Help requested: Cisco-PIX501 config not working

Aug 27th, 2010

Hi all,


I'm experiencing trouble with a PIX501 config. I hope someone is willing to help me on this, since I don't have too much experience with Cisco firewalls. I have an ASA5510 (configured by a specialist, I only add/remove/alter IPs) and I tried to apply the same sort of config to the PIX. Many commands are not accepted by the PIX, probably because of the older software version.

The config is pasted below, an expert on this probably understands the purpose of this config...

Thx in advance!

The problem is that the servers cannot connect from inside to outside (tested http://www.google.com), and that the servers cannot be reached from the outside. SSH and ping do work from inside and outside.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **** encrypted
passwd **** encrypted
hostname ****
domain-name ****
clock timezone CEST 1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.199.62 FirewallGateway
name **** srcCasperHome
name **** srcJaapHQ
name **** srcViking
name 172.16.199.48 svrWE01Inside
name ****.199.48 svrWE01Outside
name 172.16.199.49 svrvWEPROD01Inside
name ****.199.49 svrvWEPROD01Outside
name 172.16.199.50 svrvWEPROD02Inside
name ****.199.50 svrvWEPROD02Outside
name 172.16.199.51 svrvWETEST01Inside
name ****.199.51 svrvWETEST01Outside
object-group service Services_Public_svrWE01 tcp
object-group service Services_NonPublic_svrWE01 tcp
  port-object eq www
  port-object eq 3389
object-group service Services_Public_svrvWEPROD01 tcp
  port-object eq www
  port-object eq https
  port-object eq ftp
object-group service Services_NonPublic_svrvWEPROD01 tcp
  port-object eq 3389
object-group service Services_Public_svrvWEPROD02 tcp
  port-object eq www
object-group service Services_NonPublic_svrvWEPROD02 tcp
  port-object eq ftp
  port-object eq 3389
object-group network Trusted_Overall
  network-object host srcCasperHome
  network-object host srcJaapHQ
  network-object host srcViking
object-group network Trusted_svrW01
object-group network Trusted_svrvWEPROD01
object-group network Trusted_svrvWEPROD02
object-group network Trusted_svrvWETEST01
object-group service Services_NonPublic_svrvWETEST01 tcp
  port-object eq 3389
object-group service Services_Public_svrvWETEST01 tcp
  port-object eq www
  port-object eq https
  port-object eq ftp
access-list outside_access_in permit tcp any host svrvWEPROD01Inside object-group Services_Public_svrvWEPROD01
access-list outside_access_in permit tcp any host svrvWEPROD02Inside object-group Services_Public_svrvWEPROD02
access-list outside_access_in permit tcp any host svrvWETEST01Inside object-group Services_Public_svrvWETEST01
access-list outside_access_in permit tcp object-group Trusted_Overall host svrWE01Inside object-group Services_NonPublic_svrWE01
access-list outside_access_in permit tcp object-group Trusted_Overall host svrvWEPROD01Inside object-group Services_NonPublic_svrvWEPROD01
access-list outside_access_in permit tcp object-group Trusted_Overall host svrvWEPROD02Inside object-group Services_NonPublic_svrvWEPROD02
access-list outside_access_in permit tcp object-group Trusted_Overall host svrvWETEST01Inside object-group Services_NonPublic_svrvWETEST01
access-list outside_access_in permit icmp object-group Trusted_Overall any
pager lines 24
logging on
logging buffered debugging
icmp permit host srcJaapHQ outside
icmp permit host srcViking outside
icmp permit host srcCasperHome outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside ****.199.47 255.255.255.224
ip address inside FirewallGateway 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (outside,inside) svrWE01Outside svrWE01Inside dns netmask 255.255.255.255 0 0
static (outside,inside) svrvWEPROD01Outside svrvWEPROD01Inside dns netmask 255.255.255.255 0 0
static (outside,inside) svrvWEPROD02Outside svrvWEPROD02Inside dns netmask 255.255.255.255 0 0
static (outside,inside) svrvWETEST01Outside svrvWETEST01Inside dns netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ****.199.62 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh srcJaapHQ 255.255.255.255 outside
ssh srcViking 255.255.255.255 outside
ssh srcCasperHome 255.255.255.255 outside
ssh 172.16.199.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
username weadmin password ztUzXsDyW6EdO7Uz encrypted privilege 15
terminal width 80
Cryptochecksum:3df02ef47f61ab4080d096b55fb51066
: end

Correct Answer by Kevin Redmon (Cisco Employee), Fri, 08/27/2010 - 07:47

Casper,


There are three key items that a host needs in order to traverse a firewall - Permissions, Translations, and Routes.

Looking at the Translations, it looks as though you may have the interfaces "backwards":

static (outside,inside) svrWE01Outside svrWE01Inside dns netmask 255.255.255.255 0 0
static (outside,inside) svrvWEPROD01Outside svrvWEPROD01Inside dns netmask 255.255.255.255 0 0
static (outside,inside) svrvWEPROD02Outside svrvWEPROD02Inside dns netmask 255.255.255.255 0 0
static (outside,inside) svrvWETEST01Outside svrvWETEST01Inside dns netmask 255.255.255.255 0 0

In this case, the interfaces should be listed as "static (inside,outside)" - it is likely that this is the reason you cannot get to the inside servers.

Just reviewing the Permissions (via the access-group) - these look good on the surface - as do the routes. At this point, it looks as though the 'static' statements are your only problem.


If this resolves your issues, please be sure to mark this thread as answered.


Have a great weekend,

Kevin


Casperdegeus Fri, 08/27/2010 - 08:17

Hi Kevin,

Thanks so much for your reply! Below I posted the config of the ASA5510 which resides in the same rack/network. I used this as an example because this device works properly. Do you know why these static lines seem to be ok since the device works?

Thx!

ASA Version 8.2(2)
!
hostname Nemo1
domain-name default.domain.invalid
enable password 9HQ3YZN4r6yXmgGR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name **** srcJaapHQ
name **** srcParthaHome
name **** srcViking
name **** srcWEWWW01
name 172.16.199.41 svrYawsInside
name ***.***.199.41 svrYawsOutside
name 172.16.199.42 svrFlipperInside
name ***.***.199.42 svrFlipperOutside
name 172.16.199.43 svrArielInside
name ***.***.199.43 svrArielOutside
name 122.165.1.193 srcNeeSoftHQ
name 172.16.199.44 svrSeabertInside
name ***.***.199.44 svrSeabertOutside
name **** srcTTYGroningen
name **** srcJarno_Tty_Nl
name **** srcJaap_Tty_nl
name **** srcJappe_Tty_nl
name **** srcJaccoHome
name ***.***.199.58 svrZeekoeOutside
name 172.16.199.58 svrZeekoeInside
name **** srcDsbBankHQ
name **** srcJaapHQ2
name 172.16.199.39 svrSteffieInside
name **** srcNeeSoftHQ2
name **** srcJaccoAlmere
name ***.***.199.45 svrKwalOutside
name 172.16.199.45 svrKwalInside
name **** srcCasperHome
!
interface Ethernet0/0
nameif outside
security-level 0
ip address ***.***.199.40 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.199.62 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service NeptuneAPI tcp
port-object eq 8000
object-group service Services_NonPublic_Yaws tcp
port-object eq 3389
object-group service Services_NonPublic_Flipper tcp
port-object eq 3389
port-object eq ftp
object-group service Services_NonPublic_Ariel tcp
port-object eq 3389
port-object eq 8443
object-group service Services_Public_Flipper tcp
port-object eq www
object-group network FullyTrustedSources
network-object host srcJaapHQ
network-object host srcViking
network-object host srcWEWWW01
network-object host srcTTYGroningen
network-object host srcJarno_Tty_Nl
network-object host srcJaap_Tty_nl
network-object host srcJappe_Tty_nl
network-object host srcJaccoHome
network-object host srcDsbBankHQ
network-object host srcJaapHQ2
network-object host srcJaccoAlmere
network-object host srcCasperHome
object-group network India
network-object host srcParthaHome
network-object host srcNeeSoftHQ
network-object host srcNeeSoftHQ2
object-group service Services_NonPublic_Seabert tcp
port-object eq 3389
object-group service Services_NonPublic_Zeekoe tcp
port-object eq 3389
port-object eq ftp
object-group service Services_Public_Zeekoe tcp
port-object eq www
object-group service Services_NonPublic_Kwal tcp
port-object eq 3389
access-list outside_access_in extended permit tcp object-group FullyTrustedSources host svrYawsOutside object-group Services_NonPublic_Yaws
access-list outside_access_in extended permit tcp object-group FullyTrustedSources host svrFlipperOutside object-group Services_NonPublic_Flipper
access-list outside_access_in extended permit tcp object-group FullyTrustedSources host svrArielOutside object-group Services_NonPublic_Ariel
access-list outside_access_in extended permit tcp any host svrFlipperOutside object-group Services_Public_Flipper
access-list outside_access_in extended permit tcp object-group FullyTrustedSources host svrArielOutside object-group NeptuneAPI
access-list outside_access_in extended permit tcp object-group India host svrArielOutside object-group NeptuneAPI
access-list outside_access_in extended permit icmp object-group FullyTrustedSources any
access-list outside_access_in extended permit tcp object-group FullyTrustedSources host svrSeabertOutside object-group Services_NonPublic_Seabert
access-list outside_access_in extended permit tcp object-group FullyTrustedSources host svrZeekoeOutside object-group Services_NonPublic_Zeekoe
access-list outside_access_in extended permit tcp any host svrZeekoeOutside object-group Services_Public_Zeekoe
access-list outside_access_in extended permit tcp object-group FullyTrustedSources host svrKwalOutside object-group Services_NonPublic_Kwal
access-list inside_nat0_outbound extended permit ip any 172.16.199.32 255.255.255.224
access-list Private standard permit 172.16.199.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPN_pool 172.16.199.100-172.16.199.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) svrYawsOutside svrYawsInside netmask 255.255.255.255 dns
static (inside,outside) svrFlipperOutside svrFlipperInside netmask 255.255.255.255 dns
static (inside,outside) svrArielOutside svrArielInside netmask 255.255.255.255 dns
static (inside,outside) svrSeabertOutside svrSeabertInside netmask 255.255.255.255 dns
static (inside,outside) svrZeekoeOutside svrZeekoeInside netmask 255.255.255.255 dns
static (inside,outside) svrKwalOutside svrKwalInside netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.199.62 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http **** 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 management
http srcJaapHQ 255.255.255.255 outside
http srcCasperHome 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set aes128sha esp-aes esp-sha-hmac
crypto ipsec transform-set aes128sha mode transport
crypto ipsec transform-set aes256sha esp-aes-256 esp-sha-hmac
crypto ipsec transform-set aes256sha mode transport
crypto ipsec transform-set 3desmd5 esp-3des esp-sha-hmac
crypto ipsec transform-set 3desmd5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map out_dyn_map 10 set transform-set aes128sha aes256sha 3desmd5
crypto map vpn 20 ipsec-isakmp dynamic out_dyn_map
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh srcJaapHQ 255.255.255.255 outside
ssh srcViking 255.255.255.255 outside
ssh srcWEWWW01 255.255.255.255 outside
ssh srcCasperHome 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 213.239.154.12 source outside prefer
webvpn
enable outside
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 2
svc enable
group-policy DfltGrpPolicy attributes
dns-server value 172.16.199.41 172.16.199.51
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Private
group-policy nemo1 internal
group-policy nemo1 attributes
dns-server value 85.17.150.123 85.17.96.69
vpn-tunnel-protocol IPSec
group-policy AnyGroup internal
group-policy AnyGroup attributes
vpn-tunnel-protocol svc
username Casper password GuN2yHGa.QngQtJa encrypted privilege 0
username Casper attributes
vpn-group-policy AnyGroup
username setict password sb4z1PnahJA3dzhH encrypted privilege 15
username Jacco password h4I5tgnnFL2JaZyd encrypted privilege 0
username Jacco attributes
vpn-group-policy AnyGroup
username jaapadmin password 33TkgTBpS3jOqhOq encrypted privilege 15
username timv password VDxt13UmaVSs/K3W encrypted privilege 0
username timv attributes
vpn-group-policy nemo1
username lswadmin password ol/uHR/3k8aXa5Pu encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_pool
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN_pool
tunnel-group AnyVPN type remote-access
tunnel-group AnyVPN general-attributes
address-pool VPN_pool
default-group-policy AnyGroup
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f244f6adc3628749c955d8cfa5792e92
: end

Kevin Redmon (Cisco Employee) Fri, 08/27/2010 - 12:10

Casper,


These static commands work as I would estimate due to the order of the interfaces as listed in ( ). When explaining 'static' statements to customers, I use the following example:

static (real_interface,proxy_interface) proxy_ip real_ip

In this example, real_interface and real_ip, as the name indicates, is the interface of the ASA where the host REALLY resides as well as the REAL IP address that is configured on the device (i.e., the address that is shown via 'ipconfig' or 'ifconfig' on the device). The proxy_interface and proxy_ip are the interfaces of the ASA that will act as a "forwarding device" for the traffic and the IP address that the ASA will respond to for that traffic (i.e., the NATed IP). For instance, consider the following scenarios:


----

Correct Topology/Configuration:

----


server (10.1.1.2) -> (inside/10.1.1.1) ASA (outside/1.1.1.1) -> Internet -> ClientPC (1.1.1.3)


In this scenario, to host the server (10.1.1.2) on the internet using the IP address, 1.1.1.2, I would use the command:


static (inside,outside) 1.1.1.2 10.1.1.2 netmask 255.255.255.255


----

BROKEN Topology/Configuration:

----

IF I were to reverse the order of the interfaces on the 'static' statement such as:


static (outside,inside) 1.1.1.2 10.1.1.2 netmask 255.255.255.255


The topology that this would represent is:


Client (1.1.1.3) -> (inside/1.1.1.1) ASA (outside/10.1.1.1) -> Internet -> Server (10.1.1.2)


I hope this helps.


Best Regards,

Kevin

Casperdegeus Sat, 08/28/2010 - 06:28

Hi Kevin,

Thank you for your explanation. This is really helpful, and makes me understand things a little more. However, since the ASA5510 config works, I've been looking around some more and got it to work, with the 'faulty' statics. I found some example configs at cisco.com that used the same static with the strange ordering.

The problem was that the permissions were wrong: I gave permissions on the inside IPs of the servers, instead of the outside IPs. Your first answer made me figure this out (Permissions, Translations, and Routes) so thank you for your help!

Regards Casper.
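As an added example (it is not part of this thread and not Cisco code), the Python script below lints a PIX 6.3 / ASA 8.2 configuration for the two things the thread turns on: Kevin's rule that a static is written `static (real_interface,proxy_interface) proxy_ip real_ip` with the real host actually sitting behind `real_interface`, and the pre-8.3 behaviour behind Casper's fix, namely that an access-list applied inbound on an interface is matched before the destination is un-translated, so it has to name the mapped (outside) address rather than the real (inside) one. The sample configuration is a trimmed copy of the PIX config posted above; the masked public addresses have been replaced by 203.0.113.x from the documentation range, which is an assumption, and everything else (names, statics, access-list lines) is taken from the thread. The second check only holds for PIX 6.x and ASA 8.2 and earlier: from ASA 8.3 onward access-lists are written against real addresses, and that check would be wrong there.

```python
"""Lint a PIX 6.3 / ASA 8.2 (pre-8.3) config for the two errors discussed in this thread.
Added example, not Cisco code; SAMPLE_CONFIG is a trimmed copy of the thread's PIX config
with the masked public addresses replaced by 203.0.113.x (assumed, documentation range)."""
import ipaddress
import re

SAMPLE_CONFIG = """\
name 172.16.199.62 FirewallGateway
name 172.16.199.48 svrWE01Inside
name 203.0.113.48 svrWE01Outside
name 172.16.199.49 svrvWEPROD01Inside
name 203.0.113.49 svrvWEPROD01Outside
access-list outside_access_in permit tcp any host svrvWEPROD01Inside object-group Services_Public_svrvWEPROD01
access-list outside_access_in permit tcp any host svrWE01Outside eq www
ip address outside 203.0.113.47 255.255.255.224
ip address inside FirewallGateway 255.255.255.0
static (outside,inside) svrWE01Outside svrWE01Inside dns netmask 255.255.255.255 0 0
static (inside,outside) svrvWEPROD01Outside svrvWEPROD01Inside dns netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""
# Plain host statics only: static (real_ifc,mapped_ifc) mapped_ip real_ip ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")


def resolve(token, names):
    """Map a 'name' alias to its address string; literal addresses pass through."""
    return names.get(token, token)


def take_addr(tok, i):
    """Consume one ACE address spec at tok[i]: any | host X | object-group G | net mask."""
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] in ("host", "object-group"):
        return (tok[i], tok[i + 1]), i + 2
    return ("net", f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_config(text):
    cfg = {"names": {}, "ifaces": {}, "statics": [], "acls": {}, "groups": {}}
    lines = [raw.split() for raw in text.splitlines()]
    for tok in lines:  # aliases first: ip address, static and ACE lines use them
        if tok[:1] == ["name"] and len(tok) >= 3:
            cfg["names"][tok[2]] = tok[1]
    for tok in lines:
        try:
            if tok[:2] == ["ip", "address"]:
                addr = resolve(tok[3], cfg["names"])
                cfg["ifaces"][tok[2]] = ipaddress.ip_interface(f"{addr}/{tok[4]}").network
            elif tok[:1] == ["static"]:
                m = STATIC_RE.match(" ".join(tok))
                if m and m.group(3) not in ("tcp", "udp"):  # skip port statics
                    cfg["statics"].append(m.groups())
            elif tok[:1] == ["access-list"]:
                i = 3 if tok[2] == "extended" else 2
                if tok[i] in ("permit", "deny"):  # standard ACLs / remarks are not filters
                    src, j = take_addr(tok, i + 2)
                    dst, _ = take_addr(tok, j)
                    cfg["acls"].setdefault(tok[1], []).append((tok[i], tok[i + 1], src, dst))
            elif tok[:1] == ["access-group"]:
                cfg["groups"][tok[1]] = (tok[2], tok[4])  # acl -> (direction, interface)
        except (IndexError, ValueError):
            pass  # malformed or unsupported line; a real linter would report it
    return cfg


def home_interface(addr, cfg):
    """Interface whose connected subnet holds addr, or None (unknown alias or routed)."""
    try:
        ip = ipaddress.ip_address(resolve(addr, cfg["names"]))
    except ValueError:
        return None
    return next((ifc for ifc, net in cfg["ifaces"].items() if ip in net), None)


def check_static_direction(cfg):
    """Kevin's rule: in static (real_ifc,mapped_ifc) mapped_ip real_ip the real host
    must actually sit behind real_ifc."""
    findings = []
    for real_ifc, mapped_ifc, mapped_ip, real_ip in cfg["statics"]:
        home = home_interface(real_ip, cfg)
        if home is not None and home != real_ifc:
            other = home_interface(mapped_ip, cfg) or real_ifc
            findings.append(f"static ({real_ifc},{mapped_ifc}) {mapped_ip} {real_ip}: {real_ip} "
                            f"lives on {home}; expected static ({home},{other}) {mapped_ip} {real_ip}")
    return findings


def check_acl_addresses(cfg):
    """Pre-8.3 rule: an ACL applied 'in' on an interface is matched before the destination
    is un-translated, so a host entry must be the address as seen on that interface; the
    inside-side address of a static never belongs on the outside ACL. (ASA 8.3+ matches
    ACLs on real addresses instead, so this check does not apply there.)"""
    names = cfg["names"]
    partner = {}  # resolved address -> alias of the other side of its static
    for _, _, ip_a, ip_b in cfg["statics"]:
        partner[resolve(ip_a, names)], partner[resolve(ip_b, names)] = ip_b, ip_a
    findings = []
    for acl, (direction, ifc) in cfg["groups"].items():
        if direction != "in":
            continue
        for *_, dst in cfg["acls"].get(acl, []):
            home = home_interface(dst[1], cfg) if dst[0] == "host" else None
            if home not in (None, ifc) and resolve(dst[1], names) in partner:
                findings.append(f"{acl} (in on {ifc}): host {dst[1]} is the {home}-side address of "
                                f"a static; use the address seen on {ifc}: host {partner[resolve(dst[1], names)]}")
    return findings


def lint(text):
    """All findings for one config; an empty list means nothing these two checks can see."""
    cfg = parse_config(text)
    return check_static_direction(cfg) + check_acl_addresses(cfg)


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)) or "no findings")
```

Run as-is it reports the reversed `static (outside,inside)` line and the access-list entry that names `svrvWEPROD01Inside` instead of `svrvWEPROD01Outside`; feed it the text of `show running-config` to lint a real box. Port statics (`static (inside,outside) tcp ...`), policy statics and `nat 0` exemptions are skipped, so an empty result means "nothing these two checks can see", not a clean configuration.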
