Cisco Support Community
Pix 525 interface communication question

Hello,

I am new to PIX and Cisco.

I have a PIX 525 ver 8.0(2) Unrestricted that I need some help configuring.

First, the unit has 6 interfaces, one outside (eth0) and five inside (eth1-eth5).

I have a block of 5 static IPs from my ISP and am using NAT on all 5 interfaces to route traffic from specific WAN IPs to each inside interface (I believe this is called hairpinning).

WAN IP xxx.xxx.xxx.153 is NATed to eth1

WAN IP xxx.xxx.xxx.154 is NATed to eth2

and so on...

Outside is eth0

My domain network is on interface eth1

FTP server on interface eth2

Interfaces eth3 and eth4 are for testing purposes

Another group of users is on eth5

On my domain network (eth1) there is an Exchange server that users on eth5 need to access. They only need access to the OWA site using ports 80 and 443.

I have been able to get the users access by changing the security level on eth5 to the same or higher level as eth1, but this gives them total access. I have tried to create access rules and static routes to restrict communication to only the necessary ports, but it doesn't work. The only way I can give them access is by increasing the security level of eth5 and this is unacceptable.

Can someone please tell me what I am doing wrong?

Please let me know if you need me to post the config.

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

Pix 525 interface communication question

Hello,

You need the following

static (inside,chuly) exchangeserver_ip exchangeserver_ip

access-list chuly_in permit tcp any host exchangeserver_ip eq xx (port that needs to be accessed)

access-list chuly_in permit tcp any host exchangeserver_ip eq xx (port that needs to be accessed)

access-list chuly_in permit tcp any host exchangeserver_ip eq xx (port that needs to be accessed)

access-list chuly_in deny ip any host exchangeserver_ip

access-list chuly_in permit ip any any

access-group chuly_in in interface chuly

Regards,

Julio

Rate all the posts that are helpful!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
9 REPLIES

Pix 525 interface communication question

Hello Chris,

Please post your configuration because, as you explain it, an ACL in the inside direction on Eth5 should be able to restrict that traffic.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Pix 525 interface communication question

Thanks very much for looking at this for me!

Took me a few minutes to scrub the config, but here it is...

PIX Version 8.0(2)

!

hostname xxxxxxxx

enable password xxxxxxxxxxxxxxxxxxxxx encrypted

names

!

interface Ethernet0

nameif outside

security-level 0

ip address xxx.xxx.xxx.153 255.255.255.248

ospf cost 10

!

interface Ethernet1

nameif domain

security-level 100

ip address 192.168.0.1 255.255.255.0

ospf cost 10

!

interface Ethernet2

nameif ftp

security-level 60

ip address 192.168.1.1 255.255.255.0

ospf cost 10

!

interface Ethernet3

nameif test

security-level 80

ip address 192.168.2.1 255.255.255.0

ospf cost 10

!

interface Ethernet4

nameif internet

security-level 50

ip address 192.168.3.1 255.255.255.0

ospf cost 10

!

interface Ethernet5

nameif chuly

security-level 90

ip address 192.168.4.1 255.255.255.0

!

passwd xxxxxxxxxxxxxxxxxxxx encrypted

!

time-range IPBlocked

absolute end 01:12 28 October 2010

periodic daily 0:00 to 23:59

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq smtp

access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq https

access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq pop3

access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq ftp

access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq 5000

access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 7707

access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 7708

access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 7717

access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 28852

access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 20560

access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 20560

access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 8075

access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 28852

access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq www

access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq 587

access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq www

access-list 101 extended permit ip any host xxx.xxx.xxx.157

access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 20800

access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 20810

access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 28960

access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 28960

access-list 301 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 401 extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu domain 1500

mtu ftp 1500

mtu test 1500

mtu internet 1500

mtu chuly 1500

ip verify reverse-path interface outside

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (outside) 2 xxx.xxx.xxx.154

global (outside) 3 xxx.xxx.xxx.155

global (outside) 4 xxx.xxx.xxx.156

global (outside) 5 xxx.xxx.xxx.157

nat (domain) 0 access-list 301

nat (domain) 1 192.168.0.0 255.255.255.0

nat (ftp) 2 192.168.1.0 255.255.255.0

nat (test) 3 192.168.2.0 255.255.255.0

nat (internet) 4 192.168.3.0 255.255.255.0

nat (chuly) 0 access-list 401

nat (chuly) 5 192.168.4.0 255.255.255.0

static (ftp,outside) tcp xxx.xxx.xxx.154 ftp 192.168.1.2 ftp netmask 255.255.255.255

static (ftp,outside) udp xxx.xxx.xxx.154 7708 192.168.1.2 7708 netmask 255.255.255.255

static (ftp,outside) udp xxx.xxx.xxx.154 7707 192.168.1.2 7707 netmask 255.255.255.255

static (ftp,outside) udp xxx.xxx.xxx.154 7717 192.168.1.2 7717 netmask 255.255.255.255

static (ftp,outside) udp xxx.xxx.xxx.154 28852 192.168.1.2 28852 netmask 255.255.255.255

static (ftp,outside) udp xxx.xxx.xxx.154 20560 192.168.1.2 20560 netmask 255.255.255.255

static (ftp,outside) tcp xxx.xxx.xxx.154 20560 192.168.1.2 20560 netmask 255.255.255.255

static (ftp,outside) tcp xxx.xxx.xxx.154 8075 192.168.1.2 8075 netmask 255.255.255.255

static (ftp,outside) tcp xxx.xxx.xxx.154 28852 192.168.1.2 28852 netmask 255.255.255.255

static (ftp,outside) tcp xxx.xxx.xxx.154 www 192.168.1.2 www netmask 255.255.255.255

static (domain,outside) tcp interface smtp 192.168.0.3 smtp netmask 255.255.255.255

static (domain,outside) tcp interface 5000 192.168.0.10 5000 netmask 255.255.255.255

static (domain,outside) tcp interface https 192.168.0.3 https netmask 255.255.255.255

static (domain,outside) tcp interface pop3 192.168.0.3 pop3 netmask 255.255.255.255

static (domain,outside) tcp interface 587 192.168.0.3 587 netmask 255.255.255.255

static (domain,outside) tcp interface www 192.168.0.3 www netmask 255.255.255.255

static (ftp,outside) udp xxx.xxx.xxx.154 28960 192.168.1.2 28960 netmask 255.255.255.255

static (ftp,outside) udp xxx.xxx.xxx.154 20810 192.168.1.2 20810 netmask 255.255.255.255

static (ftp,outside) udp xxx.xxx.xxx.154 20800 192.168.1.2 20800 netmask 255.255.255.255

static (ftp,outside) tcp xxx.xxx.xxx.154 28960 192.168.1.2 28960 netmask 255.255.255.255

static (chuly,outside) xxx.xxx.xxx.157 192.168.4.2 netmask 255.255.255.255

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.158 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.0.0 255.255.255.0 domain

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet 192.168.0.0 255.255.255.0 domain

telnet timeout 5

ssh 192.168.0.0 255.255.255.0 domain

ssh timeout 30

console timeout 0

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.255.0

threat-detection scanning-threat shun except ip-address 192.168.1.0 255.255.255.0

threat-detection scanning-threat shun except ip-address 192.168.2.0 255.255.255.0

threat-detection scanning-threat shun except ip-address 192.168.3.0 255.255.255.0

threat-detection scanning-threat shun except ip-address 192.168.4.0 255.255.255.0

threat-detection statistics

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect pptp

!

service-policy global_policy global

ntp server 207.46.197.32 source outside prefer

prompt hostname context

Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

: end

asdm image flash:/asdm-602.bin

no asdm history enable


Pix 525 interface communication question

THANK YOU SO MUCH!!!!!

I have been messing with this on and off for weeks and couldn't make it work.

My users on eth5 can now access OWA on domain without access to anything else!

Now all I have left to do is create A records on the domain controller on that interface to point the traffic via host name and that's it!

Is there anything else you can see in my config that I should do differently?

Pix 525 interface communication question

Hello Chris,

Glad I could help!!

No, reading the configuration and based on what you were looking for, I think your configuration is fine the way it is now.

Regards,

Julio

Rate helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Pix 525 interface communication question

Thanks again...I do have one more question actually...

What does the following do specifically?

access-list chuly_in permit ip any any

thanks

Pix 525 interface communication question

Hello Chris,

It is going to allow all IP traffic coming from the chuly host to any other host on another interface, except for the deny rule we configured before.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
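
An added example, not part of the original posts: a first-match evaluation of the chuly_in ACL with the thread's values filled in (Exchange server 192.168.0.3, OWA on TCP 80 and 443), showing which entry decides each flow. It models only the ACL, not NAT or security levels; the sample flows and the TIGHTENED variant, which denies the whole domain subnet 192.168.0.0/24, are assumptions constructed for illustration.

```python
import ipaddress

# chuly_in from the accepted answer, placeholders filled from the thread:
# Exchange server 192.168.0.3, OWA on tcp/80 and tcp/443. Source is always "any".
# Entry: (action, protocol, destination network, destination port or None)
CHULY_IN = [
    ("permit", "tcp", "192.168.0.3/32", 80),
    ("permit", "tcp", "192.168.0.3/32", 443),
    ("deny", "ip", "192.168.0.3/32", None),
    ("permit", "ip", "0.0.0.0/0", None),
]

# Assumed variant (not from the thread): deny the whole domain subnet instead
# of only the Exchange host, so the final permit cannot match domain hosts.
TIGHTENED = CHULY_IN[:2] + [
    ("deny", "ip", "192.168.0.0/24", None),
    ("permit", "ip", "0.0.0.0/0", None),
]

# Constructed flows arriving on the chuly interface: (label, proto, dst, dport)
FLOWS = [
    ("OWA over HTTPS", "tcp", "192.168.0.3", 443),
    ("other TCP port on Exchange", "tcp", "192.168.0.3", 3389),
    ("UDP to Exchange", "udp", "192.168.0.3", 53),
    ("other domain host", "tcp", "192.168.0.10", 5000),
    ("host beyond the firewall", "tcp", "198.51.100.10", 443),
]

def evaluate(acl, proto, dst, dport=None):
    """Return (action, entry number) of the first match; ("deny", 0) is the implicit deny."""
    dst_ip = ipaddress.ip_address(dst)
    for number, (action, ace_proto, net, port) in enumerate(acl, start=1):
        if ace_proto not in ("ip", proto):
            continue  # a tcp entry never matches udp; "ip" matches every protocol
        if dst_ip not in ipaddress.ip_network(net):
            continue
        if port is not None and port != dport:
            continue
        return action, number
    return "deny", 0

def report(acl):
    """Map each constructed flow label to the ACL decision for it."""
    return {label: evaluate(acl, proto, dst, dport) for label, proto, dst, dport in FLOWS}

if __name__ == "__main__":
    for name, acl in (("chuly_in", CHULY_IN), ("tightened", TIGHTENED)):
        print(name)
        for label, (action, number) in report(acl).items():
            print(f"  {label:28} {action:6} (entry {number})")
```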

Pix 525 interface communication question

ok I see...

one more thing and then that is it I promise

static (inside,chuly) exchangeserver_ip exchangeserver_ip

Why are the IPs the same for this static rule?

static (domain,chuly) 192.168.0.3 192.168.0.3

Pix 525 interface communication question

Hello Chris,

In this case we are doing an identity NAT translation, so users on the other interface (chuly) will go to the real IP address of the server (domain interface); we could also translate it to a different IP address if that were the setup you were looking for.

Regards,

Julio

Rate posts that help!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC