DMZ on Pix 515e

johnnymac
Level 1

Hi,

We have a 515e with the four-port expansion card and a Citrix CAG which we want to use to give users web access to Citrix. I am presuming that the best way to do this is by setting up a DMZ.

The outside interface of the PIX has a public IP 194.xxx.xxx.99/28. We have set up an A record for another address in that range, say 194.xxx.xxx.110/28. If I try and assign that to one of the Fast Ethernet interfaces, it says that the subnet overlaps with the outside interface, which of course it does. I just want to try and get this straight in my head.

Am I correct in saying the Citrix CAG should be in a DMZ, but we should have the A record point to the outside interface of the PIX and then have DMZ traffic forwarded to the DMZ interface?

I also only want to allow SSL traffic to the CAG in the DMZ and was wondering what the access list should look like and where I should place it?

Kind Regards

J mack

4 Replies

a.kiprawih
Level 7

Q: The outside interface of the PIX has a public IP 194.xxx.xxx.99/28. We have set up an A record for another address in that range, say 194.xxx.xxx.110/28. If I try and assign that to one of the Fast Ethernet interfaces, it says that the subnet overlaps with the outside interface, which of course it does. I just want to try and get this straight in my head.

A: Since address translation/mapping between internal and external IPs is done in the PIX, you cannot assign the public IP directly to the server. Keep the private/internal DMZ IP on the server. You can achieve that using the static command, i.e.:

static (dmz,outside) 194.xx.xx.110 10.10.10.5 netmask 255.255.255.255 -> 10.10.10.5 is the DMZ server; real interface is dmz, mapped interface is outside

Q: Am I correct in saying the Citrix CAG should be in a DMZ, but we should have the A record point to the outside interface of the PIX and then have DMZ traffic forwarded to the DMZ interface?

A: Not necessarily; you can use the firewall alias command. More details at:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

*Omit the conduit command (old); it has been replaced with access-list.

Q: I also only want to allow SSL traffic to the CAG in the DMZ and was wondering what the access list should look like and where I should place it?

A: To allow SSL traffic to come into the DMZ's CAG, create an ACL and bind it to the outside interface, where all SSL traffic from outside/internet users arrives at the PIX and is redirected to the DMZ, example:

access-list outside permit tcp any host 194.xx.xx.110 eq 443 -> acl to allow ssl
access-group outside in interface outside -> bind acl 'outside' to outside interface

Your config should look more or less like this, example (selected portion only):

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 194.xx.xx.2 255.255.255.0
ip address inside 10.10.1.1 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0
access-list outside permit tcp any host 194.xx.xx.110 eq 443 -> acl to allow ssl
access-list outside deny ip any any
static (dmz,outside) 194.xx.xx.110 10.10.10.5 netmask 255.255.255.255 -> 10.10.10.5 is the DMZ server
alias (dmz) 10.10.10.5 194.xx.xx.110 netmask 255.255.255.255
access-group outside in interface outside -> bind acl 'outside' to outside interface
route outside 0.0.0.0 0.0.0.0 194.xx.xx.100 -> default route to internet, .100 is internet router IP facing PIX

HTH

AK

Hi, thanks, that's very helpful. Just one more question. Should I configure 194.xx.xx.110/28 on the CAG interface?

Thanks

J Mack

No, let the CAG interface run on an internal IP, i.e. 10.10.10.5. That should do. Translation between public and private IP will be done by the PIX.

HTH

AK

zubairjalal
Level 1

PIX will not let you configure two interfaces with IPs from the same subnet.

What is the device for which you have set up the A record? If it is the Citrix CAG, you can consider putting the Citrix CAG in a DMZ which is on a private subnet.

e.g.

DMZ interface IP: 10.10.10.1

Citrix CAG IP: 10.10.10.100 -> default gateway will be 10.10.10.1

You can do a static NAT for the Citrix CAG with the public IP for which you have set up the A record.

static (dmz,outside) 194.xxx.xxx.110 10.10.10.100 netmask 255.255.255.255

With this you should be good to go.

--Pls rate all helpful posts--
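Both answers above come down to the same layout: the CAG keeps a private DMZ address, a static maps it to the public A-record address on the outside subnet, and an ACL bound inbound on the outside interface permits only tcp/443 to that public address. As an added example (not code from the thread, from Cisco, or from either poster), here is a small Python checker that parses only the PIX 6.x commands used in the posts (ip address, static, access-list, access-group) and flags the two things the thread turns on: interface subnets that overlap (the error johnnymac hit) and a static whose ACL permits more than SSL to the mapped address. The configs and the 192.0.2.0/28 addresses are constructed stand-ins for the 194.xxx.xxx.0/28 range in the posts, and the ACL parser only understands the `any` and `host X` source/destination forms.

```python
"""Sanity checks for a PIX 6.x-style DMZ configuration (added example, not from the thread).
Assumes plain-text config input and only the commands used in the posts; 192.0.2.0/28
stands in for the thread's 194.xxx.xxx.0/28."""
import ipaddress
import re

# Constructed config mirroring AK's layout with johnnymac's /28 on the outside.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.0.2.99 255.255.255.240
ip address inside 10.10.1.1 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0
access-list outside permit tcp any host 192.0.2.110 eq 443
access-list outside deny ip any any
static (dmz,outside) 192.0.2.110 10.10.10.5 netmask 255.255.255.255
access-group outside in interface outside
"""

# The mistake from the question: the A-record address assigned to the DMZ interface.
OVERLAP_CONFIG = SAMPLE_CONFIG.replace(
    "ip address dmz 10.10.10.1 255.255.255.0",
    "ip address dmz 192.0.2.110 255.255.255.240")

# A too-wide ACL: the CAG becomes reachable on every port, not just SSL.
WIDE_ACL_CONFIG = SAMPLE_CONFIG.replace(
    "permit tcp any host 192.0.2.110 eq 443", "permit ip any any")


def parse(config):
    """Pick out interface addresses, statics, ACL entries and access-group bindings."""
    cfg = {"ifaces": {}, "acls": {}, "statics": [], "groups": {}}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 5 and t[:2] == ["ip", "address"]:
            cfg["ifaces"][t[2]] = ipaddress.ip_interface(t[3] + "/" + t[4])
        elif t and t[0] == "access-list":
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t and t[0] == "static":
            real_if, map_if = re.match(r"\((\w+),(\w+)\)", t[1]).groups()
            cfg["statics"].append({"real_if": real_if, "map_if": map_if,
                                   "global": ipaddress.ip_address(t[2]),
                                   "local": ipaddress.ip_address(t[3])})
        elif t and t[0] == "access-group":
            cfg["groups"][t[4]] = (t[1], t[2])  # iface -> (acl name, direction)
    return cfg


def overlapping_interfaces(cfg):
    """Interface pairs whose subnets overlap; the PIX rejects these, as the asker saw."""
    names = sorted(cfg["ifaces"])
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if cfg["ifaces"][a].network.overlaps(cfg["ifaces"][b].network)]


def _reaches(entry, addr):
    """Does this ACL entry's destination cover addr? Handles 'any' and 'host X' only.
    Returns (matches, remaining tokens such as ['eq', '443'])."""
    toks = entry[2:]                      # after action and protocol: src then dst
    i = 2 if toks[0] == "host" else 1     # skip the source spec
    if toks[i] == "any":
        return True, toks[i + 1:]
    if toks[i] == "host":
        return toks[i + 1] == addr, toks[i + 2:]
    return False, []


def check_static(cfg, static, port="443"):
    """Findings for one static: addresses on the right subnets, an ACL bound inbound on
    the mapped interface, and nothing but tcp/port permitted to the global address."""
    findings = []
    glob = str(static["global"])
    if static["global"] not in cfg["ifaces"][static["map_if"]].network:
        findings.append("static global %s is not on the %s subnet" % (glob, static["map_if"]))
    if static["local"] not in cfg["ifaces"][static["real_if"]].network:
        findings.append("static local %s is not on the %s subnet" % (static["local"], static["real_if"]))
    group = cfg["groups"].get(static["map_if"])
    if group is None or group[1] != "in":
        findings.append("no inbound access-group on %s" % static["map_if"])
        return findings
    wanted = False
    for e in cfg["acls"].get(group[0], []):
        if e[0] != "permit":
            continue
        hit, rest = _reaches(e, glob)
        if not hit:
            continue
        if e[1] == "tcp" and rest[:2] in (["eq", port], ["eq", "https"]):
            wanted = True                 # the intended SSL permit
        else:
            findings.append("acl %s exposes %s beyond tcp/%s: %s" % (group[0], glob, port, " ".join(e)))
    if not wanted:
        findings.append("acl %s has no permit for tcp/%s to %s" % (group[0], port, glob))
    return findings


def audit(config):
    """All findings for a config; an empty list means the DMZ layout checks out."""
    cfg = parse(config)
    findings = ["interfaces %s and %s overlap" % pair for pair in overlapping_interfaces(cfg)]
    for s in cfg["statics"]:
        findings += check_static(cfg, s)
    return findings


if __name__ == "__main__":
    for name, text in (("good", SAMPLE_CONFIG), ("overlap", OVERLAP_CONFIG), ("wide", WIDE_ACL_CONFIG)):
        print(name, audit(text) or "ok")
```

Run it as a script and the good config reports nothing, the overlap config reports the dmz/outside clash (plus the now-misplaced static local address), and the wide config reports that `permit ip any any` exposes the CAG beyond tcp/443. Because the deny at the end of the ACL is never consulted for permits, the check also catches the common mistake of a broad permit placed before the narrow one.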
