08-19-2003 08:46 AM - edited 02-20-2020 10:56 PM
Hi all,
I've got a pix 515 with a dmz interface. I'm trying to do a relatively simple thing but my lack of experience with configuring a pix from scratch is showing. Please forgive the newbie nature of the question :).
What i'm trying to do:
Outside (public) : x.x.x.233 - x.x.x.238/255.255.255.248
DMZ : 192.168.1.1 - 192.168.1.254/24
Inside : 10.1.1.1 - 10.1.1.254/24
On the DMZ I want to host 3 web servers and a video server. 2 of the web servers need to speak with a db server on the inside via 1433. The other web server is an OWA front end server (Windows 2k) and needs to speak with a domain controller and mail server on the inside over a variety of ports.
The video server has no need to communicate to the inside.
I've created a set of rules and the result is that none of the web servers are accessible from the outside - in fact, as far as I can tell, there is no communication from the DMZ to the outside whatsoever. I can't browse from the DMZ, I can't hit a DMZ server, I can't ping from the DMZ - nothing.
The database server is accessible from the DMZ to the inside as well as DNS servers from the DMZ to the inside and I haven't tested owa. The problem is that I don't have much of a window of opportunity for installing/testing this - on the order of 2 hrs. I tried to install last night and basically my 2 hrs were up with no (very limited) success.
Following is the configuration (sanitized for public consumption). Does anything jump out at anyone?
Thanks in advance for any help/suggestions!
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
hostname fw1
domain-name domain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
ip address outside x.x.x.237 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip address dmz1 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.1.1.100 255.255.255.255 inside
pdm location 10.1.1.116 255.255.255.255 inside
pdm location 10.1.1.117 255.255.255.255 inside
pdm location 192.168.1.100 255.255.255.255 dmz1
pdm location 192.168.1.101 255.255.255.255 dmz1
pdm location 192.168.1.102 255.255.255.255 dmz1
pdm location 192.168.1.103 255.255.255.255 dmz1
pdm location 192.168.1.0 255.255.255.0 dmz1
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.238
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (dmz1) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp x.x.x.234 5151 10.1.1.100 5151 netmask 255.255.255.255 0 0
static (dmz1,outside) x.x.x.236 192.168.1.102 netmask 255.255.255.255 0 0
static (dmz1,outside) x.x.x.235 192.168.1.100 netmask 255.255.255.255 0 0
static (dmz1,outside) x.x.x.234 192.168.1.103 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
static (inside,outside) x.x.x.237 10.1.1.114 netmask 255.255.255.255 0 0
conduit permit tcp host x.x.x.237 eq www any
conduit permit tcp host x.x.x.237 eq ftp any
conduit permit tcp host x.x.x.237 eq 5150 any
conduit permit tcp host x.x.x.237 eq 443 any
conduit permit tcp host x.x.x.236 eq www any
conduit permit tcp host x.x.x.235 eq www any
conduit permit tcp host x.x.x.234 eq 4550 any
conduit permit tcp host x.x.x.234 eq 5550 any
conduit permit udp host x.x.x.234 eq 5550 any
conduit permit udp host x.x.x.234 eq 4550 any
conduit permit tcp host x.x.x.234 eq 8080 any
conduit permit tcp host x.x.x.234 eq www any
conduit permit tcp host 10.1.1.116 eq 1433 host 192.168.1.101
conduit permit tcp host 10.1.1.116 eq 1433 host 192.168.1.102
conduit permit tcp host 10.1.1.116 eq 389 host 192.168.1.100
conduit permit tcp host 10.1.1.116 eq 3268 host 192.168.1.100
conduit permit tcp host 10.1.1.116 eq 88 host 192.168.1.100
conduit permit tcp host 10.1.1.116 eq domain host 192.168.1.100
conduit permit tcp host 10.1.1.116 eq 135 host 192.168.1.100
conduit permit udp host 10.1.1.116 eq domain host 192.168.1.100
conduit permit udp host 10.1.1.116 eq 88 host 192.168.1.100
conduit permit udp host 10.1.1.116 eq 389 host 192.168.1.100
conduit permit tcp host 10.1.1.117 eq www host 192.168.1.100
conduit permit tcp host 10.1.1.117 eq 143 host 192.168.1.100
conduit permit tcp host 10.1.1.117 eq pop3 host 192.168.1.100
conduit permit tcp host 10.1.1.117 eq smtp host 192.168.1.100
conduit permit tcp host 10.1.1.117 eq 691 host 192.168.1.100
conduit permit tcp host 10.1.1.116 eq domain host 192.168.1.101
conduit permit udp host 10.1.1.116 eq domain host 192.168.1.101
conduit permit icmp any any echo-reply
conduit permit icmp any any unreachable
conduit permit icmp any any time-exceeded
conduit permit udp host 10.1.1.116 eq domain 192.168.1.0 255.255.255.0
conduit permit tcp host 10.1.1.116 eq domain 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.1.1.117 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
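A consistency check over the static translations in the config above, added here as an editor's example (not from any poster or from Cisco). It flags the two things a reviewer would want to question before the next install window: one public address claimed by more than one static, and a static whose global side is an interface's own address. The sample lines are the address and static lines from the posted config with the wrapped static rejoined.

```python
from collections import defaultdict

def parse_static(line):
    """Parse 'static (high,low) [tcp|udp] GLOBAL [gport] LOCAL [lport] netmask ...'."""
    tok = line.split()
    high, low = tok[1].strip("()").split(",")
    rest = tok[2:]
    if rest[0] in ("tcp", "udp"):                    # port-redirection form
        proto, gaddr, gport, laddr, lport = rest[:5]
    else:                                            # one-to-one form
        proto, gport, lport = None, None, None
        gaddr, laddr = rest[:2]
    return {"high": high, "low": low, "proto": proto, "gaddr": gaddr,
            "gport": gport, "laddr": laddr, "lport": lport}

def lint_statics(config_lines):
    """Return findings as strings; an empty list means no overlap or reuse was seen."""
    iface_of, by_global, findings = {}, defaultdict(list), []
    for line in config_lines:
        tok = line.split()
        if line.startswith("ip address "):
            iface_of[tok[3]] = tok[2]                # interface address -> interface name
        elif line.startswith("static "):
            s = parse_static(line)
            by_global[s["gaddr"]].append(s)
    for gaddr, statics in by_global.items():
        if len(statics) > 1:
            desc = ", ".join((f"{s['proto']}/{s['gport']}->{s['laddr']}" if s["proto"]
                              else f"all ports->{s['laddr']}") + f" ({s['high']})" for s in statics)
            findings.append(f"{gaddr} is claimed by {len(statics)} statics: {desc}")
        if gaddr in iface_of:
            findings.append(f"{gaddr} is the {iface_of[gaddr]} interface address "
                            f"and is also the global side of a static to {statics[0]['laddr']}")
    return findings

# Constructed sample: the address and static lines from the posted config, wrapped line rejoined.
SAMPLE = [
    "ip address outside x.x.x.237 255.255.255.248",
    "ip address inside 10.1.1.1 255.255.255.0",
    "ip address dmz1 192.168.1.254 255.255.255.0",
    "static (inside,outside) tcp x.x.x.234 5151 10.1.1.100 5151 netmask 255.255.255.255 0 0",
    "static (dmz1,outside) x.x.x.236 192.168.1.102 netmask 255.255.255.255 0 0",
    "static (dmz1,outside) x.x.x.235 192.168.1.100 netmask 255.255.255.255 0 0",
    "static (dmz1,outside) x.x.x.234 192.168.1.103 netmask 255.255.255.255 0 0",
    "static (inside,dmz1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0",
    "static (inside,outside) x.x.x.237 10.1.1.114 netmask 255.255.255.255 0 0",
]
```

Run as `for f in lint_statics(SAMPLE): print("WARN:", f)`; on this sample it reports x.x.x.234 (a full static and a port static) and x.x.x.237 (the outside interface address used as a static global).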
08-19-2003 09:16 AM
Hi -
Firstly, I'd suggest that you convert your conduits to ACLs - please see URL:
I'm currently looking through your config.
Thanks -
08-19-2003 09:53 AM
Here's a config example of a PIX with three interfaces using ACLs.
PIX Config:
Nameif e0 outside sec0
Nameif e1 inside sec100
Nameif e2 DMZ sec50
Network consisting of the following (example only):
DMZ = Email server and Web Server
Inside has two subnets = 192.168.3.0/24 and 192.168.4.0/24
Global addresses are: 200.200.200.100 through 200.200.200.253
Perimeter Router: 192.168.1.2/24
Inside Router: 192.168.2.2/24
PIX Config:
In configuration mode:
global (outside) 1 200.200.200.10 200.200.200.253 netmask 255.255.255.0
nat (inside) 1 0 0
nat (dmz) 1 0 0
static (dmz,outside) 200.200.200.1 192.168.5.5
static (dmz,outside) 200.200.200.2 192.168.5.6
static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
access-list NO_NAT permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list NO_NAT permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list NO_NAT permit ip 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
- And here's a cisco document:
http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/tech/pixcg_cg.pdf
and also examples from a world-renowned Cisco expert; I've used his papers on many problems - an excellent tutor -
http://www.netcraftsmen.net/welcher/papers/pix01.html
http://www.netcraftsmen.net/welcher/papers/pix02.html
Hope this helps, and if you need a full explanation / help then contact me via: noc1@vodafone.net
Let me know how you get on.
08-19-2003 06:28 PM
Thank you for your reply. I appreciate the well thought out response. I am going to try to convert the conduit commands to their ACL equivalents manually because at the moment I am a "registered guest" in Cisco's eyes.
The only thing that may not convert easily is this:
IP x.x.x.237 is static'd into 192.168.1.101 *except* port 5150, which is static'd into 10.1.1.101. Is this even doable?
Thanks again for your assistance.
Jon Wahl
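The conduit-to-ACL conversion discussed in this thread, as an added worked example (editor's code, not from any poster or from Cisco). It rewrites PIX 6.x conduit lines as access-list lines, reversing the operand order (a conduit names the global/destination side first, an access-list the source first) and grouping the result by the interface the traffic enters, which is where the access-group must bind; the interface map and sample lines are constructed from the original post, and treating a source of `any` as the outside interface is my assumption.

```python
import ipaddress

def _take_addr(tok):
    """Consume 'any', 'host X' or 'net mask'; return (text, remaining tokens)."""
    n = 1 if tok[0] == "any" else 2
    return " ".join(tok[:n]), tok[n:]

def _take_ports(tok):
    """Consume an optional port operator ('eq www', 'range 4550 5550', ...)."""
    if tok and tok[0] in ("eq", "gt", "lt", "neq", "range"):
        n = 3 if tok[0] == "range" else 2
        return " ".join(tok[:n]), tok[n:]
    return "", tok

def parse_conduit(line):
    """Conduit syntax: action proto GLOBAL(dest) [port] FOREIGN(source) [port | icmp-type]."""
    tok = line.split()
    c, rest = {"action": tok[1], "proto": tok[2]}, tok[3:]
    c["dst"], rest = _take_addr(rest)
    c["dst_port"], rest = _take_ports(rest)
    c["src"], rest = _take_addr(rest)
    c["src_port"], rest = _take_ports(rest)
    c["icmp_type"] = " ".join(rest) if c["proto"] == "icmp" else ""
    return c

def to_acl(c, acl_name):
    """Access-list syntax reverses the order: source first, then destination."""
    parts = ["access-list", acl_name, c["action"], c["proto"], c["src"]]
    parts += [p for p in (c["src_port"], c["dst"], c["dst_port"], c["icmp_type"]) if p]
    return " ".join(parts)

def ingress_interface(src, interfaces):
    """ACLs bind to the interface traffic enters, so choose it by the source address."""
    if src == "any":
        return "outside"          # assumption: unconstrained sources are Internet hosts
    addr = ipaddress.ip_address(src.split()[1] if src.startswith("host") else src.split()[0])
    return next((n for n, net in interfaces.items() if addr in net), "outside")

def convert_config(conduit_lines, interfaces):
    """Return {interface: [access-list lines..., access-group line]}."""
    out = {}
    for line in conduit_lines:
        c = parse_conduit(line)
        iface = ingress_interface(c["src"], interfaces)
        out.setdefault(iface, []).append(to_acl(c, f"{iface}_in"))
    for iface, rules in out.items():
        rules.append(f"access-group {iface}_in in interface {iface}")
    return out

INTERFACES = {"dmz1": ipaddress.ip_network("192.168.1.0/24"), "inside": ipaddress.ip_network("10.1.1.0/24")}  # constructed: the poster's subnets
SAMPLE = ["conduit permit tcp host x.x.x.236 eq www any",                       # constructed: four conduit lines from the post
          "conduit permit tcp host 10.1.1.116 eq 1433 host 192.168.1.101",
          "conduit permit udp host 10.1.1.116 eq domain 192.168.1.0 255.255.255.0",
          "conduit permit icmp any any echo-reply"]
```

On PIX 6.x an access-list, like a conduit, references the global (translated) addresses, so the address fields carry over unchanged. Binding an access-group to dmz1 does, however, replace the default higher-to-lower permission that conduits left in place, so the dmz1_in list also needs explicit permits for the DMZ servers' own outbound traffic.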