DMZ inbound is driving me NATs

poperob123
Level 1

Hi Guys,

Would really appreciate some help. My problem is similar to a few others on here but their solutions don’t seem to work.

This is my first attempt on a PIX but all went well to this point . I have 3 interfaces, inside, outside, dmz. The internal network is now connecting out the internet. The mail server on the DMZ is available on certain ports to the public internet.

The part that is causing me the issue is getting the DMZ to talk to my internal network on a few select services. I gave up with the PDM fairly early on as it was driving me nuts and going round in circles. It’s insisting I setup NAT/PAT between everything. Is this really necessary?

I have set it up along the lines:

mail being my mail server on the DMZ. 192.168.0.2 being an internal server.

access-list dmz_01 permit tcp host mail host 192.168.0.2 eq domain

access-list dmz_01 permit udp host mail host 192.168.0.2 eq domain

access-list dmz_01 permit tcp host mail host 192.168.0.2 eq 445

access-group dmz_01 in interface dmz

Your help would be massively appreciated

Rob.

8 Replies

mehrdad
Level 3

Hi,

Add the below command to your configuration :

static (inside,dmz) 192.168.0.2 192.168.0.2 netmask 255.255.255.255

That static command permits traffic from inside to DMZ, and vice versa if there is an access list on the lower-security interface; also, the IP address isn't changed.

Mehrdad

lyes.ouarti
Level 1

Hello Rob,

It's right that having a flow of traffic going between two interfaces is quite difficult.

Your solution is:

static (inside,dmz) bla bla bla

and then access-list bla bla bla

access-group name in int dmz

Try to do it with the command line; it's better than the PDM.

jmia
Level 7

Rob,

Take a read of the following document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008015efa9.shtml

Hope this helps, and please rate posts if it helps you.

Jay

colin
Level 1

Rob,

Even though you have your access lists and the rest in order, the thing that you do not have are translations from the inside to the DMZ. In your log, you will probably see "No translation group for x to y".

You can use a translation exemption rule to allow your inside to communicate with your DMZ interface (a nat 0 group) or you could even statically translate your inside to the same address on the DMZ (a network static).

Either way, you have to have a translation between any high to low security interface if you want to have packets traverse the PIX (even if it is only nat 0).

Cheers,

-colin.
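A worked PIX 6.x-style configuration for the inside/DMZ path colin describes, added here as an example and not taken from the thread. It uses the sanitized inside (10.0.0.0/24) and DMZ (192.168.1.0/24) networks Rob posts further down, assumes 10.0.0.2 as the internal server and "mail" as the name of the DMZ mail server, and shows the identity static and the nat 0 exemption as alternatives; lines beginning with ! are annotations, not configuration.

```cisco
! Added example (not from the thread). Inside server 10.0.0.2 is assumed.
names
name 192.168.1.2 mail
!
! Option 1: identity static. 10.0.0.2 keeps its own address on the DMZ,
! and the "No translation group" log messages for that host stop.
static (inside,dmz) 10.0.0.2 10.0.0.2 netmask 255.255.255.255 0 0
!
! Option 2 (use instead of Option 1, not as well): nat 0 exemption for the
! whole inside network toward the DMZ. No address is changed either way.
access-list inside_nat0 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
!
! DMZ -> inside is a lower -> higher security path, so it needs an ACL.
! Permit only what the mail server needs (DNS and 445 to 10.0.0.2), then
! deny the rest of the inside network explicitly so the policy is visible.
access-list dmz_01 permit tcp host mail host 10.0.0.2 eq domain
access-list dmz_01 permit udp host mail host 10.0.0.2 eq domain
access-list dmz_01 permit tcp host mail host 10.0.0.2 eq 445
access-list dmz_01 deny ip any 10.0.0.0 255.255.255.0
!
! Once an ACL is bound to the DMZ, everything not listed is dropped, so
! outbound SMTP from the mail server has to be permitted explicitly too.
access-list dmz_01 permit tcp host mail any eq smtp
access-group dmz_01 in interface dmz
```

After a test connection from the mail server, "show xlate" should list the inside host's translation and "show access-list dmz_01" should show hit counts on the permit lines rather than the deny.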

Thanks very much for your help guys, that worked well. I'm nearly there now. All I need now is to allow the mail server to talk outbound from the DMZ. Inbound I have statically mapped a public IP to mail server on the DMZ.

Inbound access is fine. I thought outbound would be similar to setting up access from the internal network outbound then tie it down with an access list to just the ports I need.

This doesn't seem to work for some reason.

What would be the best way for allowing SMTP outbound from the DMZ to any host while restricting all other access from the DMZ?

Thanks.

Hi Rob,

If you have a static translation in place, and given that from the DMZ to the outside is a higher to lower security path, you should not require any rules outbound.

If you really wanted to tie it down, the rule would be to allow src mailserver.ip tcp/any to destination any tcp/25.

Check your log files - it will show if there is any traffic being denied, and for what reason.

Cheers,

-colin.

Hi Guys,

I'm really having problems with this; I can’t get the DMZ to talk outbound no matter what I try. This should be simple, the log files don’t show any traffic being denied. They show the connection being set up but not coming back in. I have used the example in the document linked above but still no luck.

I won’t use my actual IPs on a usenet site but below is similar to what I have.

Mail server on DMZ 192.168.1.2 gw 192.168.1.254

Public IP range 123.123.123.123-130

ip address outside 123.123.123.123 255.255.255.224

ip address inside 10.0.0.254 255.255.255.0

ip address dmz 192.168.1.254 255.255.255.0

global (outside) 1 123.123.123.124-123.123.123.130

global (dmz) 1 192.168.1.253

nat (inside) 1 10.0.0.0 255.255.255.0 0 0

nat (dmz) 1 192.168.1.0 255.255.255.0 0 0

static (dmz,outside) 123.123.123.220 mail netmask 255.255.255.255 0 0

It’s probably something simple but I have tried everything I can think of.

Thanks again

Hi Rob,

You almost answered your own question there!

If traffic is exiting the PIX (ie: you can see the translation being built), but you don't see any return traffic, it generally points to one thing.

The static that you have created for your mail server is outside the range configured on the outside interface of the firewall.

Do you have a route back to that address/range of addresses (123.123.123.220)? If you don't have that on your external router/gateway, etc, no return traffic will work.

Cheers,

-colin.
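Two ways to give the mail server's public address a working return path, following colin's last reply; this is an added example built on Rob's sanitized addresses, not configuration from the thread. With 123.123.123.123 and mask 255.255.255.224 the outside subnet is 123.123.123.96/27 (usable .97 to .126), so 123.123.123.220 lies outside it; the replacement address .125 and the IOS upstream router are assumptions, and lines beginning with ! are annotations.

```cisco
! Added example (not from the thread). Outside interface: 123.123.123.123/27.
!
! Option 1 (simplest): map the mail server to an address inside the outside
! subnet. The PIX then answers ARP for it and the upstream router needs no
! extra route. 123.123.123.125 is assumed to be free.
no static (dmz,outside) 123.123.123.220 mail netmask 255.255.255.255 0 0
static (dmz,outside) 123.123.123.125 mail netmask 255.255.255.255 0 0
clear xlate
!
! Option 2: keep 123.123.123.220 and have the upstream router forward that
! host address to the PIX outside interface. On an IOS router (assumed):
!   ip route 123.123.123.220 255.255.255.255 123.123.123.123
!
! Caveat: the posted global pool 123.123.123.124-123.123.123.130 also crosses
! the /27 boundary (.128-.130 are outside 96-127), so inside hosts PATed to
! those addresses would hit the same missing-return-route problem. Keeping
! the pool within the subnet avoids it:
no global (outside) 1 123.123.123.124-123.123.123.130
global (outside) 1 123.123.123.124-123.123.123.126
!
! Verification after a test SMTP connection from the mail server:
!   show xlate   (mail -> mapped address present)
!   show conn    (byte counters on the connection grow in both directions)
```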