258 Views | 10 Helpful | 2 Replies

How to get web servers behind PIX515E

brian975 (Level 1)

I have a new PIX515E (ver 6.3(1)) with two interfaces and, so far, all I have been able to do is get it to do PAT for all our workstations. Any attempts to do NAT for my three servers have been unsuccessful.

I have three servers: web, e-commerce and mail, each with their own registered external address. They worked fine before I put the PIX in.

I have tried to set up address translation and access to only the ports needed by following the PIX configuration guide but, as I said before, it doesn't work - the servers are effectively off the Net.

There is quite a bit of urgency to getting this fixed because our e-commerce site has been down for two days.

Do I need an additional interface for a DMZ? I didn't think I did. Any help would be greatly appreciated.

For reference, I am including the current config of the PIX. Right now it is only set up for PAT and NAT for one server.

----------------

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname PIX515
domain-name opalco.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_out permit tcp any host 12.45.xxx.xxx eq https
access-list acl_out permit tcp any host 12.45.xxx.xxx eq www
access-list acl_out permit icmp any host 12.45.xxx.xxx
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside 192.55.9.81
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 12.45.xxx.xxx 255.255.255.0
ip address inside 192.55.9.10 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.55.9.81 255.255.255.255 inside
pdm location 192.55.11.0 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 192.55.9.1 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 12.45.xxx.xxx 192.55.9.1 netmask 255.255.255.255 0 0
rip inside passive version 2
route outside 0.0.0.0 0.0.0.0 12.45.xxx.xxx 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server 192.5.41.41 source outside
ntp server 131.107.1.10 source outside prefer
http server enable
http 192.55.9.0 255.255.255.0 inside
http 192.55.11.0 255.255.255.0 inside
snmp-server location (my location)
snmp-server contact (my name)
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.55.9.81 /pix_config
floodguard enable
telnet 192.55.9.0 255.255.255.0 inside
telnet 192.55.11.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
console timeout 10
dhcprelay server 192.55.9.2 inside
username admin password xxx encrypted privilege 15
username user password xxx encrypted privilege 5
terminal width 80
Cryptochecksum:xxxx
: end
[OK]

2 Replies

gfullage (Cisco Employee)

Let's assume the following:

Web server: outside IP 12.45.1.1, inside IP 192.55.9.10
Ecommerce server: outside IP 12.45.1.2, inside IP 192.55.9.11
Email server: outside IP 12.45.1.3, inside IP 192.55.9.12

So these 3 servers are currently sitting outside the PIX with the above 12.45.x.x IP addresses. To move them inside the PIX change the cabling over, and configure the PIX with the following:

static (inside,outside) 12.45.1.1 192.55.9.10 netmask 255.255.255.255
static (inside,outside) 12.45.1.2 192.55.9.11 netmask 255.255.255.255
static (inside,outside) 12.45.1.3 192.55.9.12 netmask 255.255.255.255

The above creates the NAT translations through the PIX from inside to outside. Then you need to allow the traffic in with an access-list (basically you have this already):

access-list acl_out permit tcp any host 12.45.1.1 eq https
access-list acl_out permit tcp any host 12.45.1.1 eq www
access-list acl_out permit tcp any host 12.45.1.2 eq nnn (whatever port(s) ecommerce uses)
access-list acl_out permit tcp any host 12.45.1.3 eq smtp
access-list acl_out permit icmp any any
access-group acl_out in interface outside

That should be it. Now, THE MOST IMPORTANT THING is to clear the ARP table on your outside router.

People always run into this problem when they move a server from outside the PIX to inside. The outside router will have an entry for 12.45.1.1 pointing to the MAC address of the NIC in your web server. After you move the server inside the PIX, the outside router will continue to send traffic for 12.45.1.1 to this MAC address, which is no longer there and you lose all access to it. At this point people assume the PIX config is screwed up, but it is the outside router. It will only do an ARP query after its ARP entry clears out, which could be up to 3 hours later. Clearing out the ARP table forces the outside router to do an ARP query, which the PIX will now respond to (because it has a static configured for that address), and from that point on the router will forward packets for 12.45.1.1 to the PIX, and everything will work.

If you don't have access to this router to clear the ARP table, then rebooting it will also work, but you have to do something to clear the ARP table on it before you'll be able to get access to these servers from the outside.
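The two things the reply above tells you to verify, written up as an added example that is not from this thread and is not Cisco tooling: a small Python check that parses a PIX 6.x style config and reports any static whose public address is not permitted by an access-list actually applied with access-group (the config in the original post defines acl_out but never applies it, which this catches), and a check of the upstream router's ARP table against the PIX outside-interface MAC for the stale-entry problem described in the reply. The sample config, the ARP table and the MAC 0000.0c00.beef are constructed values; the ARP layout assumes IOS-style `show ip arp` output; `rule_covers` deliberately ignores first-match ordering and deny shadowing.

```python
"""Post-move checks for servers placed behind a PIX 6.x (added example, not from
the thread). All sample data below is constructed."""
import ipaddress
import re

# Constructed sample: the statics and access-list lines from the reply, with the
# access-group line left out on purpose so the lint shows an ACL that is defined
# but never applied. 12.45.1.2 has no TCP permit, mirroring the "eq nnn" placeholder.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_out permit tcp any host 12.45.1.1 eq https
access-list acl_out permit tcp any host 12.45.1.1 eq www
access-list acl_out permit tcp any host 12.45.1.3 eq smtp
access-list acl_out permit icmp any any
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 12.45.1.1 192.55.9.10 netmask 255.255.255.255
static (inside,outside) 12.45.1.2 192.55.9.11 netmask 255.255.255.255
static (inside,outside) 12.45.1.3 192.55.9.12 netmask 255.255.255.255
"""
FIXED_CONFIG = SAMPLE_CONFIG + "access-group acl_out in interface outside\n"

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def parse_config(text):
    """Return (statics, acls, bindings); bindings maps interface -> inbound ACL name."""
    statics, acls, bindings = [], {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append({"real": m[1], "mapped": m[2], "public": m[3], "private": m[4]})
        elif m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append({"action": m[2], "proto": m[3], "rest": m[4]})
        elif m := GROUP_RE.match(line):
            bindings[m[2]] = m[1]
    return statics, acls, bindings


def _take_addr(tokens):
    """Consume one PIX address spec (any | host A | NET MASK); None means 'any'."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _skip_port(tokens):
    """Skip an optional port operator (eq/lt/gt/neq X or range A B)."""
    if tokens and tokens[0] in ("eq", "lt", "gt", "neq"):
        return tokens[2:]
    if tokens and tokens[0] == "range":
        return tokens[3:]
    return tokens


def rule_covers(rule, public_ip):
    """True if the rule's destination spec includes public_ip (order/deny shadowing ignored)."""
    _, tokens = _take_addr(rule["rest"].split())   # source address
    tokens = _skip_port(tokens)                     # optional source port
    dest, _ = _take_addr(tokens)                    # destination address
    return dest is None or ipaddress.ip_address(public_ip) in dest


def lint_config(text):
    """Reasons a static-NATed host would be unreachable from its mapped interface."""
    statics, acls, bindings = parse_config(text)
    findings = [f"ACL {n} is defined but never applied with access-group"
                for n in acls if n not in bindings.values()]
    for s in statics:
        rules = acls.get(bindings.get(s["mapped"]), [])
        hits = [r for r in rules if r["action"] == "permit" and rule_covers(r, s["public"])]
        if not hits:
            findings.append(f"{s['public']} -> {s['private']}: no inbound permit on {s['mapped']}")
        elif all(r["proto"] == "icmp" for r in hits):
            findings.append(f"{s['public']} -> {s['private']}: only ICMP permitted, no service reachable")
    return findings


# Constructed sample in IOS-style `show ip arp` layout (assumed). 12.45.1.1 still
# resolves to the old server NIC; the other two already point at the PIX.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  12.45.1.254             -   0000.0c00.aaaa  ARPA   FastEthernet0/0
Internet  12.45.1.1              47   0001.0203.0405  ARPA   FastEthernet0/0
Internet  12.45.1.2               2   0000.0c00.beef  ARPA   FastEthernet0/0
Internet  12.45.1.3               2   0000.0c00.beef  ARPA   FastEthernet0/0
"""
PIX_OUTSIDE_MAC = "0000.0c00.beef"   # assumed value; read it from the PIX outside interface
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")


def stale_arp_entries(arp_text, public_ips, firewall_mac):
    """Public addresses whose router ARP entry still points somewhere other than the firewall."""
    table = {}
    for line in arp_text.splitlines():
        if m := ARP_RE.match(line):
            table[m[1]] = m[2].lower()
    # A missing entry is fine: the router will ARP afresh and the PIX answers for its statics.
    return sorted(ip for ip in public_ips if ip in table and table[ip] != firewall_mac.lower())


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with access-group", FIXED_CONFIG)):
        print(f"[{label}]")
        for finding in lint_config(cfg):
            print("  ", finding)
    publics = [s["public"] for s in parse_config(FIXED_CONFIG)[0]]
    print("stale ARP entries:", stale_arp_entries(SAMPLE_ARP, publics, PIX_OUTSIDE_MAC))
```

Run against a real `show running-config` and `show ip arp` capture, the first check answers "did I forget access-group or a permit for this server?" before anyone touches cabling, and the second answers "is the router still sending this address to the old NIC?" without waiting out the ARP timeout the reply mentions.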

Thank you very much for your help. Your directions worked perfectly.

Brian