- Posts: 39
- Thank you received: 0
Inside to DMZ communication
- skepticals
- Topic Author
- Offline
- Elite Member
-
17 years 6 months ago #21638
by semper
You can map your 10.10.10.0 network to some other network if you want, but it's not needed. All the static command above does is allow a one-to-one NAT to your DMZ from your internal network. All you're doing is natting 10.10.10.0/24 with 10.10.10.0/24.
James
www.securitygeek.net
Replied by semper on topic Re: Inside to DMZ communication
static(inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
Are both addresses supposed to be 10.10.10.0?
You can map your 10.10.10.0 network to some other network if you want, but it's not needed. All the static command above does is allow a one-to-one NAT to your DMZ from your internal network. All you're doing is natting 10.10.10.0/24 with 10.10.10.0/24.
James
www.securitygeek.net
- skepticals
- Topic Author
- Offline
- Elite Member
-
17 years 6 months ago #21649
by semper
Yes. Here is an example of my PIX configuration at home.
[code:1]
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
[/code:1]
Pretty basic stuff. Just specifying the security level of each interface.
[code:1]
fixup protocol sip 5060
fixup protocol sip udp 5060
[/code:1]
I'm having the PIX inspect SIP sessions because I have an asterisk server in my DMZ running asterisk in a VMWare session.
[code:1]
access-list outside-inbound permit icmp any any echo-reply
access-list outside-inbound permit icmp any any traceroute
access-list outside-inbound permit icmp any any time-exceeded
access-list outside-inbound permit tcp any any eq ssh
access-list outside-inbound permit udp any any eq 5060
[/code:1]
This is the ACL on my outside interface. The ICMP portion of the access-list allows the return path of pings and traceroutes through my network. The tcp/22 and udp/5060 are the only services I allow into my network (through the DMZ) from the internet.
[code:1]
access-list dmz-inbound permit icmp any any echo-reply
access-list dmz-inbound permit icmp any any traceroute
access-list dmz-inbound permit icmp any any time-exceeded
access-list dmz-inbound permit udp host 172.16.2.50 host 172.16.1.246 eq snmp
access-list dmz-inbound permit icmp host 172.16.2.50 host 172.16.1.246
access-list dmz-inbound permit tcp host 172.16.2.50 host 172.16.1.49 eq netbios-ssn
access-list dmz-inbound permit icmp host 172.16.2.50 host 172.16.1.49
access-list dmz-inbound deny ip host 172.16.2.50 172.16.1.0 255.255.255.0
access-list dmz-inbound permit udp host 172.16.2.50 any eq ntp
access-list dmz-inbound permit tcp host 172.16.2.50 any eq https
access-list dmz-inbound permit tcp host 172.16.2.50 any eq www
access-list dmz-inbound permit udp host 172.16.2.50 any eq domain
access-list dmz-inbound permit tcp host 172.16.2.48 host 172.16.1.49 eq netbios-ssn
access-list dmz-inbound permit icmp host 172.16.2.48 host 172.16.1.49
access-list dmz-inbound deny ip host 172.16.2.48 172.16.1.0 255.255.255.0
access-list dmz-inbound permit udp host 172.16.2.48 any eq ntp
access-list dmz-inbound permit tcp host 172.16.2.48 any eq https
access-list dmz-inbound permit tcp host 172.16.2.48 any eq www
access-list dmz-inbound permit tcp host 172.16.2.48 any eq domain
access-list dmz-inbound permit udp host 172.16.2.48 any eq 5060
[/code:1]
This is the access-list on my DMZ. For 172.16.2.48 and 50 I allow them to execute dns queries, http, https, and ntp access to the internet. For 172.16.2.48 I also allow it to access udp/5060 (SIP) on the internet.
Beyond that I restrict what the two computers can access on my LAN.
172.16.1.50 can access 172.16.1.246 for snmp querries as well as icmp to that address for monitoring purposes.
172.16.1.48 and 172.16.1.50 both can access 172.16.1.49 via tcp/139 and icmp so that they can mount a drive on the internal network to perform backups on a regular basis.
[code:1]
ip address outside dhcp setroute
ip address inside 172.16.1.254 255.255.255.0
ip address dmz 172.16.2.254 255.255.255.0
[/code:1]
my interfaces on my PIX.
[code:1]
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
nat (dmz) 1 172.16.2.0 255.255.255.0 0 0
[/code:1]
Basically I PAT all traffic from my internal and dmz network out my outside interface IP Address since my ISP assigns me an address via DHCP.
[code:1]
static (dmz,outside) udp interface 5060 172.16.2.48 5060 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface ssh 172.16.2.50 ssh netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
[/code:1]
Since I'm using PAT for all my traffic outside my network I have to use static commands to allow ssh and SIP into my DMZ network to the appropriate hosts.
I also allow my inside network to access the DMZ via the static command using a one-to-one nat.
[code:1]
access-group outside-inbound in interface outside
access-group dmz-inbound in interface dmz
[/code:1]
I have my access-lists applied to my outside and dmz interfaces.
