Firewall Wizards mailing list archives
Re: PIX 515E config - DMZ host to inside host
From: Josh <lostman () liquidcode org>
Date: Fri, 02 Mar 2007 10:01:41 -0600
I'm pretty new to PIX myself, so forgive me if I'm wrong. I believe PIX version 6.X uses nat-control by default. This means you need some kind of address translation for inter-interface traffic. I do not see a NAT command for 10.134.1.2. Try this:

  static (internal,dmz) tcp 10.134.1.2 1352 10.133.24.2 1352 netmask 255.255.255.255 0 0

You may need to change the 10.133.24.2 address to one that isn't in use on the 10.133.24.0 network. This will create a static NAT between DMZ IP address 10.134.1.2 and internal IP address 10.133.24.2.

Or you can do:

  access-list permit_dmz_inside permit ip 10.134.1.2 255.255.255.255 10.133.24.3 255.255.255.255
  nat (inside) 0 access-list permit_dmz_inside

You already have the access-list to allow this:

  access-list acl_in6 permit ip host 10.134.1.2 host 10.133.24.3

This is an identity NAT; basically it performs no NAT at all. Yeah, PIX are kinda weird :)

Chris Mitchell wrote:
Greetings folks, PIX newbie here, not really a firewall guy but need to get some stuff done with it, and am pretty good at basic configs. I have a 515E with 3 interfaces (inside, outside, DMZ). I need to allow access from a host in the DMZ to an internal host.

  DMZ host - 10.134.1.2
  Internal host - 10.133.24.3

I've done a few things, but after a few days of spinning my wheels I thought I'd seek advice :) Some info omitted for security reasons.

  PIX Version 6.1(4)
  nameif ethernet0 outside security0
  nameif ethernet1 internal security50
  nameif ethernet2 dmz security30
  enable password xxx
  passwd xxx
  hostname xxx
  domain-name xxx
  fixup protocol ftp 21
  fixup protocol http 80
  fixup protocol h323 1720
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol sip 5060
  fixup protocol skinny 2000
  no fixup protocol domain 53
  fixup protocol rtsp 8554
  fixup protocol rtsp 7000
  fixup protocol rtsp 7001
  names
  access-list acl_in6 permit ip host 10.133.100.208 any
  access-list acl_in6 permit ip host 10.133.100.209 any
  access-list acl_in6 permit ip host 10.133.100.207 any
  access-list acl_in6 permit ip host 10.133.100.206 any
  access-list acl_in6 permit ip host 10.133.100.129 any
  access-list acl_in6 permit ip 10.133.100.0 255.255.255.0 host 10.134.1.1
  access-list acl_in6 permit ip 10.133.25.0 255.255.255.0 host 10.134.1.1
  access-list acl_in6 permit ip 10.133.24.0 255.255.255.0 host 10.134.1.1
  access-list acl_in6 permit ip host 10.133.100.205 any
  access-list acl_in6 permit ip 10.133.100.0 255.255.255.0 any
  access-list acl_in6 permit ip 10.133.24.0 255.255.255.0 host 10.134.1.2
  access-list acl_in6 permit ip host 10.134.1.2 host 10.133.24.3
  access-list acl_out3 permit tcp any host 203.xx.xxx.xxx eq smtp
  access-list acl_out3 permit tcp any host 203.xx.xxx.xxx eq www
  access-list acl_out3 permit tcp any host 203.xx.xxx.xxx eq 1352
  access-list acl_dmz3 permit tcp host 10.134.1.1 host 10.134.1.207 eq smtp
  access-list acl_dmz3 permit ip host 10.134.1.2 host 10.133.24.3
  access-list acl_dmz3 permit tcp host 10.134.1.2 host 10.133.24.3
  access-list acl_dmz3 permit udp host 10.134.1.2 host 10.133.24.3
  pager lines 24
  logging on
  logging timestamp
  logging buffered debugging
  logging trap warnings
  logging host internal 10.133.25.4
  logging host internal 10.133.25.3
  interface ethernet0 100full
  interface ethernet1 100full
  interface ethernet2 10full
  icmp deny any echo outside
  icmp permit 10.133.25.0 255.255.255.0 echo dmz
  icmp permit 10.134.1.0 255.255.255.0 echo dmz
  mtu outside 1500
  mtu internal 1500
  mtu dmz 1500
  ip address outside 203.xx.xxx.xxx 255.255.255.248
  ip address internal 10.133.100.210 255.255.255.0
  ip address dmz 10.134.1.129 255.255.255.0
  ip audit name infopolicy info action alarm
  ip audit name attackpolicy info action alarm drop
  ip audit interface outside infopolicy
  ip audit info action alarm
  ip audit attack action alarm
  arp timeout 14400
  global (outside) 1 interface
  global (dmz) 1 10.134.1.130 netmask 255.255.255.0
  nat (internal) 1 0.0.0.0 0.0.0.0 0 0
  nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
  static (dmz,outside) tcp interface www 10.134.1.1 www netmask 255.255.255.255 10 10
  static (internal,dmz) tcp 10.134.1.5 1352 10.133.25.5 1352 netmask 255.255.255.255 0 0
  static (internal,dmz) tcp 10.134.1.6 1352 10.133.25.6 1352 netmask 255.255.255.255 0 0
  static (dmz,outside) tcp interface 1352 10.134.1.1 1352 netmask 255.255.255.255 10 10
  static (internal,dmz) tcp 10.134.1.10 1352 10.133.24.10 1352 netmask 255.255.255.255 0 0
  static (internal,outside) tcp interface smtp 10.133.100.207 smtp netmask 255.255.255.255 0 0
  static (internal,dmz) tcp 10.134.1.207 smtp 10.133.100.207 smtp netmask 255.255.255.255 0 0
  static (internal,dmz) 10.133.24.0 10.134.1.0 netmask 255.255.255.0 0 0
  access-group acl_out3 in interface outside
  access-group acl_in6 in interface internal
  access-group acl_dmz3 in interface dmz
  route outside 0.0.0.0 0.0.0.0 203.xx.xxx.xxx 1
  route internal 10.133.0.0 255.255.0.0 10.133.100.129 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  http server enable
  http 10.133.100.0 255.255.255.0 internal
  http 10.133.25.0 255.255.255.0 internal
  floodguard enable
  no sysopt route dnat
  telnet timeout 30
  ssh 10.133.100.208 255.255.255.255 internal
  ssh 10.134.1.1 255.255.255.255 internal
  ssh 10.133.24.0 255.255.255.0 internal
  ssh 10.133.0.0 255.255.0.0 internal
  ssh 10.133.100.208 255.255.255.255 dmz
  ssh 10.133.100.0 255.255.255.0 dmz
  ssh 10.134.1.1 255.255.255.255 dmz
  ssh timeout 30
  terminal width 80
  Cryptochecksum:9c355bdae4a42aa97de9f3d2c77559a3

Regards,
Chris Mitchell

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
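The two mechanisms Josh describes (a static that presents an internal host at a DMZ-side address, and a nat 0 access-list identity NAT) can be modelled to show why, under nat-control, an interface ACL that already permits the traffic is not enough on its own. The Python below is an added example written for this archive page; it is not PIX code and is not from any poster. It parses a constructed config fragment that uses the interface names from Chris's config (internal, dmz) and the command shapes from Josh's reply; the addresses 10.134.1.24, 10.133.24.9, 10.134.2.0/24 and 10.133.25.0/24 are invented here, and the nat 0 access-list names the internal host as its source address, which is the perspective that command expects.

```python
"""Model of how a PIX 6.x running nat-control decides whether a packet arriving
on the lower-security dmz interface may reach a host on the higher-security
internal interface: the interface ACL must permit it AND a translation (a static
or a nat 0 exemption) must exist for the destination. Illustration written for
this page; it is not PIX code and not from the thread."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed config fragment. Interface names follow Chris's config; the port
# static and the nat 0 identity NAT follow the shape Josh suggests. The
# addresses 10.134.1.24, 10.133.24.9, 10.134.2.0/24 and 10.133.25.0/24 are
# invented for this example.
SAMPLE_CONFIG = """
access-list acl_dmz3 permit ip host 10.134.1.2 host 10.133.24.3
access-list acl_dmz3 permit tcp host 10.134.1.2 host 10.134.1.24 eq 1352
access-list acl_dmz3 permit ip host 10.134.1.2 10.134.2.0 255.255.255.0
access-list acl_dmz3 permit ip host 10.134.1.2 host 10.133.24.9
access-list nonat_internal permit ip host 10.133.24.3 host 10.134.1.2
static (internal,dmz) tcp 10.134.1.24 1352 10.133.24.3 1352 netmask 255.255.255.255 0 0
static (internal,dmz) 10.134.2.0 10.133.25.0 netmask 255.255.255.0 0 0
nat (internal) 0 access-list nonat_internal
access-group acl_dmz3 in interface dmz
"""


def _net(tok, i):
    """Parse 'any', 'host X' or 'X MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect the static, nat 0, access-list and access-group lines we model."""
    cfg = {"statics": [], "nat0": {}, "acls": {}, "groups": {}}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "static":
            # static (real_if,mapped_if) [proto] mapped [port] real [port] netmask MASK ...
            real_if, mapped_if = tok[1].strip("()").split(",")
            rest = tok[2:]
            proto = rest.pop(0) if rest[0] in ("tcp", "udp") else None
            if proto:
                mapped, mport, real, rport = rest[0], rest[1], rest[2], rest[3]
            else:
                mapped, real, mport, rport = rest[0], rest[1], None, None
            mask = rest[rest.index("netmask") + 1] if "netmask" in rest else "255.255.255.255"
            cfg["statics"].append({
                "real_if": real_if, "mapped_if": mapped_if, "proto": proto,
                "mapped": ipaddress.ip_network(f"{mapped}/{mask}", strict=False),
                "real": ipaddress.ip_address(real), "mport": mport, "rport": rport})
        elif tok[0] == "nat" and tok[2] == "0" and tok[3] == "access-list":
            cfg["nat0"][tok[1].strip("()")] = tok[4]
        elif tok[0] == "access-list":
            name, action, proto = tok[1], tok[2], tok[3]
            src, i = _net(tok, 4)
            dst, i = _net(tok, i)
            port = tok[i + 1] if i < len(tok) and tok[i] == "eq" else None
            cfg["acls"].setdefault(name, []).append((action, proto, src, dst, port))
        elif tok[0] == "access-group":
            cfg["groups"][tok[4]] = tok[1]
    return cfg


def acl_permits(cfg, ifname, src, dst, proto, dport):
    """First-match evaluation of the inbound ACL bound to ifname; implicit deny."""
    for action, aproto, snet, dnet, port in cfg["acls"].get(cfg["groups"].get(ifname), []):
        if src in snet and dst in dnet and aproto in ("ip", proto) and port in (None, dport):
            return action == "permit"
    return False


def translate(cfg, in_if, out_if, src, dst, proto, dport):
    """Return the real address on out_if that dst maps to, or None when neither a
    static nor a nat 0 exemption covers it (nat-control then drops the packet)."""
    for s in cfg["statics"]:
        if s["mapped_if"] == in_if and s["real_if"] == out_if and dst in s["mapped"] \
                and (s["proto"] is None or (s["proto"] == proto and s["mport"] == dport)):
            # A network static maps host-for-host; for a host static the offset is 0.
            offset = int(dst) - int(s["mapped"].network_address)
            return ipaddress.ip_address(int(s["real"]) + offset)
    # nat (out_if) 0 access-list: the listed real hosts keep their address, and the
    # exemption also lets the named peer on in_if connect to them.
    for action, _proto, snet, dnet, _port in cfg["acls"].get(cfg["nat0"].get(out_if), []):
        if action == "permit" and dst in snet and src in dnet:
            return dst
    return None


def dmz_to_inside(config_text, src, dst, proto="tcp", dport=None):
    """Decision for a packet arriving on dmz bound for internal: the real
    destination address, or a string naming the check that dropped it."""
    cfg = parse_config(config_text)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    dport = None if dport is None else str(dport)
    if not acl_permits(cfg, "dmz", src, dst, proto, dport):
        return "denied by interface ACL"
    real = translate(cfg, "dmz", "internal", src, dst, proto, dport)
    return str(real) if real else "no translation (nat-control drop)"


if __name__ == "__main__":
    for dst, port in (("10.133.24.3", 1352), ("10.134.1.24", 1352),
                      ("10.134.2.7", 80), ("10.133.24.9", 1352)):
        print(f"10.134.1.2 -> {dst}:{port}: "
              f"{dmz_to_inside(SAMPLE_CONFIG, '10.134.1.2', dst, 'tcp', port)}")
```

Run as-is it prints the four decisions. The 10.133.24.9 case is the situation Josh points at: acl_dmz3 permits the flow, yet with no static and no nat 0 entry covering that host the PIX has no translation and drops it. The 10.134.1.24 case shows that under a static the DMZ host must connect to the mapped address, and the 10.134.2.0/24 case shows the host-for-host mapping a netmask 255.255.255.0 static performs; only the identity NAT lets the DMZ host use the internal host's real address 10.133.24.3 directly.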
Current thread:
- PIX 515E config - DMZ host to inside host Chris Mitchell (Mar 01)
- Re: PIX 515E config - DMZ host to inside host Julian M. Dragut (Mar 02)
- Re: PIX 515E config - DMZ host to inside host kevin horvath (Mar 02)
- Re: PIX 515E config - DMZ host to inside host Josh (Mar 02)
- Re: PIX 515E config - DMZ host to inside host Security Guy (Mar 02)
- Re: PIX 515E config - DMZ host to inside host Paul Melson (Mar 02)
- <Possible follow-ups>
- Re: PIX 515E config - DMZ host to inside host John.Crissup (Mar 02)
- Re: PIX 515E config - DMZ host to inside host Chris Mitchell (Mar 02)