PIX Set up to Use the alias Command for a Server Sitting on the DMZ

This case study shows a way of using the alias command. This command is set up so that it can deliver the results discussed in the section "NAT on the Destination IP Addresses." Example 8-3 provides a complete configuration for setting up the PIX Firewall to use the alias feature to achieve this result.

Consider a web server. If the web server and the client trying to access it are on the same PIX interface, the normal way of configuring the alias command (alias <Name of interface on which the server and client are located> <RFC 1918 address of the server> <Statically translated address of the server>) works fine. The alias command doctors the DNS server response for the name of the web server such that the client trying to connect to the server uses its private IP address to connect to it.

However, problems arise when the web server is sitting on a subnet connected to a different interface of the PIX than the client. In that case, the normal way of configuring the alias command does not work. The reason for this is that when the client sends a packet to the web server's private IP address provided to it by the doctoring PIX, the PIX translates it back into the web server's public or globally routable address and routes it out the public or outside interface. Of course, this is incorrect because the web server is not located on the public network but rather on a DMZ segment.

The way to fix this problem is to reverse the IP addresses configured in the alias command, as demonstrated in Example 8-3. Due to the reversal, the PIX no longer doctors the DNS response to another address, because it does not match the alias command setup. However, when the client sends a packet to the web server's globally routable address, the PIX dutifully changes the destination address to the web server's private address and then sends it to the interface on which the web server is located.

Figure 8-14 shows the network topology for this case study.

Figure 8-14 Network Topology for This Case Study

[Figure 8-14: the client sits on the 192.168.5.0/24 network behind the PIX inside interface (192.168.5.1); the PIX outside interface is 172.17.241.155 and Int2 is 192.168.10.1; the web server (192.168.10.5) sits on the Int2 segment.]

Example 8-3 Configuring the PIX Firewall to Use the Alias Feature

pixfirewall#wr t
PIX Version 5.2(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
names
!The access list that follows is used to allow access to the web server
access-list 101 permit tcp any host 172.17.241.250 eq www
access-list 101 permit icmp any any
no pager
logging on
no logging timestamp
no logging standby
logging console emergencies
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10full
interface ethernet1 10full
interface ethernet2 10full
interface ethernet3 10full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 172.17.241.155 255.255.255.0
ip address inside 192.168.5.1 255.255.255.0
ip address intf2 192.168.10.1 255.255.255.0
ip address intf3 10.51.8.1 255.0.0.0
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
arp timeout 14400
!The command below sets up a global pool of one address for doing port address
!translation. The IP address used is the IP address of the outside interface
!itself. This is another way of defining a global pool of addresses.
global (outside) 1 interface
global (intf2) 1 192.168.5.101-192.168.5.200
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
nat (intf3) 1 10.51.8.1 255.255.255.0 0 0
!This static command is used to allow users on the public network to access the
!web server using its globally routable address
static (intf2,outside) 172.17.241.250 192.168.10.5 netmask 255.255.255.255 0 0
!Please note how the alias command is configured. The normal way of configuring
!the alias command is as follows:
! alias (inside) 192.168.10.5 172.17.241.250 255.255.255.255
!Generic syntax:
! alias (interface) dnat_ip foreign_ip mask
!As you can see, the addresses have been swapped due to reasons explained above
alias (inside) 172.17.241.250 192.168.10.5 255.255.255.255
access-group 101 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
route outside 0.0.0.0 0.0.0.0 172.17.241.200 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet timeout 5
ssh timeout 5
terminal width 80
: end

Here is an explanation of the flow of events in Example 8-3:

Step 1 The client on the inside sends a DNS query to a DNS server.

Step 2 The DNS server responds with the IP address 172.17.241.250 to the PIX.

Step 3 The inside client tries to access 172.17.241.250 and sends a packet with this IP address as the destination to the PIX Firewall. However, because of the presence of the alias command, PIX does destination address translation and sends the packet to 192.168.10.5, which is the web server.

If the alias command were configured in the normal fashion:

alias (inside) 192.168.10.5 172.17.241.250 255.255.255.255

the following would have been the sequence of events:

Step 1 The client on the inside sends a DNS query to a DNS server.

Step 2 The DNS server responds with the IP address 172.17.241.250 to the PIX, which alters this response to 192.168.10.5 because of the presence of the alias command.

Step 3 The inside client tries to access 192.168.10.5 and sends a packet with this IP address as the destination to the PIX Firewall. However, because of the presence of the alias command, PIX does not simply forward the packet to intf2. It performs destination address translation on the packet and sends it to 172.17.241.250 via the outside interface.

Step 4 The connection fails, because this IP address is in the same segment as the PIX outside interface, so the packet is left on the outside segment for a host that is supposedly directly connected there.
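To make the two alias orderings concrete, here is an added Python model (not Cisco's code and not part of the original chapter) that replays Steps 1 through 3 for both the normal and the swapped alias command of Example 8-3. The interface subnets, the addresses and the static mapping come from Figure 8-14 and the configuration; the DNS answer and the simplified "route to the interface that owns the subnet, otherwise the default route" logic are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass

# Directly connected subnets per PIX interface, taken from Figure 8-14
INTERFACES = {
    "outside": ipaddress.ip_network("172.17.241.0/24"),
    "inside": ipaddress.ip_network("192.168.5.0/24"),
    "intf2": ipaddress.ip_network("192.168.10.0/24"),
}
WEB_SERVER = ("intf2", "192.168.10.5")  # where the server really lives
DNS_ANSWER = "172.17.241.250"           # assumed reply from the public DNS server


@dataclass(frozen=True)
class Alias:
    """alias (interface) dnat_ip foreign_ip 255.255.255.255 (host mask assumed)."""
    interface: str
    dnat_ip: str
    foreign_ip: str


def doctor_dns(alias, answer):
    """A DNS reply carrying foreign_ip is rewritten to dnat_ip for clients
    on alias.interface; any other answer passes through untouched."""
    return alias.dnat_ip if answer == alias.foreign_ip else answer


def forward(alias, dst):
    """Packet from alias.interface: a destination equal to dnat_ip is
    translated to foreign_ip, then the packet goes to the interface owning
    the resulting subnet (the default route of Example 8-3 points outside)."""
    new_dst = alias.foreign_ip if dst == alias.dnat_ip else dst
    for name, net in INTERFACES.items():
        if ipaddress.ip_address(new_dst) in net:
            return new_dst, name
    return new_dst, "outside"


def client_session(alias):
    """Replay Steps 1-3 of the text: DNS lookup, then the client's first packet."""
    client_dst = doctor_dns(alias, DNS_ANSWER)
    final_dst, egress = forward(alias, client_dst)
    return {
        "client_dst": client_dst,
        "final_dst": final_dst,
        "egress": egress,
        "reaches_web_server": (egress, final_dst) == WEB_SERVER,
    }


NORMAL = Alias("inside", "192.168.10.5", "172.17.241.250")    # the failing order
REVERSED = Alias("inside", "172.17.241.250", "192.168.10.5")  # Example 8-3
```

Running `client_session(NORMAL)` shows the doctored answer being translated back to 172.17.241.250 and sent out the outside interface, while `client_session(REVERSED)` leaves the DNS answer alone and delivers the packet to 192.168.10.5 on intf2.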
