02-19-2010 03:14 AM - edited 03-11-2019 10:12 AM
Hello. My PIX 525 has 3 enabled interfaces (outside, dmz, inside). I have configured it, but I cannot access my webserver through the inside interface. If I try from the outside, no problem.
For example, from outside my corporate network, if I type www.mycorp.com, no problem, but on the corporate network it doesn't respond.
I use a proxy (in the dmz) to allow the corporate computers to go on the net.
Please help.
Here is my config.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname Pix525
domain-name corp.com
access-list acl-outside permit tcp any host X.Y.Z.2 eq www
access-list acl-outside permit tcp any host X.Y.Z.1 eq domain
access-list acl-outside permit udp any host X.Y.Z.1 eq domain
access-list acl-outside permit tcp any host X.Y.Z.1 eq smtp
access-list acl_dmz permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list acl_dmz permit tcp host 10.0.0.1 any eq smtp
access-list acl_dmz permit tcp host 10.0.0.1 any eq domain
access-list acl_dmz permit udp host 10.0.0.1 any eq domain
access-list acl_dmz permit tcp 10.0.0.0 255.255.255.0 any eq https
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside X.Y.Z.3 255.255.255.0
ip address inside 192.168.0.252 255.255.255.0
ip address dmz 10.0.0.254 255.255.255.0
global (outside) 1 X.Y.Z.10 netmask 255.255.255.255
nat (dmz) 1 10.0.0.0 255.255.255.0 0 0
! the dmz hosts go to the internet with ip X.Y.Z.10
! I use a proxy: 10.0.0.4 with port 8080
! my dmz mailserver is 10.0.0.1 and my webserver 10.0.0.2
! the public ip of the webserver is X.Y.Z.2
! the public ip of the mail and dns server is X.Y.Z.1
! on the lan, users access the proxy by ip 192.168.0.252, which is the inside address of the pix
static (dmz,inside) tcp interface 8080 10.0.0.4 8080 netmask 255.255.255.255 0 0
static (dmz,inside) udp interface 8080 10.0.0.4 8080 netmask 255.255.255.255 0 0
static (dmz,outside) X.Y.Z.1 10.0.0.1 netmask 255.255.255.255 0 0
static (dmz,outside) X.Y.Z.2 10.0.0.2 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
access-group acl-outside in interface outside
access-group acl_dmz in interface dmz
02-24-2010 01:50 AM
Access from the DMZ to the public IP of the webserver is a bit more tricky since packets from the webserver back to the client will not pass the firewall.
If you really want/need to use the public IP, then something like this should do it:
global (dmz) 1 10.0.0.x (some free address on the DMZ)
static (dmz,dmz) x.y.z.2 10.0.0.2
same-security-traffic permit intra-interface
access-list
i.e. you will be translating both the client and the server addresses (to avoid asymmetric paths; let me know if you'd like me to explain in more detail).
Personally I consider this a rather 'messy' solution (and to be honest I've never tried it), so you may want to consider alternatives like using hosts files or using an external DNS (that is not in the DMZ), then you can do DNS doctoring as explained previously.
hth
Herbert
02-24-2010 05:31 AM
So, you really didn't do what I had suggested you do in my second post?
-KS
02-24-2010 05:45 AM
Sorry,
for your second post, I read the DNS doctoring part and didn't look very
carefully at your static rule.
It's done and I can access www.corp.com from the inside.
Now I'm trying to permit the dmz machines to access my website by its
name www.corp.com;
I wonder if I could read your suggestion.
I
02-25-2010 08:33 AM
Hello,
is nobody able to help me fix my problem?
Please, I am waiting for your solution.
02-25-2010 09:12 AM
Did you see the reply I posted yesterday?
Access from the DMZ to the public IP of the webserver is a bit more tricky since packets from the webserver back to the client will not pass the firewall.
If you really want/need to use the public IP, then something like this should do it:
global (dmz) 1 10.0.0.x (some free address on the DMZ)
static (dmz,dmz) x.y.z.2 10.0.0.2
same-security-traffic permit intra-interface
access-list
permit tcp any host x.y.z.2 eq 80
i.e. you will be translating both the client and the server addresses (to avoid asymmetric paths; let me know if you'd like me to explain in more detail).
Personally I consider this a rather 'messy' solution (and to be honest I've never tried it), so you may want to consider alternatives like using hosts files or using an external DNS (that is not in the DMZ); then you can do DNS doctoring as explained previously.
hth
Herbert
02-25-2010 10:34 AM
You are on a PIX, so the following command is not supported: same-security-traffic permit intra-interface
The method recommended to you will not work. You will not be able to access a server by its public IP from behind the firewall, thus the need for DNS doctoring. Use the domain name instead of the IP directly and you should be fine.
James
02-25-2010 11:06 AM
busterswt wrote:
You are on a PIX, so the following command is not supported: same-security-traffic permit intra-interface
Incorrect.
"same-security-traffic permit intra-interface" is available on both Pix and ASA in software version 7.2(1) and later.
busterswt wrote:
The method recommended to you will not work. You will not be able to access a server by it's public IP from behind the firewall, thus the need for DNS doctoring. Use the domain name instead of IP directly and you should be fine.
Incorrect.
DNS doctoring will not work in this scenario. The DNS server is also on the DMZ, so the DNS requests never pass the FW, so the FW cannot modify them.
So why would my method not work (provided that the Pix runs 7.2(1) or later) ?
The client (e.g. .100) sends a packet with s:10.0.0.100,d:n.n.n.2, the Pix translates the source (because of the nat/global combo) to 10.0.0.x and the destination (because of the static(dmz,dmz)) to 10.0.0.2 so the new packet has s:10.0.0.x,d:10.0.0.2.
The webserver responds with s:10.0.0.2,d:10.0.0.x. The Pix gets this packet (because it responds to arp requests for 10.0.0.x) and translates both source & dest again to s:n.n.n.2, d:10.0.0.100.
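The two-way translation Herbert walks through above, as an added example that is not part of the thread or of any Cisco code: a small Python model of the DMZ client, the webserver and the PIX sharing one DMZ segment. It runs the exchange twice, once with both the static (dmz,dmz) and the global (dmz) pool configured, and once with only the destination static, to show why the source translation matters. The model assumes RFC 5737 addresses in place of the thread's x.y.z.2 (203.0.113.2 for the public webserver IP, 10.0.0.250 as the "free address on the DMZ"), and it models only address and port rewriting plus L2 delivery on the segment; ACL checks, TCP state and ARP timing are left out.

```python
"""Model of hairpinned access to a public IP from the same DMZ interface (constructed example)."""
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses standing in for the thread's x.y.z.2 / 10.0.0.x (assumptions).
PUBLIC_WEB = "203.0.113.2"    # public IP of the webserver (x.y.z.2 in the thread)
WEB_REAL = "10.0.0.2"         # real DMZ address of the webserver
GLOBAL_DMZ = "10.0.0.250"     # the "free address on the DMZ" used by: global (dmz) 1 10.0.0.x
CLIENT = "10.0.0.100"         # the DMZ client from the walk-through
DMZ_NET = ipaddress.ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PixHairpin:
    """Applies the thread's two translations to traffic that enters and leaves on dmz."""

    def __init__(self, translate_source: bool):
        # translate_source=True  -> 'global (dmz) 1' + 'nat (dmz) 1' are present
        # translate_source=False -> only 'static (dmz,dmz) x.y.z.2 10.0.0.2' is present
        self.translate_source = translate_source
        self.xlate = {}          # (pat_ip, pat_port) -> (real client ip, real client port)
        self.next_port = 1024    # PAT port allocation, sequential for readability

    def owns(self, ip: str) -> bool:
        """The PIX answers ARP for the pool address only when the global (dmz) exists."""
        return self.translate_source and ip == GLOBAL_DMZ

    def outbound(self, pkt: Packet) -> Packet:
        """Client -> public IP: rewrite dst via the static, src via the pool if configured."""
        if pkt.dst != PUBLIC_WEB:
            raise ValueError("model only covers traffic to the public webserver IP")
        pkt = replace(pkt, dst=WEB_REAL)                       # static (dmz,dmz)
        if self.translate_source:
            port, self.next_port = self.next_port, self.next_port + 1
            self.xlate[(GLOBAL_DMZ, port)] = (pkt.src, pkt.sport)
            pkt = replace(pkt, src=GLOBAL_DMZ, sport=port)      # nat/global on dmz
        return pkt

    def inbound(self, pkt: Packet) -> Packet:
        """Server reply that reached the PIX: undo both translations."""
        real_ip, real_port = self.xlate[(pkt.dst, pkt.dport)]
        return Packet(PUBLIC_WEB, pkt.sport, real_ip, real_port)


def deliver_reply(pix: PixHairpin, reply: Packet):
    """L2 delivery on the shared DMZ segment.

    Hosts on the same /24 talk directly; the PIX only sees the reply if the
    destination address is one it answers ARP for.
    """
    assert ipaddress.ip_address(reply.dst) in DMZ_NET
    if pix.owns(reply.dst):
        return "via-pix", pix.inbound(reply)
    return "direct", reply   # host-to-host on the same VLAN; the PIX never sees it


def hairpin_exchange(translate_source: bool):
    """Run one SYN / SYN-ACK round trip and report whether the client can match the reply."""
    pix = PixHairpin(translate_source)
    syn = Packet(CLIENT, 40000, PUBLIC_WEB, 80)
    as_seen_by_server = pix.outbound(syn)
    # The server answers whatever source it saw; it knows nothing about x.y.z.2.
    synack = Packet(as_seen_by_server.dst, 80, as_seen_by_server.src, as_seen_by_server.sport)
    path, at_client = deliver_reply(pix, synack)
    # The client's TCP stack only matches a reply that mirrors its own 4-tuple.
    accepted = (at_client.src, at_client.sport, at_client.dst, at_client.dport) == (
        syn.dst, syn.dport, syn.src, syn.sport)
    return path, accepted, at_client


if __name__ == "__main__":
    for flag in (True, False):
        print(f"global (dmz) present={flag}:", hairpin_exchange(flag))
```

With the source translation in place the reply is addressed to the pool address, so it has to cross the PIX, which restores 203.0.113.2 as the source and the client sees the connection it opened. Without it the webserver replies straight to 10.0.0.100 from 10.0.0.2, never passing the firewall, and the client drops a SYN-ACK from an address it never contacted. On the thread's PIX this also needs a permit for the public IP in the dmz ACL and a release that supports same-security-traffic permit intra-interface (7.2(1) or later, per Herbert).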
02-25-2010 11:18 AM
OK, I guess James meant "you're on a Pix 6.x", so this command is not supported, which is correct.
So the only solution I can think of (besides upgrading to 7.2 or later and trying my suggested config) is to use hosts files on the clients. Or have them use the proxy and put hosts file on the proxy.
02-25-2010 11:23 AM
Hi Herbert,
I'm sorry, you are correct about 'same-security-traffic permit intra-interface' on 7 code. I hastily assumed a code upgrade wasn't possible or considered, and since he's running 6 code your idea wouldn't work. - EDIT: ignore what I put here earlier... -
As well, I forgot that the DNS server resides in the same network as the client. One way to resolve this would be to simply add a hosts file entry on the client pointing www.corp.com to 10.0.0.2. If your local DNS server is not authoritative for the corp.com zone, then you can modify the zone file to use the private IP instead of the public IP. This should not affect public lookups to the domain since your DNS server is not authoritative.
James
02-25-2010 11:26 AM
Seydou Barra,
It makes more sense to configure things correctly rather than trying to use all sorts of hacks to fix what has been configured out of the normal.
Inside hosts should get the inside IP handed to them when they resolve the domain name, and not the external IP address.
Just add a hosts file entry on the machines that are in the DMZ and refer the domain name to the dmz IP address.
Depending on which code you run on the PIX, same-security-traffic permit may or may not be available.
-KS
02-25-2010 11:42 AM
Hello,
I thank you very much.
I have added the line 10.0.0.2 www.corp.com to the hosts file of my proxy
and it works very well.
Your experience has helped me very much.
I don't know how to reward you.
Thanks again
02-25-2010 12:35 PM
Glad to hear. You should rate the postings that helped you.
-KS
02-25-2010 11:30 PM
OK,
I would like to rate these postings, but how do I rate a posting?
02-25-2010 11:54 PM
Seydou, glad to hear we were able to help.
Below each message you can see 2 sets of 5 stars (when you are logged in, otherwise you will only see the second set but not the first).
Click on the stars in the left set to grade a post (first star = 1point, etc.)
cheers
Herbert