[code:1]
dhcprelay server 172.16.2.50 dmz
dhcprelay enable inside
[/code:1]
My dhcp server resides on my 172.16.2.50 server so I use the dhcprelay command to route dhcp requests from my internal network to the server on my dmz. [/code]
James
www.securitygeek.net
Replied by semper on topic Re: Inside to DMZ communication
James,
Thats very interesting thanks for sharing, the way i would have done it was with policy NAT0. Just a question, does this mean that the DMZ can route traffic to the inside if the necessary access-list are in place on the DMZ interface ?
Yes.
Here is an example of my PIX configuration at home.[code:1]
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
[/code:1]
Pretty basic stuff. Just specifying the security level of each interface.
[code:1]
fixup protocol sip 5060
fixup protocol sip udp 5060
[/code:1]
I'm having the PIX inspect SIP sessions because I have an asterisk server in my DMZ running asterisk in a VMWare session.
[code:1]
access-list outside-inbound permit icmp any any echo-reply
access-list outside-inbound permit icmp any any traceroute
access-list outside-inbound permit icmp any any time-exceeded
access-list outside-inbound permit tcp any any eq ssh
access-list outside-inbound permit udp any any eq 5060
[/code:1]
This is the ACL on my outside interface. The ICMP portion of the access-list allows the return path of pings and traceroutes through my network. The tcp/22 and udp/5060 are the only services I allow into my network (through the DMZ) from the internet.
[code:1]
access-list dmz-inbound permit icmp any any echo-reply
access-list dmz-inbound permit icmp any any traceroute
access-list dmz-inbound permit icmp any any time-exceeded
access-list dmz-inbound permit udp host 172.16.2.50 host 172.16.1.246 eq snmp
access-list dmz-inbound permit icmp host 172.16.2.50 host 172.16.1.246
access-list dmz-inbound permit tcp host 172.16.2.50 host 172.16.1.49 eq netbios-ssn
access-list dmz-inbound permit icmp host 172.16.2.50 host 172.16.1.49
access-list dmz-inbound deny ip host 172.16.2.50 172.16.1.0 255.255.255.0
access-list dmz-inbound permit udp host 172.16.2.50 any eq ntp
access-list dmz-inbound permit tcp host 172.16.2.50 any eq https
access-list dmz-inbound permit tcp host 172.16.2.50 any eq www
access-list dmz-inbound permit udp host 172.16.2.50 any eq domain
access-list dmz-inbound permit tcp host 172.16.2.48 host 172.16.1.49 eq netbios-ssn
access-list dmz-inbound permit icmp host 172.16.2.48 host 172.16.1.49
access-list dmz-inbound deny ip host 172.16.2.48 172.16.1.0 255.255.255.0
access-list dmz-inbound permit udp host 172.16.2.48 any eq ntp
access-list dmz-inbound permit tcp host 172.16.2.48 any eq https
access-list dmz-inbound permit tcp host 172.16.2.48 any eq www
access-list dmz-inbound permit tcp host 172.16.2.48 any eq domain
access-list dmz-inbound permit udp host 172.16.2.48 any eq 5060
[/code:1]
This is the access-list on my DMZ. For 172.16.2.48 and 50 I allow them to execute dns queries, http, https, and ntp access to the internet. For 172.16.2.48 I also allow it to access udp/5060 (SIP) on the internet.
Beyond that I restrict what the two computers can access on my LAN.
172.16.1.50 can access 172.16.1.246 for snmp querries as well as icmp to that address for monitoring purposes.
172.16.1.48 and 172.16.1.50 both can access 172.16.1.49 via tcp/139 and icmp so that they can mount a drive on the internal network to perform backups on a regular basis.
[code:1]
ip address outside dhcp setroute
ip address inside 172.16.1.254 255.255.255.0
ip address dmz 172.16.2.254 255.255.255.0
[/code:1]
my interfaces on my PIX.
[code:1]
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
nat (dmz) 1 172.16.2.0 255.255.255.0 0 0
[/code:1]
Basically I PAT all traffic from my internal and dmz network out my outside interface IP Address since my ISP assigns me an address via DHCP.
[code:1]
static (dmz,outside) udp interface 5060 172.16.2.48 5060 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface ssh 172.16.2.50 ssh netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
[/code:1]
Since I'm using PAT for all my traffic outside my network I have to use static commands to allow ssh and SIP into my DMZ network to the appropriate hosts.
I also allow my inside network to access the DMZ via the static command using a one-to-one nat.
[code:1]
access-group outside-inbound in interface outside
access-group dmz-inbound in interface dmz
[/code:1]
I have my access-lists applied to my outside and dmz interfaces.
[code:1]
dhcprelay server 172.16.2.50 dmz
dhcprelay enable inside
[/code:1]
My dhcp server resides on my 172.16.2.50 server so I use the dhcprelay command to route dhcp requests from my internal network to the server on my dmz. [/code]
James
www.securitygeek.net
Time to create page: 0.155 seconds