17-2007 05:54 AM
yes I was able to get outbound PINGS to public IPs, just not public website names, now it is working with the DNS entry you supplied. Thanks for your help there!
Now I just need to get the darn logons to work. I hate to dual-home the servers; that would defeat the whole purpose of a DMZ IMO.
I have the LDAP opened in line 1 of the dmz acl, but maybe like you said there are others needed although my syslog isn't showing much
Although I do see this:
07-17-2007 09:52:32 Local4.Warning 10.0.10.1 Jul 17 2007 09:43:45: %PIX-4-106023: Deny udp src outside:207.190.222.91/389 dst dmz:SP2DMZPUB/1182 by access-group "acl_outside"
I think I need to open LDAP on the outside ACL?
07-17-2007 05:59 AM
I can't imagine why that would be needed and is probably a bad idea. Here are the ports I use for the AD. You may not need them all but they work for me...
tcp 389
udp 389
udp 53
tcp 53
tcp 88
udp 88
tcp 445
tcp 135
tcp 1025
tcp 636
Hope these help.
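To make the two points above concrete (the ACL is walked top to bottom and stops at the first match, so the per-port permits to inside hosts must sit above the "deny ip any <inside>" line; and the traffic is evaluated inbound on the DMZ interface, so the source is the DMZ private address, not the public static), here is an added example that is not part of the original thread: a small Python evaluator for a subset of the PIX 6.x access-list syntax. The addresses (10.0.10.100 as the inside DNS/domain controller, 10.0.20.10 as the DMZ server) are the thread's own; the AD port list is the one posted above; the misordered ACL is constructed to show the failure mode.

```python
"""First-match evaluator for a subset of PIX 6.x 'access-list' lines.

Added example (not the thread's own config). It models why the specific
permits for inside hosts must come BEFORE the blanket deny to the inside
network: the PIX stops at the first entry that matches, and anything that
matches nothing is denied implicitly.
"""
import ipaddress

# Service names the thread uses, mapped to port numbers (subset of PIX names).
PORT_NAMES = {"domain": 53, "ldap": 389, "ldaps": 636, "kerberos": 88}

# Constructed: DNS permit placed BELOW the deny, so it can never match.
MISORDERED = """
access-list dmz deny ip any 10.0.10.0 255.255.255.0
access-list dmz permit udp any host 10.0.10.100 eq domain
access-list dmz permit ip any any
"""

# Ordered as the thread recommends: specific permits, deny inside, permit all.
# Ports are the AD list from the post above; 10.0.10.100 is the inside DC/DNS.
CORRECT = """
access-list dmz permit icmp any any
access-list dmz permit tcp any host 10.0.10.100 eq 389
access-list dmz permit udp any host 10.0.10.100 eq 389
access-list dmz permit udp any host 10.0.10.100 eq 53
access-list dmz permit tcp any host 10.0.10.100 eq 53
access-list dmz permit tcp any host 10.0.10.100 eq 88
access-list dmz permit udp any host 10.0.10.100 eq 88
access-list dmz permit tcp any host 10.0.10.100 eq 445
access-list dmz permit tcp any host 10.0.10.100 eq 135
access-list dmz permit tcp any host 10.0.10.100 eq 1025
access-list dmz permit tcp any host 10.0.10.100 eq 636
access-list dmz deny ip any 10.0.10.0 255.255.255.0
access-list dmz permit ip any any
"""


def _parse_addr(tokens):
    """Consume an address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]'."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        name, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
        src, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        entries.append(dict(name=name, action=action, proto=proto, src=src,
                            sport=sport, dst=dst, dport=dport, text=line.strip()))
    return entries


def evaluate(entries, proto, src, dst, dport=None):
    """Walk the ACL top to bottom; return (action, matching line).

    The ACL is applied 'in' on the DMZ interface, so src is the DMZ host's
    private address (translation to the public static happens afterwards).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["text"]
    return "deny", "<implicit deny at end of ACL>"


def dns_allowed(acl_text):
    """True if the DMZ server may send DNS queries to the inside resolver."""
    entries = parse_acl(acl_text)
    return evaluate(entries, "udp", "10.0.20.10", "10.0.10.100", 53)[0] == "permit"


if __name__ == "__main__":
    for label, acl in (("misordered", MISORDERED), ("correct", CORRECT)):
        print(label, "DNS to inside:", evaluate(parse_acl(acl), "udp",
                                                "10.0.20.10", "10.0.10.100", 53))
```

With the misordered ACL the DNS query hits the deny first and never reaches its permit, which is exactly the symptom of pinging by address but not by name. With the ordered ACL, Kerberos (88) and LDAP (389) to 10.0.10.100 are permitted, RDP from the DMZ to any other inside host falls through to the deny, and web traffic to the Internet reaches the final permit. One caveat a practitioner would add: "any" as the source lets every DMZ host reach the domain controller; restricting the source to "host 10.0.20.10" keeps a compromise of some other DMZ box from getting the same reach.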
07-17-2007 06:24 AM
ok I will try those, but I am still thinking that would need to be open on my outside interface because my statics are
static (dmz,outside) SP2DMZPUB SP2DMZPRI netmask 255.255.255.255 0 0
The SP2DMZPUB is a public outside IP address and the SP2DMZPRI is a 10.0.20.0/24 address, so wouldn't that stuff need to be allowed through my outside interface as well?
07-17-2007 06:26 AM
But you are not coming from the outside interface. You are coming from the dmz interface.
The source of the traffic is the dmz address 10.0.20.x, not the public address.