473 Views · 0 Helpful · 6 Replies

Problem with PIX 525

Chris Mickle
Level 1

I have a problem with a PIX 525 firewall that I recently acquired. I have set up multiple interfaces using NAT and PAT. Everything is working so far except communication from higher security interfaces to lower security ones.

inside1: 192.168.0.X, security-level 100

inside2: 192.168.1.X, security-level 90

I am not able to access the inside2 interface from inside1. It was my understanding that the PIX allows communication to lower security level interfaces by default, and access from all interfaces to outside is working.

I am new to PIX and routing in general.

Where am I going wrong?

6 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

Can you please post the NAT configuration here? Also, please post the access-list entries for both the inside1 and inside2 interfaces.

Regards,

NT

Sure, here is the info you requested.

Thanks for looking at this.

access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq 4100 log
access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 3389
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq smtp
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq www
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq https
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq pop3
access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq ftp
access-list 101 extended permit ip any host xxx.xxx.xxx.155
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq 5000
access-list 101 extended permit gre any host xxx.xxx.xxx.153
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq pptp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside1 1500
mtu inside2 1500
mtu dmz 1500
mtu internet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 xxx.xxx.xxx.154
global (outside) 3 xxx.xxx.xxx.155
global (outside) 4 xxx.xxx.xxx.156
nat (inside1) 1 192.168.0.0 255.255.255.0
nat (inside2) 2 192.168.1.0 255.255.255.0
nat (dmz) 3 192.168.2.0 255.255.255.0
nat (internet) 4 192.168.3.0 255.255.255.0
static (inside2,outside) tcp xxx.xxx.xxx.154 ftp 192.168.1.2 ftp netmask 255.255.255.255
static (inside1,outside) tcp interface smtp 192.168.0.2 smtp netmask 255.255.255.255
static (inside1,outside) tcp interface 5000 192.168.0.100 5000 netmask 255.255.255.255
static (inside1,outside) tcp interface www 192.168.0.2 www netmask 255.255.255.255
static (inside1,outside) tcp interface https 192.168.0.2 https netmask 255.255.255.255
static (inside1,outside) tcp interface pop3 192.168.0.2 pop3 netmask 255.255.255.255
static (inside1,outside) tcp interface pptp 192.168.0.2 pptp netmask 255.255.255.255
static (inside2,outside) tcp xxx.xxx.xxx.154 3389 192.168.1.2 3389 netmask 255.255.255.255
static (inside1,outside) tcp interface 4100 192.168.0.2 4100 netmask 255.255.255.255
static (dmz,outside) xxx.xxx.xxx.155 192.168.2.2 netmask 255.255.255.255
access-group 101 in interface outside

Hello,

Please try the following:

access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside1) 0 access-list nonat

Hope this helps.

Regards,

NT

Yes, thank you, that worked. I can now access the FTP server on inside2 from inside1 but not the other way around, which is what I want.

So was I wrong to think that the PIX allows communication to lower security interfaces by default?

Also, could you explain what this config means in detail? I am trying to learn this device.

Hello,

The configuration I have provided basically tells the firewall that when you are going from Inside1 to Inside2, the source address should not be changed, i.e. you have to bypass the NAT rules. This will satisfy the NAT requirement between the higher security interface and the lower security interface. It will also allow Inside2 to open a connection towards Inside1 hosts. The reason you are not able to initiate connections from Inside2 towards Inside1 is because Inside2 is at a lower security level and you need to have an explicit access-list allowing that access. You can try the following:

access-list 102 permit ip any host

access-list 102 deny ip any 192.168.0.0 255.255.255.0

access-list 102 permit ip any any

access-group 102 in interface Inside2

In the above configuration, is the host that you need access to from the Inside2 subnet. If you want unlimited access between Inside1 and Inside2, then you can ignore the first two lines and just add the 3rd line.

Hope this helps.

Regards,

NT

No, I would only like connections to be initiated from inside1. Interface inside2 has an old FTP server on it that I don't want to have access to my domain network on inside1. This is exactly what I wanted to do.

So let me see if I understand this correctly.

The line...

nat (inside1) 0 access-list nonat

sets up a NAT rule for inside1 that is defined by what is in the access list "nonat" rather than by an IP like in my config (nat (inside1) 1 192.168.0.0).

And then that access list sets the rules for communication between the interfaces, in this case allowing all traffic from inside1 clients to inside2 clients.

So if I wanted to expand on this and give inside1 access to another interface (inside3; 192.168.2.0; sec. lev. 80, for example), I could add the following...

access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

Also, am I correct to assume that I don't need to tie the nonat access list to an interface using the access-group command because it is already tied to that interface within the NAT statement?

Sorry if my terminology is not 100%.

Thanks a million for all your help. I have been looking everywhere for the answer to this question.
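The following is an added configuration example, not part of the original thread or of Cisco's documentation, that pulls together the NAT-exemption idea from NT's reply and the extension Chris asks about in the last post. It keeps the thread's own interfaces and subnets (inside1 192.168.0.0/24, inside2 192.168.1.0/24) and, instead of the hypothetical inside3, uses the dmz interface that already exists in the posted config as the third network, since 192.168.2.0/24 is already assigned to dmz there and an inside3 on the same subnet would collide with it. The access-list name inside2_in, the host addresses 192.168.0.10 and 192.168.1.2 in the check commands, and the assumption that dmz and internet sit at a lower security level than inside2 are all this example's own choices. The packet-tracer command exists on PIX/ASA software 7.2 and later (the posted asdm-602.bin image implies 8.0); on older images use show nat and show xlate instead.

```cisco
! --- NAT exemption: inside1 may talk to inside2 and dmz without translation.
! --- One ACL can carry several destination subnets; nat 0 references it directly,
! --- so NO access-group is needed for "nonat" (it is not a filtering ACL).
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside1) 0 access-list nonat

! --- Keep the old FTP server on inside2 out of the domain network.
! --- By default a lower-security interface cannot initiate to a higher one, so
! --- inside2 -> inside1 is already denied. An explicit ACL makes that intent
! --- visible, logs attempts, and also blocks inside2 -> dmz / internet, which
! --- the default would otherwise permit if those sit at lower security levels.
! --- Note: once an access-group is applied, the implicit "permit to lower
! --- security" goes away, so the final permit is required to keep inside2's
! --- outbound Internet access working.
access-list inside2_in extended deny ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 log
access-list inside2_in extended deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 log
access-list inside2_in extended deny ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 log
access-list inside2_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group inside2_in in interface inside2

! --- Verification (assumed host addresses):
! --- inside1 client 192.168.0.10 opening FTP to the inside2 server should pass
! --- with "NAT exempt" shown in the NAT phase and no xlate created.
packet-tracer input inside1 tcp 192.168.0.10 1025 192.168.1.2 21
! --- inside2 server trying to reach inside1 should be dropped by inside2_in.
packet-tracer input inside2 tcp 192.168.1.2 1025 192.168.0.10 445
! --- Hit counts on the deny lines show whether the FTP host is probing inside1.
show access-list inside2_in
show nat
```

Return traffic for connections that inside1 opened toward inside2 is allowed by the stateful connection table, so nothing in inside2_in needs to permit it; the ACL only governs which connections inside2 hosts may initiate.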
