Inside network communicate with DMZ

Mabrito (Supreme [H]ardness, joined Dec 24, 2004, 7,004 messages)
I am working on a Cisco PIX 515E and trying to get the inside network to communicate with the DMZ network and vice versa. I am not having any success in getting this to work, ha. I basically put an allow-all ACL on each interface as of right now. This is my running config:

Code:
PIX Version 8.0(4)
!
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.24.4.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 20
 ip address 172.18.4.1 255.255.255.0
!
ftp mode passive
access-list allowIN extended permit icmp any any
access-list allowIN extended permit tcp any any
access-list allowIN extended permit udp any any
access-list allowIN extended permit ip any any
access-list allowDMZ extended permit icmp any any
access-list allowDMZ extended permit tcp any any
access-list allowDMZ extended permit udp any any
access-list allowDMZ extended permit ip any any
access-list allowINSIDE extended permit icmp any any
access-list allowINSIDE extended permit tcp any any
access-list allowINSIDE extended permit udp any any
access-list allowINSIDE extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
global (outside) 1 10.24.4.20-10.24.4.30
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 172.18.4.0 255.255.255.0
static (dmz,outside) 10.24.4.20 172.18.4.2 netmask 255.255.255.255
static (dmz,outside) 10.24.4.21 172.18.4.3 netmask 255.255.255.255
access-group allowIN in interface outside
access-group allowINSIDE in interface inside
access-group allowDMZ in interface dmz
route outside 0.0.0.0 0.0.0.0 10.24.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7dc82ac1667c889ef4a1b054b9a60eb6
: end

From what I understand I need to do some static NAT between the DMZ and INSIDE or something? Very confused on making the two interfaces talk with each other.
 
Well, this is on an ASA5505 but it may help you. This allows your internal network to talk to the DMZ, however not vice versa.

static (inside,dmz) Inside DMZ netmask 255.255.255.0
 
You need a NAT exemption; it's the traditional way. You can also do it the way k1pp3r said.

nat (inside) 0 access-list acl_inside_to_dmz

nat (dmz) 0 access-list acl_dmz_to_inside
 
What do you mean by acl_inside_to_dmz and acl_dmz_to_inside?
 
I am just trying to understand this: why would I apply the ACLs to NAT statements? Kind of confused on that, as my ACLs just allow everything for ICMP, TCP, UDP, and IP.
 
ACLs aren't only for allowing or denying traffic; they specify interesting traffic as well. If you have an access list that was

Code:
access-list captest extended permit ip any any

and told an ASA to 'capture traffic_capture access-list captest' it would capture all traffic you specify in that ACL and log it for review.

Also on an ASA when you set a NAT exemption rule, you need to specifically tell that rule what you don't want to NAT, and you do so with an ACL.

So if I had an ACL called 'nat_exempt' that looked like

Code:
access-list nat_exempt extended permit ip 172.18.4.0 255.255.255.0 192.168.1.0 255.255.255.0

and told the nat exempt rule to:

Code:
nat (dmz) 0 access-list nat_exempt

This would exempt all traffic from NAT on your 172.18.4.0 network going towards your 192.168.1.0 network, so all devices on the 192.168.1.0 network would see ip connections actually coming from the 172.18.4.0 network ip addresses.

Furthermore, if you have multiple inside interfaces that you want to exempt from NAT (like you do), you can do so with an object-group. An example would be an object-group 'inside_networks':

Code:
object-group network inside_networks
network-object 172.18.4.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0

So if you set an ACL that is:

Code:
access-list nat_exempt extended permit ip object-group inside_networks object-group inside_networks

And apply it to a NAT rule:

Code:
nat (interfacename) 0 access-list nat_exempt

that will exempt all traffic between the inside networks from NAT.
 
Alright this is my current config:

Code:
PIX Version 8.0(4)
!
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.24.4.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 20
 ip address 172.18.4.1 255.255.255.0
!
ftp mode passive
access-list allowIN extended permit icmp any any
access-list allowIN extended permit tcp any any
access-list allowIN extended permit udp any any
access-list allowIN extended permit ip any any
access-list allowDMZ extended permit icmp any any
access-list allowDMZ extended permit tcp any any
access-list allowDMZ extended permit udp any any
access-list allowDMZ extended permit ip any any
access-list allowINSIDE extended permit icmp any any
access-list allowINSIDE extended permit tcp any any
access-list allowINSIDE extended permit udp any any
access-list allowINSIDE extended permit ip any any
access-list nat_exempt extended permit ip 172.18.4.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
global (outside) 1 10.24.4.20-10.24.4.30
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list nat_exempt
nat (dmz) 1 172.18.4.0 255.255.255.0
static (dmz,outside) 10.24.4.20 172.18.4.2 netmask 255.255.255.255
static (dmz,outside) 10.24.4.21 172.18.4.3 netmask 255.255.255.255
access-group allowIN in interface outside
access-group allowINSIDE in interface inside
access-group allowDMZ in interface dmz
route outside 0.0.0.0 0.0.0.0 10.24.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c5b3488a0673a11250e4078b2e514594
: end

I try pinging a computer in the inside network from the DMZ network with no success. Am I still missing a line? I am understanding it more now with exempting the NAT statements... but still missing something.
 
Have you tried a static (inside,DMZ) Inside Subnet DMZ Subnet?

I tried adding "static (inside,DMZ) 192.168.1.0 172.18.4.0 netmask 255.255.255.0" with no success on top of my last running config I posted in this thread.
 
You're still missing the NAT exemption for your inside interface. Look at my post again: you're NATting both interfaces, so you will need 2 exemptions.
 
So you're saying I also need "static (inside,DMZ) 172.18.4.0 192.168.1.0 netmask 255.255.255.0"

Also do I need the "nat (dmz) 0 access-list nat_exempt" and "access-list nat_exempt extended permit ip 172.18.4.0 255.255.255.0 192.168.1.0 255.255.255.0" statements then?
 
So you're saying I also need "static (inside,DMZ) 172.18.4.0 192.168.1.0 netmask 255.255.255.0"
No, this is NOT a NAT exemption. This is a static embryonic NAT (self-translated). You can use this, but I don't like doing it this way.

Also do I need the "nat (dmz) 0 access-list nat_exempt" and "access-list nat_exempt extended permit ip 172.18.4.0 255.255.255.0 192.168.1.0 255.255.255.0" statements then?
Keep the nat 0 statements; this is the way you should be doing it.

This is what you want:
access-list nat_exempt_dmz extended permit ip 172.18.4.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nat_exempt_inside extended permit ip 192.168.1.0 255.255.255.0 172.18.4.0 255.255.255.0

nat (dmz) 0 access-list nat_exempt_dmz
nat (inside) 0 access-list nat_exempt_inside
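An added config-audit example (my own, not any poster's code) for McDeth's explanation of nat 0 access-lists and this post's two-exemption answer. It parses a constructed excerpt of the thread's PIX config and shows that, with only the dmz exemption applied, inside-to-dmz traffic still falls through to the nat 1 pool; the function and interface-to-subnet map are assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the thread's PIX 8.0(4) config at the point where
# only the dmz side had a nat 0 exemption (nat_exempt_inside is defined
# but not yet applied to the inside interface).
PIX_CONFIG = """\
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list nat_exempt_dmz
nat (dmz) 1 172.18.4.0 255.255.255.0
access-list nat_exempt_dmz extended permit ip 172.18.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nat_exempt_inside extended permit ip 192.168.1.0 255.255.255.0 172.18.4.0 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

def parse(config):
    """Collect 'permit ip' ACL entries and which ACL each interface's nat 0 uses."""
    acls, exempt = {}, {}
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := NAT0_RE.match(line):
            exempt[m.group(1)] = m.group(2)
    return acls, exempt

def is_exempt(acls, exempt, ifc, src, dst):
    """True if src->dst entering `ifc` matches that interface's nat 0 ACL
    (the exemption is evaluated before the nat 1 / global pool rules)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in acls.get(exempt.get(ifc, ""), []))

def missing_exemptions(config, nets):
    """nets maps interface name -> its subnet. Returns 'ifc->other' for each
    direction whose traffic would still be translated by the nat 1 pool."""
    acls, exempt = parse(config)
    nets = {ifc: ipaddress.ip_network(n) for ifc, n in nets.items()}
    return [f"{ifc}->{other}"
            for ifc, net in nets.items() for other, onet in nets.items()
            if other != ifc and not is_exempt(acls, exempt, ifc, str(net[1]), str(onet[1]))]

if __name__ == "__main__":
    nets = {"inside": "192.168.1.0/24", "dmz": "172.18.4.0/24"}
    print(missing_exemptions(PIX_CONFIG, nets))  # ['inside->dmz']
    fixed = PIX_CONFIG + "nat (inside) 0 access-list nat_exempt_inside\n"
    print(missing_exemptions(fixed, nets))  # []
```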
 
Thank you so much, that worked. So basically in the nat_exempt_dmz, you are saying allow any address from the 192.168.1.0 network into the 172.18.4.0 network and don't translate it, and vice versa for the other statement?
 
You got it, bud. Read McDeth's post for a better explanation if you need one... it's pretty good.
 