Pix 501 configuring....

Answered Question
Mar 29th, 2010
My client has recently purchased a fiber line. The ISP provided the following information:

IP routes:

Interface IP 216.x.x.x

Gateway IP 216.x.x.x

Mask 255.255.255.252

and DNS servers


They also provided "Routed Network Info", which is confusing to me.

Subnet is 24.x.x.x/29 with 6 usable IPs

Gateway 24.x.x.x

Mask 255.255.255.248



My first task is to try to configure a Pix 501 for inside - out internet access

Second task is to set up the RDP access to individual computers on the LAN. I had done this before using DD-WRT port forwarding on a router where I could give the client the public IP with a port number (public:1234) and configure a forwarding table to relay each assigned port to their computer IP on port 3389. Now that I am introducing the Pix and the additional routing info from ISP I am way confused. Any help would be appreciated. I would settle for getting internet access from the inside at this point.


I will try to get what I have configured (but not tested) posted soon.


Thanks!

Correct Answer by JORGE RODRIGUEZ about 7 years 2 months ago

Hi Mike, good that you are making progress.


The access-list outbound permit ip any any applied to the inside interface is fine and you can leave it; it simply allows TCP/UDP outbound from any inside hosts, so you do not need these.

These three lines can be removed, as long as you leave access-list outbound permit ip any any applied to the inside interface.
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp


As for not being able to ping the ISP gateway, it most likely is the ISP blocking ICMP, but you have confirmed internet connectivity to 4.2.2.2 from the PIX and inside hosts after you added outside permit ip any any to the inside interface.


As for Site to Site VPN go to this link and reference in mid page down Site to Site VPN (L2L) with PIX

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html



Don't forget to rate helpful posts


Regards

Overall Rating: 4.9 (9 ratings)
mikentosh Mon, 03/29/2010 - 11:09
To make matters worse (for me) I am having to do everything in the console. Here is the configuration (sans sensitive info):



HELP> login
Username: admin
Password: **********
HELP# conf term
HELP(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname HELP
domain-name HELP.org
clock timezone EST -5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any interface outside eq 3389
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 216.x.x.x 255.255.255.252
ip address inside 192.168.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 24.x.x.x
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 216.x.x.x 3389 192.168.1.253 3389 netmask 255.255.255.255 0 0
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.x.x.x 1 <------Gateway IP
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.168.1.4 source inside
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
username admin password .xxxxxxxxxxxxxxx encrypted privilege 15
terminal width 90
Cryptochecksum:eb81abfdc7e2b02e12b91a8836670df1
: end
HELP(config)#

Correct Answer
Jon Marshall Mon, 03/29/2010 - 13:24

Mike


They also provided "Routed Network Info", which is confusing to me.

Subnet is 24.x.x.x/29 with 6 usable IPs

Gateway 24.x.x.x

Mask 255.255.255.248


This is an IP range that the ISP will route to you so you can use it to present internal/dmz servers to the internet eg.


static (inside,outside) 24.x.x.1 192.168.5.10 netmask 255.255.255.255


would present the inside server of 192.168.5.10 as 24.x.x.1 to the outside. You can also be more specific and use ports eg.


static (inside,outside) tcp 24.x.x.1 80 192.168.5.10 80 netmask 255.255.255.255


would present just port 80 for 192.168.5.10 as 24.x.x.1 on port 80 so you can use the same public IP for different ports and private IPs.


Your config looks fine to test with. Most people NAT the internal addresses to the outside interface IP but it looks like you have used one of your 24.x.x.x addresses. Nothing wrong with what you have done.


Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
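Jon's two static forms above (a full one-to-one static, and a per-port static on one public address) generalise directly to the "give each PC its own external port" scheme Mike is after. The Python below is an added example, not Jon's or Cisco's code: it emits one per-port static per inside PC on a single address from the routed /29 together with the inbound ACL and the access-group line that binds it, and refuses addresses that are not in the block's usable range. The addresses are RFC 5737 documentation ranges standing in for the redacted 24.x.x.x values (203.0.113.32/29 for the routed block, 198.51.100.0/24 as a hypothetical admin network); the function and variable names are mine.

```python
"""Emit the PIX 6.3 statements for a block of per-PC RDP forwards: one external
port per inside host on a single public address from the routed /29, plus the
inbound ACL that must be bound to the outside interface for any of them to work.
Added example; not Jon's or Cisco's code."""
import ipaddress

# Constructed stand-ins (RFC 5737 documentation ranges) for the thread's
# redacted values: 203.0.113.32/29 plays the role of 24.x.x.32/29.
ROUTED_BLOCK = ipaddress.ip_network("203.0.113.32/29")
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
USABLE = list(ROUTED_BLOCK.hosts())      # .33 .. .38: the ISP's "6 usable IPs"
ADMIN_SOURCES = ("198.51.100.0/24",)     # hypothetical range allowed to reach RDP


def acl_source(src):
    """Render an ACL source in PIX 6.3 syntax: 'any', 'host A', or 'NET MASK'."""
    if src == "any":
        return "any"
    net = ipaddress.ip_network(src, strict=False)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"     # real mask, not a wildcard


def rdp_forwards(public_ip, first_port, hosts, sources=("any",), acl="outside_in"):
    """Map TCP first_port, first_port+1, ... on public_ip to TCP 3389 on each host.

    Returns the static, access-list and access-group lines in the order they
    can be pasted; raises ValueError for a public address outside the usable
    range, a host off the LAN, a duplicate host, or a port past 65535."""
    pub = ipaddress.ip_address(public_ip)
    if pub not in USABLE:
        raise ValueError(f"{pub} is not a usable address in {ROUTED_BLOCK}")
    last_port = first_port + len(hosts) - 1
    if not 1 <= first_port <= last_port <= 65535:
        raise ValueError("external port range must fit in 1..65535")

    statics, permits, seen = [], [], set()
    for port, host in zip(range(first_port, last_port + 1), hosts):
        h = ipaddress.ip_address(host)
        if h not in INSIDE_NET:
            raise ValueError(f"{h} is not on {INSIDE_NET}")
        if h in seen:
            raise ValueError(f"{h} listed twice")
        seen.add(h)
        # One static per port: PIX 6.3 has no range form for port statics.
        statics.append(f"static (inside,outside) tcp {pub} {port} {h} 3389 "
                       "netmask 255.255.255.255 0 0")
        # Each static still needs an explicit permit on the outside ACL.
        for src in sources:
            permits.append(f"access-list {acl} permit tcp {acl_source(src)} host {pub} eq {port}")
    # The ACL does nothing until it is bound; this was the missing line in the thread.
    return statics + permits + [f"access-group {acl} in interface outside"]


if __name__ == "__main__":
    pcs = ["192.168.1.253", "192.168.1.55", "192.168.1.60"]
    for line in rdp_forwards("203.0.113.34", 1000, pcs, sources=ADMIN_SOURCES):
        print(line)
```

Restricting the ACL source to a known admin range rather than `any` is the cheap hardening on a PIX that exposes RDP directly; with `any`, every forwarded port is reachable from the whole internet.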

Correct Answer
JORGE RODRIGUEZ Mon, 03/29/2010 - 13:37

Hi Mike, I know Jon will never get mad at my adding additional info.. I just wrote the answer but Jon's speed-of-light reply always takes me off guard :-)


Should be straight forward what you need to accomplish, and you have come to the right place here for us to help.

First let's start by understanding what the ISP has given you; it is always good to ask the ISP when in doubt.

1 - IP routes:

Interface IP 216.x.x.x

Gateway IP 216.x.x.x

Mask 255.255.255.252

and DNS servers


The above information is provided for your PIX interface facing the ISP configuration, and looking at your PIX configuration
it looks like you have already accomplished that with the outside interface IP address and default route for your PIX gateway.
The DNS server info will be for your inside hosts in the event that you do not have a local DNS server.



2- "Routed Network Info",

Subnet is 24.x.x.x/29 with 6 usable IPs

Gateway 24.x.x.x

Mask 255.255.255.248


Routed network in your ISP's case simply means that they have provided you with a /29 public IP block; they will
route the /29 block towards your outside PIX interface IP, meaning that you may use those /29 IP addresses as NAT
addresses or NAT pool addresses etc. as Jon indicated. Since the ISP is expected to route this block back to your PIX you do not need
to do anything other than, again, using those addresses for one-to-one NAT translations or global pools as illustrated by Jon.


Regards

mikentosh Mon, 03/29/2010 - 14:53
I am grateful to both of you. I will hopefully be able to test it tonight. I will let you know what happens. Thanks again!

mikentosh Tue, 03/30/2010 - 05:11
Darn! It didn't work......... Not even the first task (getting internet access). Here's the rundown:

I connected the ISP ethernet line (from fiber box) to Pix WAN, connected Pix to laptop with ethernet, successfully pinged Pix (192.168.1.2), got "hardware error" when pinging outside.


I know I am doing something wrong. Would probably be much easier if I could get the PDM interface to work, but that is another story. I am posting the config again hoping someone can tell me where I am screwing up.

Note- the ANYRDP acl was just to test if I could access a specific inside system by using 24.x.x.33:1000 for a sort of one-to-one mapping of outside access in via RDP.

Again, any help is greatly appreciated...........


>>The ISP provided information:

>>IP routes:

>>Interface IP 216.x.x.230

>>Gateway IP 216.x.x.229

>>Mask 255.255.255.252

>>and DNS servers


>>They also provided "Routed Network Info", which is confusing to me.

>>Subnet is 24.x.x.33/29 with 6 usable IPs

>>Gateway 24.x.x.33

>>Mask 255.255.255.248

 
>>My first task is to try to configure a Pix 501 for inside - out internet access

>>Second task is to set up the RDP access to individual computers on the LAN. I had done this before using DD-WRT port forwarding on a router where I could give the client the public IP with a port number (public:1234) and configure a forwarding table to relay each assigned port to their computer IP on port 3389. Now that I am introducing the Pix and the additional routing info from ISP I am way confused. Any help would be appreciated. I would settle for getting internet access from the inside at this point.



CISCO SYSTEMS PIX-501
Embedded BIOS Version 4.3.200 07/31/01 15:58:22.08
Compiled by morlee
16 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
00  00  00   1022   3000  Host Bridge
00  11  00   8086   1209  Ethernet           9
00  12  00   8086   1209  Ethernet           10

Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
Platform PIX-501
Flash=E28F640J3 @ 0x3000000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 1974784 bytes of image from flash.
#################################################################################################################
16MB RAM
mcwa i82559 Ethernet at irq  9  MAC: xxxx.xxxx.xxxx
mcwa i82559 Ethernet at irq 10  MAC: xxxx.xxxx.xxxx
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0xD8000

                        Cisco PIX Firewall

Cisco PIX Firewall Version 6.3(5)
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                10
Throughput:                  Unlimited
IKE peers:                   10

This PIX has a Restricted (R) license.

Global 24.x.x.33 will be Port Address Translated
.
Cryptochecksum(unchanged): 398d5ff2 fcb99bb7 0cdd07ce ba58c30b

Cannot select private key
Type help or '?' for a list of available commands.
JMSBC> login
Username: admin
Password: *************
%Login failed
Username: admin
Password: **********
JMSBC# conf t
JMSBC(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname JMSBC
domain-name JMSBC.org
clock timezone EST -5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any interface outside eq 3389
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list ANYRDP permit tcp any interface outside eq 1000
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 216.x.x.230 255.255.255.252
ip address inside 192.168.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 24.x.x.33
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 192.168.1.55 3389 netmask 255.255.255.255 0 0
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.x.x.229 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.168.1.4 source inside
http server enable
http 192.168.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
username admin password xxxxxxxxxxxxxxxx encrypted privilege 15
terminal width 90
Cryptochecksum:398d5ff2fcb99bb70cdd07ceba58c30b
: end
JMSBC(config)#

Correct Answer
Jon Marshall Tue, 03/30/2010 - 05:22

Mike


Can you post output of "sh interface" from the pix ?


Can you ping the ISP default-gateway from the pix ?


Jon

mikentosh Tue, 03/30/2010 - 07:18

Yes, I will post as soon as I can. I have to go there in the evenings after my "primary" job. I will get it tonight (hopefully). Do both of these commands require the PIX to be connected to the outside (I know ping would)? I have the PIX with me but am nowhere near the site. I can run sh interface, but there probably won't be any results you are looking to see.


Thanks for taking the time to help me!

Correct Answer
JORGE RODRIGUEZ Tue, 03/30/2010 - 14:04

In addition, after you verify pinging the ISP gateway from the PIX itself as Jon has suggested, take note of the following configuration to be corrected after you have confirmed the ISP gateway is ICMP-reachable from the PIX.


Secondly:
You have two different access lists for inbound access (outside_in) and (ANYRDP), and they have not yet been applied to the outside interface.
For consistency in access-list naming, try using one access list per interface, as it will be much easier down the road to reference them per interface as opposed to different/many ACL names per interface.



Based on your static NAT translations you have these two ACL statements shown below; for TCP port 1000 use the same ACL name as the first one you have for port 3389.


access-list outside_in permit tcp any interface outside eq 3389
access-list ANYRDP permit tcp any interface outside eq 1000

Above acls should appear as:

access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq 1000


Apply the outside_in access-list to the outside interface by adding the statement below:

access-group outside_in in interface outside



After you have corrected these above ensure the servers 192.168.1.253  and 192.168.1.55 are indeed listening on RDP , then test them from outside internet.


Regards

mikentosh Wed, 03/31/2010 - 04:39

Still can't get out.....

Ping results are hardware errors.

Here is the sh interface results:


JMSBC(config)# sh interface
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0012.0059.dd6b
  IP address 216.x.x.230, subnet mask 255.255.255.252
  MTU 1500 bytes, BW 100000 Kbit full duplex
        9 packets input, 564 bytes, 0 no buffer
        Received 1 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        2 packets output, 120 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        1 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/3)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0012.0059.dd6c
  IP address 192.168.1.2, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        41 packets input, 2852 bytes, 0 no buffer
        Received 37 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        70 packets output, 4256 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/3)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
JMSBC(config)#



Any ideas??


Current config:


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxx encrypted
hostname JMSBC
domain-name JMSBC.org
clock timezone EST -5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any interface outside eq 3389
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list outbound permit icmp 192.168.1.0 255.255.255.0 any
access-list ANYRDP permit tcp any interface outside eq 1000
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 216.x.x.230 255.255.255.252
ip address inside 192.168.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 192.168.1.55 3389 netmask 255.255.255.255 0 0
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.x.x.229 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.168.1.4 source inside
http server enable
http 192.168.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
username admin password .xxxxxxxxxxxxxxxxx encrypted privilege 15
terminal width 90
Cryptochecksum:1adc46e73a8c32004d2b3d81143476ed
: end



Thanks for any help!!!

Correct Answer
JORGE RODRIGUEZ Wed, 03/31/2010 - 07:33

Hi Mike,


By default, from the PIX itself you should be able to ping the ISP router gateway; however, please add to your config (icmp permit any outside) for the ping test to the ISP gateway from the PIX itself.


Also, if you are trying to ping from a PC in the LAN you need to allow the replies back in on the firewall.


access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any source-quench
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded


access-group outside_in in interface outside



With the above you can ping by IP address; try pinging this open public IP 4.2.2.2 either from the PIX firewall or a PC, and post results.
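The two fixes Jorge gives in this and his earlier post (put all inbound rules in one ACL and bind it with access-group; permit ICMP echo-reply, unreachable and time-exceeded back in because PIX 6.3 does not track ICMP state) are both things a config file can be checked for offline. The Python below is an added example, not Cisco tooling or anything from the thread: a small lint over a PIX 6.3 `show run` text that reports unbound ACLs, port statics with no matching permit, missing ICMP return rules, an inbound `permit ip any any` on the outside (the outbound one Mike later asks about is harmless by comparison and is not flagged), and the default SNMP community. The sample configuration is condensed from the one Mike posted later in the thread; the finding wording and function names are mine.

```python
"""Static lint for a Cisco PIX 6.3 configuration, written for the mistakes in
this thread: an ACL that is defined but never bound with access-group, a port
static with no matching permit on the outside ACL, ICMP replies not let back in
(PIX 6.3 has no stateful ICMP inspection), a blanket permit on the outside, and
the default SNMP community. Added example; not Cisco tooling."""
import re
from collections import defaultdict

# Condensed from the configuration posted in the thread (the TERMSERV ACL is
# bound to outside while the ICMP-reply rules sit in the unbound outside_in).
SAMPLE_CONFIG = """\
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit tcp any interface outside eq 3389
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit ip any any
access-list TERMSERV permit tcp any interface outside eq 1000
icmp permit any inside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 192.168.1.55 3389 netmask 255.255.255.255 0 0
access-group TERMSERV in interface outside
access-group outbound in interface inside
snmp-server community public
"""

# Reply types a LAN ping/traceroute needs back in. source-quench (also in the
# thread) is deprecated by RFC 6633 and is not required.
ICMP_RETURN = ("echo-reply", "unreachable", "time-exceeded")


def parse(config):
    """Extract the statement types the checks need; everything else is ignored."""
    acls = defaultdict(list)  # ACL name -> rule strings, e.g. "permit tcp any ... eq 3389"
    bound = {}                # interface -> ACL name applied inbound on it
    statics = []              # (proto, public_port, inside_host, inside_port)
    communities = []          # SNMP community strings
    for line in config.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "access-list":
            acls[p[1]].append(" ".join(p[2:]))
        elif p[0] == "access-group":           # access-group NAME in interface IFACE
            bound[p[4]] = p[1]
        elif p[0] == "static" and p[2] in ("tcp", "udp"):
            # static (in,out) PROTO PUBLIC PUBPORT HOST HOSTPORT netmask ...
            statics.append((p[2], p[4], p[5], p[6]))
        elif p[:2] == ["snmp-server", "community"]:
            communities.append(p[2])
    return acls, bound, statics, communities


def lint(config):
    """Return a list of findings (empty means none of the checked mistakes)."""
    acls, bound, statics, communities = parse(config)
    findings = []

    for name in sorted(set(acls) - set(bound.values())):
        findings.append(f"ACL {name} is defined but never applied with access-group")

    outside = acls.get(bound.get("outside"), [])   # rules that govern inbound traffic
    if "outside" not in bound and statics:
        findings.append("no access-group on outside: every static is unreachable")
    for proto, pub_port, host, host_port in statics:
        # Port statics use numeric ports here; named ports (www, ftp) would need a map.
        if not any(re.fullmatch(rf"permit {proto} .+ eq {pub_port}", r) for r in outside):
            findings.append(f"static {proto}/{pub_port} -> {host}:{host_port} "
                            "has no permit on the outside ACL")
    if "permit ip any any" in outside:
        findings.append("outside ACL permits ip any any: every static is open to the internet")

    inside = acls.get(bound.get("inside"), [])
    if any(r.startswith(("permit icmp", "permit ip")) for r in inside):
        missing = [t for t in ICMP_RETURN if f"permit icmp any any {t}" not in outside]
        if missing:
            findings.append("PIX 6.3 does not track ICMP statefully; outside ACL lacks "
                            + ", ".join(missing))

    for c in communities:
        if c.lower() in ("public", "private"):
            findings.append(f"snmp-server community '{c}' is a well-known default")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports the unbound outside_in ACL, the 3389 static that TERMSERV does not permit, the three missing ICMP return rules and the public community; moving the TERMSERV rule into outside_in and binding that ACL clears everything but the SNMP finding.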

mikentosh Wed, 03/31/2010 - 11:14

Thanks for your patience! Yes, I was trying to ping from an internal PC; I couldn't connect to any known IPs either. Forgive me for being so ignorant about the PIX firewall, but can I ping from the console? The sh interface results I posted earlier were from the PC. Am I using the right gateway? Again, this is what the ISP provided:



Interface IP: 216.x.x.230

Gateway IP: 216.x.x.229

Subnetmask: 255.255.255.252

DNS Servers: 69.1.30.18 and .19

Routed Network Information:

Subnet is: 24.x.x.32/29 with 6 usable IPs

Usable IP Range: 24.x.x.33 - 24.x.x.38

Gateway: 24.x.x.33

Subnetmask: 255.255.255.248


I must be plugging something in wrong because I just cannot get out. Does it look right to you where I have the GWs/IPs?


I will try what you suggested.


Thanks again!

Correct Answer
JORGE RODRIGUEZ Wed, 03/31/2010 - 14:14

Mike, you posted the output of show interface, which shows the interfaces are up for both inside and outside. From the PIX console, can you post the output of "show arp"?   pix#show arp



Again, you can ping the ISP gateway from the PIX console:


PIX#ping 216.x.x.229    <-- can you ping the gateway from the PIX? If you can ping the gateway, also try another public IP like the one posted: ping 4.2.2.2 from the PIX console. If you can ping these addresses from the PIX you have connectivity to the internet; then move on to the next task, but please first confirm you can reach the ISP gateway and the 4.2.2.2 IP.


Regards

mikentosh Wed, 03/31/2010 - 17:12

jorgemcse,

Here is what I got when I did the ping test with the last configuration I revealed:


JMSBC(config)# ping 4.2.2.2
        4.2.2.2 response received -- 10ms
        4.2.2.2 response received -- 0ms
        4.2.2.2 response received -- 0ms
JMSBC(config)# ping 216.x.x.230
        216.x.x.230 response received -- 0ms
        216.x.x.230 response received -- 0ms
        216.x.x.230 response received -- 0ms
JMSBC(config)# ping 216.x.x.229
        216.x.x.229 response received -- 0ms
        216.x.x.229 response received -- 0ms
        216.x.x.229 response received -- 0ms
JMSBC(config)# ping 24.x.x.33
        24.x.x.33 NO response received -- 1000ms
        24.x.x.33 NO response received -- 1000ms
        24.x.x.33 NO response received -- 1000ms
JMSBC(config)# ping 24.x.x.32
        24.x.x.32 NO response received -- 1000ms
        24.x.x.32 NO response received -- 1000ms
        24.x.x.32 NO response received -- 1000ms
JMSBC(config)# ping 24.x.x.34
        24.x.x.34 NO response received -- 1000ms
        24.x.x.34 NO response received -- 1000ms
        24.x.x.34 NO response received -- 1000ms


I have since added the following line to the configuration:


access-list outbound permit ip any any


After adding this, the pings went through from the PC. As I write this I am using the firewall connection to do so.


What did this command do? Is it ok to use it without vulnerabilities?


Dare I try to move on to remoting in???


Thanks for your assistance and patience!

mikentosh Wed, 03/31/2010 - 19:52

My TERMSERV ACL is good for RDP. I can get in using 216.x.x.230:1000 and it routes to 3389 on the designated internal PC. Now what I need to do (if possible) is set a range of 20 individual connections similar. Is there a way to designate say incoming 1000-1020 to an internal router where I can do the port forwarding?


By the way, in my excitement (and some tweaking) I lost the ability to ping out from the PC again. The connection works to the internet, but I can't ping out (can ping in though). Can you identify the error in the configuration below:



:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxx encrypted
hostname JMSBC
domain-name JMSBC.org
clock timezone EST -5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any source-quench
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list outbound permit ip any any
access-list TERMSERV permit tcp any interface outside eq 1000
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 216.x.x.230 255.255.255.252
ip address inside 192.168.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 192.168.1.55 3389 netmask 255.255.255.255 0 0
access-group TERMSERV in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.x.x.229 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.168.1.4 source inside
http server enable
http 192.168.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
username admin password .xxxxxxxxxxxxxxx encrypted privilege 15
terminal width 90
Cryptochecksum:8f7d937a3d6ce0bceb6c332114927321
: end

mikentosh Thu, 04/01/2010 - 05:06

OK, I'm pinging again. I figured out I was missing the access-group outside_in. Now for the RDP problems.... And did I mention I would be setting up a site-to-site VPN?

Correct Answer
JORGE RODRIGUEZ Thu, 04/01/2010 - 08:07

Hi Mike, good that you are making progress.

The access-list outbound permit ip any any applied to the inside interface is fine and you can leave it; it simply allows TCP/UDP outbound from any inside hosts, so you do not need these.

These three lines can be removed, as long as you leave access-list outbound permit ip any any applied to the inside interface.
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp


As for not being able to ping the ISP gateway, it most likely is the ISP blocking ICMP, but you have confirmed internet connectivity to 4.2.2.2 from the PIX and inside hosts after you added outside permit ip any any to the inside interface.


As for the Site to Site VPN, go to this link and reference, mid-page down, Site to Site VPN (L2L) with PIX:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html



Don't forget to rate helpful posts.


Regards

mikentosh Mon, 04/05/2010 - 07:22

jorgemcse,


Thanks for the link to Site to Site VPN, I will look at that next. I will also remove the lines you specified for www, ftp & ftp-data.


As for the RDP access, I currently have it configured to allow 3389 access to the internal Terminal Server as follows:


access-list outside_in permit tcp any interface outside eq 3389

static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255 0 0


Am I missing the "access-group outside_in in interface outside" to allow the above configuration to work?




I currently have the additional routing to a specific internal workstation for a user set as follows:


access-list RDPUSER permit tcp any interface outside eq 1000

static (inside,outside) tcp interface 1000 192.168.1.55 3389 netmask 255.255.255.255 0 0

access-group RDPUSER in interface outside


Can I add more of these one to one configurations, such as 1001 to x.x.x.56? Will the following work?


access-list RDPUSER permit tcp any interface outside eq 1001

static (inside,outside) tcp interface 1000 192.168.1.56 3389 netmask 255.255.255.255 0 0

access-list RDPUSER permit tcp any interface outside eq 1002

static (inside,outside) tcp interface 1000 192.168.1.57 3389 netmask 255.255.255.255 0 0

access-list RDPUSER permit tcp any interface outside eq 1003

static (inside,outside) tcp interface 1000 192.168.1.58 3389 netmask 255.255.255.255 0 0


Will they all use the access-group RDPUSER in interface outside?



I know I'm asking many questions here, but I just want to provide a solution for the port forwarding we used to do in the router, at the perimeter (Pix) now. I don't want to go the VPN route for fear of trashing the office network with home computer bugs.


Please let me know if you think this is feasible and my configuration examples are proper (albeit unorthodox).


As always, Thanks for your time and help!

JORGE RODRIGUEZ Mon, 04/05/2010 - 11:43

Hi Mike, thanks for rating. Using the rating system will also allow Cisco to contribute $1 to help Haiti earthquake victims.



For the scenario below you cannot do it this way, using the same port 1000 forwarding based on the static PAT translation; you
will get an error on a duplicate existing NAT. I think you probably meant tcp ports 1001, 1002 etc. based on your acl.

access-list RDPUSER permit tcp any interface outside eq 1001
static (inside,outside) tcp interface 1000 192.168.1.56 3389 netmask 255.255.255.255 0 0
access-list RDPUSER permit tcp any interface outside eq 1002
static (inside,outside) tcp interface 1000 192.168.1.57 3389 netmask 255.255.255.255 0 0
access-list RDPUSER permit tcp any interface outside eq 1003
static (inside,outside) tcp interface 1000 192.168.1.58 3389 netmask 255.255.255.255 0 0


So it will look like this below, using different ports:

static (inside,outside) tcp interface 1001 192.168.1.56 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1002 192.168.1.57 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1003 192.168.1.58 3389 netmask 255.255.255.255 0 0

access-list RDPUSER permit tcp any interface outside eq 1001
access-list RDPUSER permit tcp any interface outside eq 1002
access-list RDPUSER permit tcp any interface outside eq 1003



As for the RDP access, I currently have it configured to allow 3389 access to the internal Terminal Server as follows:
access-list outside_in permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255 0 0


The access-list and static nat above are fine, but the acl named (outside_in) needs to be applied to the outside interface.
Use one access-list (name) per interface, like I said before. Eliminate the RDPUSER access list, or the other one (outside_access_in),
and stick with one acl for the outside interface.


So your ultimate configuration for your inbound rules to these systems would be like this below; consolidate the access-list rules in one acl for the outside interface.


static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1001 192.168.1.56 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1002 192.168.1.57 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1003 192.168.1.58 3389 netmask 255.255.255.255

access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq 1001
access-list outside_in permit tcp any interface outside eq 1002
access-list outside_in permit tcp any interface outside eq 1003


Remove access-group RDPUSER from the outside interface:

no access-group RDPUSER in interface outside


and apply the new access-list to it:

access-group outside_in in interface outside


Regards
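An added check, not part of this thread or of any Cisco tool, that encodes the three mistakes discussed above and in the earlier "find the error" config: an outside ACL that is defined but never applied with access-group, a static PAT whose outside port has no permit in the applied ACL, and two statics reusing the same outside port (the duplicate-NAT error). The sample config is constructed for the example; the patterns assume the PIX 6.3 syntax shown in the thread.

```python
# Added example: lint inbound static PAT / ACL rules in a PIX 6.3-style config.
import re
from collections import defaultdict

# Constructed sample that reproduces the thread's three problems.
SAMPLE_CONFIG = """
access-list outside_in permit tcp any interface outside eq 3389
access-list RDPUSER permit tcp any interface outside eq 1000
access-list RDPUSER permit tcp any interface outside eq 1001
static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 192.168.1.55 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 192.168.1.56 3389 netmask 255.255.255.255 0 0
access-group RDPUSER in interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit tcp any interface outside eq (\d+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\d+) (\S+) (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")

def lint_pix(config):
    """Return a list of findings about the inbound PAT/ACL rules in `config`."""
    acl_ports = defaultdict(set)   # acl name -> outside ports it permits
    statics = {}                   # outside port -> "inside_host:inside_port"
    applied = None                 # acl applied inbound on the outside interface
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acl_ports[m.group(1)].add(int(m.group(2)))
        elif m := STATIC_RE.match(line):
            port, host, inside_port = int(m.group(1)), m.group(2), m.group(3)
            if port in statics:   # the PIX rejects this as a duplicate translation
                findings.append(f"duplicate static PAT for outside port {port}: "
                                f"{statics[port]} and {host}:{inside_port}")
            else:
                statics[port] = f"{host}:{inside_port}"
        elif m := GROUP_RE.match(line):
            applied = m.group(1)
    if applied is None:
        findings.append("no access-group applied to outside interface")
    for name in acl_ports:          # ACL written but never attached (the ping problem)
        if name != applied:
            findings.append(f"access-list {name} is defined but not applied to outside")
    for port, target in sorted(statics.items()):   # translation exists, but no permit
        if port not in acl_ports.get(applied, set()):
            findings.append(f"static PAT {port}->{target} has no permit in the applied ACL")
    return findings

if __name__ == "__main__":
    for finding in lint_pix(SAMPLE_CONFIG):
        print(finding)
```

Running it on the consolidated config Jorge gives above (one outside_in ACL, distinct ports 1001-1003, access-group outside_in applied) returns no findings.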

mikentosh Tue, 04/06/2010 - 04:42

jorgemcse,


Once again, thank you. I will try the suggested configuration and let you know the results later this week. Thanks!

mikentosh Wed, 04/07/2010 - 04:01

jorgemcse,


Configuration works great! Thank you!! Tested on one PC (separate from the domain). I just have to change the gateway and DNS servers for all internal PCs, then plug the new fiber line into the switches and remove the DSL. I will be working on the Site to Site connection next and will keep you posted on the progress.


-Mike

JORGE RODRIGUEZ Wed, 04/07/2010 - 05:07

Hi Mike, glad you got it working.


On the site-to-site VPN, reference the link I provided in the previous post and try configuring the tunnel; if you have issues with that, open a new L2L thread in this same forum category.


Regards
