Help Require - Security Context issues

jszinzuwadia · ‎04-26-2008

Hi Techies,

I have been assigned project for setting up the security contexts on PIX firewall.

Please see the below tech details:

I have created two contexts i.e. Admin & CustA. I have decided to share the Outside interface between two contexts. I have enabled 'mac-address auto' on PIX firewall to avoid conflicting between ARP requests.Also both the physical ports on L2 switches are configured into Trunk mode.

Sh run for Admin Context:

interface inside

nameif inside

security-level 100

ip address 10.126.1.17 255.255.255.0

!

interface outside

nameif outside

security-level 0

ip address 10.10.10.200 255.255.255.0

access-list outside_access_in extended permit icmp any any

global (outside) 1 interface

nat (inside) 1 10.126.1.0 255.255.255.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 10.10.10.2 1

Sh run for CustA Context:

nterface E_inside

nameif inside

security-level 100

ip address 10.126.6.250 255.255.255.0

!

interface E_outside

nameif outside

security-level 0

ip address 10.10.10.201 255.255.255.0

access-list outside_access_in extended permit icmp any any

global (outside) 1 interface

nat (inside) 1 10.126.6.0 255.255.255.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 10.10.10.2 1

Problems:

I am able to ping 10.126.1.X network from CustA context. However, not able to ping 10.126.6.X network from Admin Context.

I am able to surf the Internet from Admin Context i.e. from 10.126.1.X network. However, the DNS server resides on 10.126.1.X network and hence not able to resolve DNS requests from CustA context.

Could someone please help me to resolve the above mentioned problem? Let me know if anybody requires any additional information.

Thanks,

JBP

JORGE RODRIGUEZ · ‎04-26-2008

I think your problem relies on how you are implementing or allowing icmp in each context, can you go over these two links, I beieve once you read it will help in solving some of your icmp issues.

asa icmp functionality

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#req

inspect icmp

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1665749

on the dns part there could be couple of things that may be in the way, first of all can you from CustA context ping by ip a public IP address to deternmined if you have outbound connectivity, try pinging www.yahoo.com by ip 69.147.114.210,if you get replies we know there is connectivity.

if you have the DNS server on admin context inside LAN I would assumed that you will need to NAT the DNS server and permit DNS port because you are comming from CustA context to Admin context for DNS queries but while the forum here tries to help here in your dns issue you could use in the meantime public DNS servers for CustA context.

Rgds

Jorge

Jorge Rodriguez

jszinzuwadia · ‎04-27-2008

Thanks for the information Jorge.

When i removed global commands and do static NAT on both the contexts for internal subnets, the ICMP between both the contexts started.and i have to extended my NAT translation on ISP routers. i.e,

Admin Context:static (inside,outside) 10.126.1.0 10.126.1.0 netmask 255.255.255.0 0 0

My Admin context are having all our servers like Active directory, File server, Internal DNS, Mail, etc... so it is a requirement to access of admin context from the CustA context.

The objective behind implementing contexts is to segregate one Inside VLAN traffic from other network VLANs. However we want to access admin contexts from other contexts so that we can have the access of all the servers.