Firewall Wizards mailing list archives

Re: PIX 515E config - DMZ host to inside host


From: "kevin horvath" <kevin.horvath () gmail com>
Date: Thu, 1 Mar 2007 15:43:06 -0500

You need a translation and an ACL entry permitting it.  You can either do a
nat0 (bypass NAT) or a static.  Looking at your config you are doing mainly
PAT and statics.  I would recommend doing nat0 internally between your
private IP space.

Looking at your config, it really needs to be reworked.  First start by
redoing your translations.  You have port redirection, PAT, static NATs, etc.
without any real IP schema (i.e. reserved blocks for static NATing).  Secondly
your ACLs need a lot of work: you have duplicate entries (such as in
the DMZ) and no real egress filtering (among other things).  These are just
a few things, but I digress.

But if you would like a quick fix using your current schema, then:

static (internal,dmz) 10.134.x.x 10.133.24.3 netmask 255.255.255.255 0 0
(replace x's to what you want it to xlate to)

access-list acl_dmz3 permit ip host 10.134.1.2 host 10.134.x.x

Kevin


On 2/27/07, Chris Mitchell <sw () dorksville net> wrote:

Greetings folks,

PIX newbie here, not really a firewall guy but I need to get some stuff done
with it, and am pretty good at basic configs. I have a 515E with 3
interfaces (inside, outside, DMZ). I need to allow access from a host in
the DMZ to an internal host.

DMZ host - 10.134.1.2
Internal host - 10.133.24.3

I've done a few things, but after a few days of spinning my wheels I
thought I'd seek advice :)

Some info omitted for security reasons.

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 internal security50
nameif ethernet2 dmz security30
enable password xxx
passwd xxx
hostname xxx
domain-name xxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol domain 53
fixup protocol rtsp 8554
fixup protocol rtsp 7000
fixup protocol rtsp 7001
names
access-list acl_in6 permit ip host 10.133.100.208 any
access-list acl_in6 permit ip host 10.133.100.209 any
access-list acl_in6 permit ip host 10.133.100.207 any
access-list acl_in6 permit ip host 10.133.100.206 any
access-list acl_in6 permit ip host 10.133.100.129 any
access-list acl_in6 permit ip 10.133.100.0 255.255.255.0 host 10.134.1.1
access-list acl_in6 permit ip 10.133.25.0 255.255.255.0 host 10.134.1.1
access-list acl_in6 permit ip 10.133.24.0 255.255.255.0 host 10.134.1.1
access-list acl_in6 permit ip host 10.133.100.205 any
access-list acl_in6 permit ip 10.133.100.0 255.255.255.0 any
access-list acl_in6 permit ip 10.133.24.0 255.255.255.0 host 10.134.1.2
access-list acl_in6 permit ip host 10.134.1.2 host 10.133.24.3
access-list acl_out3 permit tcp any host 203.xx.xxx.xxx eq smtp
access-list acl_out3 permit tcp any host 203.xx.xxx.xxx eq www
access-list acl_out3 permit tcp any host 203.xx.xxx.xxx eq 1352
access-list acl_dmz3 permit tcp host 10.134.1.1 host 10.134.1.207 eq smtp
access-list acl_dmz3 permit ip host 10.134.1.2 host 10.133.24.3
access-list acl_dmz3 permit tcp host 10.134.1.2 host 10.133.24.3
access-list acl_dmz3 permit udp host 10.134.1.2 host 10.133.24.3
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap warnings
logging host internal 10.133.25.4
logging host internal 10.133.25.3
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 10full
icmp deny any echo outside
icmp permit 10.133.25.0 255.255.255.0 echo dmz
icmp permit 10.134.1.0 255.255.255.0 echo dmz
mtu outside 1500
mtu internal 1500
mtu dmz 1500
ip address outside 203.xx.xxx.xxx 255.255.255.248
ip address internal 10.133.100.210 255.255.255.0
ip address dmz 10.134.1.129 255.255.255.0
ip audit name infopolicy info action alarm
ip audit name attackpolicy info action alarm drop
ip audit interface outside infopolicy
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 10.134.1.130 netmask 255.255.255.0
nat (internal) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) tcp interface www 10.134.1.1 www netmask 255.255.255.255 10 10
static (internal,dmz) tcp 10.134.1.5 1352 10.133.25.5 1352 netmask 255.255.255.255 0 0
static (internal,dmz) tcp 10.134.1.6 1352 10.133.25.6 1352 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 1352 10.134.1.1 1352 netmask 255.255.255.255 10 10
static (internal,dmz) tcp 10.134.1.10 1352 10.133.24.10 1352 netmask 255.255.255.255 0 0
static (internal,outside) tcp interface smtp 10.133.100.207 smtp netmask 255.255.255.255 0 0
static (internal,dmz) tcp 10.134.1.207 smtp 10.133.100.207 smtp netmask 255.255.255.255 0 0
static (internal,dmz) 10.133.24.0 10.134.1.0 netmask 255.255.255.0 0 0
access-group acl_out3 in interface outside
access-group acl_in6 in interface internal
access-group acl_dmz3 in interface dmz
route outside 0.0.0.0 0.0.0.0 203.xx.xxx.xxx 1
route internal 10.133.0.0 255.255.0.0 10.133.100.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.133.100.0 255.255.255.0 internal
http 10.133.25.0 255.255.255.0 internal
floodguard enable
no sysopt route dnat
telnet timeout 30
ssh 10.133.100.208 255.255.255.255 internal
ssh 10.134.1.1 255.255.255.255 internal
ssh 10.133.24.0 255.255.255.0 internal
ssh 10.133.0.0 255.255.0.0 internal
ssh 10.133.100.208 255.255.255.255 dmz
ssh 10.133.100.0 255.255.255.0 dmz
ssh 10.134.1.1 255.255.255.255 dmz
ssh timeout 30
terminal width 80
Cryptochecksum:9c355bdae4a42aa97de9f3d2c77559a3

Regards,

Chris Mitchell
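As an added example (not part of the thread, and not anything either poster wrote), the following Python checker applies the two points in the reply mechanically to the DMZ-side lines of the posted PIX 6.1 config: it resolves each destination in the ACL bound to the dmz interface through the static table to find which inside address the packet would actually reach (a low-to-high flow on a PIX 6.x needs an xlate, and the ACL must name the mapped address), and it flags ACL entries that an earlier, broader entry already covers, since the PIX evaluates an ACL first-match. The static and access-list lines are copied from the post; the mapped address 10.134.1.99 in the proposed-fix section is a constructed placeholder standing in for the 10.134.x.x in the reply, and the static syntax assumed is the PIX 6.x form `static (real_if,mapped_if) mapped_ip real_ip netmask mask`.

```python
"""Resolve PIX 6.x DMZ ACL destinations through the static table and flag shadowed entries.

Added example; not code from the mailing-list thread. POSTED_CONFIG holds the
(internal,dmz) statics and the acl_dmz3 entries copied from the post.
"""
import ipaddress

POSTED_CONFIG = """
access-list acl_dmz3 permit tcp host 10.134.1.1 host 10.134.1.207 eq smtp
access-list acl_dmz3 permit ip host 10.134.1.2 host 10.133.24.3
access-list acl_dmz3 permit tcp host 10.134.1.2 host 10.133.24.3
access-list acl_dmz3 permit udp host 10.134.1.2 host 10.133.24.3
static (internal,dmz) tcp 10.134.1.5 1352 10.133.25.5 1352 netmask 255.255.255.255 0 0
static (internal,dmz) tcp 10.134.1.6 1352 10.133.25.6 1352 netmask 255.255.255.255 0 0
static (internal,dmz) tcp 10.134.1.10 1352 10.133.24.10 1352 netmask 255.255.255.255 0 0
static (internal,dmz) tcp 10.134.1.207 smtp 10.133.100.207 smtp netmask 255.255.255.255 0 0
static (internal,dmz) 10.133.24.0 10.134.1.0 netmask 255.255.255.0 0 0
"""

# The reply's quick fix, with 10.134.1.99 as a constructed placeholder for "10.134.x.x".
PROPOSED_FIX = POSTED_CONFIG + """
static (internal,dmz) 10.134.1.99 10.133.24.3 netmask 255.255.255.255 0 0
access-list acl_dmz3 permit ip host 10.134.1.2 host 10.134.1.99
"""


def _addr(tokens):
    """Consume one ACL address spec (any | host X | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_config(text):
    """Return ({acl_name: [entry, ...]}, [static, ...]) from 'access-list' and 'static' lines."""
    acls, statics = {}, []
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "permit":
            src, rest = _addr(t[4:])
            dst, rest = _addr(rest)
            port = rest[1] if rest[:1] == ["eq"] else None
            acls.setdefault(t[1], []).append(
                {"proto": t[3], "src": src, "dst": dst, "port": port, "line": line})
        elif t[0] == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            body = t[2:]
            if "interface" in body:  # outside-facing statics using the interface address: not relevant here
                continue
            if body[0] in ("tcp", "udp"):  # port static: proto mapped mport real rport netmask mask
                proto, mapped, real, mask = body[0], body[1], body[3], body[6]
            else:                          # plain static: mapped real netmask mask
                proto, mapped, real, mask = None, body[0], body[1], body[3]
            statics.append({"real_if": real_if, "mapped_if": mapped_if, "proto": proto,
                            "mapped": ipaddress.ip_network(f"{mapped}/{mask}", strict=False),
                            "real": ipaddress.ip_network(f"{real}/{mask}", strict=False)})
    return acls, statics


def resolve_mapped(statics, mapped_if, real_if, addr):
    """Inside (real) address that `addr`, as seen on mapped_if, translates to; None if no static covers it.

    Matching is by address only (longest mask wins); a port static's protocol/port is not checked.
    """
    addr = ipaddress.ip_address(addr)
    best = None
    for s in statics:
        if (s["mapped_if"], s["real_if"]) != (mapped_if, real_if) or addr not in s["mapped"]:
            continue
        if best is None or s["mapped"].prefixlen > best["mapped"].prefixlen:
            best = s
    if best is None:
        return None
    offset = int(addr) - int(best["mapped"].network_address)
    return str(ipaddress.ip_address(int(best["real"].network_address) + offset))


def shadowed_entries(entries):
    """(index, covering_index) for entries an earlier entry already fully permits (first match wins)."""
    out = []
    for i, e in enumerate(entries):
        for j in range(i):
            p = entries[j]
            if (p["proto"] in ("ip", e["proto"])
                    and e["src"].subnet_of(p["src"]) and e["dst"].subnet_of(p["dst"])
                    and p["port"] in (None, e["port"])):
                out.append((i, j))
                break
    return out


def audit_dmz_acl(text, acl_name, mapped_if="dmz", real_if="internal"):
    """[(acl_destination, inside_address_reached_or_None), ...] for host destinations in the ACL."""
    acls, statics = parse_config(text)
    report = []
    for e in acls[acl_name]:
        if e["dst"].prefixlen != 32:
            continue
        dst = str(e["dst"].network_address)
        report.append((dst, resolve_mapped(statics, mapped_if, real_if, dst)))
    return report


if __name__ == "__main__":
    acls, _ = parse_config(POSTED_CONFIG)
    for i, j in shadowed_entries(acls["acl_dmz3"]):
        print(f"entry {i} never matches (covered by entry {j}): {acls['acl_dmz3'][i]['line']}")
    for dst, real in audit_dmz_acl(POSTED_CONFIG, "acl_dmz3"):
        print(f"posted config: dmz ACL destination {dst} -> inside {real}")
    for dst, real in audit_dmz_acl(PROPOSED_FIX, "acl_dmz3"):
        print(f"with the reply's fix: dmz ACL destination {dst} -> inside {real}")
```

Run as written, the audit reports the tcp and udp entries for 10.134.1.2 to 10.133.24.3 as never matching because the ip entry above them already covers that pair, and it resolves the destination 10.133.24.3 through the posted /24 static (mapped 10.133.24.0, real 10.134.1.0) to inside address 10.134.1.3 rather than to 10.133.24.3; with the reply's host static and matching ACL entry added, the new mapped address resolves to 10.133.24.3.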


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
