02-18-2003 11:56 AM - edited 03-09-2019 02:08 AM
People:
I have a PIX 515E and I need to access a SQL server that is located on the inside network.... I'm not sure whether I should enable NAT on the dmz to be able to "see" the servers on the inside...
I tried a
>static (dmz, inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
to enable servers on the dmz to access the inside network without translation... but I cannot create a static from a low security to a high security interface.....
I wonder if somebody has had the same configuration problem???
should I try enabling NAT on the DMZ also?
this is my actual configuration!
thanks a lot!
Luis
-------------------------------------------
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
access-list 100 permit tcp any host 200.200.200.37 eq smtp
access-list 100 permit tcp any host 200.200.200.37 eq pop3
access-list 100 permit tcp any host 200.200.200.37 eq domain
access-list 100 permit udp any host 200.200.200.37 eq domain
access-list 100 permit tcp any host 200.200.200.35 eq www
access-list 100 permit tcp any host 200.200.200.35 eq 443
access-list 100 permit tcp any host 200.200.200.36 eq www
access-list 100 permit tcp any host 200.200.200.36 eq 443
access-list 100 permit icmp any any
access-list 100 permit tcp any host 200.200.200.35 eq ftp
access-list 100 permit tcp any host 200.200.200.36 eq ftp
access-list 100 permit tcp any host 200.200.200.36 eq 3389
access-list 100 permit tcp any host 200.200.200.35 eq 3389
access-list 100 permit tcp any host 200.200.200.36 eq domain
access-list 100 permit udp any host 200.200.200.36 eq domain
access-list 100 permit tcp any host 200.200.200.38 eq www
access-list 100 permit tcp any host 200.200.200.38 eq 443
access-list 100 permit tcp any host 200.200.200.38 eq 3389
access-list 100 permit tcp any host 200.200.200.37 eq www
access-list 100 permit tcp any host 200.200.200.38 eq 1547
access-list 100 permit tcp any host 200.200.200.39 eq 3389
access-list 100 permit tcp any host 200.200.200.39 eq ftp
access-list 100 permit tcp any host 200.200.200.39 eq 1433
ip address outside 200.200.200.34 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
global (outside) 1 200.200.200.45-200.200.200.61 netmask 255.255.255.224
global (outside) 1 200.200.200.62 netmask 255.255.255.224
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
alias (inside) 192.168.1.2 200.200.200.38 255.255.255.255
alias (inside) 200.200.200.36 192.168.2.11 255.255.255.255
alias (inside) 200.200.200.35 192.168.2.10 255.255.255.255
alias (inside) 200.200.200.37 192.168.2.12 255.255.255.255
static (dmz,outside) 200.200.200.36 192.168.2.11 netmask 255.255.255.255 0 0
static (dmz,outside) 200.200.200.35 192.168.2.10 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.38 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.39 192.168.1.186 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) 200.200.200.37 192.168.2.12 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 200.200.200.33 1
02-18-2003 12:31 PM
Your configuration above shows -
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0
The IP address should begin with the lower security which should be 192.168.2.0.
And you said "I tried a
>static (dmz, inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0"
In this example you put dmz (lower security interface) first, the correct statement has the higher security interface named first, so it would be -
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
Try this -
static (inside,dmz) 192.168.2.0 192.168.1.0 netmask 255.255.255.0
And then apply the necessary access-list for SQL ports.
~rls
02-18-2003 01:46 PM
Thank you for answering so soon.... I tried the change but nothing happened... the problem I guess must be on the dmz side... I have servers on the dmz.. and the inside... and from the inside I can see all of them.... but from the dmz that does not happen... I cannot see the servers on the inside (neither with the 192.168.1.x nor the 200.200.200.0 addresses for those with external IP mappings).
Thank you.
Luis
02-18-2003 02:19 PM
where is your acl-group assigned to your dmz interface? understanding that innate to the pix is that you cannot go from a less secure to a higher secure without a static and an acl (conduit), you need some acls for the dmz interface. you have acl 100 assigned to the outside interface, but you don't have anything going inbound on the dmz interface.
try creating another acl (call it acl 101 or something like that if you like), permitting whatever services you want. (for testing purposes maybe do a any acl) then assign that acl inbound on the dmz interface.
you already have the static needed to accomplish what you are looking for.
hope this helps. just remember, from a lower security to higher you need both static and acl. you are trying to make an exception in the ASA.
good luck.
02-18-2003 02:27 PM
Did you apply an access-list allowing the traffic from the dmz to the inside interface?
Also, you may try being specific with the server you are trying to give access to -
static (inside,dmz) xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.255 (where both groups of xx.xx.xx.xx represent your sql server address)
Then add the following access-list
access-list 101 permit tcp any host xx.xx.xx.xx eq sql (again, xx.xx.xx.xx is the sql server)
access-group 101 in interface dmz
(for testing you may want to initially make the access-list allow all traffic instead of just sql, then tighten it up when you are sure the static command is working)
Hope that helps. Allowing traffic from a lower security interface to a higher security interface is accomplished with static commands and acls (or conduits), so you seem to be on the right track.
~rls
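The configuration that the accepted answer describes, written out against Luis's interface layout, as an added example rather than anything posted in this thread. It assumes the SQL server is 192.168.1.186 (the inside host that Luis's config already maps to 200.200.200.39 with TCP 1433 opened from the outside) and that the DMZ client is 192.168.2.10; substitute your own addresses. It uses the numeric port 1433 because the PIX's named port literal `sqlnet` is Oracle's 1521, not MS SQL.

```cisco
! Host-specific identity static so the DMZ reaches the SQL server by its
! real inside address (assumption: 192.168.1.186 is the SQL server).
! The network-wide identity static already in the posted config,
!   static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
! would also work; this one limits the exposure to the single host.
static (inside,dmz) 192.168.1.186 192.168.1.186 netmask 255.255.255.255 0 0

! Permit only the SQL client in the DMZ (assumption: 192.168.2.10) to TCP 1433.
access-list 101 permit tcp host 192.168.2.10 host 192.168.1.186 eq 1433
! Explicitly block everything else from the DMZ into the inside network.
access-list 101 deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! Applying an ACL inbound on the dmz interface replaces the implicit permit
! for dmz->outside traffic, so the DMZ's outbound traffic must be re-permitted.
access-list 101 permit ip 192.168.2.0 255.255.255.0 any

access-group 101 in interface dmz

! Checks after applying: clear existing translations so they do not mask the
! new static, then watch the hit counts while the DMZ client connects.
clear xlate
show access-list 101
```

The PIX evaluates an access-list top-down on first match, so the host permit must sit above the subnet deny, and the final permit only restores what the DMZ could already do before the ACL existed. From the DMZ the inside server is addressed as 192.168.1.186, not as 200.200.200.39; the (inside,outside) static only applies on the outside interface.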
02-18-2003 02:41 PM
exactly!! 0rsnaric and myself must have been writing our post at the same time. 0rsnaric gives exact examples of what i was talking about. follow those examples and you should be golden!
02-18-2003 02:49 PM
Heh, yeah I saw your post after I put mine up. You're right about his static command (static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0) being correct though. My original post suggested it may be in error. That one should work as long as the acl is in place. Or you can use the specific host address.
~rsf
02-18-2003 02:53 PM
you're good to go...you should have this up and running in no time!!
02-19-2003 05:15 PM
Guys:
yeap!!! that solved my problem!! looooooooooots of thanks!! I added the access-list in the DMZ interface and it worked fine!
Luis.