dmz

kjanakiraman
Level 1

I have a Cisco PIX 515 and the IOS is 6.0. The PIX firewall has three interface cards. One is connected to the inside network with IP 192.168.1.0, which has my LAN and all my public access servers. Another interface is the outside card. I want to move my public access servers (mail, web, DNS) to the other interface, which I named dmz. The web servers get information from the database server, which I want to keep in the 192.168.1.0 network. I have a config like this:

global (outside) 1 x.x.x.x

nat (inside) 1 192.168.3.1

The DMZ network is 192.168.12.x. I had created some access-lists for blocking some chat sites from my network and created an access-group on inside (192.168.1.0). I applied the access-group:

access-group acl_out in interface inside

From the DMZ zone I am able to browse the internet but not my inside network, so I created access-lists like:

access-list 112 permit ip 192.168.12.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 108 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0

access-group 112 in interface dmz

In this way both networks were able to communicate, but the DMZ could not go to the internet, so I added one more statement:

access-list 112 permit ip any any

by means of which the DMZ could communicate with the inside network and the internet.

I do not want my DMZ systems to communicate on all ports. I need my DMZ systems to communicate with only some systems in my inside network using some ports. If I configure like the one below:

access-list 112 permit tcp host 192.168.12.2 host 192.168.1.12 eq smtp

I permitted relay on my Exchange server for the 192.168.12.2 IP.

I removed access-list 112 permit ip any any.

There is no SMTP traffic between the two systems.

If I give an any any command, then from the DMZ I can connect to any ports in my inside network. I am getting confused. Can someone advise me how to set up the DMZ zone in such a way that from my inside network I should be able to access my DMZ zone fully, but from the DMZ zone only certain ports, like SMTP to my mail server and SQL to my database server? And my web servers, mail servers and DNS servers should be publicly accessible, and only my web server in the DMZ should be able to query my database server, and not any other system.

Thanks in Advance

1 Accepted Solution
8 Replies

tvanginneken
Level 4

Hi,

is it possible to post your entire config?

(!!please replace public addresses and passwords!!)

That way it would be a lot easier to do some troubleshooting.

If that's not possible, could you tell me what kind of address translation there is between the inside and the dmz, and between the dmz and the internet?

In some situations, the PIX 'smtp fixup' protocol is causing problems in combination with Microsoft Exchange. Maybe you can disable the fixup protocol for smtp during the tests.

Kind Regards,

Tom

Hi,

Thanks for your reply. I could not post you the entire config since the configuration is very huge and runs through more than 10 pages. I did not do any static translation between inside and dmz. I created access-lists, one for the dmz and the other for my inside. From inside to dmz there is a no-nat, like nat (inside) 0 access-list 108. It worked; I was able to connect from the inside to the dmz, but when I try the same for the dmz like:

global (outside) 1 x.x.x.x1

nat (inside) 1 192.168.1.0

nat (inside) 0 access-list 108

global (outside) 2 x.x.x.x2

nat (dmz) 2 192.168.12.0

nat (dmz) 0 access-list 112 (112 is the access-list for connecting from dmz to inside), like:

access-list 112 permit ip 192.168.12.0 255.255.255.0 192.168.1.0 255.255.255.0

it is not happening, not only for Exchange but for other web services too.

As I had told in my previous posting, I have some access-lists like:

access-list acl_out deny ip any host x.x.x.x and so on, to block some chat sites, and access-group acl_out in interface any. Could this cause some problem? Can you advise me how to proceed with this?

Thanks a lot for your help once again.

Hi,

it is not good practice to use the nat 0 command. It should be used only for VPN configs, because nat 0 can have some side-effects.

Replace the 'nat 0' command with the static command; this is called 'net static'. The command is the 'static' command, but you provide the same network two times. Let me give you an example:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

When packets pass from the inside to the dmz, the 192.168.1.0 addresses are replaced by the same 192.168.1.0 addresses. This way the source address is translated to itself, but the packets do go through the NAT translation engine. With nat 0 the NAT translation engine is bypassed, and the PIX doesn't really 'like' this :-)

You don't need the nat 0 command, especially not the one from the dmz to the inside. By default the addresses from the dmz to the inside are not translated.

So, these lines:

nat (inside) 0 access-list 108

nat (dmz) 0 access-list 112

should be replaced by:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

access-group 112 in interface dmz

Make sure that access-list 112 only allows the really necessary traffic.

Is all this a little bit understandable? I hope it is :-)

Kind Regards,

Tom

Thanks a lot. It works fine. One more quick question. Since I have multiple subnets in my inside network apart from 192.168.1.0/24, like 10.x.x.x and the 172 network, all connected using routers behind the firewall, how can I make those systems communicate with the dmz 192.168.12.0/24 network? I believe I could not give one more static statement since 192.168.1.0 is already statically translated.

Thanks in Advance

Hi,

I haven't tested it yet, but isn't it possible to add more static commands for the other internal networks?

Kind Regards,

Tom

Hi,

Long back, when I tried to add two static statements with the same IP without any port number added, it was giving me an overlapping of statically translated IP address error. Anyhow, I will try to test it this weekend or on Monday and send you a reply in this regard.

Thanks and Regards

J.Karthik

Hi

It is indeed not possible to use the same addresses in different static statements. But in this case you are using different network addresses in the static commands.

Kind Regards,

Tom

Thanks a lot. It worked when I gave another static statement with that network.

Regards

J.Karthik
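
Putting Tom's advice (identity static instead of nat 0, an access-list 112 that only admits the traffic really needed) and the accepted answer (one static per inside network) together with the original requirements, as an added example that is not from any post in this thread. It assumes PIX 6.x syntax, a web server at 192.168.12.3, a DNS server at 192.168.12.4, a database server at 192.168.1.20 and a 10.0.0.0/8 inside network behind the routers; the mail relay 192.168.12.2 and Exchange server 192.168.1.12 are the addresses from the thread, and the x.x.x.N public addresses are placeholders.

```text
! Added example, not from any post in this thread. Host addresses marked
! "assumed" and the x.x.x.N public addresses are placeholders.
!
! Identity statics: inside-to-dmz traffic keeps its source address but
! still passes through the translation engine (no nat 0 needed).
! One static per inside network; the networks differ, so they do not
! overlap.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
!
! Public servers in the dmz: one public address per server.
static (dmz,outside) x.x.x.10 192.168.12.2 netmask 255.255.255.255
static (dmz,outside) x.x.x.11 192.168.12.3 netmask 255.255.255.255
static (dmz,outside) x.x.x.12 192.168.12.4 netmask 255.255.255.255
!
! Internet to dmz: only the published services, nothing else.
access-list acl_outside permit tcp any host x.x.x.10 eq smtp
access-list acl_outside permit tcp any host x.x.x.11 eq www
access-list acl_outside permit udp any host x.x.x.12 eq domain
access-group acl_outside in interface outside
!
! dmz to inside: only the specific host/port pairs that are needed.
! Mail relay 192.168.12.2 to the Exchange server 192.168.1.12 (from the
! thread).
access-list 112 permit tcp host 192.168.12.2 host 192.168.1.12 eq smtp
! Web server (assumed 192.168.12.3) to the database server (assumed
! 192.168.1.20, MS SQL on 1433). No other dmz host matches this line.
access-list 112 permit tcp host 192.168.12.3 host 192.168.1.20 eq 1433
! Everything else from the dmz toward the inside networks is dropped
! here, before the internet rule below can match it (order matters).
access-list 112 deny ip 192.168.12.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 112 deny ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
! dmz to internet, replacing the broad 'permit ip any any'.
access-list 112 permit ip 192.168.12.0 255.255.255.0 any
access-group 112 in interface dmz
!
! The inside access-group acl_out (chat-site blocks) is unchanged; a PIX
! access-list ends with an implicit deny, so it must still end with a
! permit for inside-to-dmz and inside-to-internet traffic.
!
! Clear existing translations after changing statics so the new entries
! take effect.
clear xlate
```

With this access-list 112 in place, a connection attempt from any dmz host other than 192.168.12.3 to 192.168.1.20:1433, or from 192.168.12.2 to any inside port other than SMTP, is denied on the dmz interface and logged as a denied packet.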