Firewall Wizards mailing list archives
Re: Double firewall setup (long)
From: Victor Williams <vbwilliams () neb rr com>
Date: Tue, 25 Jan 2005 09:10:19 -0600
Can you give us an indication of why you want/need to do this? You can disable NAT altogether on the 2nd PIX and just have IP Addresses pass through as-is with no translation, and Cisco has documentation on how to do this. But, I don't ever recall reading any Cisco docs on having two firewalls *chained* in succession like this. In my opinion, there's nothing I can think of that would ever *require* this setup to be. Why don't you get a 4-port NIC card for each firewall (giving you 4 physical DMZ's instead of one), and put those firewalls into an Active/Failover setup?
Greymagick wrote:
Hi wizards, I have the following (admittedly newbie) situation. Current setup is as follows:

One PIX 515E w/ 3 interfaces: inside, outside, DMZ. There is a mailgateway (mailsweeper) in the DMZ for incoming mail which talks to an Exchange server in the LAN. Abridged configuration is as follows (public network details are not real):

-- begin --
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security90
hostname pixper1
domain-name foobar.com
names
name 10.181.46.4 mailsweeper
name 10.181.8.189 exchange
name 10.181.8.5 dnsserver
access-list OUTB permit tcp 10.181.8.0 255.255.248.0 any eq www
access-list OUTB permit tcp 10.181.8.0 255.255.248.0 any eq ftp
access-list OUTB permit tcp 10.181.8.0 255.255.248.0 any eq https
access-list OUTB permit tcp host dnsserver any eq domain
access-list OUTB permit udp host dnsserver any eq domain
access-list OUTB permit tcp host exchange host mailsweeper eq smtp
access-list INB permit tcp any host 33.33.33.163 eq smtp
access-list DMZ permit tcp host mailsweeper any eq smtp
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 33.33.33.165 255.255.255.240
ip address inside 10.181.8.19 255.255.248.0
ip address DMZ 10.181.46.1 255.255.255.0
global (outside) 10 interface
nat (inside) 10 10.181.0.0 255.255.0.0 0 0
nat (DMZ) 10 10.181.46.0 255.255.255.0 0 0
static (inside,DMZ) exchange exchange netmask 255.255.255.255 0 0
static (inside,DMZ) dnsserver dnsserver netmask 255.255.255.255 0 0
static (DMZ,outside) 33.33.33.163 mailsweeper netmask 255.255.255.255 0 0
access-group INB in interface outside
access-group OUTB in interface inside
access-group DMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 33.33.33.161 1
route inside 10.181.0.0 255.255.0.0 10.181.8.1 1
-- end --

All incoming mail goes to 33.33.33.163, so it enters the mailsweeper and after checking is redirected to the internal Exchange. This is working fine.

Now, the idea is to add another level of firewalling external to this, with its own DMZ. The new PIX (which I call "external") will have its inside interface directly connected to the outside interface of the current PIX (which I call "internal"). Since plugging this in will break down connectivity, I want to minimize loss of access as much as possible, but as my knowledge of PIX is (very) limited, I'm not quite sure of the best initial configuration for the new PIX. IP segments will be as follows:

LAN segment (internal PIX, inside): 10.181.8.0 /29
internal DMZ (internal PIX, DMZ): 10.181.46.0 /24
PIX to PIX segment: 10.181.47.0 /24
external DMZ (external PIX, DMZ): 10.181.48.0 /24
public (external PIX, outside): 33.33.33.160 /28

In addition to this, there will be a new HTTPS-only web server in the external DMZ, which will have to be reached at public IP 33.33.33.166. A crude topology diagram and IP addressing table for the interfaces is this (interfaces are numbered, servers in DMZs are "m" and "w", please use monospaced font to view):

LAN ---1| PIX internal |3------4| PIX external |6---- Internet
                2                       5
                |                       |
                |                       |
                m                       w

1: 10.181.8.19 (same as current)
2: 10.181.46.1 (same as current)
3: 10.181.47.1
4: 10.181.47.2
5: 10.181.48.1
6: 33.33.33.165 (same as 3 as of now)
m server: 10.181.46.4 (same as current)
w server: 10.181.48.2

No intermediate switches or routers. Now, what configuration for the external PIX will allow for this to work with minimum hassle? What changes must be made to the internal PIX configuration? Both PIXes have software version 6.3. Obviously, the internal PIX must have as default gateway the external one, and the mailsweeper must be published so it is visible from the external PIX.

So my idea is this (I have appended (*) to the lines that are changed wrt the former config):

-- begin PIX internal --
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security90
hostname pixper1
domain-name foobar.com
names
name 10.181.46.4 mailsweeper
name 10.181.8.189 exchange
name 10.181.8.5 dnsserver
access-list OUTB permit tcp 10.181.8.0 255.255.248.0 any eq www
access-list OUTB permit tcp 10.181.8.0 255.255.248.0 any eq ftp
access-list OUTB permit tcp 10.181.8.0 255.255.248.0 any eq https
access-list OUTB permit tcp host dnsserver any eq domain
access-list OUTB permit udp host dnsserver any eq domain
access-list OUTB permit tcp host exchange host mailsweeper eq smtp
access-list INB permit tcp any host mailsweeper eq smtp (*)
access-list DMZ permit tcp host mailsweeper any eq smtp
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 10.181.47.1 255.255.255.0 (*)
ip address inside 10.181.8.19 255.255.248.0
ip address DMZ 10.181.46.1 255.255.255.0
global (outside) 10 interface
nat (inside) 10 10.181.0.0 255.255.0.0 0 0
nat (DMZ) 10 10.181.46.0 255.255.255.0 0 0
static (inside,DMZ) exchange exchange netmask 255.255.255.255 0 0
static (inside,DMZ) dnsserver dnsserver netmask 255.255.255.255 0 0
static (DMZ,outside) mailsweeper mailsweeper netmask 255.255.255.255 0 0 (*)
access-group INB in interface outside
access-group OUTB in interface inside
access-group DMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 10.181.47.2 1 (*)
route inside 10.181.0.0 255.255.0.0 10.181.8.1 1
-- end PIX internal --

As for the external PIX, my initial attempt is this:

-- begin PIX external --
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security90
hostname pixper2
domain-name foobar.com
names
name 10.181.48.2 webserver
name 10.181.46.4 mailsweeper
name 10.181.8.189 exchange
name 10.181.8.5 dnsserver
access-list OUTB permit ip 10.181.47.1 any
access-list INB permit tcp any host 33.33.33.166 eq https
access-list INB permit tcp any host 33.33.33.163 eq smtp
access-list DMZ permit tcp host webserver any eq https
access-list DMZ permit udp host webserver host dnsserver eq domain
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 33.33.33.165 255.255.255.240
ip address inside 10.181.47.2 255.255.255.0
ip address DMZ 10.181.48.1 255.255.255.0
global (outside) 10 interface
nat (inside) 10 10.181.0.0 255.255.0.0 0 0
nat (DMZ) 10 10.181.48.0 255.255.255.0 0 0
static (inside,DMZ) dnsserver dnsserver netmask 255.255.255.255 0 0
static (DMZ,outside) 33.33.33.166 webserver netmask 255.255.255.255 0 0
static (inside,outside) 33.33.33.163 mailsweeper netmask 255.255.255.0 0 0
access-group INB in interface outside
access-group OUTB in interface inside
access-group DMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 33.33.33.161 1
route inside 10.181.0.0 255.255.0.0 10.181.47.1 1
-- end PIX external --

So. Will this work? (I'm afraid not). I'm much more concerned about the incoming mail not being delivered than about security issues like traffic between both DMZs being allowed. These latter issues can be addressed by refining the ACLs, but it's the NAT interactions and the involved PIX grammar that make my head spin. How could I get the whole thing rolling? Thanks in advance.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
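A toy trace of the inbound SMTP and HTTPS paths through the two configs quoted above, added here as an example and not part of the thread: the hostnames, statics and INB entries are copied from the poster's configs, while the simplified PIX 6.x model (ACL matched on the global address, then the static picks the egress interface; netmasks and other ACLs ignored) is an assumption of this illustration.

```python
# Added illustration, not from the post: a toy trace of one inbound connection
# through the two chained PIXes, using the statics and INB access-lists the
# poster wrote (netmasks and the other ACLs are ignored). PIX 6.x is reduced to
# two steps per box: the inbound ACL is matched against the pre-NAT (global)
# destination, then the matching static rewrites it and picks the egress side.
# statics: (global address, real address, interface the real host sits on)
EXTERNAL = {                                   # pixper2, the new "external" PIX
    "name": "pixper2",
    "statics": [("33.33.33.166", "10.181.48.2", "DMZ"),
                ("33.33.33.163", "10.181.46.4", "inside")],
    "inb": [("tcp", "33.33.33.166", 443), ("tcp", "33.33.33.163", 25)],
}
INTERNAL_NEW = {                               # pixper1 with the (*) changes
    "name": "pixper1",
    "statics": [("10.181.46.4", "10.181.46.4", "DMZ")],
    "inb": [("tcp", "10.181.46.4", 25)],
}
INTERNAL_OLD = {                               # pixper1 as currently deployed
    "name": "pixper1",
    "statics": [("33.33.33.163", "10.181.46.4", "DMZ")],
    "inb": [("tcp", "33.33.33.163", 25)],
}

def hop(pix, proto, dst, port):
    """One PIX: INB check on the global address, then static translation."""
    if (proto, dst, port) not in pix["inb"]:
        return None, f"{pix['name']}: INB has no permit for {proto} {dst}/{port}"
    for glob, real, iface in pix["statics"]:
        if glob == dst:
            return (iface, real), None
    return None, f"{pix['name']}: no static publishes {dst}"

def trace(chain, proto, dst, port):
    """Walk the chain outside-in; return (hops taken, error or None)."""
    hops = []
    for pix in chain:
        step, err = hop(pix, proto, dst, port)
        if err:
            return hops, err
        iface, dst = step                      # dst is now the real address
        hops.append((pix["name"], iface, dst))
        if iface != "inside":                  # delivered into this PIX's DMZ
            break
    return hops, None

if __name__ == "__main__":
    print(trace([EXTERNAL, INTERNAL_NEW], "tcp", "33.33.33.163", 25))
    print(trace([EXTERNAL, INTERNAL_OLD], "tcp", "33.33.33.163", 25))
    print(trace([EXTERNAL, INTERNAL_NEW], "tcp", "33.33.33.166", 443))
```

The second trace shows why the (*) lines are needed: once the external PIX has rewritten 33.33.33.163 to the mailsweeper's real address, the unchanged internal config has neither a permit nor a static for 10.181.46.4 and the mail stops there.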
Current thread:
- Double firewall setup (long) Greymagick (Jan 25)
- Re: Double firewall setup (long) Victor Williams (Jan 26)
- RE: Double firewall setup (long) Greymagick (Jan 27)
- Re: Double firewall setup (long) Victor Williams (Jan 26)