Firewall Wizards mailing list archives

RE: Extreme Problem with PIX Config


From: "Ben Nagy" <ben () iagu net>
Date: Fri, 13 May 2005 15:46:20 +0200

Hiya,

I've been fighting this problem for two weeks now. What follows is the
current config (edited to protect the innocent). If format is 
maintained, the trouble lines will be bolded. These trouble lines are: 

access-list nonat permit ip any any; 
nat (inside) 0 access-list nonat; 
access-group nonat in interface dmz.

You've turned off NAT for all traffic leaving the internal network.

nat (inside) 0 access-list nonat <-- don't NAT anything matching the nonat ACL
access-list nonat permit ip any any <-- This ACL matches everything

You also have a totally wacky line - yikes :/
 
access-group nonat in interface dmz <-- allow anything into the DMZ !

The reason things break when they're in place is because your internal
traffic is wandering out onto the internet with no NAT taking place -
addressed as 10.100.something. The Internet can't route to those addresses,
so you'll never get responses.

So! Remove all that stuff. Also, find the guy that added them and kick them
in the goolies for me.

Now.... The reason it breaks when you remove them is because your inside
traffic will always be natted according to global pool 1, because of this
line:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0 <-- nat anything leaving the internal network

That global pool is defined here:

global (outside) 1 ip.pub.nt.117-ip.pub.nt.119 netmask 255.255.255.224
global (outside) 1 ip.pub.nt.116 netmask 255.255.255.224

So the outbound will be natted with an external address and then dumped into
the DMZ. The return traffic from the DMZ will then be routed out of the
external interface (which is where external addresses live), and
communication will fail.

That all makes sense, right?

Finally, after enduring my tutoring, you want to know how to fix it, I
guess. ;P

Try this:

static (inside,dmz) 10.100.0.0 10.100.0.0 netmask 255.255.248.0

Now it's about five years since I touched a PIX in anger, but that _should_
create a mapping for the traffic from the inside network to the DMZ. The
return traffic will be taken care of by routing and stateful inspection. No
traffic will be permitted from the DMZ to the Internal network because
Internal is a higher security rating. If that's not what you want, you might
need extra statics to allow DMZ->Internal for some traffic.

Note that it ONLY allows traffic from 10.100.[0-7].x - those are the only
WAN networks you have routed, so I hope those are the only ones you have...

Hopefully this clears things up for you. Even if I've forgotten how to
configure a PIX and the last step doesn't work, it should at least explain
why it's broken.

Cheers!

ben



-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Brian Loe
[...]
The problem is that with these lines in place I can get to the DMZ machines
from machines/networks on the inside interface but those machines lose
access to the Internet on the outside interface. With these lines removed
the machines on the inside interface have Internet access but no access to
the machines in the DMZ. I need both. I'm pretty sure that the access list
is too broad as it is but I'm not sure how to open it up - if I specify
networks on the inside interface I have no access anywhere.
[...]
: Saved
: Written by enable_15 at 11:19:34.327 UTC Mon May 9 2005
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
nameif ethernet3 intf3 security6
enable password <> encrypted
passwd <> encrypted
hostname pix
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.100.1.82 FaxerM2
name 10.100.1.81 FaxerM1
name 10.100.1.86 FaxerM6
name 10.100.1.84 FaxerM4
name 10.100.1.83 FaxerM3
name 192.168.1.12 Faxer_Gateway
name 192.168.1.39 mail
name 192.168.1.101 ftp
name 192.168.1.104 clkdmz1
name 192.168.1.108 PUBWEB
name 192.168.1.115 KCIT07
object-group network Remote_Site 
  description Selling Source range.
  network-object ip.pb.net.33 255.255.255.255 
  network-object ip.pb.net.34 255.255.255.255 
  network-object ip.pb.net.35 255.255.255.255 
  network-object ip.pb.net.36 255.255.255.255 
  network-object ip.pb.net.37 255.255.255.255 
  network-object ip.pb.net.38 255.255.255.255 
  network-object ip.pb.net.39 255.255.255.255 
  network-object ip.pb.net.40 255.255.255.255 
  network-object ip.pb.net.41 255.255.255.255 
  network-object ip.pb.net.42 255.255.255.255 
  network-object ip.pb.net.43 255.255.255.255 
  network-object ip.pb.net.44 255.255.255.255 
  network-object ip.pb.net.45 255.255.255.255 
  network-object ip.pb.net.46 255.255.255.255 
  network-object ip.pb.net.47 255.255.255.255 
  network-object ip.pb.net.48 255.255.255.255 
  network-object ip.pb.net.49 255.255.255.255 
  network-object ip.pb.net.50 255.255.255.255 
  network-object ip.pb.net.51 255.255.255.255 
  network-object ip.pb.net.52 255.255.255.255 
  network-object ip.pb.net.53 255.255.255.255 
  network-object ip.pb.net.54 255.255.255.255 
  network-object ip.pb.net.55 255.255.255.255 
  network-object ip.pb.net.56 255.255.255.255 
  network-object ip.pb.net.57 255.255.255.255 
  network-object ip.pb.net.58 255.255.255.255 
  network-object ip.pb.net.59 255.255.255.255 
  network-object ip.pb.net.60 255.255.255.255 
  network-object ip.pb.net.61 255.255.255.255 
  network-object ip.pb.net.62 255.255.255.255 
  network-object ip.pb.net.63 255.255.255.255 
object-group network IBM 
  description IBM range.
  network-object net.pub.ip.197 255.255.255.255 
  network-object net.pub.ip.198 255.255.255.255 
  network-object net.pub.ip.199 255.255.255.255 
  network-object net.pub.ip.200 255.255.255.255 
  network-object net.pub.ip.201 255.255.255.255 
object-group network Internal_Net 
  description All internal networks.
  network-object 10.100.0.0 255.255.254.0 
  network-object 191.168.2.0 255.255.254.0 
  network-object 10.100.4.0 255.255.254.0 
  network-object 10.100.6.0 255.255.254.0 
  network-object 10.101.0.0 255.255.254.0 
  network-object 10.101.2.0 255.255.254.0 
object-group network Faxer_Group 
  network-object FaxerM1 255.255.255.255 
  network-object FaxerM2 255.255.255.255 
  network-object FaxerM3 255.255.255.255 
  network-object FaxerM4 255.255.255.255 
  network-object FaxerM6 255.255.255.255 
object-group service WEB_PORTS tcp 
  port-object eq www 
  port-object eq https 
  port-object eq echo 
object-group service FTP_PORTS tcp 
  port-object eq ftp 
  port-object eq ftp-data 
  port-object eq echo 
object-group service PubX tcp 
  group-object FTP_PORTS 
  group-object WEB_PORTS 
  port-object eq 1935 
object-group service Tranlink_TCP tcp 
  group-object WEB_PORTS 
  port-object range 3306 3307 
  port-object eq ssh 
object-group service KCIT07 tcp 
  port-object range 1433 19628 
object-group service DB2_TCP tcp 
  port-object eq 523 
  port-object eq ssh 
  port-object range 50000 50100 
  port-object eq 1415 
object-group service Mail_Ports tcp 
  group-object WEB_PORTS 
  port-object range 1000 1028 
  port-object eq 2000 
  port-object eq 3000 
  port-object eq pop3 
  port-object eq smtp 
object-group service KCIT01 tcp 
  port-object eq pptp 
object-group service EQA_TCP tcp 
  port-object eq 3389 
object-group service Tranlink_UDP udp 
  port-object eq 22 
object-group service DB2_UDP udp 
  port-object range 50000 50100 
object-group service EQA_UDP udp 
  port-object eq 3389 
access-list compiled
access-list acl_inbound permit tcp any host ip.pub.nt.114 object-group PubX
access-list acl_inbound permit tcp any host ip.pub.nt.108 object-group PubX
access-list acl_inbound permit tcp any host ip.pub.nt.111 object-group WEB_PORTS
access-list acl_inbound permit tcp any host ip.pub.nt.107 object-group Tranlink_TCP
access-list acl_inbound permit udp any host ip.pub.nt.107 object-group Tranlink_UDP
access-list acl_inbound permit tcp any host ip.pub.nt.115 object-group KCIT07
access-list acl_inbound permit tcp any host ip.pub.nt.106 object-group DB2_TCP
access-list acl_inbound permit udp any host ip.pub.nt.106 object-group DB2_UDP
access-list acl_inbound permit tcp any host ip.pub.nt.100 object-group KCIT01
access-list acl_inbound permit tcp any host ip.pub.nt.102 object-group FTP_PORTS
access-list acl_inbound permit icmp any host ip.pub.nt.102
access-list acl_inbound permit tcp any host ip.pub.nt.104 eq domain
access-list acl_inbound permit udp any host ip.pub.nt.104 eq domain
access-list acl_inbound permit tcp any host ip.pub.nt.99 object-group Mail_Ports
access-list acl_inbound permit tcp any host ip.pub.nt.101 object-group WEB_PORTS
access-list nonat permit ip any any 
pager lines 24
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu intf3 1500
ip address outside ip.pub.nt.126 255.255.255.224
ip address inside 10.100.0.3 255.255.254.0
ip address DMZ 192.168.1.1 255.255.255.0
ip address intf3 10.255.255.253 255.255.255.252
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ
no failover ip address intf3
pdm location 10.100.1.10 255.255.255.255 inside
pdm location 10.100.1.20 255.255.255.255 inside
pdm location 10.100.1.49 255.255.255.255 inside
pdm location 10.100.1.57 255.255.255.255 inside
pdm location 10.100.1.190 255.255.255.255 inside
pdm location 10.100.2.0 255.255.254.0 inside
pdm location 10.100.4.100 255.255.255.255 inside
pdm location 10.100.4.0 255.255.254.0 inside
pdm location 10.100.6.0 255.255.254.0 inside
pdm location mail 255.255.255.255 DMZ
pdm location 192.168.1.102 255.255.255.255 DMZ
pdm location clkdmz1 255.255.255.255 DMZ
pdm location PUBWEB 255.255.255.255 DMZ
pdm location 192.168.1.114 255.255.255.255 DMZ
pdm location KCIT07 255.255.255.255 DMZ
pdm history enable
arp timeout 14400
global (outside) 1 ip.pub.nt.117-ip.pub.nt.119 netmask 255.255.255.224
global (outside) 1 ip.pub.nt.116 netmask 255.255.255.224
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) ip.pub.nt.111 10.100.1.57 netmask 255.255.255.255 0 0
static (DMZ,outside) ip.pub.nt.114 192.168.1.114 netmask 255.255.255.255 0 0
static (DMZ,outside) ip.pub.nt.108 PUBWEB netmask 255.255.255.255 0 0
static (inside,outside) ip.pub.nt.107 10.100.1.190 netmask 255.255.255.255 0 0
static (DMZ,outside) ip.pub.nt.115 KCIT07 netmask 255.255.255.255 0 0
static (inside,outside) ip.pub.nt.106 10.100.1.49 netmask 255.255.255.255 0 0
static (inside,outside) ip.pub.nt.100 10.100.4.100 netmask 255.255.255.255 0 0
static (DMZ,outside) ip.pub.nt.102 192.168.1.102 netmask 255.255.255.255 0 0
static (DMZ,outside) ip.pub.nt.104 clkdmz1 netmask 255.255.255.255 0 0
static (DMZ,outside) ip.pub.nt.99 mail netmask 255.255.255.255 0 0
static (inside,outside) ip.pub.nt.101 10.100.1.20 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
access-group nonat in interface DMZ
route outside 0.0.0.0 0.0.0.0 ip.pub.nt.97 1
route inside 10.100.2.0 255.255.254.0 10.100.0.1 1
route inside 10.100.4.0 255.255.254.0 10.100.0.1 1
route inside 10.100.6.0 255.255.254.0 10.100.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 1:00:00 mgcp 1:00:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server RADIUS (inside) host 10.100.1.10 sec.ret timeout 5
aaa-server LOCAL protocol local 
aaa authentication http console RADIUS
aaa authentication serial console RADIUS
aaa authentication ssh console RADIUS
aaa authentication telnet console RADIUS
http server enable
http 0.0.0.0 0.0.0.0 inside
snmp-server location Lowell
snmp-server contact Brian Loe
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.100.0.169 PIX_DATE
floodguard enable
telnet timeout 5
ssh 10.100.0.0 255.255.254.0 inside
ssh timeout 15
management-access inside
console timeout 15
terminal width 80
banner motd ******************************************
banner motd   *                                        *
banner motd   *             !!!WARNING !!!             *
banner motd   *   All attempts at unauthorized access  *
banner motd   *    will be aggressively pursued and    *
banner motd   *     prosecuted to the full extent      *
banner motd   *    of local and international law.     *
banner motd   *                                        *
banner motd   ******************************************
Cryptochecksum:907db442f83ad6e9daefb8f116d4c362
: end

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
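The repair Ben sketches above, written out as a PIX 6.3 config fragment with the "before" lines beside the "after" lines. This is an added example, not part of either message in the thread. The interface name DMZ, the host names mail and clkdmz1, the global pool and the 10.100.0.0/21 summary are taken from Brian's posted config; the acl_dmz list and the services it permits are assumptions chosen to illustrate the point and must be adjusted to whatever the DMZ hosts really need. Two caveats worth stating plainly: first, with the blanket nonat exemption removed and no translation for the DMZ side, PIX 6.3 drops inside-to-DMZ packets because "nat (inside) 1" has no matching "global (DMZ) 1" (the syslog to look for is %PIX-3-305005, "No translation group found"); second, once an identity static exists between inside and DMZ, anything an ACL on the DMZ interface permits can be initiated from an Internet-exposed DMZ host toward the inside network, which is why "access-group nonat in interface DMZ" with a permit-ip-any-any list must go at the same time.

```cisco
! --- Before: the three lines behind both symptoms ---
! A nat 0 exemption keyed on a permit-any-any ACL exempts ALL inside traffic
! from NAT, so inside hosts leave toward the Internet as 10.100.x.x and never
! see a reply.  Binding the same ACL inbound on the DMZ permits anything the
! DMZ sends, including traffic toward the inside network.
!
!   access-list nonat permit ip any any
!   nat (inside) 0 access-list nonat
!   access-group nonat in interface DMZ

! --- Step 1: remove them ---
no access-group nonat in interface DMZ
no nat (inside) 0 access-list nonat
no access-list nonat permit ip any any

! --- Step 2: give inside->DMZ a translation (pick ONE of A or B) ---
! A) identity static (Ben's suggestion): inside addresses appear unchanged on
!    the DMZ.  255.255.248.0 covers 10.100.0.0 - 10.100.7.255, which is what
!    the "route inside" lines actually reach.
static (inside,DMZ) 10.100.0.0 10.100.0.0 netmask 255.255.248.0 0 0
!
! B) scoped NAT exemption: exempt only inside->DMZ, so inside->outside still
!    matches nat/global 1 and leaves with a public address.
! access-list nonat permit ip 10.100.0.0 255.255.248.0 192.168.1.0 255.255.255.0
! nat (inside) 0 access-list nonat

! --- Step 3: the DMZ gets its own ACL (assumed list; adjust to need) ---
! Once an ACL is bound to an interface everything it does not permit is
! denied.  DMZ->inside is denied first so the identity static cannot be used
! from the DMZ side; return traffic for inside-initiated connections is
! matched by the state table, not by this list.
access-list acl_dmz deny ip any 10.100.0.0 255.255.248.0
access-list acl_dmz permit tcp host mail any eq smtp
access-list acl_dmz permit udp host clkdmz1 any eq domain
access-list acl_dmz permit tcp host clkdmz1 any eq domain
access-group acl_dmz in interface DMZ

! --- Step 4: flush stale translations and verify ---
clear xlate
! show xlate        -> inside hosts appear unchanged on DMZ and PATed to
!                      ip.pub.nt.116-119 on outside
! show static       -> confirms the (inside,DMZ) identity entry
! debug icmp trace  -> ping from an inside host to a DMZ host and to the
!                      Internet; both must answer before calling it fixed
```

Option A and option B are alternatives, not a pair: with both present the nat 0 exemption is consulted first and the static is never used for inside-to-DMZ traffic. Whichever is chosen, run clear xlate afterwards; PIX 6.3 keeps existing translations until they time out, so a test from a host that already has an xlate can appear to contradict the new configuration.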

