Firewall Wizards mailing list archives

RE: PIX DMZ inter-access via outside IP address


From: "Andy Lyakhovetskiy" <andy () net4bay com>
Date: Sun, 7 Dec 2003 14:57:22 -0800

Hi Keith,

PIX can't "circle" packets, but using aliases you can solve your DNS
problem.
See
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

Andy

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Keith
Anderson
Sent: Thursday, December 04, 2003 2:58 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] PIX DMZ inter-access via outside IP address



This one is driving me crazy... if someone can help, I'd greatly
appreciate it.

I've got a client with a PIX 520, four interfaces, with the following
configuration:

  Interface 0, the "outside" with public IP address 1.1.1.x (not their
actual address range)
     connected to a Cisco 3640 router, T1 to the Internet, router
address 1.1.1.1

  Interface 1, the "inside", the executives (about 10 workstations)
     several Cisco Catalyst switches, all layer 2

  Interface 2, the DMZ with two servers (1.1.1.3 and 1.1.1.4)
     one Cisco Catalyst switch

  Interface 3, the "inside2", the rest of the company (about 60
workstations)
     several Cisco Catalyst switches, all layer 2

In order to support their applications, the two servers must be
accessible by everyone in the company AND the Internet by both IP
address AND domain name.

* Systems on the inside, inside2 and the Internet can reach the servers
using their public 1.1.x.x addresses just fine.

* Systems on the inside and inside2 can reach the servers using their
192.168 addresses also, just fine, although this is not required.

* All systems on the inside, inside2 and DMZ can access the Internet
without problems.

The PIX can ping everything on all interfaces.  No connectivity
problems.

THE KILLER PROBLEM: The two servers in the DMZ CAN NOT access each other
using their public Internet addresses.  They can use their 192.168
addresses just fine, but not their public addresses.

For the last week or so, I've been getting around this using HOST
entries (these are Windows servers), but we are about to add a lot of
servers, virtual hosts and other devices, and HOST entries will not
work.

Thanks in advance to anyone that can help with this.


Here are the relevant entries in the PIX configuration:

! the interfaces
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
nameif ethernet3 inside2 security40
ip address outside 1.1.1.9 255.255.248.0
ip address inside 10.48.0.1 255.255.0.0
ip address DMZ 192.168.1.1 255.255.0.0
ip address inside2 10.10.10.1 255.255.0.0

! address pools
global (outside) 1 1.1.1.10-1.1.1.249 netmask 255.255.240.0
global (outside) 1 1.1.1.250 netmask 255.255.240.0
global (DMZ) 1 192.168.1.2-192.168.1.249 netmask 255.255.0.0
global (DMZ) 1 192.168.0.250 netmask 255.255.0.0
global (inside2) 1 10.10.0.2-10.10.0.249 netmask 255.255.0.0
global (inside2) 1 10.10.0.250 netmask 255.255.0.0

! NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
nat (inside2) 1 0.0.0.0 0.0.0.0 0 0

! Grant access to the DMZ from the other interfaces using the outside
! addresses
sysopt nodnsalias inbound
alias (inside) 1.1.1.3 192.168.1.3 255.255.255.255
alias (inside2) 1.1.1.3 192.168.1.3 255.255.255.255
alias (inside) 1.1.1.4 192.168.1.4 255.255.255.255
alias (inside2) 1.1.1.4 192.168.1.4 255.255.255.255

! Static mappings to allow everyone to access the DMZ servers
static (inside,DMZ) 192.168.1.3 192.168.1.3 netmask 255.255.255.0 0 0
static (inside2,DMZ) 192.168.1.3 192.168.1.3 netmask 255.255.255.255 0 0
static (DMZ,outside) 1.1.1.3 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.1.4 192.168.1.4 netmask 255.255.255.0 0 0
static (inside2,DMZ) 192.168.1.4 192.168.1.4 netmask 255.255.255.255 0 0
static (DMZ,outside) 1.1.1.4 192.168.1.4 netmask 255.255.255.255 0 0

! This is in the lab only to make sure traffic flow isn't being stopped
! In the production PIX, access-lists are used to permit only needed
! ports
conduit permit icmp any any
conduit permit ip any any

! default route to the 3640
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1




Here is the Cisco 3640 route information:

ip route 0.0.0.0 0.0.0.0 up.stream.pro.vider
ip route 1.1.1.0 255.255.255.0 1.1.1.9


_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

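A quick consistency check over the NAT lines Keith posted, as an added example (not part of the thread and not a Cisco tool). It parses `ip address`, `global` and `static` lines into a few sanity findings a reviewer would want before chasing the hairpin problem: a global pool that lies outside its interface's subnet, a global netmask that disagrees with the interface mask, and a static whose mapped address sits inside a global pool on the same interface (the DMZ servers' 192.168.1.3/.4 are inside the `global (DMZ)` pool). The config excerpt is a constructed subset of the posted lines.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.x config posted above (only the lines these checks use).
PIX_CONFIG = """
ip address outside 1.1.1.9 255.255.248.0
ip address DMZ 192.168.1.1 255.255.0.0
global (outside) 1 1.1.1.10-1.1.1.249 netmask 255.255.240.0
global (DMZ) 1 192.168.1.2-192.168.1.249 netmask 255.255.0.0
global (DMZ) 1 192.168.0.250 netmask 255.255.0.0
static (inside,DMZ) 192.168.1.3 192.168.1.3 netmask 255.255.255.0 0 0
static (DMZ,outside) 1.1.1.3 192.168.1.3 netmask 255.255.255.255 0 0
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) \d+ (\S+) netmask (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


def lint_pix_nat(config):
    """Return a list of human-readable findings about global pools and statics."""
    ifaces, pools, findings = {}, [], []
    lines = config.strip().splitlines()
    for line in lines:
        if m := IP_RE.match(line):
            ifaces[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := GLOBAL_RE.match(line):
            first, _, last = m[2].partition("-")          # "a-b" range or single "a"
            pools.append((m[1], ipaddress.ip_address(first),
                          ipaddress.ip_address(last or first), m[3]))
    for name, first, last, mask in pools:
        net = ifaces[name].network
        if first not in net or last not in net:
            findings.append(f"global ({name}) {first}-{last} lies outside {net}")
        if mask != str(net.netmask):
            findings.append(f"global ({name}) netmask {mask} differs from interface mask {net.netmask}")
    for line in lines:
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            mapped_ip = ipaddress.ip_address(mapped)
            # The mapped address lives on mapped_if; it must not collide with a PAT/NAT pool there.
            for name, first, last, _ in pools:
                if name == mapped_if and first <= mapped_ip <= last:
                    findings.append(f"static ({real_if},{mapped_if}) {mapped} overlaps global ({name}) pool {first}-{last}")
    return findings


if __name__ == "__main__":
    for finding in lint_pix_nat(PIX_CONFIG):
        print(finding)
```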