Need help with pix501

Mar 2nd, 2007

Hi,

I need some help with my new PIX 501 router. The problem is I cannot get it configured. I follow the instructions given in the user manuals and so on, but somehow I still cannot use it the way I want. The thing is, I want to make sure that everything from inside can go outside no matter what, just anything (as far as I understood this is set by default)

and to make sure that a specified IP address from outside gets access on a specified port to a specified host on the inside. So I first tried it with PDM, but every time I made a new rule in the ACL I got some errors and such, so this time I tried from the console and everything went well, but still there is no access from outside, and this time even after a total reset I cannot access PDM anymore. Here is more info about the configs.

This is what I did.

1: setting the following settings

hostname pix

domain-name ew

ip address inside 192.168.2.1 255.255.255.0

ip address outside 192.168.1.17 255.255.255.0

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 192.168.1.254

dhcpd address 192.168.2.2-192.168.2.10 inside

dhcpd dns 192.168.1.254

dhcpd enable inside

ssh 192.168.1.20 255.255.255.0

ssh 192.168.2.2 255.255.255.0 inside

passwd 12345678

access-list outside_access_in permit tcp any host 192.168.1.20 eq 5900

access-group outside_access_in in interface outside

static (inside,outside) tcp 192.168.1.20 5900 192.168.2.2 5900 netmask 255.255.255.255

Here is some info from show:

"" pixtest(config)# show route

outside 0.0.0.0 0.0.0.0 192.168.1.254 1 OTHER static

outside 192.168.1.0 255.255.255.0 192.168.1.17 1 CONNECT static

inside 192.168.2.0 255.255.255.0 192.168.2.1 1 CONNECT static

pixtest(config)# ""

""pixtest(config)# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)

alert-interval 300

access-list outside_access_in; 2 elements

access-list outside_access_in line 1 permit tcp any host 192.168.1.20 eq 5900 (hitcnt=0)

access-list outside_access_in line 2 permit tcp any host 192.168.1.20 eq 5800 (hitcnt=0)

pixtest(config)# ""

""pixtest(config)# show dhcpd

dhcpd address 192.168.2.2-192.168.2.10 inside

dhcpd dns 192.168.1.254

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside

pixtest(config)# ""

""pixtest(config)# show ip

System IP Addresses:

ip address outside 192.168.1.17 255.255.255.0

ip address inside 192.168.2.1 255.255.255.0

Current IP Addresses:

ip address outside 192.168.1.17 255.255.255.0

ip address inside 192.168.2.1 255.255.255.0

pixtest(config)# ""

"" pixtest(config)# show nat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

pixtest(config)# ""

"" pixtest(config)# show access-group

access-group outside_access_in in interface outside

pixtest(config)# ""

I was trying to make sure that the computer with IP 192.168.1.20 (outside) can access my PC with VNC on port 5900; my PC has IP 192.168.2.2 inside,

and SSH, but that does not work either, not from inside nor from outside...

What do I do wrong???

And PDM is not working anymore.

Following >>>

ikturalo1981 Fri, 03/02/2007 - 06:10

pixtest(config)# show config

: Saved

: Written by enable_15 at 11:49:02.670 UTC Fri Mar 2 2007

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd Vyg.xxxxxxxxxx encrypted

hostname pixtest

domain-name ew

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_access_in permit tcp any host 192.168.1.20 eq 5900

access-list outside_access_in permit tcp any host 192.168.1.20 eq 5800

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 192.168.1.17 255.255.255.0

ip address inside 192.168.2.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.2.2 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 192.168.1.20 5900 192.168.2.2 5900 netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.1.20 5800 192.168.2.2 5800 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.1.254 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 outside

ssh 192.168.1.0 255.255.255.0 inside

ssh 192.168.2.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd address 192.168.2.2-192.168.2.10 inside

dhcpd dns 192.168.1.254

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside

terminal width 80

Cryptochecksum:xxxxxxxxxxxxx

I need this:

1. setting the outside to use a specific IP/mask/DNS (no DHCP)

2. setting the inside to use DHCP or a specified IP/mask/DNS

3. making sure that the internet is accessible

4. making sure that some IPs from outside can access some hosts inside on specified ports.

5. that all traffic from inside to outside is permitted.

6. that a specified IP can log in to the PIX from outside to configure it.

Please help if you can.

Jon Marshall Fri, 03/02/2007 - 08:08

Hi

Which bits are not working, everything or outside access?

You say that you are trying to allow access from a computer on the outside with IP 192.168.1.20 to your pc 192.168.2.2.

The statement

static (inside,outside) tcp 192.168.1.20 5900 192.168.2.2 5900 netmask 255.255.255.255

does not do this. What this says is to present your internal IP address 192.168.2.2 as 192.168.1.20 to the outside.

Try this to see if it works:

static (inside,outside) tcp 192.168.2.2 192.168.2.2 netmask 255.255.255.255

access-list outside_access_in permit tcp host 192.168.1.20 host 192.168.2.2 eq 5900

Let me know if that works.

As far as the internet goes, your outside IP address is 192.168.1.17 which is not routable on the internet so unless there is some other NAT going on somewhere you will not get internet access with this setup.

HTH

Jon

ikturalo1981 Fri, 03/02/2007 - 11:23

Well yes, what I'm trying to do is make sure that PC 192.168.1.20 from outside can access my PC 192.168.2.2 on the inside on port 5900, and there is no special NATting; this router has static IP 192.168.1.17 and that's it..

Jon Marshall Fri, 03/02/2007 - 23:35

Hi

Okay, try what I've said in the previous post and let me know how you get on.

Jon

ikturalo1981 Sat, 03/03/2007 - 07:28

That did not work, but you were near to the right thing.

I did this:

access-list outside_access_in permit tcp any host 192.168.1.17 eq 5900

access-list outside_access_in permit tcp any host 192.168.1.17 eq 5800

static (inside,outside) tcp 192.168.1.17 5900 192.168.2.2 5900 netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.1.17 5800 192.168.2.2 5800 netmask 255.255.255.255 0 0

This I got from another forum; a Cisco engineer helped a little bit, but you were right, only it had to be not on 192.168.2.2 but all to 192.168.1.17.

Now I'm going to play with this a little more to understand it, and also try to get the PDM back, because now it's not working anymore.
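As an added example (not from the thread or from Cisco), the small Python model below replays the thread's inbound rules the way PIX 6.3 evaluates them: the outside ACL is matched against the global (pre-translation) address, then a static must exist for that address and port. It understands only the static / access-list / access-group lines used in this thread; FINAL takes the working lines from the last post but narrows the ACL source to host 192.168.1.20 as Jon's ACL did, which is what requirement 4 asked for.

```python
def _endpoint(tok, i):
    """Parse 'any' or 'host A.B.C.D' at tok[i]; return (address or None, next i)."""
    if tok[i] == "any":
        return None, i + 1
    return tok[i + 1], i + 2

def parse(config):
    """Read the static / access-list / access-group lines used in the thread."""
    fw = {"statics": {}, "acls": {}, "groups": {}}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "static" and t[2] == "tcp":
            # static (inside,outside) tcp GLOBAL GPORT LOCAL LPORT netmask ...
            fw["statics"][(t[3], int(t[4]))] = (t[5], int(t[6]))
        elif t[0] == "access-list":
            # access-list NAME permit|deny tcp SRC DST eq PORT
            src, i = _endpoint(t, 4)
            dst, i = _endpoint(t, i)
            fw["acls"].setdefault(t[1], []).append((t[2], src, dst, int(t[i + 1])))
        elif t[0] == "access-group":
            fw["groups"][t[4]] = t[1]  # access-group NAME in interface IFACE
    return fw

def inbound(fw, src, dst, dport):
    """Outside->inside TCP: (inside_ip, inside_port) if forwarded, else (None, reason).
    The outside ACL is matched against the global (pre-translation) destination."""
    if src == dst:
        return None, "client is addressing itself; nothing ever reaches the PIX"
    for action, s, d, p in fw["acls"].get(fw["groups"].get("outside"), []):
        if s in (None, src) and d in (None, dst) and p == dport:
            if action == "permit":
                break
            return None, "denied by access-list"
    else:
        return None, "no access-list entry matches (implicit deny)"
    if (dst, dport) not in fw["statics"]:
        return None, "no static translation for that global address/port"
    return fw["statics"][(dst, dport)]

# Constructed from the thread: first attempt (global = the client's own IP) and the
# working lines, with the ACL source narrowed to the one outside host.
ORIGINAL = parse("""
access-list outside_access_in permit tcp any host 192.168.1.20 eq 5900
static (inside,outside) tcp 192.168.1.20 5900 192.168.2.2 5900 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside""")
FINAL = parse("""
access-list outside_access_in permit tcp host 192.168.1.20 host 192.168.1.17 eq 5900
static (inside,outside) tcp 192.168.1.17 5900 192.168.2.2 5900 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside""")
```

Calling inbound(ORIGINAL, "192.168.1.20", "192.168.1.17", 5900) shows the first attempt failing at the ACL, while inbound(FINAL, ...) returns the inside VNC endpoint and rejects any other outside host.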
