PIX Firewall problem

Feb 19th, 2008

I have configured a Cisco PIX firewall with 7.x IOS.

Everything is working fine, but I am having a strange problem with a server on the inside.

I just allowed ICMP for the inside server. Nothing else.

But the client is still able to open Remote Desktop on the client machine. Nothing is there except the static and the access-list.

static (inside,dmz) 172.28.32.18 172.28.32.18 netmask 255.255.255.255

access-list dmz_acl extended permit icmp host 10.1.1.10 host 172.28.32.18

Why is it so? Please help me out.


johnd2310 Thu, 02/21/2008 - 17:35

Hi,

Where is the client and where is the server?

Thanks

John

wasiimcisco Fri, 02/22/2008 - 00:34
Thanks for the reply. The client is in the DMZ and the server is located on the inside of the PIX firewall.



johnd2310 Mon, 02/25/2008 - 19:53

Hi,

Post your config, making sure you remove any sensitive info.

Thanks

John

wasiimcisco Tue, 02/26/2008 - 01:56
Please see the configuration, and do let me know why users are able to do everything even though I have only permitted ICMP.


dcpix# sh run
: Saved
:
PIX Version 7.2(3)8
!
hostname dcpix
enable password xxx
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.x.61 255.255.255.224 standby x.x.x.62
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 172.28.95.12 255.255.255.0 standby 172.28.95.10
!
interface Ethernet2
 speed 100
 duplex full
 nameif dmz
 security-level 90
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet7
 description LAN/STATE Failover Interface
 speed 100
 duplex full
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list icmp extended permit ip host 10.0.0.3 any
access-list icmp_out extended permit tcp any host x.x.x.60
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
failover
failover lan unit primary
failover lan interface faillink Ethernet7
failover lan enable
failover link faillink Ethernet7
failover interface ip faillink 192.168.1.1 255.255.255.0 standby 192.168.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.28.95.21 255.255.255.255
nat (dmz) 1 10.0.0.0 255.255.255.0
static (inside,dmz) 172.28.95.21 172.28.95.21 netmask 255.255.255.255
static (dmz,outside) 41.223.188.60 10.0.0.3 netmask 255.255.255.255
access-group icmp_out in interface outside
access-group icmp in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.34 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end


parvees123 Sat, 03/01/2008 - 00:20
Hi,

Firstly, there is no ACL entry as you mentioned in the first message (acl_dmz).

Secondly, in the configuration I can see you are permitting IP access in the access-list for the host 10.0.0.3, so everything is open for this server (TCP, UDP and ICMP).

You have a static NAT entry for DMZ and inside, so all the ports will work in this case.

Please change the ACL entry to ICMP only and it will work fine.

HTH,

Parvees
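
The point Parvees makes, written out as an added Python example that is not from the thread or from Cisco: a small first-match evaluator for the subset of PIX extended-ACL syntax used in the posted config, checking whether Remote Desktop (TCP 3389) from the DMZ host 10.0.0.3 to the inside server 172.28.95.21 is permitted by the posted `permit ip` line versus a line restricted to `icmp`. The evaluator, its function names and the `eq <port>` handling are my own assumptions; it models only `permit`/`deny`, `host`/`any`/`addr mask` and the implicit deny at the end of a PIX ACL.

```python
import ipaddress

# Constructed: the ACL line from the posted config, and the ICMP-only line
# the answer recommends (destination narrowed to the inside server).
POSTED = ["access-list icmp extended permit ip host 10.0.0.3 any"]
FIXED = ["access-list icmp extended permit icmp host 10.0.0.3 host 172.28.95.21"]

def _parse_addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX ACLs use subnet masks, not wildcard masks; ipaddress accepts A/MASK.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(lines):
    """Return [(action, proto, src_net, dst_net, dst_port_or_None)] in list order."""
    rules = []
    for line in lines:
        t = line.split()
        # access-list <name> extended <permit|deny> <proto> <src> <dst> [eq <port>]
        action, proto, rest = t[3], t[4], t[5:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins; no match falls through to PIX's implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto != "ip" and r_proto != proto:   # "ip" matches every protocol
            continue
        if src not in r_src or dst not in r_dst:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"

def rdp_allowed(acl_lines):
    """Does the DMZ client reach the inside server on TCP 3389 (RDP)?"""
    return evaluate(parse_acl(acl_lines), "tcp", "10.0.0.3", "172.28.95.21", 3389) == "permit"

def icmp_allowed(acl_lines):
    """Is ICMP from the DMZ client to the inside server still permitted?"""
    return evaluate(parse_acl(acl_lines), "icmp", "10.0.0.3", "172.28.95.21") == "permit"

if __name__ == "__main__":
    for name, acl in (("posted", POSTED), ("fixed", FIXED)):
        print(f"{name}: rdp={rdp_allowed(acl)} icmp={icmp_allowed(acl)}")
```

The static (inside,dmz) entry only provides the address translation; it is the `ip` keyword in the ACL that opens every TCP and UDP port, and the `show access-list` hit counts on the PIX would confirm which line the RDP connections are matching.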

