Need help with Network

mkyc87 · Joined: Aug 21, 2008 Posts: 2

Hi all,

I was tasked to setup a network with a PIX 515e Firewall, and the network should be divided into inside/outside/dmz.

On the inside, I'm hosting a DNS server and a Syslog server, both run on the same physical machine but seperate VMs. The DNS server hosts both the inside and DMZ clients.

On the DMZ, I've setup a web server and a file server.

The inside users should be able to access all services on the DMZ as well as the outside. While the outside will only be allowed access to the DMZ web server and file server.

Here's my current PIX config:

IP Inside: 10.0.0.1 255.255.255.0
DNS/Syslog: 10.0.0.5 / 10.0.0.4

IP Outside: 192.168.168.18 255.255.255.0

IP DMZ: 10.33.1.1 255.255.255.0
DMZ Web/File: 10.33.1.10 / 10.33.1.20

access-list all permit tcp any any
access-list all permit icmp any any
access-list all permit udp any any

nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.33.1.0 255.255.255.0

global (outside) 1 39.0.18.2-39.0.18.5 //Global IP address pool
global (outside) 1 interface

static (dmz, outside) 39.0.18.2 10.33.1.10 netmask 255.255.255.255
static (dmz, outside) 39.0.18.3 10.33.1.20 netmask 255.255.255.255
static (inside,outside) 39.0.18.1 10.0.0.5 netmask 255.255.255.255
static (inside, dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
static (dmz, inside) 10.33.1.10 10.33.1.10 netmask 255.255.255.255
static (dmz, inside) 10.33.1.20 10.33.1.20 netmask 255.255.255.255

access-group all in interface outside
access-group all in interface inside
access-group all in interface dmz

route outside 0.0.0.0 0.0.0.0 192.168.168.1

The problem I'm facing right now is that the external network users aren't able to access my web server, and "nslookup" resolves my web server as 10.33.1.10 instead of 39.0.18.2 that should be seen by external users. Likewise for my file server.

So what I want to ask is, do I have to include 39.0.18.0/24 into my DNS server? If so, where do I include it?

I'm using Win2k3 Server DNS.

Any advice right now would be really helpful.
Thanks

Baby_Tux · Joined: Mar 06, 2007 Posts: 1242

255.255.255.255

Is this a TYPO? - 'cause (I believe) it can't exist. The highest the last octet can be with the rest at 255 is 252 & that would give you 2 HOST. - Seems to apply to SUPERNETTING, too.

At least that is what the following calc says:
http://www.subnet-calculator.com/subnet.php?net_class=A

But it's been a while since I've done any of the calculations in binary, so I can't really confirm this, as at present, I don't remember exactly how. - upcoming classes may solve that problem though.

But I DO know if that if the subnets aren't the same on both ends, you WON'T see it.(without allowing some two domain wizardry) So that would also seem to answer your problem.

mkyc87 · Joined: Aug 21, 2008 Posts: 2

Hmm, I'm quite sure that the subnet mask should be 255.255.255.255 for those particular instances. Mainly because other subnet masks would work for that static translation. I already tried 255.255.255.252, but the PIX churns out an error saying that the subnet mask is invalid for the IP address range.

Baby_Tux · Joined: Mar 06, 2007 Posts: 1242

Well, like I said, it has to be correct to put on the same domain as what you are intending it to belong to or it WILL error.

Suggest you check what it should actually be. - if you are supernetting, it COULD be correct, but at this point, I'm still doubting it. Without doing the math, to figure it, I can't be 100% sure. - but either way, the IP address is where I'd start looking.

Then start "PINGING" - one side then the other...