Pix Internal to DMZ Access

[hamed23]

با سلام و عرض خسته نباشید
با توجه به سناریو زیر برای دسترسی Internal to DMZ و DMZ to DMZ باید چه دستوراتی در PIX نوشته بشه؟

Internal ===> PIX <===> External
|
|
DMZ
|

Web Server FTP Server

External Address:1.1.1.0/27
DMZ:192.168.2.0/24
Web Server:192.168.2.2 Maped 1.1.1.1
FTP Server:192.168.2.3 Maped 1.1.1.2
Internal:192.168.1.0/24 DNAT 1.1.1.5

با توجه به سناریو بالا و تنظیماتی که بروی فایروال اعمال شده از شبکه External به راحتی به Web Server و FTP Server دسترسی دارم و از شبکه Internal نیز به اینترنت دسترسی دارم ولی متاسفانه از شبکه Internal نمی تونم به Web و FTP که در ناحیه DMZ قرار دارند دسترسی داشته باشم البته من میخوام با آدرس Publicشون (1.1.1.1 & 1.1.1.2)به این دو سرور دسترسی داشته باشم همین مشکل رو برای ناحیه DMZ هم دارم مثلا سرور FTP میخوام به آدرس PUBLIC وب سرور دسترسی داشته باشه.

ممنون میشم برای حل این مشکل بنده رو یاری بفرمائید.

---

موضوعات مشابه:

• ایجاد محدودیت بین دو شبکهInternal
• internal messenger
• Internal web site& csh
• internal nterface در RRAS
• تنظیم ip های internal network در isa2004

---

[hamed23]

لطفا برای حل مشکل ، بنده رو یاری بفرمائید.

[EVERAL]

لطفا برای حل مشکل ، بنده رو یاری بفرمائید.

سلام
Cisco PIX 500 Series Security Appliances Configuration Examples and TechNotes - Cisco Systems
Cisco PIX Firewall Basics

[hamed23]

سلام
ممنون از لینک هایی که ارسال کردید،من قبلا این لینک ها رو مطالعه کردم بودم ولی متاسفانه به نتیجه ای نرسیدم.

این کل کانفیگی هستش که روی فایروال انجام دادم
مثلا کاربران Internal با استفاده از 1.1.1.2 به میل سرور دسترسی داشته باشند.

PIX Version 8.0(4)
!
hostname ************
domain-name ****************
enable password ********************** encrypted
names
name 1.1.1.2 Mail-Srv-Public description External-Public Address
name 1.1.1.3 Antivirus-Srv-Public description External-Public Address
name 172.16.200.5 Antivirus-Srv-Local description DMZ-Local Address
name 172.16.200.3 DNS-Srv-Local description DMZ-Local Address
name 172.16.200.4 Mail-Srv-Local description DMZ-Local Address
name 172.16.200.6 WSUS-Srv-Local description DMZ-Local Address
name 172.16.200.0 DMZ-Network
name 1.1.1.0 External-Network
name 172.16.201.0 Internal-Network
name 1.1.1.4 DNS-Srv-Public description External-Public Address
name 1.1.1.5 WSUS-Srv-Public description External-Public Address

dns-guard
!
interface Ethernet0
nameif External
security-level 0
ip address 1.1.1.1 255.255.255.0
!

!
interface Ethernet1
nameif Internal
security-level 100
ip address 172.16.201.1 255.255.255.240
!
interface Ethernet2
nameif DMZ
security-level 50
ip address 172.16.200.1 255.255.255.224
!
interface Ethernet3
shutdown
nameif intf3
security-level 8
no ip address
!
interface Ethernet4
shutdown
nameif intf4
security-level 8
no ip address
!
interface Ethernet5
shutdown
nameif intf5
security-level 10
no ip address
!
boot system flash:/pix804.bin
ftp mode passive
clock timezone WST -11
dns domain-lookup Internal
dns server-group DefaultDNS
name-server ************
name-server ********************
domain-name ****************
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service rdp tcp
port-object eq ****
object-group service RDC-d
service-object tcp eq ****
object-group network DM_INLINE_NETWORK_1
network-object host Mail-Srv-Public
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
port-object eq pop3
port-object eq smtp
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
port-object eq pop3
port-object eq smtp
access-list Internal_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list Internal_access_in_1 extended permit ip any any log errors
access-list VEZ_access_in extended permit ip any any
access-list External-Internet_access_in extended permit object-group TCPUDP any host DNS-Srv-Public eq domain
access-list External-Internet_access_in extended permit tcp any host DNS-Srv-Public object-group rdp
access-list External-Internet_access_in extended permit ip any host Antivirus-Srv-Public
access-list External-Internet_access_in extended permit ip any host WSUS-Srv-Public
access-list External-Internet_access_in extended permit icmp any object-group DM_INLINE_NETWORK_1 echo-reply
access-list External-Internet_access_in extended permit tcp any host Mail-Srv-Public object-group DM_INLINE_TCP_2
access-list External-Internet_access_in extended permit tcp any host Mail-Srv-Public object-group rdp
pager lines 24
logging enable
logging standby
logging emblem
logging asdm informational
logging facility 18
logging host DMZ 172.16.200.7 format emblem
logging debug-trace
logging permit-hostdown
mtu Ethernet 1500
mtu External 1500
mtu Internal 1500
mtu DMZ 1500
mtu VEZ 1500
mtu intf4 1500
mtu intf5 1500
ip verify reverse-path interface DMZ
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
asdm history enable
arp timeout 14400
global (External) 2 1.1.1.10-1.1.1.20 netmask 255.255.255.***
global (External) 1 interface
global (Internal) 1 interface
global (DMZ) 200 172.16.200.20-172.16.200.29 netmask 255.255.255.224
global (DMZ) 100 interface
nat (Internal) 2 0.0.0.0 0.0.0.0
static (DMZ,External) Mail-Srv-Public Mail-Srv-Local netmask 255.255.255.255
static (DMZ,External) DNS-Srv-Public DNS-Srv-Local netmask 255.255.255.255
static (DMZ,External) WSUS-Srv-Public WSUS-Srv-Local netmask 255.255.255.255
static (DMZ,External) Antivirus-Srv-Public Antivirus-Srv-Local netmask 255.255.255.255
access-group External-Internet_access_in in interface External
access-group Internal_access_in_1 in interface Internal
access-group DMZ_access_in in interface DMZ
access-group VEZ_access_in in interface VEZ
route External 0.0.0.0 0.0.0.0 ****** 1
route Internal 172.16.1.96 255.255.255.240 172.16.201.2 2
route Internal 172.16.201.3 255.255.255.255 172.16.201.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http ****** 255.255.255.*** *****
http ****** 255.255.255.*** *****
snmp-server host DMZ 172.16.200.7 community NetworkDevice version 2c
no snmp-server location
no snmp-server contact
snmp-server community NetworkDevice
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
no sysopt connection permit-vpn
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet ******* 255.255.255.255 DMZ
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username ****** password ******** encrypted privilege 15
!
class-map class_sip_tcp
match port tcp eq sip
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect tftp
class class_sip_tcp
inspect sip
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
prompt hostname context

: end