Cisco Support Community
New Member

PIX 501 access

Hello All,

I have a question around PIX 501 (6.3) configuration which I was hoping someone can shed some light on. I am trying to allow traffic from a single Citrix CAG across a variety of ports (80,443,9001-9005,27000,7279,1494,2598) from the external (dmz) interface through to multiple addresses (on the same ports) on the internal (secure) network and don't know how best to approach it, or if it's possible. The only way I have found to allow traffic through is via static NAT entries, which I can't see will work for this requirement as we need some ports to be allowed into multiple addresses.

I am happy to provide a config, though to be honest it can be assumed to be blank as the environment is being replaced, so I am happy to rebuild to best practice.

Any help would be appreciated as PIX are really not my thing and let me know if you need more information.

Many thanks

Mark

1 ACCEPTED SOLUTION

Accepted Solutions
Red

PIX 501 access

Hi Mark,

As I mentioned earlier, since you have a large pool of hosts on the internal LAN, you have two options. First one:

Create a self static NAT entry for all the internal hosts, like:

static (lan,DMZ) 10.0.1.121 10.0.1.121

...

...

...

static (lan,DMZ) 10.0.1.125 10.0.1.125

and that's all you would need.

Or you can try NAT exempt:

access-list no_nat permit ip host 10.13.7.5 10.0.1.120 255.255.255.240

nat (DMZ) 0 access-list no_nat

Hope that helps.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
6 REPLIES
Red

PIX 501 access

Hi Mark,

I am not really sure about your requirement; a small network setup would help. Is your setup something like this:

Citrix---------------------------(dmz)ASA(Inside)-----------------------------------internal lan

You want to allow only specific port access to the hosts on the inside?

Well, there can be a few ways to accomplish this. Let's say your Citrix wants to access a host on the inside on ports 80,443,9001-9005,27000,7279,1494,2598.

Then, as you said, you can create a static for your inside machine, something like:

static (inside,dmz) 10.1.1.1 10.1.1.1

and then restrict the port access on the interface ACL:

access-list dmz_to_inside permit tcp host <citrix-ip> host 10.1.1.1 eq 80

access-list dmz_to_inside permit tcp host <citrix-ip> host 10.1.1.1 eq 443

....

....

....

...

....

access-list dmz_to_inside permit tcp host <citrix-ip> host 10.1.1.1 eq 2598

access-group dmz_to_inside in interface dmz

Pardon me if I got your requirement wrong.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member

PIX 501 access

Hi Varun,

Thanks for the quick response,

The environment is (Internet)External Pix(DMZ)----------------Citrix Gateway-----------------(DMZ)Internal Pix(LAN)-----------LAN.

                                                                                   (Single-Homed)

A 4500 switch is used to link the different VLANs that make up the DMZ and LAN.

The problem we have is the Citrix Gateway will receive requests from the internet through the External PIX and then forward requests to the outside interface of the Internal PIX, destined for a Citrix farm on the LAN. These requests will be over various ports and to one of a number of internal IP addresses (say 10.0.1.120/28), so for example port 80 traffic may need to go to any one of these hosts.

By default the PIX is configured with dynamic NAT to allow all access from the LAN to the DMZ, but I am unsure how to allow access from the DMZ to the LAN to multiple hosts on the same port. My understanding is that static NAT will only allow one port per host per interface, but I could well be wrong?

Apologies if this is not clear so feel free to query anything.

Kind regards,

Mark

Red

PIX 501 access

Hi Mark,

I guess you would be doing the NAT on the external PIX, so the packets that are forwarded to the internal PIX would have their private IPs as the destination only; for that, on the internal PIX you can either do a NAT exempt on them for the entire LAN or policy NAT for it. On the external PIX you would definitely need static NATs, so that users from the outside are able to hit your servers on the internal LAN. My suggestion is: restrict the traffic (ports and IPs) on the external PIX, and then just pass the traffic through the internal PIX, but it all depends on your requirement.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member

PIX 501 access

Hi Varun,

Packets are restricted on the external PIX and are translated to the address of the Citrix CAG. Once the CAG receives the request it then processes it and will send various requests to one or more Citrix servers on the LAN. For example, assuming the DMZ has an address range of 10.13.7.0/27 and the LAN has 10.0.0.0/16:

Citrix CAG(10.13.7.5)--------------------------(10.13.7.11)PIX(10.0.0.21)----------------------Citrix Farm (10.0.1.120/28)

My understanding is that the CAG in this configuration sends requests to the internal farm from 10.13.7.5 using 10.13.7.11 as the default gateway (OSPF on the PIX to allow routing to the 10.0.0.0/16 network). I could add static entries, but that breaks down because some ports (e.g. particularly 80 and 443) may need to go to more than one internal host, so I can't create a static NAT for a single internal host (or at least I don't think I can).

Apologies if it seems like an odd configuration, but it's one I have inherited and I'm pretty much stuck with it until I can redesign in a few months.

Thanks for your help

Mark

New Member

PIX 501 access

Hi Varun,

Thanks for your help with this. Creating the NAT exemption and a specific outside_in access list resolved the issue. It took longer than expected to test this sufficiently, so sorry for the delay in responding.

Thanks

Mark
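Mark's resolution pairs a nat 0 exemption with an interface access list from the CAG to the farm. As an added example (not code from the thread or from Cisco), the following Python models both checks with first-match semantics and the PIX's implicit deny, so the set of DMZ-to-LAN flows that would actually pass can be verified before the config goes live; the CAG address 10.13.7.5, the farm 10.0.1.120/28 and the port list are taken from the thread, everything else is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

# From the thread: CAG host in the DMZ, Citrix farm on the LAN, Mark's port list.
CAG = ipaddress.ip_network("10.13.7.5/32")
# 10.0.1.120 is not on a /28 boundary; the PIX form 10.0.1.120 255.255.255.240
# (as in the no_nat ACL) effectively matches 10.0.1.112-127, hence strict=False.
FARM = ipaddress.ip_network("10.0.1.120/28", strict=False)
PORT_SPEC = "80,443,9001-9005,27000,7279,1494,2598"

def expand_ports(spec):
    """Expand '80,9001-9005' into the set of individual TCP ports."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

@dataclass
class Ace:
    """One access-list entry; an empty port set means any port."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: set = field(default_factory=set)

    def matches(self, src, dst, port):
        return src in self.src and dst in self.dst and (not self.ports or port in self.ports)

def lookup(acl, src, dst, port):
    """First matching entry wins; the PIX implicitly denies anything unmatched."""
    for ace in acl:
        if ace.matches(src, dst, port):
            return ace.action == "permit"
    return False

# Interface ACL: one permit per port from the CAG to the whole farm subnet, which
# avoids the one-line-per-host-per-port explosion Mark was worried about.
DMZ_TO_INSIDE = [Ace("permit", CAG, FARM, {p}) for p in sorted(expand_ports(PORT_SPEC))]
# nat (DMZ) 0 access-list no_nat: flows matching this ACL bypass translation.
NO_NAT = [Ace("permit", CAG, FARM)]

def flow_allowed(src, dst, port):
    """A DMZ->LAN flow needs both an ACL permit and a translation; nat 0 supplies
    the latter, otherwise the PIX has no xlate for the inside host and drops it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return lookup(DMZ_TO_INSIDE, src, dst, port) and lookup(NO_NAT, src, dst, port)
```

Note that the 10.0.1.120/28 mask as written also covers 10.0.1.112-.119, so tighten the ACL to host entries if those addresses are in use.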
