firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: DMZ to INSIDE Communication (Darden, Patrick S.)
2. Re: DMZ to INSIDE Communication (Victor Williams)
3. Re: DMZ to INSIDE communication (chris mr) (Bernie)
4. Re: Survey of IPv6 Support Among Commercial Firewalls
(dlang@diginsite.com)
----------------------------------------------------------------------
Message: 1
Date: Fri, 12 Oct 2007 08:32:49 -0400
From: "Darden, Patrick S." <darden@armc.org>
Subject: Re: [fw-wiz] DMZ to INSIDE Communication
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <CBE22E5FF427B149A272DD1DDE1075240184E33A@EX2K3.armc.org>
Content-Type: text/plain; charset="iso-8859-1"
Your setup description confused me a bit. Forgive me if I simplify it.
Seems to me you have 4 situations here:
1. outside-->DmzSmtpIP:25
2. DmzSmtpIP-->outside:25
3. inside-->DmzSmtpIP:25
4. DmzSmtpIP-->inside:25
I. Check your ACLs first. Make sure packets are allowed according to the template above.
II. Check your NAT/PAT second. Make sure that if you are MASQuerading in any way, the interface IP you MASQuerade on is included in the ACLs in part I. E.g., if you masq your internal SMTP server's IP address using the external interface of your firewall, then make sure you include both the internal SMTP server's IP and the external interface of the firewall's IP as well in your ACLs.
I like to turn on ping as well as whatever other protocol I am working on, so I can test via ping at each step. In this case, you can use telnet to port 25 at each step i.e.:
1. from outside your network, telnet to DmzSmtpIP:25
2. from your DmzSmtpIP server telnet to any outside smtp server on port 25
3. from your Exchange server on your LAN telnet to the DmzSmtpIP:25
4. from your DmzSmtpIP server telnet to the Exchange server on your LAN on port 25
--p
-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com]On Behalf Of
chris mr
Sent: Thursday, October 11, 2007 5:06 PM
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] DMZ to INSIDE Communication
Hello,
I have an ASA5505 and I'm stumped.
I have an IIS SMTP server on the DMZ and it is able to communicate with OUTSIDE smtp servers on port 25. I want it to be able to communicate with INSIDE smtp servers, however the packets get dropped.
WEBSERVER:gt1023---------->DMZ>>>INSIDE---xx--->EXCHANGE:25
Here is the setup:
Interfaces/Vlans:
-Outside
security=0
IP 75.xx.yy.233
-Outside1
security=0 ( backup ISP )
IP 12.xx.yy.154
-Inside
security=100
IP 200.xx.yy.158
-DMZ
security=50
IP 192.168.2.1
Here is my relevant setup:
name 192.168.2.2 WEBSERVER_nat >> on DMZ interface
name 192.168.2.3 WEBSERVER_nat1 >> on DMZ interface
name 75.xx.yy.234 WEBSERVER_real >> public IP of web server
name 12.xx.yy.155 WEBSERVER_real1 >> public IP of web server (round-robin DNS setup)
name 200.xx.yy.10 GATEWAY >> MS ISA server on Inside interface
name 200.xx.yy.11 EXCHANGE >> MS Exchange on Inside interface
global (outside1) 2 interface
global (DMZ) 2 interface
global (outside) 2 interface
nat (inside) 2 GATEWAY 255.255.255.255
nat (inside) 2 EXCHANGE 255.255.255.255
static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (inside,outside1) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (DMZ,outside1) WEBSERVER_real1 WEBSERVER_nat netmask 255.255.255.255 tcp 0 25
static (DMZ,inside) WEBSERVER_real1 WEBSERVER_nat1 netmask 255.255.255.255
static (DMZ,outside) WEBSERVER_real WEBSERVER_nat netmask 255.255.255.255 tcp 0 25
static (DMZ,inside) WEBSERVER_real WEBSERVER_nat netmask 255.255.255.255
access-group ACLIN in interface outside1
access-group ACLIN in interface outside
access-list ACLIN extended deny ip 172.16.0.0 255.255.0.0 interface outside log
access-list ACLIN extended deny ip 192.168.0.0 255.255.0.0 interface outside log
access-list ACLIN extended deny ip 10.0.0.0 255.0.0.0 interface outside log
access-list ACLIN extended deny ip 10.0.0.0 255.0.0.0 interface outside1 log
access-list ACLIN extended deny ip 192.168.0.0 255.255.0.0 interface outside1 log
access-list ACLIN extended deny ip 172.16.0.0 255.255.0.0 interface outside1 log
access-list ACLIN extended permit tcp any host 75.xx.yy.233 object-group INSIDE_services (smtp)
access-list ACLIN extended permit tcp any host 12.xx.yy.154 object-group INSIDE_services (smtp)
access-list ACLIN extended permit icmp any object-group DMZ (WEBSERVER_real and _real1) object-group DMZ_icmp log
access-list ACLIN extended permit icmp any interface outside object-group OUTSIDE_icmp (echo/reply)
access-list ACLIN extended permit icmp any interface outside1 object-group OUTSIDE_icmp
access-list ACLIN extended permit tcp any object-group DMZ object-group DMZ_services (http/https/ftp)
access-list ACLIN extended permit tcp any eq domain object-group DMZ log
access-list ACLIN extended permit udp any eq domain object-group DMZ log
access-list ACLIN extended deny ip any any log
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
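The step-by-step "telnet to port 25 at each hop" check from the message above, scripted. This is an added example and not code from the original poster or the digest: it opens a TCP connection, reads the 220 banner, sends EHLO and QUIT, and classifies where the handshake stopped, so a silent drop on the firewall (no SYN-ACK, no RST) is reported as "timeout" while a reachable host with nothing listening is reported as "refused". The EHLO name "probe.example", the fake responder's "test.example" banner and the target list are placeholders; run it from each vantage point (outside host, DMZ server, inside Exchange box) against the next hop in the template.

```python
"""SMTP reachability probe for the four paths listed above.

Added example, not from the original message. Usage:
    python smtp_probe.py 192.0.2.10:25 mx.example.net:25
Run it from each vantage point (outside, DMZ server, inside Exchange box).
"""
import socket
import sys
import threading

TIMEOUT = 5.0  # seconds; a drop on the ASA never answers, so this is the ceiling


def _read_reply(sock):
    """Read one SMTP reply, multi-line "250-..." form included; return (code, lines)."""
    lines, buf = [], b""
    while True:
        chunk = sock.recv(512)
        if not chunk:
            break
        buf += chunk
        while b"\r\n" in buf:
            raw, buf = buf.split(b"\r\n", 1)
            line = raw.decode("ascii", "replace")
            lines.append(line)
            # The final line of a reply has a space (or nothing) after the 3-digit code.
            if len(line) < 4 or line[3] != "-":
                code = int(line[:3]) if line[:3].isdigit() else 0
                return code, lines
    return 0, lines


def probe_smtp(host, port=25, helo_name="probe.example", timeout=TIMEOUT):
    """Probe one host:port; 'stage' is refused, timeout, error, no-banner, bad-ehlo or ok."""
    result = {"host": host, "port": port, "stage": "error", "banner": None, "ehlo": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        result["stage"] = "refused"   # RST came back: reachable, nothing listening / rejected
        return result
    except socket.timeout:
        result["stage"] = "timeout"   # no SYN-ACK and no RST: a firewall silently dropping
        return result
    except OSError:
        return result                 # e.g. no route, name resolution failure
    with sock:
        sock.settimeout(timeout)
        try:
            code, lines = _read_reply(sock)
            result["banner"] = lines[0] if lines else ""
            if code != 220:
                result["stage"] = "no-banner"
                return result
            sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
            code, lines = _read_reply(sock)
            result["ehlo"] = lines
            result["stage"] = "ok" if code == 250 else "bad-ehlo"
            sock.sendall(b"QUIT\r\n")
        except socket.timeout:
            result["stage"] = "timeout"  # connected, but the peer never spoke SMTP
    return result


def start_fake_smtp(banner=b"220 test.example ESMTP ready\r\n"):
    """Minimal one-shot SMTP responder on 127.0.0.1 (a test fixture); returns (port, thread).

    It shows the other side of the exchange the probe expects: banner, EHLO reply, QUIT.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, srv:  # closes the listener too, so a second connect is refused
            conn.sendall(banner)
            for raw in conn.makefile("rb"):
                cmd = raw.strip().upper()
                if cmd.startswith(b"EHLO"):
                    conn.sendall(b"250-test.example\r\n250 SIZE 10485760\r\n")
                elif cmd.startswith(b"QUIT"):
                    conn.sendall(b"221 bye\r\n")
                    break

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


if __name__ == "__main__":
    targets = sys.argv[1:] or ["127.0.0.1:25"]
    for target in targets:
        host, _, port = target.rpartition(":")
        r = probe_smtp(host or target, int(port) if host else 25)
        print("%-28s %-9s %s" % (target, r["stage"], r["banner"] or ""))
```

A "timeout" on step 4 with "ok" on steps 1 to 3 points at the firewall policy between DMZ and inside rather than at the mail server itself; "refused" means the packet reached a host that answered, so the path is open and the listener is the problem.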
------------------------------
Message: 2
Date: Thu, 11 Oct 2007 18:30:22 -0500
From: Victor Williams <vbwilliams@neb.rr.com>
Subject: Re: [fw-wiz] DMZ to INSIDE Communication
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <470EB20E.1060205@neb.rr.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
You need to apply an access list on your DMZ that allows it to talk to
servers on the inside...in this case specifically an SMTP server. That
means another access-group line as well as an accompanying access-list.
chris mr wrote:
> Hello,
>
> I have an ASA5505 and I'm stumped.
>
> I have a IIS SMTP server on the DMZ and it is able to communicate with OUTSIDE smtp servers on port 25. I want it to be able to communicate with INSIDE smtp servers, however the packets get dropped.
> WEBSERVER:gt1023---------->DMZ>>>INSIDE---xx--->EXCHANGE:25
------------------------------
Message: 3
Date: Fri, 12 Oct 2007 19:56:05 +0300
From: Bernie <zenbernie@gmail.com>
Subject: Re: [fw-wiz] DMZ to INSIDE communication (chris mr)
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<b784a7ef0710120956pd167c70xd13ade96aa74ca0b@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Chris,
You are missing the ACL to allow DMZ traffic to the inside interface, which
is why it's being dropped. Here's a reference on Cisco's site that details
the solution you are after
-Bernie W.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20071012/f8d35a70/attachment-0001.html
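The point both replies make (Victor's in message 2 and Bernie's above) comes down to two rules of the ASA's decision for a new flow, modelled here as an added example that is neither Cisco code nor the original poster's configuration: with no access-group bound inbound on the ingress interface, a flow is allowed only from a higher security level to a lower one, so DMZ (50) to inside (100) is dropped; once an access-group is bound, that ACL alone decides, first match wins, implicit deny at the end. The second rule carries the caveat a practitioner wants before applying the fix: the DMZ to outside SMTP that works today works by security level alone, and it stops working the moment a DMZ_in ACL is bound unless that ACL permits it too. The model ignores NAT, the static translations, object-groups, same-security-traffic, inspection and return traffic. Interface names and security levels are the digest's; the addresses use documentation ranges in place of the masked octets, ROUTES is an assumed mapping of destination networks to interfaces, and the sample config lines are a simplified rendering of the posted ones.

```python
"""ASA-style permit/deny model for the DMZ -> inside SMTP flow (added example).

Rule 1: an access-group bound inbound on the ingress interface decides.
Rule 2: otherwise, only higher -> lower security level is permitted.
NAT, object-groups, same-security-traffic and return traffic are not modelled.
"""
import ipaddress

SECURITY = {"outside": 0, "outside1": 0, "inside": 100, "DMZ": 50}

# Assumed: which interface each destination network lives behind; unmatched -> outside.
ROUTES = {"inside": ipaddress.ip_network("203.0.113.0/24"),
          "DMZ": ipaddress.ip_network("192.168.2.0/24")}

PORT_NAMES = {"smtp": 25, "http": 80, "https": 443, "domain": 53}


def egress_interface(dst):
    """Longest-prefix lookup over ROUTES; unmatched destinations go out 'outside'."""
    dst = ipaddress.ip_address(dst)
    best = None
    for iface, net in ROUTES.items():
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best[0] if best else "outside"


def _addr(tokens):
    """Consume one ACL address spec: any | host A.B.C.D | A.B.C.D MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network("%s/%s" % (tok, tokens.pop(0)), strict=False)


def _port(tokens):
    """Consume an optional 'eq <port>' destination port; a trailing 'log' is ignored."""
    if tokens and tokens[0] == "eq":
        return PORT_NAMES.get(tokens[1]) or int(tokens[1])
    return None


def parse_config(text):
    """Return ({acl_name: [(action, proto, src, dst, dport), ...]}, {iface: acl_name})."""
    acls, groups = {}, {}
    for line in text.splitlines():
        t = line.split()
        if len(t) > 5 and t[0] == "access-list" and t[2] == "extended":
            name, action, proto, rest = t[1], t[3], t[4], t[5:]
            src, dst = _addr(rest), _addr(rest)
            acls.setdefault(name, []).append((action, proto, src, dst, _port(rest)))
        elif t[:1] == ["access-group"] and t[2:4] == ["in", "interface"]:
            groups[t[4]] = t[1]
    return acls, groups


def evaluate(acls, groups, ingress, src, dst, proto, dport=None):
    """Verdict for the first packet of a new flow entering 'ingress'; returns (verdict, why)."""
    egress = egress_interface(dst)
    if ingress in groups:                          # rule 1: the bound ACL decides
        name = groups[ingress]
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for n, (action, aproto, asrc, adst, aport) in enumerate(acls.get(name, []), 1):
            if aproto in ("ip", proto) and s in asrc and d in adst \
                    and (aport is None or aport == dport):
                return action, "%s line %d" % (name, n)
        return "deny", "%s: implicit deny" % name
    s_in, s_out = SECURITY[ingress], SECURITY[egress]  # rule 2: security levels
    why = "no ACL on %s: %s(%d) -> %s(%d)" % (ingress, ingress, s_in, egress, s_out)
    return ("permit", why) if s_in > s_out else ("deny", why + " needs an explicit permit")


# The poster's relevant lines, simplified to what this parser understands.
BASE_CONFIG = """
access-list ACLIN extended deny ip 192.168.0.0 255.255.0.0 any log
access-list ACLIN extended permit tcp any host 198.51.100.233 eq smtp
access-list ACLIN extended deny ip any any log
access-group ACLIN in interface outside
access-group ACLIN in interface outside1
"""

# The fix the replies point at. The second permit matters: once DMZ_in is bound,
# DMZ -> outside SMTP no longer passes on security level alone.
DMZ_FIX = """
access-list DMZ_in extended permit tcp host 192.168.2.2 host 203.0.113.11 eq smtp
access-list DMZ_in extended permit tcp host 192.168.2.2 any eq smtp
access-list DMZ_in extended deny ip any any log
access-group DMZ_in in interface DMZ
"""

WEBSERVER_NAT, EXCHANGE, OUTSIDE_MX = "192.168.2.2", "203.0.113.11", "192.0.2.25"
FLOWS = {"dmz_to_exchange": ("DMZ", WEBSERVER_NAT, EXCHANGE),
         "dmz_to_outside": ("DMZ", WEBSERVER_NAT, OUTSIDE_MX),
         "outside_to_exchange_pat": ("outside", OUTSIDE_MX, "198.51.100.233")}


def check(config_text):
    """Verdicts for the three TCP/25 flows that matter in the thread."""
    acls, groups = parse_config(config_text)
    return {k: evaluate(acls, groups, i, s, d, "tcp", 25)[0] for k, (i, s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, cfg in (("as posted", BASE_CONFIG), ("with DMZ_in", BASE_CONFIG + DMZ_FIX)):
        acls, groups = parse_config(cfg)
        print(label)
        for name, (i, s, d) in FLOWS.items():
            print("  %-24s %-6s %s" % ((name,) + evaluate(acls, groups, i, s, d, "tcp", 25)))
```

Note that the source in a DMZ inbound ACL is the server's real DMZ address (192.168.2.2 in the posted config), not the WEBSERVER_real address it is translated to on other interfaces.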
------------------------------
Message: 4
Date: Tue, 9 Oct 2007 13:51:47 -0700 (PDT)
From: dlang@diginsite.com
Subject: Re: [fw-wiz] Survey of IPv6 Support Among Commercial
Firewalls
To: dave@corecom.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.63.0710091351200.17048@qynat.qvtvafvgr.pbz>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Fri, 5 Oct 2007, Dave Piscitello wrote:
> Some of you may recall I began a survey over the summer.
>
> The report is now available at:
>
> http://www.icann.org/committees/security/sac021.pdf
Are the responses themselves available anywhere?
David Lang
------------------------------
End of firewall-wizards Digest, Vol 18, Issue 7
***********************************************