  • PIX 515e DMZ

    Hi, all. I just took a class on PIX and we never really got them to work. I'd like some help finding out where we went wrong. Here's the scenario.

    Alright, you all know a 515e has an interface for the inside, outside, and DMZ, right? Well, the outside interface is connected to the campus network and is issued an address via DHCP. We connected a web server to the DMZ interface and configured the address as you'll see in my config file. We also connected a client to the inside interface. Ideally what we wanted to do was ensure connectivity between all nodes on each interface by pinging each other. To be specific, any device on the campus network should be able to ping the web server on the DMZ and the client connected to the inside interface; the web server on the DMZ interface should be able to ping a node connected to the campus network on the outside interface, as well as the client on the inside interface; and the client on the inside interface should be able to ping the web server on the DMZ and any device connected to the campus network on the outside interface.

    Once we were certain connectivity existed, we would then apply our access lists to restrict types of traffic to the DMZ but nowhere else, and certain traffic only to the inside interface. However, we never achieved connectivity between all nodes, so we couldn't even get that far. Please check my config and my remarks and tell me if you see what I did wrong:

    nameif eth0 outside security0 //names interface eth0 "outside" and assigns a security level of 0
    nameif eth1 inside security100 //names interface eth1 "inside" and assigns a security level of 100
    nameif eth2 dmz security50 //names interface eth2 "dmz" and assigns a security level of 50

    ip address outside 64.0.0.1 255.0.0.0 //assigns IP address and subnet mask of interface
    ip address inside 172.16.0.1 255.255.0.0 //assigns IP address and subnet mask of interface
    ip address dmz 192.168.10.1 255.255.255.0 //assigns IP address and subnet mask of interface

    interface ethernet0 auto //sets Ethernet speed automatically
    interface ethernet1 auto //sets Ethernet speed automatically
    interface ethernet2 auto //sets Ethernet speed automatically

    nat (inside) 1 172.16.0.0 255.255.0.0 //dynamically translate set 1 of global IP addresses to internal set of IP addresses on the 172.16.0.0 network
    nat (dmz) 2 192.168.10.0 255.255.255.0 //dynamically translate set 2 of global IP addresses to internal set of IP addresses on the 192.168.10.0 network

    global (outside) 1 64.0.0.20-64.0.0.50 //define global address pool 1 to be used with nat translation
    global (dmz) 2 192.168.10.20-192.168.10.50 //define global address pool 2 to be used with nat translation

    static (dmz,outside) 64.0.0.5 192.168.10.5 netmask 255.255.255.255 //defines a static route translating all traffic coming to 64.0.0.5 to be translated to 192.168.10.5

    access-list outside permit tcp any host 64.0.0.5 eq www //access list ID "outside" permitting all tcp traffic to a host with the address 64.0.0.5 that is www traffic
    access-list inside permit tcp any any eq www //same as before but for "inside" ID and all www traffic to any node
    access-list dmz permit tcp any any eq www //same as before but for "dmz" ID and all www traffic to any node
    access-list dmz permit 22 172.16.0.0 255.255.0.0 host 192.168.10.5 //permitting ports 22, 21, and 20 to access the dmz
    access-list dmz permit 21 172.16.0.0 255.255.0.0 host 192.168.10.5
    access-list dmz permit 20 172.16.0.0 255.255.0.0 host 192.168.10.5

    access-group outside in interface outside //assigns the interface to the group that is using the "outside" access list
    access-group inside in interface inside //assigns the interface to the group that is using the "inside" access list
    access-group dmz in interface dmz //assigns the interface to the group that is using the "dmz" access list

    route outside 0.0.0.0 0.0.0.0 64.0.0.1 1 //tells the outside interface to forward all traffic from any internal interface to address 64.0.0.1 with a metric of 1
    route inside 172.16.0.0 255.255.0.0 172.16.0.1 1 //tells the inside interface to forward all traffic from 172.16.0.0 to 172.16.0.1 with a metric of 1

  • #2
    Re: PIX 515e DMZ

    Since there are NAT relations between subnets, there is no way to directly ping all internal and DMZ hosts from the outside and all internal hosts from the DMZ.
    One-to-one address translation rules are needed, mapping a local IP address to a global IP address.
    You also need an access list that permits the ICMP traffic:
    access-list Outside permit icmp any any
    access-list dmz permit icmp any any
    What do you mean by

    access-list dmz permit 22 172.16.0.0 255.255.0.0 host 192.168.10.5 //permitting ports 22, 21, and 20 to access the dmz

    access-list dmz permit 21 172.16.0.0 255.255.0.0 host 192.168.10.5

    access-list dmz permit 20 172.16.0.0 255.255.0.0 host 192.168.10.5

    Do you intend to allow incoming FTP (20, 21) and SSH (22) traffic into the 192.168.10.5 DMZ host?
    In this case the correct access lists are
    access-list dmz permit tcp 172.16.0.0 255.255.0.0 host 192.168.10.5 eq 20
    access-list dmz permit tcp 172.16.0.0 255.255.0.0 host 192.168.10.5 eq 21
    access-list dmz permit tcp 172.16.0.0 255.255.0.0 host 192.168.10.5 eq 22
    Regards,
    Csaba Papp
    MCSA+messaging, MCSE, CCNA
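As an added example (not from either poster), here is a small Python check that catches the two problems the reply points out in the posted config: an access-list whose protocol field is a bare number (PIX reads that as an IP protocol number, not a TCP port, so "permit 22" is not "tcp ... eq 22"), and an interface whose inbound access-group permits no ICMP, which drops ping once a list is applied. The sample configs are constructed from the lines in the thread; the function name is my own.

```python
# Constructed sample: the access-list / access-group lines as posted above.
POSTED_CONFIG = """\
access-list outside permit tcp any host 64.0.0.5 eq www
access-list inside permit tcp any any eq www
access-list dmz permit tcp any any eq www
access-list dmz permit 22 172.16.0.0 255.255.0.0 host 192.168.10.5
access-list dmz permit 21 172.16.0.0 255.255.0.0 host 192.168.10.5
access-list dmz permit 20 172.16.0.0 255.255.0.0 host 192.168.10.5
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
"""

# Constructed sample applying the reply's corrections (explicit tcp/eq, icmp permits).
FIXED_CONFIG = """\
access-list outside permit icmp any any
access-list outside permit tcp any host 64.0.0.5 eq www
access-list dmz permit icmp any any
access-list dmz permit tcp 172.16.0.0 255.255.0.0 host 192.168.10.5 eq 22
access-group outside in interface outside
access-group dmz in interface dmz
"""


def lint_pix_acls(config: str) -> list:
    """Return findings: numeric protocol fields, access-groups bound to an
    undefined list, and bound lists that permit no ICMP (ping is dropped)."""
    permits = {}    # acl name -> set of protocols it permits
    bound = {}      # interface -> acl name bound by access-group
    findings = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            name, proto = tok[1], tok[3]
            permits.setdefault(name, set())
            if tok[2] == "permit":
                permits[name].add(proto)
            if proto.isdigit():   # PIX treats a number here as an IP protocol number
                findings.append(f"{name}: '{proto}' is an IP protocol number; "
                                f"a port rule needs 'permit tcp ... eq {proto}'")
        elif len(tok) == 5 and tok[0] == "access-group" and tok[2:4] == ["in", "interface"]:
            bound[tok[4]] = tok[1]
    for iface, name in bound.items():
        if name not in permits:
            findings.append(f"{iface}: access-group binds undefined access-list '{name}'")
        elif not permits[name] & {"icmp", "ip"}:
            findings.append(f"{iface}: access-list '{name}' permits no ICMP, inbound ping is dropped")
    return findings
```

Running it on the posted lines reports the three numeric "22/21/20" rules and the missing ICMP permit on all three interfaces; the corrected sample reports nothing.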
