03-07-2003 12:57 AM - edited 02-20-2020 10:36 PM
Running PIX 515 with one DMZ. Problem is I cannot initiate any sessions from the DMZ side. Ping is the really strange one. I cannot ping from the DMZ to inside, the packets do not hit the debug packet dmz.
Packet sniffer shows the requests being sent to the PIX interface, it seems as though the PIX just ignores the ping requests (they do not increment the ACL counter).
However if I ping from the inside to the host on DMZ it works, I can then ping from the DMZ to the inside. This is the same for all traffic even with a permit ip any any on both the inside and DMZ ACLs.
03-07-2003 01:21 AM
It would be much more helpful if you posted your ACL, static, nat, and global items.
Turn on logging. Run a continuous ping. The Pix should tell you exactly why the pings are being dropped.
-Shannon
03-07-2003 01:35 AM
What level of logging do you advise
access-list acl_outside permit tcp any host x.x.x.x eq www
access-list acl_outside permit tcp any host x.x.x.x eq https
access-list acl_outside permit tcp any host x.x.x.x eq www
access-list acl_outside permit tcp any host x.x.x.x eq https
access-list acl_outside permit tcp host 194.201.48.1 host x.x.x.x eq 8080
access-list acl_outside permit tcp host 180.10.39.14 host x.x.x.x eq 8080
access-list acl_outside permit tcp host 194.201.48.8 host x.x.x.x eq 8080
access-list acl_outside permit tcp host 194.200.92.82 host x.x.x.x eq 8080
access-list acl_outside permit tcp 195.212.0.0 255.255.255.240 host x.x.x.x eq 8080
access-list acl_outside permit tcp host 62.172.133.97 host x.x.x.x eq 8080
access-list acl_outside permit tcp host 62.172.133.97 host x.x.x.x eq 8080
access-list acl_outside permit icmp any any
access-list acl_dmz permit tcp host 10.254.3.2 host 10.254.0.6 eq smtp
access-list acl_dmz permit tcp host 10.254.3.3 host 10.254.0.6 eq smtp
access-list acl_dmz permit tcp host 10.254.3.3 host 185.1.30.1 eq 1414
access-list acl_dmz permit tcp host 10.254.3.2 host 185.1.30.1 eq 1414
access-list acl_dmz permit tcp host 10.254.3.2 host 185.1.30.1 eq 1415
access-list acl_dmz permit tcp host 10.254.3.3 host 185.1.30.1 eq 1415
access-list acl_dmz permit icmp any any
access-list acl_inside permit tcp host 185.1.30.1 host 10.254.3.3 eq 1414
access-list acl_inside permit tcp host 185.1.30.1 host 10.254.3.2 eq 1414
access-list acl_inside permit tcp host 185.1.30.1 host 10.254.3.2 eq 1415
access-list acl_inside permit tcp host 185.1.30.1 host 10.254.3.3 eq 1415
access-list acl_inside permit tcp 185.2.0.0 255.255.0.0 host 10.254.3.2 eq 3700
access-list acl_inside permit tcp 185.2.0.0 255.255.0.0 host 10.254.3.3 eq 3700
access-list acl_inside permit tcp 185.1.0.0 255.255.0.0 host 10.254.3.2 eq 3700
access-list acl_inside permit tcp 185.1.0.0 255.255.0.0 host 10.254.3.3 eq 3700
access-list acl_inside permit tcp 10.0.0.0 255.255.255.0 host 10.254.3.2 eq 3700
access-list acl_inside permit tcp 10.0.0.0 255.255.255.0 host 10.254.3.3 eq 3700
access-list acl_inside permit tcp 185.1.0.0 255.255.0.0 host 10.254.3.2 eq www
access-list acl_inside permit tcp 185.1.0.0 255.255.0.0 host 10.254.3.2 eq https
access-list acl_inside permit tcp 185.1.0.0 255.255.0.0 host 10.254.3.3 eq www
access-list acl_inside permit tcp 185.1.0.0 255.255.0.0 host 10.254.3.3 eq https
access-list acl_inside permit tcp 185.2.0.0 255.255.0.0 host 10.254.3.2 eq www
access-list acl_inside permit tcp 185.2.0.0 255.255.0.0 host 10.254.3.3 eq www
access-list acl_inside permit tcp 185.2.0.0 255.255.0.0 host 10.254.3.2 eq https
access-list acl_inside permit tcp 185.2.0.0 255.255.0.0 host 10.254.3.3 eq https
access-list acl_inside permit tcp host 185.1.123.89 host 185.2.254.2 eq https
access-list acl_inside permit tcp 185.1.0.0 255.255.0.0 host 10.254.3.2 eq 8080
access-list acl_inside permit tcp 185.1.0.0 255.255.0.0 host 10.254.3.3 eq 8080
access-list acl_inside permit tcp 185.2.0.0 255.255.0.0 host 10.254.3.3 eq 8080
access-list acl_inside permit tcp host 10.254.0.6 host 10.254.3.2 eq smtp
access-list acl_inside permit tcp host 10.254.0.6 host 10.254.3.3 eq smtp
access-list acl_inside permit icmp any any
access-list acl_inside permit tcp 185.2.0.0 255.255.0.0 host 10.254.3.2 eq 8080
access-list acl_inside permit tcp 185.1.0.0 255.255.0.0 host 10.254.3.2 eq ftp
access-list acl_inside permit tcp 185.2.0.0 255.255.0.0 host 10.254.3.2 eq ftp
access-list acl_inside permit tcp 185.2.0.0 255.255.0.0 host 10.254.3.3 eq ftp
access-list acl_inside permit tcp 185.1.0.0 255.255.0.0 host 10.254.3.3 eq ftp
access-list acl_inside permit tcp 185.1.0.0 255.255.0.0 host 10.254.3.3 eq ftp-data
access-list acl_inside permit tcp 185.1.0.0 255.255.0.0 host 10.254.3.2 eq ftp-data
access-list acl_inside permit tcp 185.2.0.0 255.255.0.0 host 10.254.3.2 eq ftp-data
access-list acl_inside permit tcp 185.2.0.0 255.255.0.0 host 10.254.3.3 eq ftp-data
icmp permit any green
icmp permit any orange
..
nat (green) 0 0.0.0.0 0.0.0.0 0 0
static (orange,red) 62.172.133.109 10.254.3.2 netmask 255.255.255.255 0 0
static (orange,red) 62.172.133.111 10.254.3.3 netmask 255.255.255.255 0 0
access-group acl_outside in interface red
access-group acl_inside in interface green
access-group acl_dmz in interface orange
03-07-2003 02:31 AM
Officially, you cannot access a host on a higher security interface from a low security interface (orange to green) without a static statement. For your DMZ hosts to ping inside, there must be something to hold their translations up. Functionally, you should be able to do this with the nat 0 command as long as the host on the inside has already initiated traffic to the DMZ and the translation has not timed out yet.
Use logging buffered 7. You'll probably see complaints about no translation group found.
-Shannon
03-07-2003 02:47 AM
As it is at the moment, once the xlate has been set up from inside (by pinging to the dmz host) the dmz host can ping inside. So what you're saying is to actually initiate the communication I need an xlate statement in the form of a static command to map the dmz ip address through the firewall?
03-07-2003 08:06 AM
Shannon,
Sorry for this interruption! : )
You had posted a reply to a different question with a perl script to provide an alerting mechanism for the IEV/IDM application (Cisco IDS platform). I have run that script and get an error message which states:
C:\perl\bin>perl.exe idsalert.txt
Can't locate DBI.pm in @INC (@INC contains: C:/perl/lib C:/perl/site/lib .) at idsalert.txt line 3.
BEGIN failed--compilation aborted at idsalert.txt line 3.
I appreciate your help...
03-07-2003 04:57 PM
Those first two lines in the script are calling perl modules that need to be installed. I don't know what distribution of perl you're using, but you'll need to follow the instructions appropriate for that vendor to install the following modules:
DBI
DBD::mysql
Mail::Sender
03-07-2003 05:22 PM
I had a similar problem.
Your internet addresses are not recognized in the dmz, and are not translated in.
Here is what worked for me:
static (orange,red) 10.254.3.3 10.254.3.2 netmask 255.255.255.255 0 0
static (orange,red) 10.254.3.3 10.254.3.3 netmask 255.255.255.255 0 0
clear xlate
03-07-2003 05:23 PM
Sorry, I have one of your IP's wrong. It should look like this:
static (orange,red) 10.254.3.2 10.254.3.2 netmask 255.255.255.255 0 0
static (orange,red) 10.254.3.3 10.254.3.3 netmask 255.255.255.255 0 0
clear xlate
03-08-2003 09:16 AM
Actually, he's trying to give his DMZ hosts access to inside. So something like this would work:
static (green,orange) 185.1.30.1 185.1.30.1 netmask 255.255.255.255
Normally you do a "clear xlate", but you won't need to in this case because the address translation isn't changing to a different IP as NAT 0 is being used for everything already.
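The point made twice in this thread (Shannon's reply on security levels and the final static (green,orange) suggestion) is that a DMZ host can only open a session toward an inside destination if a static translation for that destination exists on the DMZ side; nat 0 alone only works once inside has built the xlate. The script below is an added example, not part of the thread and not a Cisco tool: it parses a PIX 6.x style config excerpt constructed from the lines posted above, and for every destination an ACL on a lower-security interface permits, reports whether a static from the higher-security interface covers it. The security levels and the "which networks sit behind which interface" map are assumptions made for the example (the thread never states them), so adjust them to the real config before trusting the output. Running it on the posted config shows that the suggested identity static fixes 185.1.30.1 but that the acl_dmz SMTP entries toward 10.254.0.6 would still lack a translation.

```python
"""Check that each higher-security destination permitted by a lower-security
interface's ACL is backed by a static translation (PIX 6.x syntax).
Added example; parsing rules and the interface/network map are assumptions."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network

# Assumed security levels for the thread's interface names (PIX convention:
# outside 0, inside 100, DMZ somewhere in between).
SECURITY_LEVELS: Dict[str, int] = {"red": 0, "orange": 50, "green": 100}

# Assumed address space behind each interface, built from the addresses the
# thread shows (10.254.0.6 and 185.1.30.1 answer on inside, 10.254.3.x are DMZ).
NETWORKS_BEHIND: Dict[str, List[str]] = {
    "green": ["10.254.0.0/24", "185.1.0.0/16", "185.2.0.0/16", "10.0.0.0/24"],
    "orange": ["10.254.3.0/24"],
}

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+(\S+)\s+"
    r"(any|host\s+\S+|\S+\s+\S+)\s+(any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(\S+))?\s*$"
)
STATIC_RE = re.compile(
    r"^static\s+\(\s*(\S+?)\s*,\s*(\S+?)\s*\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)"
)
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")

# Constructed excerpt of the config posted in the thread (obfuscated x.x.x.x
# outside entries left out so every address parses).
SAMPLE_CONFIG = """
access-list acl_dmz permit tcp host 10.254.3.2 host 10.254.0.6 eq smtp
access-list acl_dmz permit tcp host 10.254.3.3 host 10.254.0.6 eq smtp
access-list acl_dmz permit tcp host 10.254.3.3 host 185.1.30.1 eq 1414
access-list acl_dmz permit tcp host 10.254.3.2 host 185.1.30.1 eq 1414
access-list acl_dmz permit icmp any any
access-list acl_inside permit tcp host 185.1.30.1 host 10.254.3.3 eq 1414
access-list acl_inside permit tcp host 10.254.0.6 host 10.254.3.2 eq smtp
access-list acl_inside permit icmp any any
nat (green) 0 0.0.0.0 0.0.0.0 0 0
static (orange,red) 62.172.133.109 10.254.3.2 netmask 255.255.255.255 0 0
static (orange,red) 62.172.133.111 10.254.3.3 netmask 255.255.255.255 0 0
access-group acl_outside in interface red
access-group acl_inside in interface green
access-group acl_dmz in interface orange
"""
# The identity static proposed in the last reply of the thread.
FIX_LINE = "static (green,orange) 185.1.30.1 185.1.30.1 netmask 255.255.255.255"


def parse_operand(text: str) -> Optional[IPv4Network]:
    """Turn 'any', 'host A' or 'NET MASK' into a network; None means 'any'."""
    parts = text.split()
    if parts == ["any"]:
        return None
    if parts[0] == "host":
        return IPv4Network(parts[1] + "/32")
    return IPv4Network((parts[0], parts[1]), strict=False)


def parse_config(text: str):
    """Collect ACL entries, static translations and ACL-to-interface bindings."""
    acls: Dict[str, List[Tuple[str, Optional[IPv4Network], Optional[IPv4Network], Optional[str]]]] = {}
    statics: List[Tuple[str, str, IPv4Network]] = []  # (high_if, low_if, global net)
    groups: Dict[str, str] = {}  # interface -> ACL name applied inbound
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, proto, src, dst, port = m.groups()
            acls.setdefault(name, []).append((proto, parse_operand(src), parse_operand(dst), port))
        elif m := STATIC_RE.match(line):
            high, low, glob, _local, mask = m.groups()
            # The ACL on the low-security side matches the global (mapped) address.
            statics.append((high, low, IPv4Network((glob, mask), strict=False)))
        elif m := ACCESS_GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
    return acls, statics, groups


def interface_for(dst: IPv4Network) -> Optional[str]:
    """Which interface (per the assumed map) the destination sits behind."""
    for iface, nets in NETWORKS_BEHIND.items():
        if any(dst.subnet_of(IPv4Network(n)) for n in nets):
            return iface
    return None


def uncovered_destinations(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (acl, low_if, destination, high_if) for permitted destinations on a
    higher-security interface that no static (high_if,low_if) covers."""
    acls, statics, groups = parse_config(text)
    found = set()
    for low_if, acl_name in groups.items():
        for _proto, _src, dst, _port in acls.get(acl_name, []):
            if dst is None:
                continue  # 'any' destination: cannot be checked against statics
            high_if = interface_for(dst)
            if high_if is None or SECURITY_LEVELS[high_if] <= SECURITY_LEVELS[low_if]:
                continue  # flow toward a lower/equal-security interface uses nat/global
            if not any(h == high_if and l == low_if and dst.subnet_of(g) for h, l, g in statics):
                found.add((acl_name, low_if, str(dst), high_if))
    return sorted(found)


def suggest_identity_statics(findings: List[Tuple[str, str, str, str]]) -> List[str]:
    """Render an identity static (same address both sides) for each finding."""
    lines = []
    for _acl, low_if, dst, high_if in findings:
        net = IPv4Network(dst)
        lines.append(f"static ({high_if},{low_if}) {net.network_address} {net.network_address} netmask {net.netmask}")
    return lines


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with fix", SAMPLE_CONFIG + "\n" + FIX_LINE)):
        print(label, uncovered_destinations(cfg))
    print("\n".join(suggest_identity_statics(uncovered_destinations(SAMPLE_CONFIG + "\n" + FIX_LINE))))
```

The `icmp any any` entries are skipped because an `any` destination cannot be tied to one static; that is exactly the ping case the thread opens with, and for it the `logging buffered 7` advice above (watching for "no translation group found") remains the practical check.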