Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
279
Views
0
Helpful
1
Replies

Unsecured firewall?

davidrawle
Level 1
Level 1

‎01-24-2008 02:47 AM - edited ‎03-03-2019 08:24 PM

Hi,

This has to be an easy one...

I have it connected to DSL on a subnet 255.255.255.248.

The main IP (113) needs to be stealthed with ssh open, 114 need asterisk on tcp 5060 open, everything else stealthed, 118 has a web server.

After 10 very difficult days with a new 877, I still cannot get the firewall to stealth mode only all ports closed. Also I cannot seem to be able to allow any 80 or 5060 traffic in.

The bits of my config are:

interface Dialer0

description Internet

ip address 1.2.3.113 255.255.255.248

ip access-group 150 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

encapsulation ppp

ip route-cache flow

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap callin

ppp chap hostname mylogin@adsllogin.co.uk

ppp chap password 7 mypassword

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 1 interface Dialer0 overload

ip nat inside source static tcp 192.168.7.114 5060 1.2.3.114 5060 extendable

ip nat inside source static tcp 192.168.7.118 80 1.2.3.118 80 extendable

logging trap debugging

access-list 1 remark NAT ACCESS

access-list 1 permit 192.168.7.0 0.0.0.255

access-list 23 remark MANAGEMENT LIST

access-list 23 permit 192.168.7.0 0.0.0.255

access-list 150 remark INBOUND CONNECTIONS

access-list 150 permit tcp any host 1.2.3.118 eq www

access-list 150 permit ip any host 1.2.3.114

access-list 150 deny ip 10.0.0.0 0.255.255.255 any

access-list 150 deny ip 172.16.0.0 0.15.255.255 any

access-list 150 deny ip 192.168.0.0 0.0.255.255 any

access-list 150 deny ip 127.0.0.0 0.255.255.255 any

access-list 150 deny ip host 255.255.255.255 any

access-list 150 deny ip host 0.0.0.0 any

access-list 150 permit ip any any

dialer-list 1 protocol ip permit

no cdp run

(I still cannot find any docs on cisco.com that are in any way comprehensible)

BTW, SDM doesn't seem to work so I am forced into the rather cryptic CLI

Thanks,

David

Labels:
0 Helpful
1 Reply 1

jsivulka
Level 5
Level 5

‎01-30-2008 07:35 AM

Basically what you will need to do varies a little depending on your setup but you will need to set up access-list to allow ports 5060,80, 137, 138, and 139 through the PIX. Here is a design guide on it

http://www.cisco.com/warp/public/110/pixnetbios.html

On your config I take it is probally your WINS. I'm not sure who is the pdc and who is the wins Your acls are a little confusing beacuse you have the same network in both parts of the acl

Since I can not open the VSD's that you sent I am not sure what you are referenceing with the addresses

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card