This appears to be backwards:
static (internal,dmz) 10.133.24.0 10.134.1.0 netmask 255.255.255.0 0 0
should be
static (internal,dmz) 10.134.1.0 10.133.24.0 netmask 255.255.255.0 0 0
(though you probably want to narrow this down)
if I'm reading Cisco's docs correctly
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00800ec9eb.html#1026694
IIRC the static command doesn't convey directionality other than
allowing low access into high (remember that high to low is implicitly
allowed). It's been a while since I've dealt with <7.0 PIXOS though.
On 2/27/07, Chris Mitchell <sw@dorksville.net> wrote:
> Greetings folks,
>
> PIX newbie here, not really a firewall guy but need to get some stuff done
> with it, and am pretty good at basic configs. I have a 515E with 3
> interfaces (inside, outside, DMZ)- I need to allow access from a host in
> the DMZ to an internal host.
>
> DMZ host - 10.134.1.2
> Internal host - 10.133.24.3
>
> I've done a few things, but after a few days of spinning my wheels I
> thought I'd seek advice :)
>
> Some info omitted for security reasons.
>
> PIX Version 6.1(4)
> nameif ethernet0 outside security0
> nameif ethernet1 internal security50
> nameif ethernet2 dmz security30
> enable password xxx
> passwd xxx
> hostname xxx
> domain-name xxx
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> no fixup protocol domain 53
> fixup protocol rtsp 8554
> fixup protocol rtsp 7000
> fixup protocol rtsp 7001
> names
> access-list acl_in6 permit ip host 10.133.100.208 any
> access-list acl_in6 permit ip host 10.133.100.209 any
> access-list acl_in6 permit ip host 10.133.100.207 any
> access-list acl_in6 permit ip host 10.133.100.206 any
> access-list acl_in6 permit ip host 10.133.100.129 any
> access-list acl_in6 permit ip 10.133.100.0 255.255.255.0 host 10.134.1.1
> access-list acl_in6 permit ip 10.133.25.0 255.255.255.0 host 10.134.1.1
> access-list acl_in6 permit ip 10.133.24.0 255.255.255.0 host 10.134.1.1
> access-list acl_in6 permit ip host 10.133.100.205 any
> access-list acl_in6 permit ip 10.133.100.0 255.255.255.0 any
> access-list acl_in6 permit ip 10.133.24.0 255.255.255.0 host 10.134.1.2
> access-list acl_in6 permit ip host 10.134.1.2 host 10.133.24.3
> access-list acl_out3 permit tcp any host 203.xx.xxx.xxx eq smtp
> access-list acl_out3 permit tcp any host 203.xx.xxx.xxx eq www
> access-list acl_out3 permit tcp any host 203.xx.xxx.xxx eq 1352
> access-list acl_dmz3 permit tcp host 10.134.1.1 host 10.134.1.207 eq smtp
> access-list acl_dmz3 permit ip host 10.134.1.2 host 10.133.24.3
> access-list acl_dmz3 permit tcp host 10.134.1.2 host 10.133.24.3
> access-list acl_dmz3 permit udp host 10.134.1.2 host 10.133.24.3
> pager lines 24
> logging on
> logging timestamp
> logging buffered debugging
> logging trap warnings
> logging host internal 10.133.25.4
> logging host internal 10.133.25.3
> interface ethernet0 100full
> interface ethernet1 100full
> interface ethernet2 10full
> icmp deny any echo outside
> icmp permit 10.133.25.0 255.255.255.0 echo dmz
> icmp permit 10.134.1.0 255.255.255.0 echo dmz
> mtu outside 1500
> mtu internal 1500
> mtu dmz 1500
> ip address outside 203.xx.xxx.xxx 255.255.255.248
> ip address internal 10.133.100.210 255.255.255.0
> ip address dmz 10.134.1.129 255.255.255.0
> ip audit name infopolicy info action alarm
> ip audit name attackpolicy info action alarm drop
> ip audit interface outside infopolicy
> ip audit info action alarm
> ip audit attack action alarm
> arp timeout 14400
> global (outside) 1 interface
> global (dmz) 1 10.134.1.130 netmask 255.255.255.0
> nat (internal) 1 0.0.0.0 0.0.0.0 0 0
> nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
> static (dmz,outside) tcp interface www 10.134.1.1 www netmask 255.255.255.255 10 10
> static (internal,dmz) tcp 10.134.1.5 1352 10.133.25.5 1352 netmask 255.255.255.255 0 0
> static (internal,dmz) tcp 10.134.1.6 1352 10.133.25.6 1352 netmask 255.255.255.255 0 0
> static (dmz,outside) tcp interface 1352 10.134.1.1 1352 netmask 255.255.255.255 10 10
> static (internal,dmz) tcp 10.134.1.10 1352 10.133.24.10 1352 netmask 255.255.255.255 0 0
> static (internal,outside) tcp interface smtp 10.133.100.207 smtp netmask 255.255.255.255 0 0
> static (internal,dmz) tcp 10.134.1.207 smtp 10.133.100.207 smtp netmask 255.255.255.255 0 0
> static (internal,dmz) 10.133.24.0 10.134.1.0 netmask 255.255.255.0 0 0
> access-group acl_out3 in interface outside
> access-group acl_in6 in interface internal
> access-group acl_dmz3 in interface dmz
> route outside 0.0.0.0 0.0.0.0 203.xx.xxx.xxx 1
> route internal 10.133.0.0 255.255.0.0 10.133.100.129 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> http server enable
> http 10.133.100.0 255.255.255.0 internal
> http 10.133.25.0 255.255.255.0 internal
> floodguard enable
> no sysopt route dnat
> telnet timeout 30
> ssh 10.133.100.208 255.255.255.255 internal
> ssh 10.134.1.1 255.255.255.255 internal
> ssh 10.133.24.0 255.255.255.0 internal
> ssh 10.133.0.0 255.255.0.0 internal
> ssh 10.133.100.208 255.255.255.255 dmz
> ssh 10.133.100.0 255.255.255.0 dmz
> ssh 10.134.1.1 255.255.255.255 dmz
> ssh timeout 30
> terminal width 80
> Cryptochecksum:9c355bdae4a42aa97de9f3d2c77559a3
>
> Regards,
>
> Chris Mitchell
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
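As an added illustration (not part of the thread, not Cisco's code), here is a small Python resolver for PIX 6.x network `static` lines. It parses the two lines discussed in the reply and shows which real address a DMZ-side destination is translated to under each; it assumes the PIX 6.x argument order `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask`, and it also flags a mapped range that overlaps the dmz interface's own subnet (10.134.1.129/24 in the quoted config).

```python
"""Added illustration (not from the thread): resolve PIX 6.x network
`static` translations to see which real address a DMZ-side destination
actually reaches.  Assumes the PIX 6.x argument order
    static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
"""
import ipaddress
import re

# Only plain network statics are handled; tcp/udp port statics return None.
STATIC_RE = re.compile(
    r"static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) "
    r"(?P<mapped>[\d.]+) (?P<real>[\d.]+) netmask (?P<mask>[\d.]+)")

# The two lines discussed in the reply, copied from the thread.
ORIGINAL_LINE = "static (internal,dmz) 10.133.24.0 10.134.1.0 netmask 255.255.255.0 0 0"
REPLY_LINE = "static (internal,dmz) 10.134.1.0 10.133.24.0 netmask 255.255.255.0 0 0"
# dmz interface subnet, from "ip address dmz 10.134.1.129 255.255.255.0".
DMZ_IFC_NET = ipaddress.ip_network("10.134.1.129/255.255.255.0", strict=False)

def parse_static(line):
    """Return a dict for a network static, or None for other forms."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    mask = m["mask"]
    return {"real_ifc": m["real_ifc"], "mapped_ifc": m["mapped_ifc"],
            "mapped": ipaddress.ip_network(f"{m['mapped']}/{mask}", strict=False),
            "real": ipaddress.ip_network(f"{m['real']}/{mask}", strict=False)}

def resolve(statics, from_ifc, dest):
    """(real_ifc, real_ip) that a packet entering on from_ifc for dest is
    translated to, or None when no static on that pair covers dest."""
    dest = ipaddress.ip_address(dest)
    for s in statics:
        if s and s["mapped_ifc"] == from_ifc and dest in s["mapped"]:
            offset = int(dest) - int(s["mapped"].network_address)
            return s["real_ifc"], str(s["real"].network_address + offset)
    return None

def overlaps_interface(static, ifc_net):
    """True when the mapped range collides with the mapped interface's
    own subnet, so translated hosts would clash with real DMZ hosts."""
    return static["mapped"].overlaps(ifc_net)

if __name__ == "__main__":
    for line in (ORIGINAL_LINE, REPLY_LINE):
        st = parse_static(line)
        print(line)
        print("  dmz -> 10.133.24.3 reaches:", resolve([st], "dmz", "10.133.24.3"))
        print("  dmz -> 10.134.1.3  reaches:", resolve([st], "dmz", "10.134.1.3"))
        print("  mapped range overlaps dmz subnet:", overlaps_interface(st, DMZ_IFC_NET))
```

Under the poster's line a DMZ packet for 10.133.24.3 is handed to internal as 10.134.1.3, which is not the internal host; under the reply's line the internal host is reachable only via 10.134.1.3, a mapped range that sits on top of the DMZ's own subnet.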