Traffic out of DMZ

Hi everyone,

I have a PIX 515 version 6.3(3) with three interfaces: inside, outside, and DMZ. I have a web server in the DMZ and up until now I only needed www and https traffic to get to it. But now I need some of the web pages to have links that go out to https pages on other external servers. Currently I cannot do that, so as a test I set up a workstation in the DMZ and it cannot get out to the internet either. The workstation can only see and ping the web server and the DMZ interface but cannot go to any websites. From everything I have learned lately, traffic should be allowed from a higher security zone (DMZ) to a lower security zone (outside), so maybe I just need a static command to allow DMZ traffic to go out. The web server is at 10.0.0.3 and here is my config minus external IPs and other non-important entries like PDM, HTTP, FIXUP, ISAKMP, etc. Thanks

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security50
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname name.pix
domain-name name.com
names
name 1.141.1.11 IPO
name 1.141.1.29 email
name exchange
name 1.0.0.0 vpn_mobile
access-list acl_out permit tcp any host eq www
access-list acl_out permit tcp any host eq https
access-list acl_out permit tcp any host eq smtp
access-list acl_out permit icmp any any
access-list acl_out permit tcp any interface outside
access-list acl_out permit tcp any eq pop3 host eq pop3
access-list acl_out permit tcp any eq smtp host eq smtp
access-list acl_out permit tcp any eq ftp host eq ftp
access-list dmz_out permit icmp any any
access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
access-list inside_outbound_nat0_acl permit ip any vpn_mobile 255.0.0.0
access-list outside_cryptomap_dyn_20 permit ip any vpn_mobile 255.0.0.0
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
ip address outside 255.255.255.224
ip address inside 1.141.1.99 255.0.0.0
ip address DMZ1 10.0.0.1 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 vpn_mobile 255.0.0.0 0 0
static (DMZ1,outside) tcp www 10.0.0.3 www netmask 255.255.255.255 0 0
static (DMZ1,outside) tcp https 10.0.0.3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp smtp 1.1.1.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 IPO 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 email 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 email 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https email https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp email pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface nntp email nntp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 email pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp email smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp email ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www email www netmask 255.255.255.255 0 0
static (inside,DMZ1) vpn_mobile vpn_mobile netmask 255.0.0.0 0 0
access-group acl_out in interface outside
access-group dmz_out in interface DMZ1
route outside 0.0.0.0 0.0.0.0 1
timeout xlate 3:00:00
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 1.141.2.223 /tftp-root/
floodguard enable
sysopt connection permit-ipsec
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxx
dexteroc

Hi, You should just need a more inclusive static command on your firewall. Right now your static command is limiting everything to http/https to your webserver. When I use statics I usually either do a one-to-one translation, or I include the entire subnet within the static command. Remove the two DMZ statics that you have and try using this instead.

static (DMZ1,outside) 10.0.0.3 netmask 255.255.255.255 0 0

If you want to try this on your workstation first as a test, you could put in a static that looks something like the following (assuming 10.0.0.4 is your workstation address):

static (DMZ1,outside) 10.0.0.4 netmask 255.255.255.255 0 0

Hope this helps,

-Dan

dtpike

I will try your suggestion but although I have not made any changes yet, I was doing more research and I kind of thought I might need a NAT and GLOBAL command for the DMZ. Just curious as to what you think about that? I will try the static command though.

Thanks,

Paul

dexteroc

I read your original email and for some reason started thinking of inbound connections, but you're more interested in allowing traffic from a higher security interface (DMZ1) to a lower security interface (outside). So yes, the NAT command should be what you need.

The following should allow all your hosts on the DMZ1 interface to make outbound connections:

nat (DMZ1) 1 0 0

Or, you can narrow it down to just allow your single host to make outbound connections:

nat (DMZ1) 1 10.0.0.3 255.255.255.255

Hopefully that will get you what you're after.

Regards,

-Dan

dtpike

It's not working yet but I think I got part of it. Before I make any changes, if I ping from the DMZ out, I get an error message in the firewall log that says "No translation group found". When I look up exactly what it means, it says that you need a NAT and GLOBAL entry. When I make the NAT 1 0 0 entry, the error message does not show up anymore. Now I think I need a GLOBAL entry because traffic still does not get out of the DMZ. I tried making the GLOBAL entry "global (DMZ1) 1 10.0.0.101-10.0.0.110 netmask 255.255.255.255 0 0" but that killed all incoming traffic to my DMZ so I had to reboot the firewall. Any suggestions on a GLOBAL entry?

Thanks

Paul

dexteroc

I've never used the nat or global commands in any of my firewall configs. A static translation should be all that you need in your config since you have a 1-to-1 mapping. I believe (but I'm not 100% sure) that a static translation for a host does away with the need for a dynamic translation using the nat and global commands. My recommendation is to try opening up your static translation and use your ACLs for restricting traffic. If it were me, I would try using the static that I sent you originally, and then your ACLs are permitting the inbound traffic that you want to let in.

static (DMZ1,outside) 10.0.0.3 netmask 255.255.255.255 0 0

access-list acl_out permit tcp any host eq www
access-list acl_out permit tcp any host eq https
access-list acl_out permit tcp any host eq smtp
access-list acl_out permit icmp any any
[etc.]

-Dan

dtpike
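Worked through in code, as an added illustration that is not from the thread or from Cisco: the two checks a PIX 6.3 applies to a new connection leaving DMZ1, in the order the thread ran into them. A port static (static ... tcp ... www) only maps inbound connections to that one port, so a DMZ host with nothing else logs "No translation group found" until a nat (DMZ1) id is paired with a global of the same id on the interface the traffic leaves by. The posted config already has global (outside) 1 interface, so nat (DMZ1) 1 0 0 completes the pair; a global on DMZ1 pairs with nothing for outbound traffic, which is why that attempt did not help. Once the xlate exists, the access-group bound to DMZ1 decides, with the implicit deny at the end of the list, and the posted dmz_out list permits only ICMP and one TCP port range to 1.1.1.1, so an HTTPS connection from 10.0.0.3 to an external server is still dropped until a permit is added. The public address 198.51.100.10 and the external server 203.0.113.5 are constructed stand-ins for the scrubbed ones; the parser handles only the command forms used in this thread and does not resolve names.

```python
"""Model of the checks a PIX 6.3 applies to a new DMZ1 -> outside connection.

Added illustration for the thread above, not code from the posts or from Cisco.
  1. Translation: a full (non-port) static for the source, a nat 0 identity, or a
     nat (src_if) id paired with a global (dst_if) of the same id. A port static
     covers inbound connections to that port only, so an outbound connection from
     an ephemeral port never matches one.
  2. Ingress ACL: once an access-group is bound to the source interface that list
     decides (implicit deny at its end); only without one does the higher-to-lower
     security default permit apply.
"""
import ipaddress

PORTS = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "ftp": 21}


def _port(tok):
    return PORTS.get(tok) or int(tok)


def _net(addr, mask):
    # PIX writes 0.0.0.0 0.0.0.0 as "0 0"; ipaddress wants four octets.
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Parse only the command forms used in the thread (no name resolution)."""
    cfg = {"sec": {}, "static": [], "nat": [], "global": set(), "acl": {}, "group": {}}
    for line in config.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":            # nameif ethernet2 DMZ1 security50
            cfg["sec"][t[2]] = int(t[3][len("security"):])
        elif t[0] == "static":          # static (DMZ1,outside) [tcp MAPPED MPORT] REAL [RPORT] netmask M
            src_if, dst_if = t[1].strip("()").split(",")
            real, port = (t[5], _port(t[6])) if t[2] in ("tcp", "udp") else (t[3], None)
            cfg["static"].append((src_if, dst_if, _net(real, t[t.index("netmask") + 1]), port))
        elif t[0] == "nat":             # nat (DMZ1) 1 0 0  /  nat (inside) 0 access-list NAME
            nid = int(t[2])
            cfg["nat"].append((t[1].strip("()"), nid, None if nid == 0 else _net(t[3], t[4])))
        elif t[0] == "global":          # global (outside) 1 interface
            cfg["global"].add((t[1].strip("()"), int(t[2])))
        elif t[0] == "access-list":     # access-list NAME permit PROTO SRC DST [eq P | range A B]
            cfg["acl"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group":    # access-group NAME in interface IF
            cfg["group"][t[4]] = t[1]
    return cfg


def _addr(e, i):
    """Consume one ACL address spec at e[i]: any | host A | A MASK."""
    if e[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if e[i] == "host":
        return _net(e[i + 1], "255.255.255.255"), i + 2
    return _net(e[i], e[i + 1]), i + 2


def acl_permits(entries, proto, src, dst, dport):
    """First matching entry wins; a PIX ACL ends in an implicit deny."""
    for e in entries:
        action, eproto = e[0], e[1]
        s, i = _addr(e, 2)
        d, i = _addr(e, i)
        lo = hi = None
        if i < len(e) and e[i] == "eq":
            lo = hi = _port(e[i + 1])
        elif i < len(e) and e[i] == "range":
            lo, hi = _port(e[i + 1]), _port(e[i + 2])
        if eproto not in ("ip", proto) or src not in s or dst not in d:
            continue
        if lo is not None and (dport is None or not lo <= dport <= hi):
            continue
        return action == "permit"
    return False


def check_outbound(cfg, src_if, dst_if, proto, src, dst, dport=None):
    """Return "ok" or the reason the PIX drops the first packet of the flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    translated = any(s == src_if and d == dst_if and src in net and port is None
                     for s, d, net, port in cfg["static"])
    for ifc, nid, net in cfg["nat"]:
        # nat 0 is identity and needs no global (its access-list form is treated as
        # matching everything here, a simplification); other ids need a global on dst_if.
        if ifc == src_if and (nid == 0 or (src in net and (dst_if, nid) in cfg["global"])):
            translated = True
    if not translated:
        return "No translation group found"
    acl = cfg["group"].get(src_if)
    if acl is None:
        return "ok" if cfg["sec"][src_if] > cfg["sec"][dst_if] else "denied: lower to higher security"
    return "ok" if acl_permits(cfg["acl"][acl], proto, src, dst, dport) else f"denied by access-list {acl}"


# DMZ-related lines of the posted config; 198.51.100.10 is a constructed stand-in
# for the public address the poster scrubbed.
POSTED = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security50
global (outside) 1 interface
static (DMZ1,outside) tcp 198.51.100.10 www 10.0.0.3 www netmask 255.255.255.255 0 0
static (DMZ1,outside) tcp 198.51.100.10 https 10.0.0.3 https netmask 255.255.255.255 0 0
access-list dmz_out permit icmp any any
access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
access-group dmz_out in interface DMZ1
"""


def scenarios():
    """The thread's flow (web server to an external HTTPS site, constructed 203.0.113.5)."""
    flow = ("DMZ1", "outside", "tcp", "10.0.0.3", "203.0.113.5", 443)
    with_nat = POSTED + "nat (DMZ1) 1 0 0\n"
    with_acl = with_nat + "access-list dmz_out permit tcp host 10.0.0.3 any eq https\n"
    wrong_global = POSTED.replace("global (outside) 1 interface",
                                  "global (DMZ1) 1 10.0.0.101-10.0.0.110 netmask 255.255.255.255")
    return {
        "as posted": check_outbound(parse(POSTED), *flow),
        "nat (DMZ1) 1 0 0 added": check_outbound(parse(with_nat), *flow),
        "nat and dmz_out permit added": check_outbound(parse(with_acl), *flow),
        "nat with global on DMZ1 only": check_outbound(parse(wrong_global + "nat (DMZ1) 1 0 0\n"), *flow),
    }


if __name__ == "__main__":
    for label, verdict in scenarios().items():
        print(f"{label}: {verdict}")
```

The fourth scenario removes the outside global to show that a global on DMZ1 alone never pairs with a nat for traffic leaving via outside; in the thread the outside global was still present, so adding the DMZ1 global only affected traffic arriving at DMZ1 from inside.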
