06-10-2004 10:47 AM
I have a pix 515e with three interfaces and I do realize that I have statements for icmp but it is only for debugging.
All inside users are fine browsing outside world.
I can ping dmz webserver from inside to dmz and from outside to dmz.
I can browse website in dmz from outside.
Webserver in dmz can ping and browse outside.
I cannot browse website from inside or ping the public address.
It seems to be an interface traversal problem, I think.
I even tried adding these two lines and it did not work
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.15.0 255.255.255.0
nat (inside) 0 access-list nonat
This is my current config:
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password encrypted
passwd encrypted
hostname pix1
domain-name your.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol domain 53
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
no fixup protocol ils 389
no fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
names
access-list 101 permit icmp any any
access-list 101 permit tcp any host 206.x.x.175 eq www
access-list 201 permit icmp any any
access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq www
access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq domain
access-list 201 permit udp 10.0.15.0 255.255.255.0 any eq domain
access-list 201 permit tcp any host 10.0.15.175 eq www
access-list 201 permit icmp any 10.0.0.0 255.255.255.0
access-list 301 permit icmp any any
access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq https
access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq ftp
access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq domain
access-list 301 permit udp 10.0.0.0 255.255.255.0 any eq domain
access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq 2061
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 206.x.x.130 255.255.x.x
ip address inside 10.0.0.6 255.255.255.0
ip address dmz 10.0.15.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 206.x.x.132-206.x.x.135 netmask 255.255.x.x
global (outside) 1 206.x.x.131
global (dmz) 1 10.0.15.2-10.0.15.8
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 10.0.15.0 255.255.255.0 0 0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
static (dmz,outside) 206.x.x.175 10.0.15.175 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 301 in interface inside
access-group 201 in interface dmz
rip outside default version 1
rip inside default version 2
route outside 0.0.0.0 0.0.0.0 206.x.x.129
route inside 10.0.1.0 255.255.255.0 10.0.0.224 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
end
[OK]
06-10-2004 08:02 PM
I think the Pix may be confused with all the Xlates you have in the config b/w the inside and the DMZ.
1) static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
2)global (dmz) 1 10.0.15.2-10.0.15.8
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
3) access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.15.0 255.255.255.0
nat (inside) 0 access-list nonat
It looks like you may have confused the Pix by implementing multiple translation strategies for this network.
If you remove statements in 1 and 3, then clear xlate (affects all connections through Pix), please test your connections from the inside to the dmz.
The benefit of 1 is if hosts on the DMZ need to initiate connections to hosts on the inside. Doesn't look like it from your ACL 201.
2 translates addresses of inside machines to an address on the DMZ.
3 does not translate the addresses at all.
So, whichever way you prefer, remove the other 2 and clear the xlates and try again and let us know.
Please post some show statements if you reply back with problems:
1) show access-group
2) show access-list
3) show xlate
4) show global
5) show nat
6) show static
This will let us see what is exactly happening from the Pix's perspective. Remove whatever parts you need to.
thanks
peter
06-15-2004 04:36 AM
The entry for number 3 (access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.15.0 255.255.255.0
nat (inside) 0 access-list nonat) I had tried at one time but removed. I also removed entry 1 and then cleared xlate, and still no go. I cannot ping the outside address from inside or bring up the browser with that address. I can put the natted address in the browser and bring up the site, but not the public address. Here is the result from the show commands.
1. show access-group
access-group 101 in interface outside
access-group 301 in interface inside
access-group 201 in interface dmz
2. show access-list
access-list 101 permit tcp any host 206.x.x.175 eq www (hitcnt=12)
access-list 201 permit icmp any any (hitcnt=232625)
access-list 201 permit icmp any 10.0.0.0 255.255.255.0 (hitcnt=0)
access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq www (hitcnt=0)
access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq domain (hitcnt=0)
access-list 201 permit udp 10.0.15.0 255.255.255.0 any eq domain (hitcnt=1)
access-list 201 permit tcp any host 10.0.15.175 eq www (hitcnt=0)
access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq www
3. show xlate
Global 206.x.x.175 Local 10.0.15.175
4. show global
global (outside) 1 206.x.x.132-206.x.x.135 netmask 255.255.x.x
global (outside) 1 206.x.x.131
global (dmz) 1 10.0.15.2-10.0.15.8
5. show nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 10.0.15.0 255.255.255.0 0 0
6. show static
static (dmz,outside) 206.x.x.175 10.0.15.175 netmask 255.255.255.255 0 0
06-15-2004 11:26 AM
Hey lmbaity -
I am sorry - I thought I had replied to your last post. Seems like something is mixed up with the system for your post. Thanks for the show commands - they are really helpful.
So here's the order I will check things and my thoughts:
1 - Interface config check
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
good
2 - Interface enabled check
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
good
3 - Interface ip config check
ip address outside 206.x.x.130 255.255.x.x
ip address inside 10.0.0.6 255.255.255.0
ip address dmz 10.0.15.1 255.255.255.0
good
4 - Translations for Inside to Outside
global (outside) 1 206.x.x.132-206.x.x.135 netmask 255.255.x.x
global (outside) 1 206.x.x.131
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
NAT with PAT - good
First 4 connections to outside will be translated to 132, 133, 134 and then 135. The 5th+ connections will be translated to 131.
5 - Translations from Inside to DMZ check
global (dmz) 1 10.0.15.2-10.0.15.8
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
and
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
This may be the problem
You have both dynamic NAT and static NAT configured for translations of addresses for traffic from the inside to the dmz. You may want to use one or the other.
Even though I think this could be tweaked, I don't think it is the issue, so let's keep looking.
6 - Translations from the Dmz to the Outside check
global (outside) 1 206.x.x.132-206.x.x.135 netmask 255.255.x.x
global (outside) 1 206.x.x.131
nat (dmz) 1 10.0.15.0 255.255.255.0 0 0
good - same comments as in 4
7 - Translations for traffic from Outside to DMZ
static (dmz,outside) 206.x.x.175 10.0.15.175 netmask 255.255.255.255 0 0
good
8 - Access Lists applied to any interface check
access-group 101 in interface outside
access-group 301 in interface inside
access-group 201 in interface dmz
ok
9 - Let's check the ACLs for any issues
access-list 101 permit icmp any any
access-list 101 permit tcp any host 206.x.x.175 eq www
good - allows WWW traffic inbound
access-list 101 permit tcp any host 206.x.x.175 eq www (hitcnt=12)
getting hits on it, too
access-list 201 permit icmp any any
access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq www
access-list 201 permit tcp 10.0.15.0 255.255.255.0 any eq domain
access-list 201 permit udp 10.0.15.0 255.255.255.0 any eq domain
the above statements permit your DMZ servers to get to any website and resolve DNS
access-list 201 permit tcp any host 10.0.15.175 eq www
access-list 201 permit icmp any 10.0.0.0 255.255.255.0
I don't think these 2 statements are needed - but should not be impacting things right now
access-list 301 permit icmp any any
access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list 301 permit tcp 10.0.0.0 255.255.255.0 any eq https
this looks good, if you are using internal DNS. Notice you have no hits probably because no DNS resolution can occur because the ACL blocks it. Tell us more about how you are doing DNS for internal hosts.
10 - Let's wrap this up by checking routing
route outside 0.0.0.0 0.0.0.0 206.x.x.129
route inside 10.0.1.0 255.255.255.0 10.0.0.224 2
looks good
Take a look at #9 and tell us more about your DNS.
thanks
peter
06-16-2004 05:58 AM
I did remove the line static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 and cleared xlate. For our public dns registrations we use our isp; it makes it a lot easier. I do allow udp 53 out from access-list 301. We have no problem accessing any type of sites from the inside. For this problem I am not even using a fqdn, just an IP address that I would type in the browser or try to ping, to eliminate dns problems. So from the inside I can ping the translated public ip but not the untranslated. From another isp I can ping the public IP and browse the IP address for my test website in our dmz. I have set up pixes in the past but only with conduits; the acl change has made it interesting. Is there anything I am missing?
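To make the translation walk-through in steps 4 to 7 of the reply above, and the symptom in the last post, concrete, here is a small Python model, added here and not from the thread or from Cisco, of how the posted nat/global/static rules pick a translation for a new flow. It assumes the usual PIX 6.3 order (a static applied to the destination only when the packet arrives on the static's mapped interface, then a route lookup, then static or nat/global for the source) and uses constructed 206.0.0.x addresses in place of the thread's masked 206.x.x.x ones; the static (inside,dmz) line is left out because the poster removed it.

```python
from ipaddress import ip_address, ip_network

# Rules from the posted config. 206.0.0.x is a constructed stand-in for the
# thread's masked 206.x.x.x addresses; the (inside,dmz) static is omitted as
# the poster later removed it.
STATICS = [  # (real_if, mapped_if, mapped_addr, real_addr)
    ("dmz", "outside", "206.0.0.175", "10.0.15.175"),
]
NAT_ID = {"inside": 1, "dmz": 1}  # nat (inside) 1 ... / nat (dmz) 1 ...
GLOBALS = {  # global (<ifc>) <id> ...
    ("outside", 1): "206.0.0.132-135, then PAT on 206.0.0.131",
    ("dmz", 1): "10.0.15.2-10.0.15.8",
}
ROUTES = [  # connected networks plus 'route outside 0.0.0.0 0.0.0.0 ...'
    (ip_network("10.0.0.0/24"), "inside"),
    (ip_network("10.0.15.0/24"), "dmz"),
    (ip_network("0.0.0.0/0"), "outside"),
]
DMZ_WEB = "10.0.15.175"

def egress_for(dst):
    """Longest-prefix route lookup for a destination address."""
    addr = ip_address(dst)
    return max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)[1]

def translate(ingress, src, dst):
    """Return (egress_if, src_after, dst_after, note) for a new flow."""
    # Assumed: a static rewrites the destination only for packets arriving on
    # its mapped interface; otherwise the routing table chooses the egress.
    egress = None
    for real_if, mapped_if, mapped, real in STATICS:
        if mapped_if == ingress and dst == mapped:
            dst, egress = real, real_if
    if egress is None:
        egress = egress_for(dst)
    # Source side: a static for (ingress, egress) wins, else nat id -> global pool.
    for real_if, mapped_if, mapped, real in STATICS:
        if (real_if, mapped_if) == (ingress, egress) and src == real:
            return egress, mapped, dst, "static source translation"
    pool = GLOBALS.get((egress, NAT_ID.get(ingress)))
    if pool:
        return egress, f"global pool {pool}", dst, "dynamic nat/pat"
    return egress, src, dst, "no translation"

def reaches_dmz_web(ingress, src, dst):
    """True if the flow is delivered to the DMZ web server's real address."""
    egress, _, dst_after, _ = translate(ingress, src, dst)
    return egress == "dmz" and dst_after == DMZ_WEB
```

In this model an outside client addressing 206.0.0.175 is un-translated to 10.0.15.175 and sent to dmz, an inside host addressing 10.0.15.175 reaches dmz through the global (dmz) pool, but an inside host addressing 206.0.0.175 matches no static on the inside interface and is routed toward outside with the destination untouched, which is the behaviour the last post describes.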