02-19-2008 01:55 PM
I have configured a Cisco PIX firewall with 7.x IOS.
Everything is working fine, but I am having a strange problem with a server on the inside.
I just allowed ICMP for the inside server. Nothing else.
But the client is still able to open Remote Desktop on the client machine. Nothing is there except the static and the access-list.
static (inside,dmz) 172.28.32.18 172.28.32.18 netmask 255.255.255.255
access-list dmz_acl extended permit icmp host 10.1.1.10 host 172.28.32.18
Why is it so? Please help me out.
02-21-2008 05:35 PM
Hi,
Where is the client and where is the server?
Thanks
John
02-22-2008 12:34 AM
Thanks for the reply. The client is in the DMZ and the server is located on the inside of the PIX firewall.
02-25-2008 07:53 PM
Hi,
Post your config, making sure you remove any sensitive info.
Thanks
John
02-26-2008 01:56 AM
Please see the configuration and let me know why users are able to do everything even though I have only permitted ICMP.
dcpix# sh run
: Saved
:
PIX Version 7.2(3)8
!
hostname dcpix
enable password xxx
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address x.x.x.61 255.255.255.224 standby x.x.x.62
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 172.28.95.12 255.255.255.0 standby 172.28.95.10
!
interface Ethernet2
speed 100
duplex full
nameif dmz
security-level 90
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet6
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet7
description LAN/STATE Failover Interface
speed 100
duplex full
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list icmp extended permit ip host 10.0.0.3 any
access-list icmp_out extended permit tcp any host x.x.x.60
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
failover
failover lan unit primary
failover lan interface faillink Ethernet7
failover lan enable
failover link faillink Ethernet7
failover interface ip faillink 192.168.1.1 255.255.255.0 standby 192.168.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.28.95.21 255.255.255.255
nat (dmz) 1 10.0.0.0 255.255.255.0
static (inside,dmz) 172.28.95.21 172.28.95.21 netmask 255.255.255.255
static (dmz,outside) 41.223.188.60 10.0.0.3 netmask 255.255.255.255
access-group icmp_out in interface outside
access-group icmp in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.34 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
03-01-2008 12:20 AM
Hi,
Firstly, there is no ACL entry as you mentioned in the first message (acl_dmz).
Secondly, in the configuration I can see you are permitting IP access in the access-list for the host 10.0.0.3, so everything is open for this server (TCP, UDP and ICMP).
You have a static NAT entry for dmz and inside, so all the ports will work in this case.
Please change the ACL entry to ICMP only and it will work fine.
HTH,
Parvees
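To make the answer above concrete, here is an added example (not part of the thread, and not Cisco's own code) that models first-match evaluation of a PIX-style extended ACL with the implicit deny at the end. It parses the posted DMZ entry (`permit ip host 10.0.0.3 any`) and a corrected entry restricted to ICMP toward the inside server, then checks whether an RDP connection (tcp/3389) and a ping from the DMZ client would be permitted. The constructed ACL lines and addresses are taken from the config in the thread; the corrected line is assumed. The static (inside,dmz) entry only creates the translation and does no filtering, so it is not modelled here.

```python
"""
Minimal evaluator for PIX/ASA-style extended ACL lines (added example).

It models only what the thread needs:
  - 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'
  - address tokens: 'any', 'host A.B.C.D', or 'A.B.C.D MASK' (normal subnet mask)
  - protocol tokens: ip, icmp, tcp, udp ('ip' matches every protocol)
  - the implicit 'deny ip any any' at the end of every ACL
Real PIX ACLs have many more options (object-groups, port ranges, ICMP types,
time-ranges); those are out of scope for this illustration.
"""
import ipaddress


def _parse_addr(tokens, i):
    """Consume an address spec starting at tokens[i]; return (network, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'A.B.C.D MASK' form: PIX uses a subnet mask here, not a wildcard mask
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config_text, acl_name):
    """Return the ordered entries of acl_name as a list of dicts."""
    entries = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[1] != acl_name or t[2] != "extended":
            continue
        action, proto = t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = int(t[i + 1])
        entries.append({"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport})
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dport=None):
    """First matching entry decides; no match means the implicit deny applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"] == "permit"
    return False  # implicit 'deny ip any any'


# Constructed samples: the DMZ ACL exactly as posted, and an assumed corrected version
POSTED = "access-list icmp extended permit ip host 10.0.0.3 any\n"
FIXED = "access-list icmp extended permit icmp host 10.0.0.3 host 172.28.95.21\n"


def rdp_allowed(config_text):
    """Would RDP (tcp/3389) from the DMZ client reach the inside server under this ACL?"""
    return evaluate(parse_acl(config_text, "icmp"), "tcp", "10.0.0.3", "172.28.95.21", dport=3389)


def ping_allowed(config_text):
    """Would an ICMP echo from the DMZ client reach the inside server under this ACL?"""
    return evaluate(parse_acl(config_text, "icmp"), "icmp", "10.0.0.3", "172.28.95.21")


if __name__ == "__main__":
    print("posted ACL: RDP", rdp_allowed(POSTED), "ping", ping_allowed(POSTED))
    print("fixed  ACL: RDP", rdp_allowed(FIXED), "ping", ping_allowed(FIXED))
```

Running it shows the posted entry permitting both RDP and ping (because `ip` matches every protocol), while the corrected entry permits only the ICMP flow and lets RDP fall through to the implicit deny. The same evaluator can be pointed at any other ACL name in the posted config, for example `icmp_out`.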