12-04-2006 01:41 AM - edited 03-11-2019 02:03 AM
Hi,
We have a 515e with the four port expansion card and a Citrix CAG which we want to use to give users web access to Citrix. I am presuming that the best way to do this is by setting up a DMZ.
The outside interface of the PIX has a public IP 194.xxx.xxx.99/28. We have set up an A record for another address in that range, say 194.xxx.xxx.110/28. If I try and assign that to one of the Fast Ethernet interfaces, it says that the subnet overlaps with the outside interface, which of course it does. I just want to try and get this straight in my head.
Am I correct in saying the Citrix CAG should be in a DMZ, but we should have the A record point to the outside interface of the PIX and then have DMZ traffic forwarded to the DMZ interface?
I also only want to allow SSL traffic to the CAG in the DMZ and was wondering what the access list should look like and where I should place it?
Kind Regards
J mack
12-04-2006 03:09 AM
Q: The outside interface of the PIX has a public IP 194.xxx.xxx.99/28. We have set up an A record for another address in that range, say 194.xxx.xxx.110/28. If I try and assign that to one of the Fast Ethernet interfaces, it says that the subnet overlaps with the outside interface, which of course it does. I just want to try and get this straight in my head.
A: Since address translation/mapping between internal and external IPs is done in the PIX, you cannot assign the public IP directly to the server. Keep the private/internal DMZ IP on the server. You can achieve that using the static command, i.e.:
static (inside,outside) 194.xx.xx.110 10.10.10.5 netmask 255.255.255.255 -> 10.10.10.5 is internal server
Q: Am I correct in saying the Citrix CAG should be in a DMZ, but we should have the A record point to the outside interface of the PIX and then have DMZ traffic forwarded to the DMZ interface?
A: Not necessary, you can use the firewall alias command. More details at:
*Omit the conduit command (an old command); it has been replaced with access-list.
Q: I also only want to allow SSL traffic to the CAG in the DMZ and was wondering what the access list should look like and where I should place it?
A: To allow SSL traffic to come into the DMZ's CAG, create an ACL and bind it to the outside interface, where all SSL traffic from outside/Internet users arrives at the PIX and is redirected to the DMZ, example:
access-list outside permit tcp any host 194.xx.xx.110 eq 443 -> acl to allow ssl
access-group outside in interface outside -> bind acl 'outside' to outside interface
Your config should look more or less like this, example (selected portion only):
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 194.xx.xx.2 255.255.255.0
ip address inside 10.10.1.1 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0
access-list outside permit tcp any host 194.xx.xx.110 eq 443 -> acl to allow ssl
access-list outside deny ip any any
static (dmz,outside) 194.xx.xx.110 10.10.10.5 netmask 255.255.255.255 -> 10.10.10.5 is internal server
alias (dmz) 10.10.10.5 194.xx.xx.110 netmask 255.255.255.255
access-group outside in interface outside -> bind acl 'outside' to outside interface
route outside 0.0.0.0 0.0.0.0 194.xx.xx.100 -> default route to internet, .100 is internet router IP facing PIX
HTH
AK
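As an added illustration, not part of AK's post, here is a small Python checker for the three points the answer makes: no two PIX interfaces may share a subnet (the overlap error J Mack hit), each static must map a public address on the outside subnet to a host on the real interface's subnet, and the ACL bound inbound on outside should permit only tcp/443 to a published host and end in an explicit deny. The sample config is constructed, with 198.51.100.0/24 (RFC 5737) standing in for the poster's 194.xx.xx.x range.

```python
import ipaddress

# Constructed sample modelled on the PIX 6.x snippet in the thread; 198.51.100.96/28 stands in for
# the poster's 194.xx.xx.x /28 block and the CAG sits at 10.10.10.5 on the DMZ interface.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 198.51.100.99 255.255.255.240
ip address inside 10.10.1.1 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0
access-list outside permit tcp any host 198.51.100.110 eq 443 -> acl to allow ssl
access-list outside deny ip any any
static (dmz,outside) 198.51.100.110 10.10.10.5 netmask 255.255.255.255
access-group outside in interface outside
"""

def check_pix_config(text):
    """Return a list of findings; an empty list means the published-host setup is consistent."""
    findings, ifaces, statics, acls, bound = [], {}, {}, {}, {}
    # Tokenise each line, dropping the thread-style "-> comment" annotations and blank lines.
    for parts in filter(None, (l.split("->")[0].split() for l in text.splitlines())):
        if parts[:2] == ["ip", "address"]:           # ip address <nameif> <ip> <mask>
            ifaces[parts[2]] = ipaddress.ip_interface(f"{parts[3]}/{parts[4]}")
        elif parts[0] == "static":                   # static (real_if,mapped_if) <global> <local> ...
            statics[parts[2]] = (parts[1].strip("()").split(",")[0], parts[3])
        elif parts[0] == "access-list":              # access-list <name> <entry ...>
            acls.setdefault(parts[1], []).append(parts[2:])
        elif parts[0] == "access-group":             # access-group <name> in interface <nameif>
            bound[parts[4]] = parts[1]
    # 1. No two interfaces may share a subnet (the overlap error when a DMZ gets a second public /28 IP).
    names = list(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                findings.append(f"{a} and {b} overlap on {ifaces[a].network}")
    # 2. Each static maps a global IP on the outside subnet to a real IP on the real interface's subnet.
    for glob, (real_if, real) in statics.items():
        if ipaddress.ip_address(glob) not in ifaces["outside"].network:
            findings.append(f"static {glob}: global address not in outside subnet")
        if real_if in ifaces and ipaddress.ip_address(real) not in ifaces[real_if].network:
            findings.append(f"static {glob}: {real} is not on the {real_if} subnet")
    # 3. The ACL bound inbound on outside permits only tcp/443 to a published host and ends in a deny.
    entries = acls.get(bound.get("outside"), [])
    for e in entries:
        if e[0] == "permit" and not (e[1:4] == ["tcp", "any", "host"] and e[4] in statics and e[5:] == ["eq", "443"]):
            findings.append("overly broad permit: " + " ".join(e))
    if entries and entries[-1] != ["deny", "ip", "any", "any"]:
        findings.append("outside ACL does not end with an explicit deny ip any any")
    return findings
```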
12-04-2006 03:16 AM
Hi, thanks, that's very helpful. Just one more question. Should I configure the 194.xx.xx.110/28 on the CAG interface?
Thanks
J Mack
12-04-2006 03:31 AM
No, let the CAG interface run on the internal IP, i.e. 10.10.10.5. That should do. Translation between public and private IP will be done by the PIX.
HTH
AK
12-04-2006 03:10 AM
PIX will not let you configure two interfaces having an IP from the same subnet.
What is the device for which you have set up the A record? If it is the Citrix CAG, you can consider putting the Citrix CAG in a DMZ which is on a private subnet.
e.g
DMZ interface IP : 10.10.10.1
Citrix CAG IP: 10.10.10.100 -> default gateway will be 10.10.10.1
You can do a static NAT for the Citrix CAG with the public IP for which you have set up the A record.
static (dmz,outside) 194.xxx.xxx.110 10.10.10.100 netmask 255.255.255.255
With this you should be good to go.
--Pls rate all helpful posts--