open specific port for outside public ip using pix from inside

Answered Question
Jun 11th, 2010
User Badges:

hi, i have a request of providing access for any inside user in pix. So that they can access the public ip 79.125.x.x to the port 3128 or 8080 0r 443 or 80. Although in pix from inside to outside all are accessible.


Below is the configuration we have done for that marked in blue....


PIX Version 7.2(2)
!
hostname
enable password 54KV/iNGn6iowxMX encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.18.254 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.100.2 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd 54KV/iNGn6iowxMX encrypted
ftp mode passive
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp host x.x.x.x host 192.168.17.9 eq citrix-ica
access-list 101 extended permit tcp host x.x.x.x host 192.168.17.9 eq 2598
access-list 101 extended permit tcp any host 192.168.17.9 eq 2598
access-list 101 extended permit tcp any host 192.168.17.9 eq citrix-ica

access-list 101 extended permit tcp any host 79.125.8.156 eq 3128
access-list 101 extended permit tcp any host 79.125.8.156 eq 8080

access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq 3128
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq 8080
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq www
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq https

access-list 101 extended permit tcp any interface outside eq 3128
access-list 101 extended permit tcp any interface outside eq https
access-list 101 extended permit tcp any interface outside eq 8080
access-list 101 extended permit tcp any interface outside eq www
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.18.1 1
route inside 192.168.42.0 255.255.255.0 172.16.100.1 1
route inside 192.168.20.0 255.255.255.0 172.16.100.1 1
route inside 175.10.10.0 255.255.255.0 172.16.100.1 1
route inside 170.10.10.0 255.255.255.0 172.16.100.1 1
<--- More --->
route inside 192.168.17.0 255.255.255.0 172.16.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
snmp-server host inside 192.168.17.6 community xxxx version 2c
no snmp-server location
no snmp-server contact
snmp-server community xxxxx

snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0c833b0c4d6d76f063dee0e1680499e2
: end


so pplease let me know whether this configuration is right or wrong ?? or i have missed something.....


Waiting for ur reply ASAP......

Correct Answer by edadios about 6 years 10 months ago

It looks like 79.125.8.156 is some sort of web proxy server/web filtering server.


Are you trying to restrict all users, so that they can only access the proxy server, and nothing else?


If that is the case, then what you need is something like the following;


access-list 102 permit tcp any host 79.125.8.156 eq http
access-list 102 permit tcp any host 79.125.8.156 eq 443
access-list 102 permit tcp any host 79.125.8.156 eq 8080
access-list 102 permit tcp any host 79.125.8.156 eq 3128


access-group 102 in interface inside



With the above configuration, your inside host may have their browser to use the proxy server, and get to browse the internet after authentication.

They will not be able to browse the internet without going through the proxy server. Any other traffic will be denied.



The lines in blue are incorrect as mentioned by Andrew.



If I have misunderstood your intention, it will be best to provide source ip/protocol/port  and destination ip/protocol/port of the traffic you want to pass though the pix. And some clarification of the host 79.125.8.156 is supposed to do, and what the subnet 208.87.137.0 255.255.255.0 represent

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.

By default ALL traffic from the inside to the outside is permitted.


The config:-


access-list 101 extended permit tcp any host 79.125.8.156 eq 3128 - does nothing
access-list 101 extended permit tcp any host 79.125.8.156 eq 8080 - does nothing

access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq 3128- does nothing
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq 8080 - does nothing
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq www-  does nothing
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq https - does nothing

access-list 101 extended permit tcp any interface outside eq 3128 - allows ANY device from the outside to connec to the pix outside interface using TCP port 3128
access-list 101 extended permit tcp any interface outside eq https - allows ANY device from the outside to connec to the pix outside interface using TCP port 443
access-list 101 extended permit tcp any interface outside eq 8080 - allows ANY device from the outside to connec to the pix outside interface using TCP port 8080
access-list 101 extended permit tcp any interface outside eq www - allows ANY device from the outside to connec to the pix outside interface using TCP port 80


This config is wrong - what are you trying to do?

Correct Answer
edadios Fri, 06/11/2010 - 05:10
User Badges:
  • Silver, 250 points or more

It looks like 79.125.8.156 is some sort of web proxy server/web filtering server.


Are you trying to restrict all users, so that they can only access the proxy server, and nothing else?


If that is the case, then what you need is something like the following;


access-list 102 permit tcp any host 79.125.8.156 eq http
access-list 102 permit tcp any host 79.125.8.156 eq 443
access-list 102 permit tcp any host 79.125.8.156 eq 8080
access-list 102 permit tcp any host 79.125.8.156 eq 3128


access-group 102 in interface inside



With the above configuration, your inside host may have their browser to use the proxy server, and get to browse the internet after authentication.

They will not be able to browse the internet without going through the proxy server. Any other traffic will be denied.



The lines in blue are incorrect as mentioned by Andrew.



If I have misunderstood your intention, it will be best to provide source ip/protocol/port  and destination ip/protocol/port of the traffic you want to pass though the pix. And some clarification of the host 79.125.8.156 is supposed to do, and what the subnet 208.87.137.0 255.255.255.0 represent

tuhinbhowmick Fri, 06/11/2010 - 06:11
User Badges:

Thanks Andrew and Edadios for your support and comments. Actually this configuration has been done by our client and send it to us for checking. Also Edadios, you are absolutely correct about our requirements.



Open TCP ports: 80, 443, 3128,8080 to the following range 208.87.137.0 - 208.87.137.255 and 208.87.136.0 - 208.87.136.255 for any inside user









Open TCP ports: 3128 and 8080 to the following IP’s and IP Ranges 194.116.198.0 - 194.116.198.255  and 79.125.8.156 for any inside user.

Thanks once again for your support.

tuhinbhowmick Fri, 06/11/2010 - 07:40
User Badges:

hi,


For the follwing....


Open TCP ports: 80, 443, 3128,8080 to the following range 208.87.137.0 - 208.87.137.255 and 208.87.136.0 - 208.87.136.255


we applied the below commands....


access-list 102 permit tcp any 208.87.136.0 255.255.255.0 eq 3128
access-list 102 permit tcp any 208.87.136.0 255.255.255.0 eq 8080
access-list 102 permit tcp any 208.87.136.0 255.255.255.0 eq 443
access-list 102 permit tcp any 208.87.136.0 255.255.255.0 eq 80

access-list 102 permit tcp any 208.87.137.0 255.255.255.0 eq 3128
access-list 102 permit tcp any 208.87.137.0 255.255.255.0 eq 8080
access-list 102 permit tcp any 208.87.137.0 255.255.255.0 eq 443
access-list 102 permit tcp any 208.87.137.0 255.255.255.0 eq 80



Please rectify the same if it is wrong...........


waiting for ur help......

edadios Tue, 06/15/2010 - 22:26
User Badges:
  • Silver, 250 points or more

That is correct .


Regards,

Actions

This Discussion