
New Member

creating rules on cisco pix

Could anyone help me create a few basic rules that will allow this traffic to flow through the Cisco PIX firewall?

internal networks:

192.168.1.0/24

192.168.2.0/24

Both need to be able to search and browse internet websites and to connect to other remote networks (e.g. 10.5.1.0/24).

On the other hand, a remote network (e.g. 10.5.1.0/24) needs to have access to the internal network 192.168.1.0/24.

Can you provide an example?

Thanks


37 REPLIES

Re: creating rules on cisco pix

Hi,

These are the basic Firewall rules:

Traffic flows between interfaces based on the security level.

Security levels range from 0 to 100.

When communicating from a higher security interface to a lower security interface (inside to outside), you need a STATIC NAT and an ACL permitting the traffic.

When communicating from a lower security interface to a higher security interface (outside to inside), you just need NAT.

In your example:

To allow

192.168.1.0/24

192.168.2.0/24

to get to the Internet, you should have:

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 2 192.168.2.0 255.255.255.0

global (outside) 1 interface

global (outside) 2 interface

To allow communication TO servers in the internal network 192.168.1.0/24 from the Internet, for example to 192.168.1.8:

static (inside,outside) public_IP 192.168.1.8

access-list OUTSIDE permit ip any host public_IP

access-group OUTSIDE in interface outside

Federico.

New Member

Re: creating rules on cisco pix

hi federico,

I created the rules based on your instructions, but the internal network cannot access any outside websites.

The 192.168.1.0/24 and 192.168.2.0/24 networks do not have any servers to offer to the public. Instead, the internal networks are computers that need to access resources outside of the firewall.

Re: creating rules on cisco pix

Ok,

What you're missing is the routing.

The internal networks should have a route to the Internet pointing to the ASA (or have the ASA as their default gateway).

The ASA as well should have a default gateway:

route outside 0 0 x.x.x.x

In this case x.x.x.x represents the IP of the next-hop (next device) in the path to the Internet from the ASA.

Check it out and let us know.

Federico.

New Member

Re: creating rules on cisco pix

OK, let me send you my temporary configuration.

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

nameif ethernet3 intf3 security6

nameif ethernet4 intf4 security8

nameif ethernet5 intf5 security10

enable password DAyT8Zy5o1YlaDcM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname LVCLC-FW

domain-name lv.psu.edu

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group service webservices tcp

  port-object eq www

  port-object eq https

  port-object eq ftp

  port-object eq telnet

  port-object eq ssh

object-group icmp-type icmp-allowed

  icmp-object echo

  icmp-object time-exceeded

object-group protocol tcpudp

  protocol-object udp

  protocol-object tcp

  protocol-object esp

pager lines 24

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside 172.31.53.100 255.255.255.0

ip address inside 146.186.174.129 255.255.255.192

ip address intf2 128.118.6.129 255.255.255.128

no ip address intf3

no ip address intf4

no ip address intf5

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

pdm history enable

arp timeout 14400

route inside 0.0.0.0 0.0.0.0 172.31.53.100 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 146.186.174.128 255.255.255.192 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Re: creating rules on cisco pix

I see some problems.

The PIX has no clue as to where networks 192.168.1.0/24 and 192.168.2.0/24 are (there are no routes)

Via which interface on the ASA are those networks reachable?

The default route on the PIX is set to the inside interface. Is this the interface connected to the Internet?

Federico.

New Member

Re: creating rules on cisco pix

In the configuration file, the two internal networks are:

146.186.174.128 255.255.255.192

128.118.6.128 255.255.255.128

The external (public address) is 172.31.53.0/24 or 172.31.53.100/24

Both internal networks need to go out. These are just computers that will access resources (servers, web servers, etc.) on the public network.

Take a look at the attached file.

Re: creating rules on cisco pix

nat (inside) 1 146.186.174.128 255.255.255.192
nat (intf2) 1 128.118.6.128 255.255.255.128
global (outside) 1 interface

access-list inside permit ip any any

Make sure that both internal networks have the ASA as the default gateway.

Federico.

New Member

Re: creating rules on cisco pix

What should I do with the other rules I created? Should I have them removed?

On my last submission, I uploaded a diagram for you to comment on.

Re: creating rules on cisco pix

Just remove the previous rules typing the same command again with the keyword ''no'' in front.

Try to get Internet access from the internal networks.

I saw the diagram, just out of curiosity, why do you have public IP addresses in your internal networks?

Federico.

New Member

Re: creating rules on cisco pix

These are testing IP addresses, until we get the firewall working correctly.

New Member

Re: creating rules on cisco pix

Before uploading the new config, does this sound much better?

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

nameif ethernet3 intf3 security6

nameif ethernet4 intf4 security8

nameif ethernet5 intf5 security10

enable password DAyT8Zy5o1YlaDcM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname LVCLC-FW

domain-name lv.psu.edu

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group service webservices tcp

  port-object eq www

  port-object eq https

  port-object eq ftp

  port-object eq telnet

  port-object eq ssh

object-group icmp-type icmp-allowed

  icmp-object echo

  icmp-object time-exceeded

object-group protocol tcpudp

  protocol-object udp

  protocol-object tcp

  protocol-object esp

pager lines 24

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside 172.31.53.100 255.255.255.0

ip address inside 146.186.174.129 255.255.255.192

ip address intf2 128.118.6.129 255.255.255.128

no ip address intf3

no ip address intf4

no ip address intf5

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

pdm history enable

arp timeout 14400

nat (inside) 1 146.186.174.128 255.255.255.192
nat (intf2) 1 128.118.6.128 255.255.255.128
global (outside) 1 interface

access-list inside permit ip any any
route inside 0.0.0.0 0.0.0.0 172.31.53.100 1
timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 146.186.174.128 255.255.255.192 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cisco Employee

Re: creating rules on cisco pix

This route is incorrect: route inside  0.0.0.0 0.0.0.0 172.31.53.100 1

172.31.53.100 is your outside interface ip address. You can't route the default gateway back to your inside.

The default route should say: route outside 0.0.0.0 0.0.0.0 172.31.53.x

172.31.53.x should be the IP address of the next-hop router connected to the PIX outside interface.

and please remove the "route inside" command.

New Member

Re: creating rules on cisco pix

OK, thanks for the suggestion.

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

nameif ethernet3 intf3 security6

nameif ethernet4 intf4 security8

nameif ethernet5 intf5 security10

enable password DAyT8Zy5o1YlaDcM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname LVCLC-FW

domain-name lv.psu.edu

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group service webservices tcp

  port-object eq www

  port-object eq https

  port-object eq ftp

  port-object eq telnet

  port-object eq ssh

object-group icmp-type icmp-allowed

  icmp-object echo

  icmp-object time-exceeded

object-group protocol tcpudp

  protocol-object udp

  protocol-object tcp

  protocol-object esp

pager lines 24

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside 172.31.53.100 255.255.255.0

ip address inside 146.186.174.129 255.255.255.192

ip address intf2 128.118.6.129 255.255.255.128

no ip address intf3

no ip address intf4

no ip address intf5

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

pdm history enable

arp timeout 14400

nat (inside) 1 146.186.174.128 255.255.255.192
nat (intf2) 1 128.118.6.128 255.255.255.128
global (outside) 1 interface

access-list inside permit ip any any
route outside 0.0.0.0 0.0.0.0 172.31.53.106 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 146.186.174.128 255.255.255.192 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Re: creating rules on cisco pix

Have you tried it already?

Federico.

New Member

Re: creating rules on cisco pix

I will have it tested tomorrow morning.

On the other hand, do these settings provide some protection to the internal network?

Re: creating rules on cisco pix

The internal hosts should access the web getting translated to the outside IP of the ASA.

There's protection in terms that no inbound access is permitted by the ASA (with the exception of the replies for the outbound connections).

It's in fact a very basic configuration and normally you would want to change your internal addressing scheme to a private range of IPs.

Federico.

New Member

Re: creating rules on cisco pix

Now, the hosts behind the firewall will need to access other services:

Telnet

Printing thru Print Server

FTP

https

Microsoft DFS

Check EMail

And, in both internal networks, these computers are joined to an Active Directory server located remotely. Therefore, the remote servers will need to have access to these two networks. Can you provide simple rule(s) that allow the servers to make sure authentication and Active Directory communication do not get interrupted?

And, in some communication instances, the internal clients will have direct communication with other network(s). In other words, communication between the internal subnet(s) and other remote subnet(s) should be open. This is most certainly between trusted network(s).

Thanks

New Member

Re: creating rules on cisco pix

Fransisco,

I made the changes according to the new configuration file, and the internal network still can't see any host on the 172.31.53.0/24 network. The 172.31.53.0/24 network would be outside of the firewall.

Re: creating rules on cisco pix

The internal networks can go to the Internet?

If so, then the ASA is allowing the traffic out fine.

According to the diagram, the external network is outside the ASA (but is not directly connected is it?).  Is this external network another office geographically located on a different site?

We need to check if the problem is with your ASA or with the external network not knowing how to reach your internal networks.

Federico.

New Member

Re: creating rules on cisco pix

The internal host can't see any host outside of the firewall.

Re: creating rules on cisco pix

Do the following for testing purposes:

access-list OUTSIDE permit icmp any any

access-group OUTSIDE in interface outside

Then, try to PING 172.31.53.106 from an internal host.

You should see a translation when doing ''sh xlate local x.x.x.x''  where x.x.x.x is the IP of the inside machine sourcing the PING packets.

Federico.

New Member

Re: creating rules on cisco pix

From inside the network, a ping from 146.186.174.133 through the firewall to the outside network, attempting to reach 172.31.53.106, failed.

However, from inside of the firewall, I can ping both directions, internal and external hosts.

Re: creating rules on cisco pix

You say:

However, from inside of the firewall, I can ping both directions, internal and external hosts.

This means that you have Internet access from your internal network through the Firewall?

Federico.

New Member

Re: creating rules on cisco pix

Federico,

What I meant was within the firewall appliance. Not from the internal host(s).

In other words, if I connect to the firewall using PuTTY, the firewall appliance can ping. But both sides of the network, internal and external, cannot see each other.

Re: creating rules on cisco pix

Do you see the ''xlate'' created as I said?

Federico.

New Member

Re: creating rules on cisco pix

Yes, it says: PAT Global 172.31.53.100(5) Local 146.186.174.133 ICMP id 512

New Member

Re: creating rules on cisco pix

Eureka, pinging works from inside to outside.

Now, the host(s) behind the firewall will need to access other services:

Do I have to always use NAT? For example, if there is a remote network that I can trust (Active Directory), then it needs to see the computers behind the firewall. Otherwise, Microsoft Active Directory won't be able to communicate properly.

Next, I need to allow this type of traffic from inside to outside

Telnet

Printing thru Print Server

FTP

https

Microsoft DFS

Check EMail

And, in both internal networks, these computers are joined to an Active Directory server located remotely. Therefore, the remote servers will need to have access to these two networks. Can you provide simple rule(s) that allow the servers to make sure authentication and Active Directory communication do not get interrupted?

And, in some communication instances, the internal clients will have direct communication with other network(s). In other words, communication between the internal subnet(s) and other remote subnet(s) should be open. This is most certainly between trusted network(s).

Thanks

Re: creating rules on cisco pix

Hi,

If you like to learn, the idea is simple:

Communication from inside to outside needs NAT and permit ACL.

Communication from outside to inside needs STATIC NAT and permit ACL.

This means that if you want to provide Internet access to your internal network x.x.x.x/24, you do:

nat (inside) 1 x.x.x.x 255.255.255.0

global (outside) 1 interface

For inbound access to an HTTP server:

static (inside,outside) public_IP_FTP z.z.z.z

z.z.z.z will be the real IP of the FTP server

public_IP_FTP will be the public IP assigned to the FTP server so that will be reachable from the Internet.

access-list OUTSIDE permit tcp any host public_IP_FTP eq 80

access-group OUTSIDE in interface outside

Same basic rules applies for all scenarios (like I said based on security levels).

Federico.

New Member

Re: creating rules on cisco pix

Hi,

Everything you say makes sense.

so for allowing:

1) internal host to browse the internet:

access-list inside permit tcp any any eq 80

2) internal host to ftp to a remote ftp server

access-list inside permit tcp any any eq 21

3) internal host to https websites

access-list inside permit tcp any any eq 443
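Pulling Federico's rules (NAT plus permit ACL outbound, static NAT plus permit ACL inbound) and the poster's three proposed lines together, here is a complete PIX 6.3 policy for the two internal networks in this thread. It is an added example, not code from any poster. It assumes 10.5.1.0/24 is the trusted remote Active Directory network (the example address from the original question), that 172.31.53.106 is the next hop named later in the thread, and that the mail, print and RPC port ranges are reasonable guesses to be adjusted; lines beginning with ":" are PIX comments. It answers the "do I always have to use NAT?" question with NAT exemption, and replaces both the unbound "access-list inside permit ip any any" and the "permit icmp any any" test rule with explicit lists.

```cisco
: Added example (not from any poster): a complete PIX 6.3 policy for the
: networks in this thread.  10.5.1.0/24 stands for the trusted remote AD site
: (the poster's own example address); 172.31.53.106 is the next hop used
: later in the thread.  Port lists beyond what the poster named are assumed.

: 1. Outbound PAT for both internal networks, and the default route.
:    The inside network is a /26, so the mask is 255.255.255.192
:    (the 255.255.255.129 seen in the thread is not a valid mask).
nat (inside) 1 146.186.174.128 255.255.255.192
nat (intf2) 1 128.118.6.128 255.255.255.128
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 172.31.53.106 1

: 2. NAT exemption toward the trusted remote site.  "nat 0 access-list"
:    keeps the real addresses in both directions, so the remote AD servers
:    can open connections to the clients; every other destination still
:    goes through the nat 1 PAT above.
access-list NONAT_INSIDE permit ip 146.186.174.128 255.255.255.192 10.5.1.0 255.255.255.0
access-list NONAT_INTF2 permit ip 128.118.6.128 255.255.255.128 10.5.1.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
nat (intf2) 0 access-list NONAT_INTF2

: 3. What the clients may start.  Binding an ACL to inside/intf2 removes the
:    implicit higher-to-lower permit, so DNS and the AD ports must be listed
:    explicitly or browsing and domain logons break.
object-group service CLIENT_TCP tcp
  port-object eq www
  port-object eq https
  port-object eq ftp
  port-object eq telnet
  port-object eq smtp
  port-object eq pop3
  port-object eq imap4
  port-object eq 993
  port-object eq 995
  port-object eq 515
  port-object eq 9100
object-group service AD_TCP tcp
  port-object eq domain
  port-object eq 88
  port-object eq 135
  port-object eq 389
  port-object eq 445
  port-object eq 3268
object-group service AD_UDP udp
  port-object eq domain
  port-object eq 88
  port-object eq 123
  port-object eq 389
object-group network TRUSTED_REMOTE
  network-object 10.5.1.0 255.255.255.0

access-list INSIDE_OUT permit udp 146.186.174.128 255.255.255.192 any eq domain
access-list INSIDE_OUT permit tcp 146.186.174.128 255.255.255.192 any object-group CLIENT_TCP
access-list INSIDE_OUT permit tcp 146.186.174.128 255.255.255.192 object-group TRUSTED_REMOTE object-group AD_TCP
access-list INSIDE_OUT permit udp 146.186.174.128 255.255.255.192 object-group TRUSTED_REMOTE object-group AD_UDP
: RPC endpoint-mapper follow-on ports for AD and DFS (assumed range; narrow
: it once the domain controllers' dynamic RPC range is known)
access-list INSIDE_OUT permit tcp 146.186.174.128 255.255.255.192 object-group TRUSTED_REMOTE range 1024 65535
access-list INSIDE_OUT permit icmp 146.186.174.128 255.255.255.192 any echo
access-group INSIDE_OUT in interface inside

access-list INTF2_OUT permit udp 128.118.6.128 255.255.255.128 any eq domain
access-list INTF2_OUT permit tcp 128.118.6.128 255.255.255.128 any object-group CLIENT_TCP
access-list INTF2_OUT permit tcp 128.118.6.128 255.255.255.128 object-group TRUSTED_REMOTE object-group AD_TCP
access-list INTF2_OUT permit udp 128.118.6.128 255.255.255.128 object-group TRUSTED_REMOTE object-group AD_UDP
access-list INTF2_OUT permit tcp 128.118.6.128 255.255.255.128 object-group TRUSTED_REMOTE range 1024 65535
access-list INTF2_OUT permit icmp 128.118.6.128 255.255.255.128 any echo
access-group INTF2_OUT in interface intf2

: 4. Inbound on outside: only replies to the clients' pings (PIX 6.3 keeps no
:    ICMP state, which is why the thread's pings failed until an outside ACL
:    existed) plus the trusted site reaching the exempted client networks.
:    This replaces the "permit icmp any any" test rule.
access-list OUTSIDE permit icmp any any echo-reply
access-list OUTSIDE permit icmp any any time-exceeded
access-list OUTSIDE permit icmp any any unreachable
access-list OUTSIDE permit ip object-group TRUSTED_REMOTE 146.186.174.128 255.255.255.192
access-list OUTSIDE permit ip object-group TRUSTED_REMOTE 128.118.6.128 255.255.255.128
access-group OUTSIDE in interface outside

: 5. Checks after a client has browsed or pinged out:
:    show xlate local 146.186.174.133    -> a PAT entry on 172.31.53.100
:    show access-list INSIDE_OUT         -> hit counts per line
:    show conn                           -> live connections through the PIX
```

Paste it in configuration mode after removing the earlier nat, global, route and access-list statements with "no" in front (as Federico describes), then run "clear xlate" so stale translations do not linger. Because the client networks keep public addresses, the remote site and its routers must know to reach 146.186.174.128/26 and 128.118.6.128/25 via the PIX outside address, or the exempted traffic will never return. The posted configuration also still carries the default SNMP community "public"; change it before this interface faces anything untrusted.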
