Network connected to DMZ are not reachable

ponnaiyan
Level 1

My setup follows:

Pix--dmz servers with gateway as pix--- DMZ router ----- remote router ---- remote LAN

When I try to reach the remote LAN from the DMZ servers, I am not able to reach it.

My servers have pix as gateway.

The PIX has a route for the remote LAN. (From the PIX I don't have any problem reaching the remote LAN.)

When I add a specific route to the remote LAN on the servers pointing to the local router, then I don't have a problem reaching the remote LAN.

My problem is: why is a server with the PIX as gateway not able to reach the remote LAN?

Accepted Solution

the issue is related to the pix v6.x golden rule.

the golden rule basically doesn't allow the pix to redirect a packet in and out the same interface. e.g. the dmz server tries to send a packet to the remote lan. at the moment, the dmz server has a default gateway pointing to the pix dmz interface, so the dmz server will forward the packet to the pix dmz interface to start with. the pix receives the packet originated from the dmz server and destined for the remote lan. now, the pix determines the next hop for this particular packet is the dmz router, which is via the dmz interface again. as mentioned, the golden rule doesn't allow such an operation as the packet was received on the pix dmz interface.

the workaround, as martin mentioned earlier, is to modify the default gateway on the dmz server. the default gateway should be the dmz router, then configure static routes on the router.

now, there are two choices in terms of configuring routes on the router.

one: configure the pix dmz interface as the dmz router default gateway, and configure static route for the remote lan; or

two: configure the remote router as the dmz router default gateway, and configure static route for pix inside net.

personally, i prefer the first option as the dmz server may need internet access via the pix as well.

let's look again at the traffic flow with the dmz server having the dmz router as the default gateway; the dmz router having the pix dmz interface as the default gateway, and static routes for the remote lan.

a packet originated from the dmz server that is destined for the remote lan will be forwarded to the dmz router. the dmz router will then forward the packet to the remote router based on the static routes; alternatively, a packet originated from the dmz server that is destined for the internet or the pix inside subnet will be forwarded to the dmz router. the dmz router will then forward the packet to the pix dmz interface based on the default gateway settings.

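As an added illustration (not part of the thread), a small Python model of the forwarding decision the accepted solution describes: a longest-prefix route lookup plus the PIX 6.x same-interface check, traced for a DMZ server using either the PIX or the DMZ router as its gateway. Addresses come from the posted PIX config; the upstream and remote-router next hops are placeholders because the thread masks or omits them.

```python
import ipaddress

# Constructed model of the thread's topology. Prefixes and next hops are taken
# from the posted PIX config; UPSTREAM_PLACEHOLDER and REMOTE_ROUTER_PLACEHOLDER
# stand in for addresses the thread does not give.
PIX_ROUTES = [  # (prefix, next hop or None if directly connected, egress interface)
    ("0.0.0.0/0", "UPSTREAM_PLACEHOLDER", "outside"),
    ("172.20.177.0/24", None, "inside"),
    ("192.168.255.192/26", None, "server"),
    ("172.20.183.0/24", "192.168.255.195", "server"),  # remote LAN via DMZ router
]

# Option one from the accepted solution: the DMZ router defaults to the PIX
# server interface and carries a static route for the remote LAN.
DMZ_ROUTER_ROUTES = [
    ("0.0.0.0/0", "192.168.255.193", "dmz"),
    ("172.20.183.0/24", "REMOTE_ROUTER_PLACEHOLDER", "to_remote"),
]


def lookup(routes, dst):
    """Longest-prefix match; returns (next_hop, egress_interface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best[1], best[2]


def pix_forwards(ingress_iface, dst):
    """PIX 6.x golden rule: a packet is never sent back out the interface it arrived on."""
    _, egress = lookup(PIX_ROUTES, dst)
    return egress != ingress_iface


def server_path(gateway, dst):
    """Trace a DMZ server's packet with either the PIX or the DMZ router as gateway."""
    if gateway == "pix":
        # The server hands the packet to the PIX on its 'server' interface.
        return "delivered" if pix_forwards("server", dst) else "dropped: same-interface redirect"
    # The server hands the packet to the DMZ router instead.
    _, iface = lookup(DMZ_ROUTER_ROUTES, dst)
    if iface == "to_remote":
        return "delivered via remote router"
    # The router's default gateway is the PIX, which sees the packet arrive on 'server'
    # and leave via 'inside' or 'outside', so the golden rule is satisfied.
    return "delivered via pix" if pix_forwards("server", dst) else "dropped: same-interface redirect"
```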

4 Replies

mheusinger
Level 10

Hello,

from your drawing I would suggest it makes more sense to have your DMZ router as default gateway on your DMZ servers. Otherwise the PIX has to redirect the traffic to the DMZ router and this might or might not work depending on your configuration.

Hope this helps

Martin

P.S.: please post your configs (DMZ router and PIX) in order to get a more specific answer.

Please rate all helpful posts

Hello,

Thank you for the reply!

Find the PIX configuration below.

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 physical
interface ethernet1 vlan3 logical
interface ethernet1 vlan4 logical
interface ethernet1 vlan5 logical
interface ethernet1 vlan6 logical
interface ethernet1 vlan7 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 server security8
access-list sertoin remark temporary access to all
access-list sertoin permit ip any any
ip address outside x.x.156.130 255.255.255.192
ip address inside 172.20.177.1 255.255.255.0
ip address server 192.168.255.193 255.255.255.192
access-group sertoin in interface server
route outside 0.0.0.0 0.0.0.0 x.x.156.129 1
route server 172.20.183.0 255.255.255.0 192.168.255.195 1
route outside x.x.208.192 255.255.255.224 x.x.156.129 1

My remote LAN network is 172.20.183.0 and dmz router ip is 192.168.255.195.

The DMZ router can't be the default gateway for the servers. I only need a route via the DMZ router to reach the 172.20.183.0 network.

One more thing I haven't mentioned earlier is that I do all this with logical interfaces (VLANs). I suspect that could be the problem (maybe a bug).

I am able to reach 172.20.183.0 from the PIX without any problem. So there shouldn't be any problem with the DMZ router configuration.


Hello,

in your last post you write the DMZ router could not be default gateway for the servers. But according to the config you gave this is technically possible. And I think JackKo made it clear why it would be the best solution in your case.

There is afaik no additional security threat arising from setting the DMZ router as default gateway for your servers instead of the PIX, if this was your concern.

So reconfigure your servers and everything should be fine.

Hope this helps

Martin
