Need Help to setup new firewall

Mhon Baul
Level 1

Hi,

  I would like to ask for some help because I will replace our router firewall with a PIX 515 firewall. I know that this is an old one, but we need to do this for security reasons while we wait for the new equipment to arrive. Below are my inquiries.

1. Where is it best practice to deploy the proxy, in the DMZ or the inside network?

2. How will access be configured from inside to DMZ and DMZ to inside?

3. Also, what are the ports that need to be opened when I put the OWA in the DMZ, as this is the current setup?

4. If many hosts from the DMZ need to access the inside network, how will the NAT and ACL be configured?

5. I already configured the PIX firewall to use Websense, but it is still not blocking websites like porn. BTW, I use a proxy for this one. Below is my config; am I missing something?

url-server (inside) vendor websense host 10.71.3.6 timeout 30 protocol TCP version 4 connections 5

filter url http 10.71.8.0 255.255.255.0 0.0.0.0 0.0.0.0

sho url-server statistics

Global Statistics:
--------------------
URLs total/allowed/denied         2949/2850/99
URLs allowed by cache/server      0/2850
URLs denied by cache/server       0/99
HTTPSs total/allowed/denied       0/0/0
HTTPSs allowed by cache/server    0/0
HTTPSs denied by cache/server     0/0
FTPs total/allowed/denied         0/0/0
FTPs allowed by cache/server      0/0
FTPs denied by cache/server       0/0
Requests dropped                  0
Server timeouts/retries           0/0
Processed rate average 60s/300s   0/0 requests/second
Denied rate average 60s/300s      0/0 requests/second
Dropped rate average 60s/300s     0/0 requests/second

Server Statistics:
--------------------
10.71.3.6                         UP
  Vendor                          websense
  Port                            15868
  Requests total/allowed/denied   2949/2850/99
  Server timeouts/retries         0/0
  Responses received              2949
  Response time average 60s/300s  0/0

URL Packets Sent and Received Stats:
------------------------------------
Message                 Sent    Received
STATUS_REQUEST          4443    4443
LOOKUP_REQUEST          2871    2871
LOG_REQUEST             0       NA

Errors:
-------
RFC noncompliant GET method     0
URL buffer update failure       0

All answers are greatly appreciated! Thanks in advance!

cheers,

reymon

Accepted Solution

Kureli Sankar
Cisco Employee

1. Where is it best practice to deploy the proxy, in the DMZ or the inside network?

2. How will access be configured from inside to DMZ and DMZ to inside?

3. Also, what are the ports that need to be opened when I put the OWA in the DMZ, as this is the current setup?

4. If many hosts from the DMZ need to access the inside network, how will the NAT and ACL be configured?

5. I already configured the PIX firewall to use Websense, but it is still not blocking websites like porn. BTW, I use a proxy for this one. Below is my config; am I missing something?

1. Here http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml

2. We only need translation from high security to low security, and it is bidirectional. So, you just need to provide translation for the inside network to access the DMZ.

static (inside,dmz) 10.71.8.0 10.71.8.0 netmask 255.255.255.0

where 10.71.8.0/24 is the inside network.

3. So, OWA box is in the DMZ and you need to access that from the outside. I believe that OWA uses tcp 443 so, for the translated address of the OWA server on the dmz you need to open/allow 443 from the internet to the public IP of OWA. This ACL needs to be applied "IN" on the outside interface facing the internet.

4. Answer to question 2 answers this one as well. From low to high no translation needed. It just uses the static (inside,dmz)

5. Is Websense configured correctly? It seems like the requests are being sent to Websense according to the output that you have attached. You are redirecting 10.71.8.0/24 traffic going anywhere.

-KS
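A worked PIX 7.x fragment that ties points 2, 3 and 4 of the answer together, added here as an illustration; it is not configuration from the thread or from the linked Cisco document. It takes the inside network as 10.71.3.0/24 and the DMZ as 10.71.8.0/24, which is the addressing the follow-up post's object groups use rather than the 10.71.8.0/24 inside network assumed in the answer. The interface names and addresses, the OWA host 10.71.8.20, its public address 203.0.113.20 and the 203.0.113.0/24 outside subnet (the RFC 5737 documentation range) are all assumptions made for the example.

```cisco
! Added example, not from the thread. Assumed addressing:
!   outside 203.0.113.0/24 (security 0), inside 10.71.3.0/24 (security 100),
!   dmz 10.71.8.0/24 (security 50), OWA server 10.71.8.20 published as 203.0.113.20.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.71.3.1 255.255.255.0
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.71.8.1 255.255.255.0
!
! Point 2 and 4: one identity static from the higher-security (inside) to the
! lower-security (dmz) interface covers both directions. It only creates the
! translation; inside -> dmz is permitted by default, dmz -> inside is dropped
! until an ACL on the dmz interface permits it.
static (inside,dmz) 10.71.3.0 10.71.3.0 netmask 255.255.255.0
!
! Point 3: OWA lives in the dmz and is reached from the internet on tcp/443 only.
static (dmz,outside) 203.0.113.20 10.71.8.20 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.20 eq https
access-group outside_access_in in interface outside
!
! Point 4: least privilege for dmz -> inside. A service object group goes in the
! destination-port position only; listing it in the source-port position as well
! would require the client's ephemeral source port to match and silently break
! the rule.
object-group network INSIDE_SERVERS
 network-object host 10.71.3.35
 network-object host 10.71.3.36
object-group service TCP_DMZ-INSIDE tcp
 port-object eq ldap
 port-object eq domain
 port-object eq citrix-ica
object-group service UDP_DMZ-INSIDE udp
 port-object eq domain
 port-object eq 1812
 port-object eq 1813
access-list dmz_in extended permit tcp host 10.71.8.20 object-group INSIDE_SERVERS object-group TCP_DMZ-INSIDE
access-list dmz_in extended permit udp host 10.71.8.20 object-group INSIDE_SERVERS object-group UDP_DMZ-INSIDE
! Log what the implicit deny drops so a compromised dmz host becomes visible.
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
```

The `static (inside,dmz)` line is needed when `nat-control` is enabled, which is typically the case on a box upgraded from PIX 6.x; it does not by itself permit anything from the DMZ. Once `dmz_in` is applied, its implicit deny replaces the default high-to-low permit for everything entering the dmz interface, so anything the DMZ hosts legitimately need, including outbound DNS or updates, has to be added explicitly, and the final logged deny shows what a compromised DMZ host tries to reach.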


2 Replies


Hi KS,

Many thanks for your reply. But I have something to clarify.

1. The link you provided, is this also applicable to a proxy server?

2. static (inside,dmz) 10.71.8.0 10.71.8.0 netmask 255.255.255.0

     where 10.71.8.0/24 is the inside network.

  - When I apply this command, will the ACL take effect when a server in the DMZ needs to access an inside server? I am just curious about the security part, so that if my server in the DMZ is compromised, the inside network will not be affected.

Below is my config for the ACEs from DMZ to INSIDE:

object-group service UDP_DMZ-INSIDE udp
description *UDP_CITRIX_SERVICES_DMZ-INSIDE*
port-object eq 1812
port-object eq 1813
port-object eq domain
object-group service TCP_DMZ-INSIDE tcp
description *TCP_CITRIX_SERVICES_DMZ-INSIDE*
port-object eq ldap
port-object eq domain
port-object eq citrix-ica
port-object eq 2598
port-object eq www
port-object eq 81
object-group network INSIDE_SERVERS
network-object host 10.71.3.70
network-object host 10.71.3.35
network-object host 10.71.3.36
network-object host 10.71.3.160
network-object host 10.71.3.161
network-object host 10.71.3.162
network-object host 10.71.3.163
network-object host 10.71.3.164
network-object host 10.71.3.165
network-object host 10.71.3.153
network-object host 10.71.3.154
object-group network CTXNS01_SERVER
description *NETSCALER_SERVERS*
network-object host 10.71.8.15
network-object host 10.71.8.16
network-object host 10.71.8.17
network-object host 10.71.8.18

!

! service object group given once, in the destination-port position
access-list dmz_in extended permit tcp object-group CTXNS01_SERVER object-group INSIDE_SERVERS object-group TCP_DMZ-INSIDE
access-list dmz_in extended permit udp object-group CTXNS01_SERVER object-group INSIDE_SERVERS object-group UDP_DMZ-INSIDE

!

access-group dmz_in in interface dmz

!

static (inside,dmz) 10.71.3.0 10.71.3.0 netmask 255.255.255.0


Will this setup work from DMZ to inside and inside to DMZ? Please enlighten me on this one.

5. Yes, the systems guy told me that Websense is already configured. Do I need to configure SPAN on the port going to the firewall so that Websense can detect all the HTTP traffic?
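The counters in the first post show the Websense integration itself working: 2949 lookups reached the server, 99 were denied, and there were no timeouts or drops. What the single `filter url http` line does not cover is traffic that does not arrive at the PIX as tcp/80 from 10.71.8.0/24, and that is exactly what a proxy changes: browsers connect to the proxy's listening port, and the proxy then opens the port 80 connections from its own address. Whichever of those legs crosses the firewall has to be matched by a filter rule. No SPAN is involved; the PIX classifies connections that pass through it, not mirrored copies. The fragment below, added here and not part of the thread, shows both placements. The Websense server 10.71.3.6 and client subnet 10.71.8.0/24 come from the post; the proxy address 10.71.3.50 and its port 8080 are assumptions made for the example.

```cisco
! Added example, not from the thread. Assumed: Websense at 10.71.3.6 on the
! inside (from the post), browsers on 10.71.8.0/24 (from the post's filter line),
! and a proxy at 10.71.3.50 listening on tcp/8080 (made up for this example).
url-server (inside) vendor websense host 10.71.3.6 timeout 30 protocol TCP version 4 connections 5
!
! As posted, this only matched connections to tcp/80 from 10.71.8.0/24. A
! browser configured for a proxy connects to tcp/8080 instead, so nothing
! matched and no lookup was sent for that user:
!   filter url http 10.71.8.0 255.255.255.0 0.0.0.0 0.0.0.0
!
! Case A: clients and proxy are on opposite sides of the PIX. Filter the
! client -> proxy leg on the proxy's port. The request line to a proxy carries
! the absolute URL, so the PIX still sends the full destination to Websense
! with the real client address and per-user policy keeps working.
filter url 8080 10.71.8.0 255.255.255.0 10.71.3.50 255.255.255.255
!
! Case B: only the proxy -> internet leg crosses the PIX. Filter by the proxy's
! address. Websense then sees the proxy as the requester for every URL, so
! per-client policy and reporting through this integration are lost.
filter url http 10.71.3.50 255.255.255.255 0.0.0.0 0.0.0.0
!
! Keep clients from bypassing the filter by pointing at some other proxy, and
! hand HTTPS destinations to Websense as well (Websense only).
filter url http 10.71.8.0 255.255.255.0 0.0.0.0 0.0.0.0 proxy-block
filter https 443 10.71.8.0 255.255.255.0 0.0.0.0 0.0.0.0
!
! Do not append "allow" to these lines unless a Websense outage is meant to
! fail open; without it the PIX blocks the filtered traffic while the server
! is unreachable.
!
! Exempt the Websense server itself so its own update traffic is not looked up.
filter url except 10.71.3.6 255.255.255.255 0.0.0.0 0.0.0.0
!
! Verify which rules are active, then browse through the proxy and confirm the
! LOOKUP_REQUEST and denied counters move:
!   show running-config filter
!   show url-server statistics
```

Pick Case A or Case B according to where the proxy actually sits relative to the PIX (which is also the practical answer to question 1: putting the proxy on the far side of the firewall from the clients is what lets the PIX see each client's requests individually). If the clients and the proxy share the inside segment, the PIX never sees the client leg at all, and filtering has to happen either on the proxy itself or on the proxy's outbound leg with the loss of per-client visibility noted above.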
