09-04-2013 05:16 AM - edited 03-11-2019 07:33 PM
Stefan
09-04-2013 07:41 AM
Hi,
There are a couple of problems.
The first one is that you have configured all interfaces with the same "security-level" value. This essentially means that traffic will be blocked whatever ACL you configure on the interface.
The way around this is to use the "same-security-traffic permit inter-interface" command.
Naturally, a better choice might be changing the internal interface's "security-level" to the usual value of "100".
Then there is also a problem with the ACL. No HTTP connection will have both the source and the destination port as TCP/80. Also, since this is a stateful firewall, we don't need to take return traffic into consideration.
So I would suggest the following modifications to the firewall configurations.
clear configure access-group
clear configure access-list
The above commands will first remove all the ACLs from the interfaces and it will then remove all the ACLs from the device.
After this add the new configurations
access-list INTERNAL-IN remark Only permit HTTP traffic
access-list INTERNAL-IN permit tcp any any eq www
access-group INTERNAL-IN in interface internal
access-list EXTERNAL-IN remark Only permit HTTP traffic
access-list EXTERNAL-IN permit tcp any any eq www
access-group EXTERNAL-IN in interface external
Do notice that will only allow HTTP traffic from behind either interface. All other traffic will be blocked.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if this didn't solve the problem.
- Jouni
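The three mistakes Jouni lists above (all interfaces on one security-level without "same-security-traffic permit inter-interface", ACL entries that pin TCP/80 on both the source and the destination side, and "out"-direction ACLs that a stateful firewall does not need) are easy to spot mechanically. The script below is an added example, not something from the thread or from Cisco: a small linter that parses a PIX/ASA-style running-config and reports those three findings. Both config excerpts embedded in it are constructed, modelled on the configs posted in this thread; the finding texts and function names are my own.

```python
"""Lint a PIX/ASA-style running-config for the mistakes discussed in the thread.
Added example, not from the thread or from Cisco."""
import re

# Constructed excerpt modelled on the first config posted in the thread.
BROKEN_CONFIG = """\
interface Ethernet0
 nameif internal
 security-level 0
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet1
 nameif external
 security-level 0
 ip address 10.0.0.1 255.0.0.0
!
access-list internal_access_in extended permit tcp any eq www any eq www
access-list internal_access_out extended permit tcp any eq www any eq www
access-group internal_access_in in interface internal
access-group internal_access_out out interface internal
"""

# The same excerpt after applying the suggested fixes (constructed).
FIXED_CONFIG = """\
interface Ethernet0
 nameif internal
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet1
 nameif external
 security-level 0
 ip address 10.0.0.1 255.0.0.0
!
access-list INTERNAL-IN remark Only permit HTTP traffic
access-list INTERNAL-IN extended permit tcp any any eq www
access-group INTERNAL-IN in interface internal
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) (.*)$")
PORT_OPS = {"eq": 2, "neq": 2, "lt": 2, "gt": 2, "range": 3}  # operator -> token count


def parse_interfaces(config):
    """Map each nameif to its security-level."""
    levels, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels


def _take_address(tokens):
    """Consume 'any', 'host A.B.C.D' or 'NET MASK' from the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]


def _take_port(tokens):
    """Consume an optional port operator ('eq www', 'range 80 81', ...)."""
    if tokens and tokens[0] in PORT_OPS:
        n = PORT_OPS[tokens[0]]
        return " ".join(tokens[:n]), tokens[n:]
    return None, tokens


def parse_acl_entries(config):
    """Parse permit/deny access-list entries into dicts; remark lines are skipped."""
    entries = []
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src, tokens = _take_address(tokens)
        src_port, tokens = _take_port(tokens)
        dst, tokens = _take_address(tokens)
        dst_port, tokens = _take_port(tokens)
        entries.append(dict(name=name, action=action, proto=proto, src=src,
                            src_port=src_port, dst=dst, dst_port=dst_port))
    return entries


def lint(config):
    """Return a list of human-readable findings for the config text."""
    findings = []
    levels = parse_interfaces(config)
    # (1) every interface at the same level and no inter-interface permit
    if len(levels) > 1 and len(set(levels.values())) == 1 \
            and "same-security-traffic permit inter-interface" not in config:
        findings.append("all interfaces share security-level %d and "
                        "'same-security-traffic permit inter-interface' is missing: "
                        "no traffic can pass between them regardless of ACLs"
                        % next(iter(levels.values())))
    # (2) TCP/UDP entries that pin both source and destination port
    for e in parse_acl_entries(config):
        if e["proto"] in ("tcp", "udp") and e["src_port"] and e["dst_port"]:
            findings.append("access-list %s: entry matches source port '%s' and "
                            "destination port '%s'; client source ports are ephemeral, "
                            "so this entry will almost never match"
                            % (e["name"], e["src_port"], e["dst_port"]))
    # (3) outbound ACLs meant for return traffic
    for raw in config.splitlines():
        m = re.match(r"^access-group (\S+) out interface (\S+)$", raw.strip())
        if m:
            findings.append("access-group %s applied 'out' on %s: the firewall is "
                            "stateful, so return traffic needs no outbound ACL"
                            % m.groups())
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg))
```

Run against the constructed broken excerpt it reports four findings (the shared security-level, both double-port ACEs, and the "out" access-group); against the fixed excerpt it reports none. The parser only understands the "any" / "host" / "NET MASK" address forms and the eq/neq/lt/gt/range port operators, which is enough for the configs in this thread; object-group based ACEs would need extending.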
09-04-2013 09:01 AM
Hi,
Are the default gateway configurations correct on both sides of the PIX, so that the traffic is first forwarded to the PIX and then back to the PIX from the other network?
Are there any hit counts on the ACLs when you use the command "show access-list"?
You could always also check what the ASDM says in the Monitoring section when you try to initiate the connections.
Oh and I just noticed, you were talking about network 192.168.1.0/24 which is not behind "internal" interface but actually "management"
- Jouni
09-04-2013 05:29 AM
Hi,
It would be easier to check the actual problem if you could provide us with the CLI format configuration of the PIX.
Naturally if there is any sensitive information you could remove those.
- Jouni
09-04-2013 06:05 AM
Well, here is the CLI output of the running config:
: Saved
:
PIX Version 7.2(2)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif internal
security-level 0
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet1
nameif external
security-level 0
ip address 10.0.0.1 255.0.0.0
!
interface Ethernet2
nameif mgmt
security-level 0
ip address 192.168.1.251 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list external_access_out extended permit tcp any eq www any eq www
access-list external_access_in extended permit tcp any eq www any eq www
access-list internal_access_in extended permit tcp any eq www any eq www
access-list internal_access_out extended permit tcp any eq www any eq www
pager lines 24
mtu internal 1500
mtu external 1500
mtu mgmt 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
access-group internal_access_in in interface internal
access-group internal_access_out out interface internal
access-group external_access_in in interface external
access-group external_access_out out interface external
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 mgmt
http 192.168.0.0 255.255.255.0 mgmt
http 192.168.1.254 255.255.255.255 internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d1f415fe5f3e74fd0fd80ffb05a3d348
: end
I apologize for my limited knowledge; I have only done CCNA 1 and 2.
Stefan
09-04-2013 07:44 AM
Also,
If you have other networks than those configured on the interfaces, then you will need to configure static routes for them. You also have no default route configured on the firewall.
I take it this is some test setup perhaps?
- Jouni
09-04-2013 08:36 AM
Hi Jouni !
Firstly, thanks very much for your answer.
Yes, this is just a school project where I check firewall performance. For that reason I need to configure the firewall with the mentioned interfaces and rules about the HTTP service. Everything else ought to be in default mode, and no other network is beyond the firewall interfaces, so no static or any other routing is required. The traffic simulated here is a common HTTP client-server communication process.
Stefan
09-04-2013 08:42 AM
Hi,
Were you able to test the configuration changes and get the connections to work?
- Jouni
09-04-2013 08:55 AM
Hello,
Our university laboratory just bought a device which can emulate clients or even client-server traffic. For example, eth0 generates client requests and eth1 of the device is waiting for the generated requests. And now the firewall is in the middle of the mentioned ports.
Anyway, I have just made the changes you recommended, but no success at all. I paste the config here again:
PIX Version 7.2(2)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif internal
security-level 0
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet1
nameif external
security-level 0
ip address 10.0.0.1 255.0.0.0
!
interface Ethernet2
nameif mgmt
security-level 0
ip address 192.168.1.251 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list INTERNAL-IN remark Only permit HTTP traffic
access-list INTERNAL-IN extended permit tcp any any eq www
access-list EXTERNAL-IN remark Only permit HTTP traffic
access-list EXTERNAL-IN extended permit tcp any any eq www
pager lines 24
mtu internal 1500
mtu external 1500
mtu mgmt 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
access-group INTERNAL-IN in interface internal
access-group EXTERNAL-IN in interface external
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 mgmt
http 192.168.0.0 255.255.255.0 mgmt
http 192.168.1.254 255.255.255.255 internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:000ce33fe38ed23a52556df44dace546
: end
I just used "same-security-traffic permit inter-interface" instead of different port security levels, because it is more similar to the default config.
Thanks.
Stefan
09-04-2013 09:32 AM
Hello,
It is sending to the wrong interface. The destination port should be "external", not "mgmt" (management).
Through-the-device packet to/from management-only network is denied: tcp source "internal":192.168.100.174/46718 destination "mgmt":192.168.1.1/80
I think it just found a closer match with the 192.168.1.0/24 interface, so it routes to that port. But I need packets to be forwarded only between the "internal" port (clients) and the "external" port (servers). Thanks! Stefan
09-04-2013 09:40 AM
Hi,
Just make sure that the Client is connected to the physical port "internal" (Ethernet0) and the Server is connected to "external" (Ethernet1)
There should be no problem with the firewalls routing as all networks are directly connected. Just make sure they are connected to the correct physical interface and are configured with the correct IP address and network mask.
Also,
Client should have the default gateway set to 192.168.100.1
Server should have the default gateway set to 10.0.0.1
This should pretty much be it.
- Jouni
09-04-2013 09:51 AM
Hi,
Yes, I am thinking that the software which emulates HTTP GET requests just generates the wrong destination IP address, because ASDM says that the destination address is denied and the destination address is my management port.
The "show interface" command confirmed that the physical connections are alright and the links are up/up as well.
I will contact my teacher about this issue.
Thanks a lot !
All the best,
Stefan