Firewall Wizards mailing list archives

Help with Pix 515: Internet/Web/DB traffic


From: Jonathan Laventhol <jonathan.laventhol () imagination com>
Date: Wed, 20 Oct 2004 17:22:23 +0100

Dear Firewallers --

I've got a Pix 515 connecting a number of networks together
and am getting stuck on a particular issue relating to
how the networks pass traffic.

Portions of (slightly simplified) config:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 proddemo security10
nameif ethernet3 client security70
nameif ethernet4 pubserv security80
nameif ethernet5 privserv security90

ip address outside 1.2.3.7 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address proddemo 10.2.1.1 255.255.255.0
ip address client 10.1.1.1 255.255.255.0
ip address pubserv 10.0.1.1 255.255.255.0
ip address privserv 10.0.2.1 255.255.255.0

I'm expecting mostly to use 'natural' IP
addresses -- that is, most hosts refer to
the others by their real addresses in 10.X.X.X
The exception is incoming web accesses from
outside (and proddemo)

My goal is this:

* Outside is normal public internet

* Inside is management LAN: any access anywhere

* pubserv has web servers which are static-NAT
available to outside and proddemo LANs.  It
opens connections to MS-SQL server on privserv.
It offers file server access to clients
on client.

* privserv has MS-SQL servers feeding SQL
clients on pubserv and client LANs.

* client has MS-SQL (of servers on privserv)
and fileserver (on pubserv).

* proddemo is a 'web cafe': can web/ftp/etc
out to 'outside' (with PAT) and can open
web connections into 'pubserv' with static
NAT.  That is, a PC on proddemo sees
web servers just like everybody else on the
internet.

What I've got so far is successful web service
but the NAT/PAT/Static/Global is confusing
me deeply!

My main question is:

How do I publish my web server 10.0.1.64
to outside and proddemo as 1.2.3.5, and
to client as 10.0.1.64?

Everything I've tried gives me errors like:
        %PIX-2-106001: Inbound TCP connection denied
        from 10.0.1.64/1035 to 10.0.2.64/80 flags SYN
        on interface pubserv

This is my (admittedly very confused) attempt
at it:

global (outside) 10 interface
global (pubserv) 10 interface
global (privserv) 10 interface

nat (inside) 10 10.0.0.0 255.255.255.0 0 0
nat (proddemo) 10 10.2.1.0 255.255.255.0 0 0
nat (privserv) 0 access-list acl-nonat
access-list acl-nonat permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list acl-nonat permit tcp 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0

static (pubserv,outside) 1.2.3.5 10.0.1.64 netmask 255.255.255.255 0 0
static (pubserv,outside) 1.2.3.6 10.0.1.65 netmask 255.255.255.255 0 0
static (pubserv,proddemo) 12.0.30.175 10.0.1.64 netmask 255.255.255.255 0 0
static (pubserv,proddemo) 12.0.30.176 10.0.1.65 netmask 255.255.255.255 0 0
static (privserv,client) 10.0.2.64 10.0.2.64 netmask 255.255.255.255 0 0
static (privserv,pubserv) 10.0.2.64 10.0.2.64 netmask 255.255.255.255 0 0
static (privserv,inside) 10.0.2.64 10.0.2.64 netmask 255.255.255.255 0 0

I've got some access lists as well, but they are definitely not
my issue -- we've got very good logging on a syslog server.


All help gratefully received.  (Anybody in NYC?)

Jonathan.
--
______________________________________________________________________
 Imagination
 155 Franklin Street New York NY 1001

 This email contains privileged and confidential information, and is
 intended only for the addressee. If you are not the named addressee
 you should not disseminate, distribute or copy this email.  Please
 notify the sender immediately by email if you have received this
 email by mistake and please delete it from your system.
______________________________________________________________________

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
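As an added worked example (not from the original post or any reply in the thread), here is one PIX 6.x-style configuration that meets the goals listed above: the web servers carry the same two public addresses whether reached from outside or from proddemo, the internal LANs address each other by their real 10.x addresses through identity statics, and each lower-security interface carries the inbound access-list a PIX requires before it will accept a connection toward a higher-security one. Interface names, security levels and addresses are those in the post; everything else is an assumption and is marked as such in the comments: TCP 1433 for MS-SQL, TCP 139/445 for the file server, an upstream gateway of 1.2.3.1, and proddemo PCs using 10.2.1.1 as their default gateway.

```cisco
: Added example configuration (not the original poster's config).
: Comment lines use the PIX ':' convention. Port numbers, the 1.2.3.1
: gateway and the proddemo default route are assumptions.

: --- Outbound PAT for the two networks that browse the internet.
global (outside) 10 interface
nat (proddemo) 10 10.2.1.0 255.255.255.0 0 0
nat (inside) 10 10.0.0.0 255.255.255.0 0 0

: --- Management LAN keeps its real addresses toward every 10.x LAN.
: nat 0 with an access-list is evaluated before nat 10, so only
: internet-bound traffic from inside is PATed to 1.2.3.7.
access-list nonat-inside permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat-inside

: --- Web servers: the same public identity from outside and from proddemo.
: A (pubserv,proddemo) static may use an address outside proddemo's own
: subnet; a proddemo PC sends to 1.2.3.5 via its default gateway 10.2.1.1
: (assumed) and the PIX untranslates it to 10.0.1.64.
static (pubserv,outside)  1.2.3.5 10.0.1.64 netmask 255.255.255.255 0 0
static (pubserv,outside)  1.2.3.6 10.0.1.65 netmask 255.255.255.255 0 0
static (pubserv,proddemo) 1.2.3.5 10.0.1.64 netmask 255.255.255.255 0 0
static (pubserv,proddemo) 1.2.3.6 10.0.1.65 netmask 255.255.255.255 0 0

: --- Identity statics: real addresses between the internal LANs.
: For every lower-to-higher pair the higher side's addresses must be
: published on the lower interface; with no xlate the PIX logs 106001.
static (pubserv,client)   10.0.1.0 10.0.1.0 netmask 255.255.255.0 0 0
static (privserv,client)  10.0.2.0 10.0.2.0 netmask 255.255.255.0 0 0
static (privserv,pubserv) 10.0.2.0 10.0.2.0 netmask 255.255.255.0 0 0

: --- Inbound access-lists. The ACL on an interface matches addresses as
: they appear on that interface: 1.2.3.5 on outside and proddemo, not 10.0.1.64.
access-list acl-outside permit tcp any host 1.2.3.5 eq www
access-list acl-outside permit tcp any host 1.2.3.6 eq www
access-group acl-outside in interface outside

: proddemo: web to the published servers, then web/ftp/dns to the internet.
: The explicit deny stops the 'any' lines from reaching the other 10.x LANs.
access-list acl-proddemo permit tcp 10.2.1.0 255.255.255.0 host 1.2.3.5 eq www
access-list acl-proddemo permit tcp 10.2.1.0 255.255.255.0 host 1.2.3.6 eq www
access-list acl-proddemo deny ip 10.2.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list acl-proddemo permit tcp 10.2.1.0 255.255.255.0 any eq www
access-list acl-proddemo permit tcp 10.2.1.0 255.255.255.0 any eq 443
access-list acl-proddemo permit tcp 10.2.1.0 255.255.255.0 any eq ftp
access-list acl-proddemo permit udp 10.2.1.0 255.255.255.0 any eq domain
access-group acl-proddemo in interface proddemo

: client: MS-SQL (TCP 1433 assumed) to privserv, file sharing
: (TCP 139/445 assumed) to pubserv.
access-list acl-client permit tcp 10.1.1.0 255.255.255.0 10.0.2.0 255.255.255.0 eq 1433
access-list acl-client permit tcp 10.1.1.0 255.255.255.0 10.0.1.0 255.255.255.0 eq 139
access-list acl-client permit tcp 10.1.1.0 255.255.255.0 10.0.1.0 255.255.255.0 eq 445
access-group acl-client in interface client

: pubserv: only MS-SQL toward privserv, as in the stated goal. Once an ACL
: is bound here, anything else pubserv initiates (even toward the
: lower-security client LAN) needs its own permit line.
access-list acl-pubserv permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0 eq 1433
access-group acl-pubserv in interface pubserv

: Default route toward the internet (gateway address assumed).
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
```

Two PIX rules explain most 106001 messages of the kind quoted in the post. First, a connection into a higher-security interface needs both an xlate for the destination (a static, or nat 0 on the higher side) and a permit in the inbound access-list of the interface the SYN arrives on; the quoted denial is for 10.0.1.64 on pubserv (security 80) reaching 10.0.2.64 on privserv (security 90), so it is subject to both, and the example above opens only TCP 1433 in that direction, not the port 80 shown in the log. Second, in `nat (X) 0 access-list NAME` the source addresses in NAME are interface X's own hosts, and the destinations are what they talk to; the ACL is written from the perspective of the interface it is bound to. `show xlate` confirms which translations the box actually built, and `show access-list` shows per-line hit counts, which is the quickest way to tell a missing xlate from a missing permit.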

