Unsecured firewall?

Unanswered Question
Jan 24th, 2008
Hi,


This has to be an easy one...


I have it connected to DSL on a subnet 255.255.255.248.


The main IP (113) needs to be stealthed with SSH open, 114 needs Asterisk on TCP 5060 open, everything else stealthed, and 118 has a web server.


After 10 very difficult days with a new 877, I still cannot get the firewall into stealth mode with all ports closed. Also, I cannot seem to allow any port 80 or 5060 traffic in.


The bits of my config are:


interface Dialer0
 description Internet
 ip address 1.2.3.113 255.255.255.248
 ip access-group 150 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname [email protected]
 ppp chap password 7 mypassword

ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.7.114 5060 1.2.3.114 5060 extendable
ip nat inside source static tcp 192.168.7.118 80 1.2.3.118 80 extendable

logging trap debugging

access-list 1 remark NAT ACCESS
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 23 remark MANAGEMENT LIST
access-list 23 permit 192.168.7.0 0.0.0.255
access-list 150 remark INBOUND CONNECTIONS
access-list 150 permit tcp any host 1.2.3.118 eq www
access-list 150 permit ip any host 1.2.3.114
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip host 255.255.255.255 any
access-list 150 deny ip host 0.0.0.0 any
access-list 150 permit ip any any
dialer-list 1 protocol ip permit
no cdp run


(I still cannot find any docs on cisco.com that are in any way comprehensible)


BTW, SDM doesn't seem to work, so I am forced into the rather cryptic CLI.


Thanks,


David
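For the behaviour the question asks for (only SSH to .113, TCP 5060 to .114 and HTTP to .118 reachable from outside, everything else dropped silently, while replies to sessions started from the LAN still get back in), here is a replacement for access-list 150 together with CBAC inspection. This is an added illustration, not configuration from the thread or from Cisco; it assumes the 877 runs an IOS image with the firewall feature set (ip inspect) and keeps the placeholder addresses from the question.

```cisco
! Inspect sessions leaving via Dialer0 so that their return traffic is
! admitted dynamically ahead of access-list 150. Requires the IOS firewall
! feature set (assumption: the thread does not say which image is installed).
ip inspect name FW tcp
ip inspect name FW udp
!
interface Dialer0
 ip access-group 150 in
 ip inspect FW out
!
! Rebuild ACL 150. Spoofed/private sources are rejected BEFORE any permit,
! so they cannot reach the published services either.
no access-list 150
access-list 150 remark INBOUND CONNECTIONS
access-list 150 deny   ip 10.0.0.0 0.255.255.255 any
access-list 150 deny   ip 172.16.0.0 0.15.255.255 any
access-list 150 deny   ip 192.168.0.0 0.0.255.255 any
access-list 150 deny   ip 127.0.0.0 0.255.255.255 any
access-list 150 deny   ip host 255.255.255.255 any
access-list 150 deny   ip host 0.0.0.0 any
! Only the three services named in the question, matched on the global
! addresses because the inbound ACL is evaluated before the static NAT
! translations apply. Narrow "any" on the SSH line to your management
! source address if it is static.
access-list 150 permit tcp any host 1.2.3.113 eq 22
access-list 150 permit tcp any host 1.2.3.114 eq 5060
access-list 150 permit tcp any host 1.2.3.118 eq www
! Explicit final deny replaces "permit ip any any", which was letting
! everything in. "no ip unreachables" on Dialer0 keeps the drops silent.
access-list 150 deny   ip any any log
```

Verify with `show ip inspect sessions` and `show access-lists 150` that LAN-initiated sessions show up as inspected and that the final deny's hit counter grows only for unsolicited traffic.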







jsivulka Wed, 01/30/2008 - 07:35

Basically, what you will need to do varies a little depending on your setup, but you will need to set up an access-list to allow ports 5060, 80, 137, 138, and 139 through the PIX. Here is a design guide on it:

http://www.cisco.com/warp/public/110/pixnetbios.html

On your config, I take it that is probably your WINS. I'm not sure who is the PDC and who is the WINS. Your ACLs are a little confusing because you have the same network in both parts of the ACL.

Since I cannot open the VSDs that you sent, I am not sure what you are referencing with the addresses.

