DMZ Config Question?

bryan148 (IS-IT--Management), Feb 2, 2004
I have only been using two out of the three ports on my PIX 515 for the past three years. I have decided to set up a DMZ and have enabled the third port with a security level of 50. The interface is assigned 192.168.50.1. My inside network is 192.168.100.0. I have applied basic access lists to the DMZ to allow IP and ICMP traffic. Here's my question: I am new to the DMZ and was under the impression that servers residing on the DMZ would not be able to initiate traffic to servers on the inside without static mappings. However, my server on the DMZ is able to see my AD domain on the inside as well as join the domain. I can also launch a remote desktop session from my server in the DMZ to a server on the inside with just the basic config I mentioned above. The DMZ is responding differently than what I expected, and it seems to me that it is just acting like a router and I do not see any security benefit. Can someone please explain what is really happening? Thanks.
 
"I have applied basic access lists to the DMZ to allow IP and ICMP traffic."

What does this look like? What is the configuration as it pertains to the DMZ?

Normally, hosts on the DMZ should be able to send all traffic to the outside, but not to the inside.
 
That's what I was thinking also. Here is my config you can look at. Thanks for the help.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password d0s8U0/jDxRHo.15 encrypted
passwd hGOdtigP7L6a8/Wx encrypted
hostname pixfirewall
domain-name fccoa.org
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit ip 192.168.100.0 255.255.255.0 any
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in permit ip 192.168.2.0 255.255.255.0 any
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in permit tcp any host *.*.*.83 eq www
access-list outside_access_in permit tcp any host *.*.*.83 eq smtp
access-list outside_access_in permit tcp any host *.*.*.83 eq 1433
access-list outside_access_in permit tcp any host *.*.*.83 eq ftp
access-list outside_access_in permit tcp any host *.*.*.83 eq citrix-ica
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host *.*.*.83 eq 8081
access-list outside_cryptomap_dyn_30 permit ip any 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip any 192.168.2.0 255.255.255.0
access-list dmz permit icmp any any
access-list dmz permit ip 192.168.50.0 255.255.255.0 any
pager lines 24
logging on
logging timestamp
logging trap errors
logging facility 23
logging host inside 192.168.100.202
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside *.*.*.83 255.255.255.248
ip address inside 192.168.100.200 255.255.255.0
ip address dmz 192.168.50.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.1.1-192.168.1.254
pdm location 192.168.100.43 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface 1433 192.168.100.34 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.100.27 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface citrix-ica 192.168.100.30 citrix-ica netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.100.26 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8081 192.168.100.203 8081 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 66.0.164.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.100.21 ****** timeout 5
url-server (inside) vendor websense host 192.168.100.33 timeout 5 protocol TCP version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 192.168.100.43 255.255.255.255 inside
http 192.168.100.202 255.255.255.255 inside
http 192.168.100.32 255.255.255.255 inside
http 192.168.100.33 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set fifthset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 match address outside_cryptomap_dyn_30
crypto dynamic-map dynmap 30 set transform-set fifthset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address outside_cryptomap_20
crypto map mymap 20 set peer *.*.*.185
crypto map mymap 20 set transform-set fifthset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address *.*.*.185 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup fifthgroup address-pool ippool
vpngroup fifthgroup dns-server 192.168.100.21
vpngroup fifthgroup wins-server 192.168.100.21
vpngroup fifthgroup default-domain fccoa.org
vpngroup fifthgroup split-tunnel nonat
vpngroup fifthgroup idle-time 1800
vpngroup fifthgroup password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 192.168.100.202 255.255.255.255 inside
ssh timeout 60
console timeout 0
vpdn enable outside
url-block url-mempool 1500
url-block url-size 4
terminal width 80
Cryptochecksum:77653885be845b70d6bc50160e465b50
: end
[OK]
 
I think I figured it out. I got rid of the command:
access-list dmz permit ip 192.168.50.0 255.255.255.0 any

I guess it was that command that gave it access to the inside network. Is that correct?
 
Correct. "any" means any, on any interface.

Such an ACL isn't required in your case since by default a) all traffic is allowed from DMZ->Outside, and b) all traffic is blocked for DMZ->Inside. But if you really wanted to put it in, you could get what you want by preceding it with "access-list dmz deny ip any 192.168.100.0 255.255.255.0".

You could also simply remove the static NAT for (inside,dmz) and add "global (dmz) 1 interface". That would change how your DMZ hosts see your inside hosts, though: all traffic would appear to be coming from the interface address.
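The two points made in this thread, that a PIX with no access-group on an interface permits only higher-to-lower security level traffic, and that once an ACL is bound it is evaluated first-match with "any" covering every other interface, can be checked mechanically. The script below is an added example, not code from the thread or from Cisco; it models only the ACL stage and the default security-level rule, not NAT or static translation (the posted identity static (inside,dmz) is assumed to be in place so routing alone picks the egress interface). The interface networks and security levels are taken from the posted config; the DMZ host 192.168.50.10, the two inside hosts and the Internet address 198.51.100.7 are constructed test values.

```python
"""Model of PIX 6.x ingress ACL evaluation, written to check the DMZ ACLs in this thread.

Scope (added example, not Cisco's implementation): first-match ACL evaluation with the
implicit deny at the end, plus the default security-level rule used when no access-group
is bound to the ingress interface. NAT/static translation is deliberately not modelled.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

# Interfaces from the posted config: name -> (security level, directly connected network).
# "outside" is given 0.0.0.0/0 because the default route points out of it.
INTERFACES = {
    "outside": (0, ANY),
    "inside": (100, ipaddress.ip_network("192.168.100.0/255.255.255.0")),
    "dmz": (50, ipaddress.ip_network("192.168.50.0/255.255.255.0")),
}


@dataclass(frozen=True)
class Ace:
    """One access-control entry: permit|deny PROTO SRC DST (ports are ignored here)."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC [MASK] DST [MASK]' into (NAME, Ace)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto = tokens[1:4]
    src, rest = _take_addr(tokens[4:])
    dst, _ = _take_addr(rest)
    return name, Ace(action, proto, src, dst)


def egress_interface(dst_ip):
    """Longest-prefix match of the destination against the interface networks."""
    candidates = [(net.prefixlen, name) for name, (_, net) in INTERFACES.items() if dst_ip in net]
    return max(candidates)[1]


def allowed(ingress, acl, proto, src, dst):
    """Is a new connection entering `ingress` permitted?  acl=None means no access-group bound."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = egress_interface(dst_ip)
    if acl is None:
        # Default rule with no ACL: only higher -> lower security level is allowed.
        return INTERFACES[ingress][0] > INTERFACES[egress][0]
    for ace in acl:
        # First matching entry wins; 'ip' matches every protocol.
        if ace.proto in ("ip", proto) and src_ip in ace.src and dst_ip in ace.dst:
            return ace.action == "permit"
    return False  # implicit deny at the end of every ACL


# The DMZ ACL as posted (the second line is the one the poster later removed).
ORIGINAL_DMZ_ACL = [parse_ace(l)[1] for l in (
    "access-list dmz permit icmp any any",
    "access-list dmz permit ip 192.168.50.0 255.255.255.0 any",
)]

# The same ACL with the deny suggested in the reply placed before the permit.
REVISED_DMZ_ACL = [parse_ace(l)[1] for l in (
    "access-list dmz permit icmp any any",
    "access-list dmz deny ip any 192.168.100.0 255.255.255.0",
    "access-list dmz permit ip 192.168.50.0 255.255.255.0 any",
)]

# Constructed flows: a DMZ host talking to two inside hosts and to an Internet host
# (198.51.100.7 is a documentation address, not anything from the thread).
FLOWS = {
    "dmz->inside rdp": ("tcp", "192.168.50.10", "192.168.100.30"),
    "dmz->inside ldap": ("tcp", "192.168.50.10", "192.168.100.21"),
    "dmz->inside icmp": ("icmp", "192.168.50.10", "192.168.100.21"),
    "dmz->outside http": ("tcp", "192.168.50.10", "198.51.100.7"),
}


def dmz_policy_report(acl):
    """Return {flow name: permitted?} for each constructed flow under the given DMZ ACL."""
    return {name: allowed("dmz", acl, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("no ACL", None), ("as posted", ORIGINAL_DMZ_ACL), ("with deny", REVISED_DMZ_ACL)):
        print(f"{label:10s} {dmz_policy_report(acl)}")
```

Running it shows the three states side by side: with no access-group, only the DMZ->outside flow is permitted; with the ACL as posted, every flow is permitted because "any" includes the inside network; with the deny inserted first, the TCP flows to the inside are blocked while DMZ->outside still works. It also shows that under the suggested ordering the "permit icmp any any" entry still lets ICMP reach the inside, because it precedes the deny. That is the sort of ordering detail a first-match check surfaces before the change goes on the firewall.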