Topic: Replacing a PIX 515, Need help translating from PIX to monowall  (Read 1890 times)
« on: May 12, 2011, 18:52:23 »
dmgaddy *
Posts: 4

I am in the process of replacing our PIX 515 and am quickly running into unexpected roadblocks.  I need help!  I have attached a network diagram (in pdf format) to help explain my circumstance.

First question, I have two webservers on the DMZ and our Exchange server is on the inside (LAN).  How do I set up HTTPS for three servers on two interfaces?  I am getting an error when I try to set up NAT for more than one server: "The external port range overlaps with an existing entry."  I have 1:1 NAT configured (see attached), and I have included the relevant lines from the PIX config for the Exchange server.

Any advice or direction (not step-by-step instructions) you can share will be greatly appreciated.  I have read through the manual and been searching the support forum, but I either haven't found the answer I need, or I didn't recognize the answer when I read it.  :(

I'm sure there will be more questions to come, and thank you for your help in advance.

David G.

* 3LegPerimeter.pdf (167.62 KB - downloaded 276 times.)
« Reply #1 on: May 13, 2011, 00:41:06 »
rpsmith ***
Posts: 113

David,

If you are using 1:1 NAT, you only need WAN rules to allow access to your servers.  Are you trying to 1:1 NAT and NAT at the same time for the same IP?

Roy...
« Last Edit: May 13, 2011, 01:12:08 by rpsmith »
« Reply #2 on: May 13, 2011, 15:05:34 »
dmgaddy *
Posts: 4

Ummmm, yes, I guess that is what I am doing.  :-(  I really am struggling to understand the cause / effect relationship of the 1:1 NAT.  I assumed the firewall would not allow traffic unless I carved a hole in it for such access.  I just removed all the HTTP HTTPS rules from the WAN and Incoming NAT (left the 1:1 in place) and I can still open the web page on my test server from my home computer.  Does just setting up 1:1 NAT on the LAN and DMZ open the whole network?  I thought removing the HTTP rules on WAN and Incoming NAT would block me from getting in.  It did not . . . .

Maybe there is something else at play here?

This is my current config, do you see anything terribly wrong with it?


<?xml version="1.0"?>
<m0n0wall>
    <version>1.8</version>
    <lastchange>1305289548</lastchange>
    <system>
        <hostname>m0n0wall</hostname>
        <domain>xxxxx.net</domain>
        <dnsallowoverride/>
        <username>xxxxx</username>
        <password>xxxxx</password>
        <timezone>America/New_York</timezone>
        <time-update-interval>300</time-update-interval>
        <timeservers>1.m0n0wall.pool.ntp.org</timeservers>
        <webgui>
            <protocol>http</protocol>
            <port/>
        </webgui>
        <dnsserver>8.8.8.8</dnsserver>
        <dnsserver>8.8.4.4</dnsserver>
    </system>
    <interfaces>
        <lan>
            <if>bge1</if>
            <ipaddr>172.18.1.123</ipaddr>
            <subnet>24</subnet>
            <media/>
            <mediaopt/>
        </lan>
        <wan>
            <if>bge0</if>
            <blockpriv/>
            <media/>
            <mediaopt/>
            <ipaddr>x.x.116.123</ipaddr>
            <subnet>24</subnet>
            <gateway>x.x.116.1</gateway>
            <spoofmac/>
        </wan>
        <opt1>
            <if>em0</if>
            <descr>DMZ</descr>
            <ipaddr>172.18.2.123</ipaddr>
            <subnet>24</subnet>
            <bridge/>
            <enable/>
        </opt1>
    </interfaces>
    <staticroutes/>
    <pppoe/>
    <pptp/>
    <dyndns>
        <type>dyndns</type>
        <username/>
        <password/>
        <host/>
        <mx/>
        <server/>
        <port/>
    </dyndns>
    <dnsupdate/>
    <dhcpd>
        <lan>
            <range>
                <from>192.168.1.100</from>
                <to>192.168.1.199</to>
            </range>
        </lan>
    </dhcpd>
    <pptpd>
        <mode>server</mode>
        <nunits>32</nunits>
        <redir/>
        <localip>172.18.1.254</localip>
        <remoteip>172.18.1.128</remoteip>
        <radius>
            <server/>
            <secret/>
        </radius>
        <user>
            <name>xxxxx</name>
            <ip/>
            <password>xxxxx</password>
        </user>
    </pptpd>
    <dnsmasq>
        <enable/>
    </dnsmasq>
    <snmpd>
        <syslocation/>
        <syscontact/>
        <rocommunity>public</rocommunity>
    </snmpd>
    <diag/>
    <bridge/>
    <syslog>
        <nentries>50</nentries>
        <remoteserver>172.18.1.11</remoteserver>
        <remoteport/>
        <filter/>
        <system/>
        <enable/>
        <dhcp/>
        <portalauth/>
        <vpn/>
        <rawfilter/>
    </syslog>
    <nat>
        <advancedoutbound/>
        <onetoone>
            <external>x.x.114.0</external>
            <internal>172.18.1.0</internal>
            <subnet>24</subnet>
            <descr>LAN (Internal)</descr>
            <interface>wan</interface>
        </onetoone>
        <onetoone>
            <external>x.x.115.0</external>
            <internal>172.18.2.0</internal>
            <subnet>24</subnet>
            <descr>DMZ (Perimeter)</descr>
            <interface>wan</interface>
        </onetoone>
        <rule>
            <protocol>tcp</protocol>
            <external-port>20</external-port>
            <target>WEBHST1</target>
            <local-port>20</local-port>
            <interface>wan</interface>
            <descr>FTP Port 20 on WEBHST1</descr>
        </rule>
        <rule>
            <protocol>tcp</protocol>
            <external-port>21</external-port>
            <target>WEBHST1</target>
            <local-port>21</local-port>
            <interface>wan</interface>
            <descr>FTP on WEBHST1</descr>
        </rule>
        <rule>
            <protocol>tcp</protocol>
            <external-port>1433</external-port>
            <target>SQLHST2</target>
            <local-port>1433</local-port>
            <interface>wan</interface>
            <descr/>
        </rule>
        <rule>
            <protocol>tcp</protocol>
            <external-port>49152-65535</external-port>
            <target>WEBHST1</target>
            <local-port>49152</local-port>
            <interface>wan</interface>
            <descr>FTP Data on WEBHST1</descr>
        </rule>
    </nat>
    <filter>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <source>
                <any/>
            </source>
            <destination>
                <network>opt1</network>
            </destination>
            <descr/>
        </rule>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>WEBHST1</address>
                <port>21</port>
            </destination>
            <descr>NAT FTP on WEBHST1</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>WEBHST1</address>
                <port>49152-65535</port>
            </destination>
            <descr>NAT FTP Data on WEBHST1</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>WEBHST1</address>
                <port>20</port>
            </destination>
            <descr>NAT FTP Port 20 on WEBHST1</descr>
        </rule>
        <rule>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>SQLHST2</address>
                <port>1433</port>
            </destination>
            <descr>NAT </descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>pptp</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
            </destination>
            <log/>
            <descr>Default PPTP --&gt; any</descr>
        </rule>
        <rule>
            <type>block</type>
            <interface>opt1</interface>
            <source>
                <any/>
            </source>
            <destination>
                <network>lan</network>
            </destination>
            <descr>Block DMZ traffic to LAN</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>opt1</interface>
            <source>
                <network>opt1</network>
            </source>
            <destination>
                <network>lan</network>
                <not/>
            </destination>
            <descr>Permit DMZ to any *BUT* LAN</descr>
        </rule>
        <rule>
            <type>pass</type>
            <descr>Default LAN -&gt; any</descr>
            <interface>lan</interface>
            <source>
                <network>lan</network>
            </source>
            <destination>
                <any/>
            </destination>
        </rule>
        <rule>
            <type>pass</type>
            <descr>Default IPsec VPN</descr>
            <interface>ipsec</interface>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
            </destination>
        </rule>
    </filter>
    <shaper/>
    <ipsec/>
    <aliases>
        <alias>
            <name>WEBHST1</name>
            <address>172.18.2.30</address>
            <descr>WEBHST1 Private IP</descr>
        </alias>
        <alias>
            <name>DMZ-Private-IP</name>
            <address>172.18.2.0/24</address>
            <descr>DMZ Private IP</descr>
        </alias>
        <alias>
            <name>DMZ-Public-IP</name>
            <address>x.x.115.0/24</address>
            <descr>DMZ Public IP</descr>
        </alias>
        <alias>
            <name>Robin</name>
            <address>x.x.114.110</address>
            <descr>Robin Public IP</descr>
        </alias>
        <alias>
            <name>SQL2</name>
            <address>x.x.115.145</address>
            <descr>SQL2 Public IP</descr>
        </alias>
        <alias>
            <name>EXCHSVR</name>
            <address>172.18.1.10</address>
            <descr>Exchange Server</descr>
        </alias>
    </aliases>
    <proxyarp>
        <proxyarpnet>
            <interface>wan</interface>
            <network>x.x.114.0/24</network>
            <descr>NAT LAN (Internal)</descr>
        </proxyarpnet>
        <proxyarpnet>
            <interface>wan</interface>
            <network>x.x.115.0/24</network>
            <descr>NAT DMZ (Perimeter)</descr>
        </proxyarpnet>
    </proxyarp>
    <wol/>
</m0n0wall>

« Reply #3 on: May 13, 2011, 16:12:39 »
dmgaddy *
Posts: 4

Ok, just noticed, I have a rule on the WAN allowing all traffic to the DMZ.  Bad! Bad!
Don't know when or why I put that in, but now it's gone and the firewall is working (blocking) as expected.

So if I understand your response from earlier, I do not need to do the rules in NAT, just in the WAN to access the EXCHSVR.  I used the PassiveFTP wiki article to set up FTP on the DMZ and I still need to do the same for FTP on the LAN. I will work through that process today and get back to the forum with results and more questions (I am sure).

Thanks again,

David G.
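As an added check (not from the thread or from m0n0wall itself): the Python audit below reads a m0n0wall config.xml and lists WAN pass rules that admit any source to a whole network with no protocol or port limit, which is the shape of the rule found in this reply. The sample config is a constructed excerpt of the one posted above, and treating a rule with no <type> element as pass is an assumption of this audit.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of the config.xml posted in Reply #2: the WAN-to-DMZ
# rule, one of the per-host FTP rules and the SQL rule, trimmed to the
# elements the audit looks at.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<m0n0wall><filter>
  <rule><type>pass</type><interface>wan</interface>
    <source><any/></source>
    <destination><network>opt1</network></destination><descr/></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source>
    <destination><address>WEBHST1</address><port>21</port></destination>
    <descr>NAT FTP on WEBHST1</descr></rule>
  <rule><interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source>
    <destination><address>SQLHST2</address><port>1433</port></destination>
    <descr>NAT </descr></rule>
</filter></m0n0wall>
"""

def audit_wan_rules(config_xml):
    """Return (destination, descr) for every WAN pass rule that accepts any
    source to a whole network or to any destination with no protocol or
    port restriction.  A rule with no <type> is counted as pass here
    (assumption made by this audit, not something the thread confirms)."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.findall("./filter/rule"):
        if rule.findtext("interface") != "wan":
            continue
        if (rule.findtext("type") or "pass") != "pass":
            continue
        src = rule.find("source")
        dst = rule.find("destination")
        if src is None or dst is None or src.find("any") is None:
            continue
        wide = dst.find("any") is not None or dst.find("network") is not None
        if wide and dst.find("port") is None and rule.find("protocol") is None:
            findings.append((dst.findtext("network") or "any",
                             rule.findtext("descr") or ""))
    return findings

if __name__ == "__main__":
    for target, descr in audit_wan_rules(SAMPLE_CONFIG):
        print(f"WAN pass any -> {target} (no proto/port): '{descr}'")
```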
« Reply #4 on: June 02, 2011, 16:13:04 »
dmgaddy *
Posts: 4

Can anyone explain why this is getting blocked?

Jun  2 09:57:14 ipmon[122]: 09:57:14.172407 bge0 @0:17 b xxx.xxx.xxx.xxx,80 -> yyy.yyy.yyy.yyy,4365 PR tcp len 20 40 -AR IN NAT

(bge0 = WAN)

For this host, I have a WAN rule in place: 

Proto | Source | Port | Destination     | Port
*     | *      | *    | yyy.yyy.yyy.yyy | *

Shouldn't that allow everything in to the host yyy.yyy.yyy.yyy?
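An added helper, not part of the thread: a Python parser for the ipmon line format quoted in this post, which pulls out the interface, rule number, action, TCP flags and direction so that a block entry can be read at a glance. The sample lines are constructed (the first is the posted line with its masked addresses, the second a made-up passed SYN to the same host), and the classifier labels each TCP segment as a new connection (SYN only) or as part of an existing conversation, which is the first thing to check before assuming a pass rule should have matched.

```python
import re

# Constructed sample in the ipmon format quoted above: line 1 is the blocked
# line from the post (addresses masked as posted), line 2 is a made-up
# passed SYN to the same host so the two shapes can be compared.
SAMPLE_LOG = """\
Jun  2 09:57:14 ipmon[122]: 09:57:14.172407 bge0 @0:17 b xxx.xxx.xxx.xxx,80 -> yyy.yyy.yyy.yyy,4365 PR tcp len 20 40 -AR IN NAT
Jun  2 09:58:01 ipmon[122]: 09:58:01.004120 bge0 @0:22 p 203.0.113.7,51000 -> yyy.yyy.yyy.yyy,443 PR tcp len 20 60 -S IN NAT
"""

# Field order as ipmon writes it: time, interface, @group:rule, action
# (b=block, p=pass), src,port -> dst,port, PR proto, len hdr total,
# then optional TCP flags, direction and a NAT marker.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<ts>[\d:.]+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bpSL]) (?P<src>\S+?),(?P<sport>\d+) -> (?P<dst>\S+?),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<len>\d+)"
    r"(?: (?P<flags>-[A-Z]+))?(?: (?P<dir>IN|OUT))?(?: (?P<nat>NAT))?")

FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}

def parse_ipmon(line):
    """Parse one ipmon line into a dict; return None if it does not match."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["blocked"] = rec["action"] == "b"
    rec["nat"] = rec["nat"] is not None
    rec["flags"] = {FLAG_NAMES.get(c, c) for c in (rec["flags"] or "-")[1:]}
    for k in ("sport", "dport", "group", "rule"):
        rec[k] = int(rec[k])
    return rec

def classify(rec):
    """SYN alone is a new connection; ACK/RST/FIN set means a segment of an
    existing or finished conversation, which a stateful firewall judges by
    its state table rather than by the pass rule written for new sessions."""
    if rec["proto"] != "tcp":
        return "non-tcp"
    return "new-connection" if rec["flags"] == {"SYN"} else "reply-or-teardown"

def summarize(log_text):
    """Return (src, sport, dst, dport, class, blocked) per parsable line."""
    out = []
    for line in log_text.splitlines():
        rec = parse_ipmon(line)
        if rec:
            out.append((rec["src"], rec["sport"], rec["dst"], rec["dport"],
                        classify(rec), rec["blocked"]))
    return out
```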
