DNS inside the DMZ on an 877

Here is my setup and objective.

I have an 877 with the Adv. feature set. I have 2 VLANs: 1 is for my "inside" network, the other for the DMZ. I need to set up DNS inside the DMZ to refer to external DNS servers for hosts outside the DMZ zone (I have a DNS server in the DMZ for the DMZ DNS zone). The goal is to have my Exchange Edge Transport server in the DMZ be able to look up SMTP servers without a problem. My config is attached... created with SDM v2.4.1. What am I missing here?? With this config I cannot ping any host outside the DMZ. I get a "dest. host unreachable" from the eth interface for the DMZ VLAN.

Thanks

Brad

!This is the running config of the router: 10.0.0.1
!----------------------------------------------------------------------------
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1703587600
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1703587600
 revocation-check none
 rsakeypair TP-self-signed-1703587600
!
!
crypto pki certificate chain TP-self-signed-1703587600
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31373033 35383736 3030301E 170D3038 30313031 30353339
  33365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 37303335
  38373630 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B92A B6644C56 F1B031B6 5369545A 0DE2E8AD 28AA8ED8 DF55E984 1874C91F
  02280788 9598ADB6 90E6DA80 A473DF71 839C66B8 455154F6 7442E623 CCD977CA
  059D3372 654F7615 373923BA 9A60061D 5EB13734 31D77CAD 231E47DD A546ABA6
  E5DD5EEC 2D08034B 6F0F4102 3DF00D54 BC720318 9E0D8BA2 0ADE3008 A877FC8C
  5D510203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 14B2B647 7AC97F5E 2B0F4A29 2C42222C 2C434224
  60301D06 03551D0E 04160414 B2B6477A C97F5E2B 0F4A292C 42222C2C 43422460
  300D0609 2A864886 F70D0101 04050003 81810079 3F3926A2 81598A92 80C9AB91
  8878C64A 64987B25 29045A81 1866F137 CAE0DF4E 71733658 44996CA5 DB77E824
  BB9BD67E 74DCA177 99BDFED7 9D2F7D2A A9D9302B F0DAB556 CBD8EB48 ED19EC10
  30342370 677926A2 0C418604 CD2665D5 4E3517F0 5E6BE0CA DFD12E9A 871A2FB7
  77F018C7 959157D4 C63DD860 826472A1 EE7E02
  quit
!
!
ip cef
!
!
!
!
ip domain name corp."domain".com
ip name-server 198.60.22.2
ip name-server 198.60.22.22
ip port-map user-secure-ldap port tcp 50636 description ADAM-50636
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXX
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 102
 match protocol smtp
class-map type inspect match-any adam
 match protocol user-secure-ldap
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any adam1
 match protocol user-secure-ldap
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 101
class-map type inspect match-any sdm-cls-insp-traffic-1
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol http
 match protocol icmp
class-map type inspect match-any sdm-dmz-protocols
 match protocol smtp
class-map type inspect match-all sdm-dmz-traffic
 match access-group name dmz-traffic
 match class-map sdm-dmz-protocols
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-all sdm-nat-https-1
 match access-group 103
 match protocol https
class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-1
 match class-map adam
 match access-group name adam
class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-2
 match class-map adam1
 match access-group name adam1
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class class-default
policy-map type inspect sdm-permit
 class type inspect sdm-access
  inspect
 class class-default
policy-map type inspect sdm-permit-dmzservice
 class type inspect sdm-cls-sdm-permit-dmzservice-2
  inspect
 class type inspect sdm-cls-sdm-permit-dmzservice-1
  inspect
 class type inspect sdm-dmz-traffic
  inspect
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class class-default
!
zone security dmz-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-dmz-in source dmz-zone destination in-zone
 service-policy type inspect sdm-permit-dmzservice
zone-pair security sdm-zp-dmz-out source dmz-zone destination out-zone
 service-policy type inspect sdm-permit-dmzservice
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 0/32
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Vlan2
 description $FW_DMZ$
 ip address 192.168.168.1 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 zone-member security dmz-zone
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 166.70.177.81 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname XXXX
 ppp chap password 0 XXXX
 ppp pap sent-username XXXX password 0 XXXX
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.0.0.0 255.255.255.0 Vlan1
ip route 192.168.168.0 255.255.255.240 Vlan2
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool DMZ-NAT x.x.x.x x.x.x.x netmask 255.255.255.255
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source list 3 pool DMZ-NAT
ip nat inside source static tcp 192.168.168.2 25 166.70.177.82 25 extendable
ip nat inside source static tcp 10.0.0.10 443 166.70.177.82 443 extendable
!
ip access-list extended SDM_HTTPS
 remark SDM_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark SDM_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark SDM_ACL Category=1
 permit tcp any any eq 22
ip access-list extended adam
 remark SDM_ACL Category=128
 permit ip host 10.0.0.10 host 192.168.168.2
ip access-list extended adam1
 remark SDM_ACL Category=128
 permit ip host 192.168.168.2 host 10.0.0.10
ip access-list extended dmz-traffic
 remark SDM_ACL Category=1
 permit ip any host 192.168.168.2
!
access-list 2 remark Prod NAT
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 3 remark DMZ-NAT
access-list 3 remark SDM_ACL Category=2
access-list 3 remark DMZ NAT
access-list 3 permit 192.168.168.0 0.0.0.15
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 166.70.177.80 0.0.0.15 any
access-list 100 permit ip 192.168.168.0 0.0.0.15 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.168.2
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 10.0.0.10
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
banner login ^C

-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START GUIDE for your router or go to
formatting link
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn cef
end

Park City

I've gotta say that I'm not diggin' the new zpf firewall feature. It is remarkably difficult to decipher. You have to be very careful with the inbound traffic that you block, especially with respect to icmp types 3 and 11.

Let's trace through the config.

The following zone-pairs apply to traffic traversing the dmz interface.

All zone-pairs reference the following policy-map, which is the primary firewall logic. I have nested the pertinent router config statements below. Nesting levels are indicated by the numbers. Each subsection is followed by what a traditional acl might look like.

1 policy-map type inspect sdm-permit-dmzservice
1  class type inspect sdm-cls-sdm-permit-dmzservice-2
2   class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-2
2    match class-map adam1
3     class-map type inspect match-any adam1
3      match protocol user-secure-ldap
2    match access-group name adam1
3     ip access-list extended adam1
3      permit ip host 192.168.168.2 host 10.0.0.10

   permit tcp host 192.168.168.2 host 10.0.0.10 eq 636

1  inspect
1  class type inspect sdm-cls-sdm-permit-dmzservice-1
2   class-map type inspect match-all sdm-cls-sdm-permit-dmzservice-1
2    match class-map adam
3     class-map type inspect match-any adam
3      match protocol user-secure-ldap
2    match access-group name adam
3     ip access-list extended adam
3      permit ip host 10.0.0.10 host 192.168.168.2

   permit tcp host 10.0.0.10 host 192.168.168.2 eq 636

1  inspect
1  class type inspect sdm-dmz-traffic
2   class-map type inspect match-all sdm-dmz-traffic
2    match access-group name dmz-traffic
3     ip access-list extended dmz-traffic
3      permit ip any host 192.168.168.2
2    match class-map sdm-dmz-protocols
3     class-map type inspect match-any sdm-dmz-protocols
3      match protocol smtp

   permit tcp any host 192.168.168.2 eq 25

1  inspect
1  class type inspect sdm-nat-smtp-1
2   class-map type inspect match-all sdm-nat-smtp-1
2    match access-group 102
3     access-list 102 permit ip any host 192.168.168.2
2    match protocol smtp

   permit tcp any host 192.168.168.2 eq 25

1  inspect
1  class type inspect sdm-nat-https-1
2   class-map type inspect match-all sdm-nat-https-1
2    match access-group 103
3     access-list 103 permit ip any host 10.0.0.10
2    match protocol https

   permit tcp any host 10.0.0.10 eq 443

1  inspect
1  class class-default

   deny ip any any

To boil it down, the resultant behavior should be similar to the following.

permit tcp host 192.168.168.2 host 10.0.0.10 eq 636
permit tcp host 10.0.0.10 host 192.168.168.2 eq 636
permit tcp any host 192.168.168.2 eq 25
permit tcp any host 192.168.168.2 eq 25
permit tcp any host 10.0.0.10 eq 443
deny ip any any

Obviously, none of these rules will apply to dns or icmp. This ruleset will also deny traffic which is vital to proper network function. The lack of proper network function will likely be most evident in smtp. Also, I believe the configuration may permit internet hosts to create dynamic rules, a very bad idea in my opinion.

Network Blackjack
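As an added illustration (not code from the thread or from Cisco), the following Python model transcribes the class-maps, access-lists and class order of sdm-permit-dmzservice from the posted config and classifies a flow the way the inspect engine would, which shows why SMTP to the Edge server is inspected while DNS and ICMP from a DMZ host fall through to class-default and are dropped. The flow addresses used (192.168.168.3, 203.0.113.5, 198.51.100.7) are constructed, and user-secure-ldap is taken as tcp/50636 as the config's ip port-map defines it.

```python
from collections import namedtuple
# A flow as the inspect engine sees it; dport is 0 for ICMP (constructed model).
Flow = namedtuple("Flow", "src dst proto dport")
ANY = "any"
# "match protocol" names; user-secure-ldap is the config's ip port-map (tcp 50636).
PROTOCOLS = {"smtp": ("tcp", 25), "https": ("tcp", 443), "dns": ("udp", 53),
             "icmp": ("icmp", 0), "user-secure-ldap": ("tcp", 50636)}
# Access-lists as (src, dst); all entries are "permit ip", so only addresses count.
ACLS = {"adam1": [("192.168.168.2", "10.0.0.10")],
        "adam": [("10.0.0.10", "192.168.168.2")],
        "dmz-traffic": [(ANY, "192.168.168.2")],
        "102": [(ANY, "192.168.168.2")], "103": [(ANY, "10.0.0.10")]}
# class-maps: (match-any | match-all, criteria); a criterion is
# ("protocol", name), ("acl", name) or ("class", nested class-map).
CLASS_MAPS = {
    "adam1": ("any", [("protocol", "user-secure-ldap")]),
    "adam": ("any", [("protocol", "user-secure-ldap")]),
    "sdm-dmz-protocols": ("any", [("protocol", "smtp")]),
    "sdm-cls-sdm-permit-dmzservice-2": ("all", [("class", "adam1"), ("acl", "adam1")]),
    "sdm-cls-sdm-permit-dmzservice-1": ("all", [("class", "adam"), ("acl", "adam")]),
    "sdm-dmz-traffic": ("all", [("acl", "dmz-traffic"), ("class", "sdm-dmz-protocols")]),
    "sdm-nat-smtp-1": ("all", [("acl", "102"), ("protocol", "smtp")]),
    "sdm-nat-https-1": ("all", [("acl", "103"), ("protocol", "https")]),
}
# Classes in the order policy-map sdm-permit-dmzservice lists them (each
# "inspect"); class-default has no action, which a type inspect policy drops.
POLICY = ["sdm-cls-sdm-permit-dmzservice-2", "sdm-cls-sdm-permit-dmzservice-1",
          "sdm-dmz-traffic", "sdm-nat-smtp-1", "sdm-nat-https-1"]

def acl_permits(name, f):
    return any(s in (ANY, f.src) and d in (ANY, f.dst) for s, d in ACLS[name])

def criterion_matches(kind, arg, f):
    if kind == "protocol":
        return PROTOCOLS[arg] == (f.proto, f.dport)
    if kind == "acl":
        return acl_permits(arg, f)
    return class_matches(arg, f)  # nested "match class-map"

def class_matches(name, f):
    mode, criteria = CLASS_MAPS[name]
    return (any if mode == "any" else all)(criterion_matches(k, a, f) for k, a in criteria)

def classify(f):
    """First matching class and its action for a flow on any DMZ zone-pair."""
    for name in POLICY:
        if class_matches(name, f):
            return name, "inspect"
    return "class-default", "drop"
```

Because all four DMZ zone-pairs apply this same policy-map, a DNS query or ping from a DMZ host towards out-zone lands in class-default, which is the "dest. host unreachable" the original post describes.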
