05-12-2008 02:52 AM - edited 03-11-2019 05:43 AM
I am using a PIX 525 version 6.3 firewall and wanted to allow the mail server in the DMZ to access the AD on the inside. I can ping or make any access from inside to the DMZ area, but not from the DMZ to inside.
What I have done is created a static map to the AD's real IP with a mapped address which is in the same range as the DMZ area. Then in the access-list on the DMZ inside, I allowed access with "permit ip any any".
But still it seems I can't make a connection from the DMZ area (mail server) to inside.
Any help on this?
05-12-2008 03:21 AM
Hi,
What do you mean by the AD's real IP? Is it the actual IP of the AD? Can you post your configuration please?
05-12-2008 03:46 AM
static (inside,dmz) inside_ip inside_ip netmask x.x.x.x
That will do the trick.
05-12-2008 06:01 PM
I have already done this for a range of inside IPs.
static (inside,dmz1) 10.70.4.0 10.70.4.0 netmask 255.255.255.0 0 0
By doing so I was able to ping inside IPs from the DMZ area, but couldn't make telnet or other kinds of access.
Can someone advise why I am only able to ping by doing so?
I have applied an access-list also to the inside of the DMZ and allowed
permit ip any any
permit ICMP any any
Please advise.
05-12-2008 05:05 AM
Could you post the configuration that you did? We can verify better where the problem is.
Adriano Porcaro
05-13-2008 02:52 AM
I have already done a static NAT for a range of inside IPs.
static (inside,dmz1) 10.70.4.0 10.70.4.0 netmask 255.255.255.0 0 0
By doing so I was able to ping inside IPs from the DMZ area, but couldn't make telnet or other kinds of access.
Can someone advise why I am only able to ping by doing so?
I have applied an access-list also to the inside of the DMZ and allowed
permit ip any any
permit ICMP any any
Further, I want to know whether allowing "ip any any" will allow all TCP and UDP access automatically?
See the diagram and configurations for more details.
Please advise.
05-13-2008 05:50 PM
Hi
Adriano, sadam or someone, kindly advise on this issue since I urgently need to fix this.
I have uploaded all the details in the above post.
The soonest response would be appreciated.
05-15-2008 07:43 PM
Hi there,
I've done this before and here is what you could do.
Outside interface
nameif ethernet0 outside security0
DMZ Interface
nameif ethernet2 DMZ security70
Inside Interface
nameif ethernet1 inside security100
I used NAT for my DMZ interface and its network is 192.168.100.0
nat (DMZ) 1 192.168.100.0 255.255.255.0 0 0
access-list 101 is my access list for my DMZ interface. Don't forget to apply:
access-group 101 in interface DMZ
Then I created access list 101 so that my mail server (Bridgehead) can talk to my inside AD 10.0.0.13:
access-list 101 remark Permit BridgeHead talks to AD
access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq domain
access-list 101 permit udp host 192.168.100.67 host 10.0.0.13 eq domain
access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq 88
access-list 101 permit udp host 192.168.100.67 host 10.0.0.13 eq 88
access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq 135
access-list 101 permit tcp host 192.168.100.67 host 10.0.0.14 eq ldap
access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq ldap
access-list 101 permit udp host 192.168.100.67 host 10.0.0.13 eq 389
access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq 3268
access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq 445
access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq 1027
access-list 101 permit icmp host 192.168.100.67 any
I hope this helps and it works for your situation.
05-15-2008 08:08 PM
Many thanks for your reply, and I hope this will help me.
But before that I need to get some advice about the existing NAT entries, so let me give my current configs.
nameif ethernet1 dmz1 security50
nameif gb-ethernet0 inside security100
nameif gb-ethernet1 dmz2 security50
* My DMZ network is 10.50.4.0 255.255.255.0
* Inside is 10.70.4.0 255.255.255.0
* I have applied an access-list called 50 to the DMZ inside.
access-list 50 permit icmp any any
access-list 50 permit ip any any
access-group 50 in interface dmz1
* The NAT entries below are already there.
global (outside) 2 interface
global (dmz1) 1 interface
global (dmz1) 2 10.50.4.4
nat (inside) 2 10.70.4.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,dmz1) 10.50.4.13 10.70.4.15 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.70.4.0 10.70.4.0 netmask 255.255.255.0 0 0
Kindly advise whether your command will work for me with the existing configuration, and if not, what needs to change.
Many thanks once again, and kindly respond ASAP.
05-15-2008 08:49 PM
I think it should work since you use the global command to do port address translation. I would have a test machine, XP with RDP turned on, then access it from your inside network to this machine. You should be able to. Open port 3389 and apply access-group 50 to the dmz1 interface. Then see if you could access an internal machine using RDP from your XP machine in DMZ1. I'm not a PIX expert so someone could point us in the right direction, but I think this should work. If it does, then open those ports that AD requires.
05-15-2008 09:47 PM
Thanks for the advice.
* First I just want to confirm that your command
"nat (DMZ) 1 192.168.100.0 255.255.255.0 0 0" will work for me also, since I already have rule 1 created as I mentioned before.
* Next, I have created a temporary static map to an inside XP PC from the DMZ as
static (inside,dmz1) 10.50.4.13 (insidePC_IP 10.70.4.15) netmask 255.255.255.255 0 0
By doing so I was able to reach insidePC_IP when I tried to connect to 10.50.4.13 from a DMZ PC. So I feel it should work for all TCP and UDP since I have allowed "permit ip any any" in access-list 50.
* Now my fear is, I have another static map from outside to the AD (same private IP) since our mail gateway is hosted outside and it is communicating with the AD. So is there any possibility of NATing going crazy since one outside IP and one DMZ IP are NATed to the same AD IP?
I want to get to know this before I go live today since I already failed once.
Kindly advise me.
05-15-2008 10:53 PM
If you permit ip any any from dmz to inside, you should be able to access inside machines. Basically, you open dmz to inside. Have you tried to use RDP from DMZ1 to the inside network? Does that work? You said you were able to ping inside from dmz. Also, do a netstat -a on the Exchange server and see if it talks to AD.
05-16-2008 12:18 AM
Let me explain a bit more for you.
When I first moved the AD from the DMZ to inside I was unable to ping or telnet from the DMZ to inside. At that time the access-list was applied as permitting everything, but there was no NATing. So on that day I failed and reverted everything.
* Then the next day I added
static (inside,dmz1) 10.70.4.0 10.70.4.0 netmask 255.255.255.0 0 0
(10.70.4.0 is my inside). By doing so I was only able to ping from the DMZ to any inside IP, but no other type of connectivity.
* Later I temporarily created a static NAT to access a PC on the inside from the DMZ, as
static (inside,dmz1) 10.50.4.13 10.70.4.15 netmask 255.255.255.255 0 0
(10.70.4.15 is the one actually existing)
By doing so I can now make a remote desktop connection from any DMZ side PC to the 10.70.4.15 PC (above).
Please note that I still haven't moved the AD for the second time and want to make sure about connectivity before getting into trouble again when moving the AD to inside. So, is there any way to confirm?
Kind advice is appreciated.
Your netstat -a command will be very useful when checking the connectivity.
05-16-2008 10:02 AM
I think if you are able to RDP from dmz to inside, then you should be able to access the AD server. Try RDP from your dmz to your AD server. Make sure the remote desktop option is turned on. Also, try \\myadserver\c$ or something like that. If you can access it, then you have your dmz wide open with your permit ip any any command.
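An added example, not from any post in this thread: a small Python evaluator for the two PIX 6.3 access-list styles quoted above (ACL 50's "permit ip any any" and the host/port-specific ACL 101). It assumes a simplified ACE grammar (any, host, eq) and a two-entry port-name table, and shows that "ip any any" matches every TCP/UDP flow from the DMZ while ACL 101 admits only the mail host to the AD on the listed ports.

```python
import ipaddress

# Constructed samples, condensed from the ACLs quoted in this thread.
OPEN_ACL = """
access-list 50 permit icmp any any
access-list 50 permit ip any any
"""
TIGHT_ACL = """
access-list 101 remark Permit BridgeHead talks to AD
access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq domain
access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq 88
access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq ldap
access-list 101 permit tcp host 192.168.100.67 host 10.0.0.13 eq 445
access-list 101 permit icmp host 192.168.100.67 any
"""
# Only the PIX port keywords used in the thread (assumption); numbers pass through.
NAMED_PORTS = {"domain": 53, "ldap": 389}

def _addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A mask'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Return ACEs as (action, proto, src_net, dst_net, dst_port_or_None)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list" or t[2] == "remark":
            continue                      # remarks carry no policy
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = NAMED_PORTS.get(rest[1]) or int(rest[1])
        aces.append((t[2], t[3], src, dst, port))
    return aces

def permitted(aces, proto, src, dst, dport=None):
    """First matching ACE decides; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, port in aces:
        if (p in ("ip", proto) and s in sn and d in dn
                and (port is None or port == dport)):
            return action == "permit"
    return False
```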
05-20-2008 09:01 PM
Many thanks for spending your valuable time on advising me.
I have another doubt related to this issue and hope you would advise on that too.
We have hosted our mail gateway with an outside ISP and it is also accessing the AD for LDAP queries. For that I have already added a static NAT as
static (dmz1,outside) 203.**.**.** 10.50.4.12 netmask 255.255.255.255 0 0
and it is working fine.
But when I move the AD to inside I will have to change it to
static (dmz1,outside) 203.**.**.** 10.70.4.21 netmask 255.255.255.255 0 0
to allow access with the new AD IP.
Again, another NAT has to be created to access the AD from the DMZ for the mail server, as
static (inside,dmz1) 10.50.4.13(any DMZ side Ip) 10.70.4.21 netmask 255.255.255.255 0 0
My doubt is: will creating two NATs for the same inside IP 10.70.4.21 (AD) create any confusion in NATing or not?
Kindly advise.