PIX: Allowing DMZ servers to access Inside servers

tkadri
Level 1

Hi,

I am building a PIX 520 from scratch using 6.2(2) and PDM 2.1(1). I have 3 interfaces:

outside (sec0) - xx.xx.xx.xx

inside (sec100) - 10.100.1.0/24

dmz (sec10) - 172.16.254.0/24

All was going well with the rulebase until I started on the task of allowing dmz hosts to access inside hosts. I'm having problems as soon as I create an access rule, e.g.:

access-list dmz_access_in permit tcp host 172.16.254.20 host 10.100.1.35 eq ldap

Problem 1:

PDM alerts to say that a static translation is needed for 10.100.1.35 between the inside network and the dmz. I would like the 172.16.254.20 server to access the 10.100.1.35 server using its actual address of 10.100.1.35. Can I simply assign these commands:

static (inside,dmz) 10.100.1.0 10.100.1.0 netmask 255.255.255.0 0 0

access-list dmz_inbound_nat0_acl permit ip any 10.100.1.0 255.255.255.0

nat (dmz) 0 access-list dmz_inbound_nat0_acl outside

and then:

access-list dmz_access_in permit tcp host 172.16.254.20 host 10.100.1.35 eq ldap

access-group dmz_access_in in interface dmz

...will this work without problems?

Problem 2:

The implicit outbound rule for the DMZ is broken - why? I need the DMZ servers to be able to access the internet without hindrance.

When I try and insert another rule to allow this, the following command is inserted into the PIX config:

access-list dmz_access_in permit ip 172.16.254.0 255.255.255.0 any

This command now allows any DMZ server to access all devices on my internal network! How can I solve this?

Hope someone can help... Thanks in advance,

Tariq.


mklaphek
Level 1

On Problem 1, you don't need the nat 0 statement and corresponding access-list. The static is sufficient.

Problem 2: Since you applied an access-list to the DMZ interface, you must expand it to include Internet access as well. If this is what you need, I would try something like this:

access-list dmz_access_in permit tcp host 172.16.254.20 host 10.100.1.35 eq ldap

access-list dmz_access_in permit tcp host 172.16.254.30 host 10.100.1.35 eq ldap

...

...

etc. to allow all required access inside.

access-list dmz_access_in deny ip any 10.0.0.0 255.0.0.0

access-list dmz_access_in permit ip any any

Of course, you will want to tweak this as required.
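The ordering in the answer above matters because a PIX access-list is evaluated top-down, first match wins, and anything that matches nothing hits the implicit deny at the end. That is exactly why the single `permit ip 172.16.254.0 255.255.255.0 any` from Problem 2 exposes the whole inside network, and why a `deny ip any 10.0.0.0 255.0.0.0` placed before the final `permit ip any any` closes that hole while keeping Internet access. The following Python script is an added example, not part of this thread or of any Cisco tool: it parses PIX 6.x-style `access-list` lines with the same netmask syntax used here and evaluates constructed sample flows against the original rule set and the corrected one. The port-name table and the sample source/destination addresses are assumptions made for the example.

```python
import ipaddress

# The question's ACL after PDM inserted the over-broad outbound rule (from the thread).
ORIGINAL_ACL = [
    "access-list dmz_access_in permit tcp host 172.16.254.20 host 10.100.1.35 eq ldap",
    "access-list dmz_access_in permit ip 172.16.254.0 255.255.255.0 any",
]

# The accepted answer's ordering: specific permits, deny to 10/8, then permit the rest.
FIXED_ACL = [
    "access-list dmz_access_in permit tcp host 172.16.254.20 host 10.100.1.35 eq ldap",
    "access-list dmz_access_in permit tcp host 172.16.254.30 host 10.100.1.35 eq ldap",
    "access-list dmz_access_in deny ip any 10.0.0.0 255.0.0.0",
    "access-list dmz_access_in permit ip any any",
]

# Assumed subset of the PIX port-name keywords, enough for the lines above.
PORT_NAMES = {"ldap": 389, "www": 80, "https": 443, "smtp": 25, "domain": 53}


def _parse_addr(tokens):
    """Consume one PIX address spec (any | host A | A NETMASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX takes a real netmask here (255.0.0.0), unlike the IOS wildcard mask (0.255.255.255).
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Turn one 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' line into a dict."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    src, rest = _parse_addr(tokens[4:])
    dst, rest = _parse_addr(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation. Returns (action, 1-based ACE number); (deny, None) is the implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for n, ace in enumerate((parse_ace(l) for l in acl_lines), 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n
    return "deny", None  # nothing matched: implicit deny at the end of every PIX ACL


# Constructed sample flows from the DMZ: the intended LDAP lookup, an unrelated
# inside host on SMB, and a plain web request to an Internet address.
SAMPLE_FLOWS = [
    ("tcp", "172.16.254.20", "10.100.1.35", 389),
    ("tcp", "172.16.254.40", "10.100.1.50", 445),
    ("tcp", "172.16.254.40", "198.51.100.10", 80),
]


def compare(acl_a, acl_b, flows=SAMPLE_FLOWS):
    """Evaluate each flow against both ACLs; returns a list of (flow, result_a, result_b)."""
    return [(f, evaluate(acl_a, *f), evaluate(acl_b, *f)) for f in flows]


if __name__ == "__main__":
    for flow, before, after in compare(ORIGINAL_ACL, FIXED_ACL):
        proto, s, d, p = flow
        print(f"{proto} {s} -> {d}:{p:<4} original={before}  fixed={after}")
```

Running it shows the inside SMB flow matching the broad rule (ACE 2) in the original list but the explicit deny (ACE 3) in the corrected one, while the LDAP and Internet flows are permitted in both; evaluating the question's first single-line ACL against the Internet flow returns the implicit deny, which is what the poster saw as the "broken" implicit outbound rule.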


Guys - thank you for your help - my firewall is now up and running!

dsamaan
Level 1

Problem 1)

Using the PDM is harder because you tend to forget a lot of other options to configure.

What does your global syntax configuration (PAT) look like? You should have a global (inside) 1 10.0.100.1.x and a corresponding nat statement NAT (dmz) 1 172.16.254.0 255.255.255.0. This says that the hosts on the DMZ network will be NAT'd to the PAT address specified in the global statement.

Also, I agree you don't need the NAT 0 and corresponding ACL either.
