
New PIX 525 config help

Chris Mickle
Level 1

Hello,

I am a new member on the forum and new to routing and Cisco products. I am a Windows network administrator. One of my clients recently went out of business and in lieu of some money that they owed me, they gave me some equipment including a PIX 525.

I am interested in learning more about routing and Cisco equipment so I am trying to use the PIX in my own network. I have downloaded the configuration guide (version 6.3) from Cisco and read topics from this and other forums and have managed to put together a config that seems to be doing what I want it to do for the most part. I have run into a few problems that I would like you folks to help me with if possible. The problem I have is that the Cisco documentation assumes that you are intimately familiar with routing and also IOS, which I am not.

Here is my network setup…

I have a range of static IPs from my cable ISP xxx.xxx.xxx.153-157

I have a windows SBS server running exchange and PPTP vpn.

I have another windows server running an FTP site.

I have a windows server that I use to test new configurations that will potentially run any number of hosted services (mail, web, ftp, vpn etc.).

I use one of my IPs for internet access only for guests.

Previously, I had only one static IP and was using Linksys routers with port forwarding so that I could host my services. The problem was that I couldn’t host more than one mail server or have remote desktop access to more than one server without changing the listening ports. To solve this, I upgraded to a block of 5 static IPs.

My goal now is to use the PIX 525 to direct traffic to each server which resides on a different physical interface with a different subnet. I am currently using NAT and access lists to route traffic coming in on each public IP to a specific internal interface. So far everything seems to be working for the most part.

The interface labeled dmz is the interface my test server resides on. The goal here was to direct any incoming ip traffic to this interface and allow a Linksys router to do the port forwarding. I thought this would be simpler to configure since this machine will host different services depending on what I am working with at the time.

Interface inside1 is my own SBS server with exchange.

Interface inside2 is where my FTP server is.

Interface internet is the guest access internet-only subnet.

Below is the software version info from the PIX…

Cisco PIX Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(2)

Compiled on Fri 15-Jun-07 18:25 by builders
System image file is "flash:/pix802.bin"
Config file at boot was "startup-config"

pixfirewall up 1 hour 24 mins

Hardware:   PIX-525, 384 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash E28F400B5T @ 0xfffd8000, 32KB

Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5)
0: Ext: Ethernet0           : address is 0005.9bca.3356, irq 10
1: Ext: Ethernet1           : address is 0005.9bca.3357, irq 11
2: Ext: Ethernet2           : address is 00e0.b604.f027, irq 11
3: Ext: Ethernet3           : address is 00e0.b604.f026, irq 10
4: Ext: Ethernet4           : address is 00e0.b604.f025, irq 9
5: Ext: Ethernet5           : address is 00e0.b604.f024, irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : 10
Maximum VLANs                : 100
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Cut-through Proxy            : Enabled
Guards                       : Enabled
URL Filtering                : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : Unlimited

Below is the scrubbed config I have setup…

PIX Version 8.0(2)
!
hostname pixfirewall
enable password xxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address xxx.xxx.xxx.153 255.255.255.248
ospf cost 10
!
interface Ethernet1
nameif inside1
security-level 100
ip address 192.168.0.1 255.255.255.0
ospf cost 10
!
interface Ethernet2
nameif inside2
security-level 90
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Ethernet3
nameif dmz
security-level 80
ip address 192.168.2.1 255.255.255.0
ospf cost 10
!
interface Ethernet4
nameif internet
security-level 70
ip address 192.168.3.1 255.255.255.0
ospf cost 10
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd xxxxxxxxxxxxxxxxxxxxxx encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq 3389
access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 3389
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq smtp
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq www
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq https
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq pop3
access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq ftp
access-list 101 extended permit ip any host xxx.xxx.xxx.155
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq 5000
pager lines 24
mtu outside 1500
mtu inside1 1500
mtu inside2 1500
mtu dmz 1500
mtu internet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 xxx.xxx.xxx.154
global (outside) 3 xxx.xxx.xxx.155
global (outside) 4 xxx.xxx.xxx.156
nat (inside1) 1 192.168.0.0 255.255.255.0
nat (inside2) 2 192.168.1.0 255.255.255.0
nat (dmz) 3 192.168.2.0 255.255.255.0
nat (internet) 4 192.168.3.0 255.255.255.0
static (inside2,outside) tcp xxx.xxx.xxx.154 3389 192.168.1.2 3389 netmask 255.255.255.255
static (inside1,outside) tcp interface 3389 192.168.0.2 3389 netmask 255.255.255.255
static (inside1,outside) tcp interface smtp 192.168.0.2 smtp netmask 255.255.255.255
static (inside1,outside) tcp interface 5000 192.168.0.100 5000 netmask 255.255.255.255
static (inside2,outside) tcp xxx.xxx.xxx.154 ftp 192.168.1.2 ftp netmask 255.255.255.255
static (inside1,outside) tcp interface www 192.168.0.2 www netmask 255.255.255.255
static (inside1,outside) tcp interface https 192.168.0.2 https netmask 255.255.255.255
static (inside1,outside) tcp interface pop3 192.168.0.2 pop3 netmask 255.255.255.255
static (dmz,outside) xxx.xxx.xxx.155 192.168.2.2 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.158 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside1
ssh timeout 30
console timeout 0
dhcpd dns xxx.xxx.xxx.xxx
!
dhcpd address 192.168.3.10-192.168.3.254 internet
dhcpd enable internet
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server 207.46.197.32 source outside prefer
prompt hostname context
Cryptochecksum:167b34c03df2ce6f2b65763838740d93
: end

I would appreciate if you guys could take a look at this to see if I set it up correctly and give me any recommendations you see fit.

Thanks a million.

4 Replies

praprama
Cisco Employee

Hi,

The config looks alright based on the below 2 lines:

static (dmz,outside) xxx.xxx.xxx.155 192.168.2.2 netmask 255.255.255.255

access-list 101 extended permit ip any host xxx.xxx.xxx.155

I am not sure of what problem you are facing currently.

Regards,

Prapanch

No problems on the dmz interface so far. The only problems I have still are the following...

No access to other public IPs from inside interfaces. For instance, I can't access ftp://xxx.xxx.xxx.154 from machines on interface1 even though the ASDM interface has inherent rules that were apparently automatically created to allow from higher security to lower security.

I used to have PPTP VPN that I could access from a client computer in the inside1 interface and I can't get PPTP traffic to pass through anymore even if I forward port 1723 and disable the PPTP fixup protocol. The connections just hang at verifying username and password. If I reconnect everything the way it was before the PIX it works again.

I know the PIX no longer supports PPTP VPN itself after software version 7.x I think, but I don't understand why I can't still allow the traffic to pass through to another server.

Also I just wanted to see if the entire config was in good shape and avoid any problems if any were evident or see if the current config is the best way to accomplish my goals.

Sorry I forgot to include the above in my original post.

Hey,

So you are trying to perform hairpinning on the PIX. When you try to access xxx.xxx.xxx.154 from the inside1 interface, you will need the below static commands in place:

static (inside2,inside1) tcp xxx.xxx.xxx.154 3389 192.168.1.2 3389 netmask 255.255.255.255

static (inside2,inside1) tcp xxx.xxx.xxx.154 ftp 192.168.1.2 ftp netmask 255.255.255.255

Now this traffic is going from higher to lower security level so it should work by default. Now if you want to allow inside2 users to access xxx.xxx.xxx.153 which is the outside IP address, you will need the below commands:

static (inside1,inside2) tcp interface 3389 192.168.0.2 3389 netmask 255.255.255.255
static (inside1,inside2) tcp interface smtp 192.168.0.2 smtp netmask 255.255.255.255
static (inside1,inside2) tcp interface 5000 192.168.0.100 5000 netmask 255.255.255.255
static (inside1,inside2) tcp interface www 192.168.0.2 www netmask 255.255.255.255
static (inside1,inside2) tcp interface https 192.168.0.2 https netmask 255.255.255.255
static (inside1,inside2) tcp interface pop3 192.168.0.2 pop3 netmask 255.255.255.255

In addition to this, you will need access-lists permitting the respective traffic to the xxx.xxx.xxx.153 IP address on the inside2 interface as well, since this is from a lower to higher security level interface.

Coming to PPTP VPN pass through, I guess you are trying to connect to the PPTP VPN server behind your PIX. Is it the xxx.xxx.xxx.155 IP address server that is hosting the PPTP VPN? Or is it some other server?

PPTP in general does not work with a Static PAT because it involves GRE and since GRE does not have port numbers, PAT does not work with PPTP. You will need a 1:1 NAT for the PPTP server's IP address as in the case of xxx.xxx.xxx.155.

Hope this helps!!

Regards,

Prapanch
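An added example (my own Python, not part of this thread or of any Cisco tool): it parses the static and access-list lines Prapanch refers to, reports TCP port statics that the outside access-list never permits, and checks whether a public address has the 1:1 static plus ip permit that GRE-based PPTP needs. The config subset is constructed from the post (with one permit left out to give the check something to find), and OUTSIDE_IP stands in for the scrubbed .153 address.

```python
import re
# Constructed sample: a subset of the posted PIX 8.0(2) config (ISP prefix scrubbed
# as in the post). The 'eq 5000' permit is deliberately left out so the check reports it.
CONFIG = """
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq 3389
access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 3389
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq smtp
access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq ftp
access-list 101 extended permit ip any host xxx.xxx.xxx.155
static (inside2,outside) tcp xxx.xxx.xxx.154 3389 192.168.1.2 3389 netmask 255.255.255.255
static (inside1,outside) tcp interface 3389 192.168.0.2 3389 netmask 255.255.255.255
static (inside1,outside) tcp interface smtp 192.168.0.2 smtp netmask 255.255.255.255
static (inside2,outside) tcp xxx.xxx.xxx.154 ftp 192.168.1.2 ftp netmask 255.255.255.255
static (inside1,outside) tcp interface 5000 192.168.0.100 5000 netmask 255.255.255.255
static (dmz,outside) xxx.xxx.xxx.155 192.168.2.2 netmask 255.255.255.255
"""
OUTSIDE_IP = "xxx.xxx.xxx.153"  # assumed: what the 'interface' keyword resolves to

STATIC_PAT = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
STATIC_1TO1 = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
ACL_TCP = re.compile(r"^access-list \S+ extended permit tcp any host (\S+) eq (\S+)")
ACL_IP = re.compile(r"^access-list \S+ extended permit ip any host (\S+)")

def parse(config):
    """Split a config into port statics, 1:1 statics, and the outside permits."""
    pats, one_to_one, acl_tcp, acl_ip = [], {}, set(), set()
    for line in config.strip().splitlines():
        if m := STATIC_PAT.match(line):
            _, _, proto, gip, gport, lip, lport = m.groups()
            gip = OUTSIDE_IP if gip == "interface" else gip
            pats.append((proto, gip, gport, lip, lport))
        elif m := STATIC_1TO1.match(line):
            one_to_one[m.group(3)] = m.group(4)
        elif m := ACL_TCP.match(line):
            acl_tcp.add((m.group(1), m.group(2)))
        elif m := ACL_IP.match(line):
            acl_ip.add(m.group(1))
    return pats, one_to_one, acl_tcp, acl_ip

def unreachable_pats(config):
    """TCP port statics that no outside access-list entry actually permits."""
    pats, _, acl_tcp, acl_ip = parse(config)
    return [(gip, gport, lip) for proto, gip, gport, lip, _ in pats
            if proto == "tcp" and (gip, gport) not in acl_tcp and gip not in acl_ip]

def pptp_capable(config, public_ip):
    """GRE has no ports, so PPTP needs a 1:1 static plus an 'ip' permit, not a port static."""
    _, one_to_one, _, acl_ip = parse(config)
    return public_ip in one_to_one and public_ip in acl_ip
```

Run against the full posted config, unreachable_pats returns an empty list, while pptp_capable shows why .155 (1:1 static) could host PPTP and .153 (port statics only) cannot.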

Thanks for all the info so far Prapanch,

First, what is hairpinning?

Second, after reviewing your response I realized I had meant to say that I can't access inside interfaces with lower security levels. For instance, a computer on inside1 with IP 192.168.0.100 where the security-level is 100 cannot get to the FTP site hosted on inside2 192.168.1.2 security-level 90. I was under the impression that the PIX allowed this by default. As it is though I cannot access the FTP site with the URL ftp://192.168.1.2. So do I have to create a static command or an access list or what? I don't see any need to access higher security interfaces from lower security interfaces on this setup.

Third. That explains why the VPN won't work. Unfortunately, the VPN server was my SBS server on inside1 xxx.xxx.xxx.153. I don't think 1:1 NAT would work because then I would have to use another router on inside1, right? This is possible but it really defeats my goal of trying to use the PIX for as many things as possible in order to learn it. 1:1 NAT would be good for the DMZ though because I want another router to control the port forwarding to that network anyway because it is the test network.

What then would be a good alternative to PPTP on SBS server? The goal is to have access to resources on inside1 from the outside that I could configure easily on client computers.
