Firewall Wizards mailing list archives

Re: Fwd: Re: Firewall configuration with DMZ


From: rgolodner () infratection com
Date: Mon, 19 Mar 2007 05:52:59 +0000

Anthony, could you provide some more insight regarding what you want to have happen with this config. What is not
working? What do you think the problem might be?
Richard Golodner
-----Original Message-----
From: Anthony Mile [mailto:mileanthony () yahoo com]
Sent: Monday, March 12, 2007 04:32 AM
To: firewall-wizards () listserv cybertrust com
Subject: [fw-wiz] Fwd: Re: Firewall configuration with DMZ

Hi guys!! Help me in this....
I have used this configuration below in my implementation but in vain. Can you tell me where I am wrong or which way to
go!!!!!


I have a scenario like this:
I have an internet link going to a router,
the router connects to a PIX 515E,
the PIX has a DMZ interface which connects the mail server and the file and application server running SQL.
The ethernet interface 1 connects to a LAN. The LAN has an ISA server as the proxy where all authentication is made.
1. ethernet0 = outside, connects to WAN router. ip=a.b.c.146 255.255.255.248
2. ethernet1 = inside, LAN. ip=4.16.10.2 255.255.255.0
3. DMZ = connects mail server and also application/file server. ip=4.16.11.254 255.255.255.0
mail server = public ip=a.b.c.148; private ip=4.16.10.43
appl./file server = a.b.c.149; private ip=4.16.11.42
proxy server = a.b.c.147; private ip=4.16.10.254

Router:
inside ip=a.b.c.145; 
Help me with this configuration for this Pix. 

Kind regards,
Anthony
Here are the configs I have already done:
PIX# show run
: Saved
:
PIX Version 7.2(1)
!
names
!
interface Ethernet0
 description Connection to WAN Router
 nameif Outside
 security-level 0
 ip address a.b.c.146 255.255.255.248
!
interface Ethernet1
 description Connection to Server
 nameif inside
 security-level 100
 ip address 4.16.10.254 255.255.255.0
!
interface Ethernet2
 description connection to mail, application and file server
 nameif DMZ
 security-level 50
 ip address 4.16.11.254 255.255.255.0
!
access-list Outside_mpc extended permit ip any interface inside
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq www
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq ftp
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq ftp-data
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq https
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq imap4
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq lotusnotes
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq pop3
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq smtp
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq www
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq ftp
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq ftp-data
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq https
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq imap4
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq sqlnet
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq ssh
access-list Outside_access_in extended permit tcp 4.16.10.0 255.255.255.0 any eq smtp
access-list Outside_access_in extended permit udp any host a.b.c.148 eq domain
access-list Outside_access_in extended permit udp any host a.b.c.148 eq isakmp
access-list Outside_access_in extended permit tcp any host a.b.c.148
access-list Outside_access_in extended permit udp any host a.b.c.149 eq domain
access-list Outside_access_in extended permit tcp 4.16.10.0 255.255.255.0 any 
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu DMZ 1500
icmp permit any unreachable inside
icmp permit any time-exceeded inside
icmp permit any inside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (Outside) 2 4.16.10.0-4.16.10.255 netmask 255.255.255.0
global (Outside) 1 interface
global (DMZ) 1 4.16.11.0-4.16.11.254 netmask 255.255.255.248
nat (inside) 1 4.16.10.0 255.255.255.0
static (DMZ,Outside) a.b.c.148 4.16.11.252 netmask 255.255.255.255
static (DMZ,Outside) a.b.c.149 4.16.11.251 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 a.b.c.145 1
route DMZ a.b.c.148 255.255.255.255 4.16.11.253 2
route DMZ 4.16.10.151 255.255.255.255 4.16.11.253 2
route DMZ 4.16.10.252 255.255.255.255 4.16.11.253 2
route DMZ a.b.c.149 255.255.255.255 4.16.11.253 2
!
class-map Outside-class
 match access-list Outside_mpc
class-map class_http
 match port tcp eq ftp
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
 inspect ftp
 inspect http
 inspect esmtp
 class class_http
 inspect http
policy-map Accessserver
 class Outside-class
 inspect http
!
service-policy global_policy global
service-policy Accessserver interface Outside
: end
PIX# 
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
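As an added example (not the poster's or Cisco's code), a small Python consistency check over PIX 7.x running-config text, run against a constructed excerpt of the config posted above. It flags three things a reviewer would raise on it: a port-less permit to a host that shadows the port-specific entries for that host, an inside-network source in an ACL applied inbound on Outside, and host routes sent out the DMZ interface to addresses that belong to another interface's subnet. 203.0.113.x stands in for the anonymised a.b.c.x block.

```python
# Added example (not the poster's or Cisco's code): consistency checks over PIX 7.x 'show run' text.
# CONFIG is a constructed excerpt of the posted config; 203.0.113.x stands in for the anonymised a.b.c.x block.
import ipaddress

CONFIG = """
 nameif Outside
 ip address 203.0.113.146 255.255.255.248
 nameif inside
 ip address 4.16.10.254 255.255.255.0
 nameif DMZ
 ip address 4.16.11.254 255.255.255.0
access-list Outside_access_in extended permit tcp any host 203.0.113.148 eq www
access-list Outside_access_in extended permit tcp any host 203.0.113.148
access-list Outside_access_in extended permit tcp 4.16.10.0 255.255.255.0 any
access-group Outside_access_in in interface Outside
route DMZ 203.0.113.148 255.255.255.255 4.16.11.253 2
route DMZ 4.16.10.151 255.255.255.255 4.16.11.253 2
"""

def _net(tok, i):
    """Address spec at tok[i]: 'any' | 'host A' | 'A MASK'; returns (network, index after the spec)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def audit(config=CONFIG):
    ifaces, acl, routes, applied, name = {}, [], [], {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["nameif"]:
            name = tok[1]
        elif tok[:2] == ["ip", "address"]:
            ifaces[name] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[:1] == ["access-list"] and tok[3] == "permit":
            src, i = _net(tok, 5)
            dst, i = _net(tok, i)
            acl.append((tok[1], tok[4], src, dst, tok[i + 1] if tok[i:i + 1] == ["eq"] else None))
        elif tok[:1] == ["access-group"]:
            applied[tok[1]] = tok[4]
        elif tok[:1] == ["route"]:
            routes.append((tok[1], _net(tok, 2)[0]))
    # 1. A port-less 'permit tcp any host X' makes every port-specific entry for X dead weight.
    broad = {d for _, p, _, d, port in acl if p == "tcp" and port is None and d.prefixlen == 32}
    out = [f"shadowed: {d} eq {port}" for _, _, _, d, port in acl if d in broad and port]
    out += [f"internal source on Outside ACL: {s}" for n, _, s, _, _ in acl if applied.get(n) == "Outside"
            and any(s.subnet_of(v) for k, v in ifaces.items() if k != "Outside")]  # 2. anti-spoofing
    out += [f"route via {i} to {d} which belongs to {k}" for i, d in routes  # 3. host route out the wrong interface
            for k, v in ifaces.items() if k != i and d.prefixlen == 32 and d.subnet_of(v)]
    return out
```

Each finding names the offending line's addresses so it can be matched back against the running-config by eye.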
