Configuring PIX

rmrahman0302
Level 1

I am trying to configure a PIX 515E. I have inside address 192.168.1.1 and outside address 63.67.x.x.

ip address inside 192.168.1.1 255.255.255.0

ip address outside 63.66.x.x 255.255.255.0

nat (inside) 1 0 0

global (outside) 1 interface

My router address is 63.66.x.y. I have set up the workstation gateway address as 192.168.1.1. The problem is that I cannot get out from the workstation. Any idea? Also, if I want to add a server with the public address 63.66.z.z on the DMZ, how can I create that?

Thanks

8 Replies

jon-wyatt
Level 1

Workstation problem

Have you set an access-list up yet?

If not, you will need to apply an access-list which allows access from the device on the inside of the firewall to the device on the outside. You should also create an access-group to allow yourself to reference the inside interface easily.

i.e.

access-list acl_in permit tcp host 192.168.1.x host 63.66.x.y eq telnet

access-list acl_in permit tcp host 192.168.1.x host 63.66.x.y eq ssh

access-group acl_in in interface inside

501s don't support DMZs as such, although you could place a server on the inside of your firewall and static-map an external IP address to it. Is that what you want to do?

You do not need an access-list as JON-WYATT mentioned; remember, a higher level can access lower levels. You just need an access-list to allow lower-to-higher level access.

Have you added a default route?

example:

route outside 0.0.0.0 0.0.0.0 63.66.x.y

Second, have you done a:

clear xlate

after you have changed the Port Address Translation (NAT) setup?

See also Establish connectivity:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html

sincerely

Patrick

I am trying to set up a DMZ. I have a host with IP address 192.168.2.2. I want to access this host from outside by assigning 63.66.107.15. When I try to access it from outside, I cannot see it. I have attached the config file.

Thanks

1.) Looks good, but configure your access-list much more restrictively and do not open the whole ICMP and IP protocol to the DMZ host. You do not want to get hacked in the first couple of hours, right?

Example config:

access-list outside_access_in permit tcp any host 63.66.107.15 eq www

access-list outside_access_in permit tcp any host 63.66.107.15 eq ftp

access-group outside_access_in in interface outside

static (dmz,outside) 63.66.107.15 192.168.2.2 netmask 255.255.255.255

2.) This disables NAT between the inside and the DMZ, and you can access your web server with 192.168.2.2:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

3.) This access-list in your config permits ICMP and blocks all other traffic outgoing from the DMZ to any other interface. Note: established connections from the outside to the DMZ permitted on the other access-list will still work and are not controlled by this access-list. Also note that after the permit statements in an access-list there follows a "deny any any" line that is never shown. Another thing is that this "permit icmp any any" also opens access to all other interfaces, for example the inside interface. Take care with "any any" on access-lists.

access-list acl_ping permit icmp any host 63.66.107.15

access-group acl_ping in interface dmz

4.) After removing unnecessary stuff:

no access-list acl_out

no global (dmz) 1 test

5.) Do also a:

conf t

clear xlate

write mem

Example config on CCO:

Configuring the PIX Firewall with Mail Server Access on DMZ Network:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008015efa9.shtml

sincerely

Patrick

Patrick,

I tried that, but I still cannot ping 63.67.107.15, though I can ping 192.168.2.2. Any idea?

Thanks

Note that ICMP is not a stateful protocol!

To allow access through two interfaces you need to permit it on an access-list. If you want to ping the same interface that your client is connected to, you need to configure the "icmp" command.

Try this to be able to ping your web server:

access-list outside_access_in permit icmp any any echo

access-list outside_access_in permit icmp any any time-exceeded

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit tcp any host 63.66.107.15 eq www

access-list outside_access_in permit tcp any host 63.66.107.15 eq ftp

access-group outside_access_in in interface outside

Second: the access-list on the DMZ interface is there to permit access to the inside interface or to limit the access of DMZ hosts on outbound connections.

This helps to prevent DMZ hosts from establishing connections to the Internet.

Examples for config icmp:

icmp permit any echo-reply outside

icmp permit host 1.1.1.1 echo outside

icmp permit any echo-reply inside

icmp permit host 192.168.1.x echo inside

Handling ICMP Pings with the PIX Firewall:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

sincerely

Patrick

I am not sure about:

access-list acl_ping permit icmp any host 63.66.107.15

access-group acl_ping in interface dmz

I thought ACL processing takes precedence over translation, i.e. this ACL will block outbound traffic and will prevent subsequent flows from being established. What purpose does it serve?

Just a thought.

Regards,

Mustafa

Mustafa,

The PIX allows an established connection (ASA) back to the interface it came from, in the order of the 3-way handshake: SYN (from the Internet, checked by the outside ACL) - SYN ACK (from the DMZ web server, allowed back without checking the ACL on the DMZ) - ACK (from the Internet host).

The access-list on the DMZ only restricts connections from the DMZ hosts to the other interfaces. This helps to mitigate in case your web server was HACKED, for example. The web server would be owned by a hacker, but he would not be able to download any other software to create a ZOMBIE host, because the DMZ access-list would block all outbound connections.

Patrick
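The following is an added example that pulls Patrick's three replies together into one consolidated PIX 6.x configuration for the layout the original poster described (inside 192.168.1.0/24, DMZ server 192.168.2.2 published as 63.66.107.15, router at 63.66.x.y). It is not the poster's attached config and not from the thread. Assumptions not stated in the thread: the DMZ is on ethernet2 named "dmz" with security level 50 and address 192.168.2.1/24, and the DMZ server needs no outbound services of its own (if it does, for example DNS or updates, add explicit permits above the deny line on dmz_access_in).

```text
! Added example (not from the thread). Assumed: ethernet2 = dmz, security50, 192.168.2.1/24.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 63.66.x.x 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
! Default route points at the router, not at the PIX's own outside address
route outside 0.0.0.0 0.0.0.0 63.66.x.y 1

! PAT all inside hosts behind the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Identity static: inside reaches the DMZ with real addresses (no NAT)
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
! One-to-one static for the published DMZ web server
static (dmz,outside) 63.66.107.15 192.168.2.2 netmask 255.255.255.255

! Outside -> DMZ: only the published services plus ping/traceroute to the server.
! Destination is the global (translated) address on this interface.
access-list outside_access_in permit tcp any host 63.66.107.15 eq www
access-list outside_access_in permit tcp any host 63.66.107.15 eq ftp
access-list outside_access_in permit icmp any host 63.66.107.15 echo
access-list outside_access_in permit icmp any host 63.66.107.15 time-exceeded
access-group outside_access_in in interface outside

! DMZ egress. ICMP is not stateful, so the server's echo-replies need an explicit
! permit here; TCP replies to established sessions pass without consulting this list.
! Everything else from the DMZ (including DMZ -> inside) hits the implicit deny.
access-list dmz_access_in permit icmp host 192.168.2.2 any echo-reply
access-list dmz_access_in deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group dmz_access_in in interface dmz

! Pings to the PIX's own interfaces (not through it) are governed by the icmp command
icmp permit any echo-reply outside
icmp permit 192.168.1.0 255.255.255.0 echo inside
```

After pasting this in, run `clear xlate` so stale translations are dropped, then `write mem`. To check it, ping and browse to 63.66.107.15 from an outside host and watch the hit counts in `show access-list`; `show xlate` should show the 63.66.107.15 to 192.168.2.2 static. A compromised web server in this layout can answer the sessions the outside ACL lets in, but cannot open new connections to the inside network or the Internet, which is the point Patrick makes about the DMZ access-list.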
