01-18-2012 11:10 AM - edited 03-11-2019 03:16 PM
Hello,
I am new to PIX and Cisco.
I have a PIX 525 ver 8.0(2) Unrestricted that I need some help configuring.
First, the unit has 6 interfaces, one outside (eth0) and five inside (eth1-eth5).
I have a block of 5 static IPs from my ISP and am using NAT on all 5 interfaces to route traffic from specific WAN IPs to each inside interface (I believe this is called hairpinning).
WAN IP xxx.xxx.xxx.153 is NATed to eth1
WAN IP xxx.xxx.xxx.154 is NATed to eth2
and so on...
Outside is eth0
My domain network is on interface eth1
FTP server on interface eth2
Interfaces eth3 and eth4 are for testing purposes
Another group of users is on eth5
On my domain network (eth1) there is an Exchange server that users on eth5 need to access. They only need access to the OWA site using ports 80 and 443.
I have been able to get the users access by changing the security level on eth5 to the same or higher level as eth1, but this gives them total access. I have tried to create access rules and static routes to restrict communication to only the necessary ports, but it doesn't work. The only way I can give them access is by increasing the security level of eth5 and this is unacceptable.
Can someone please tell me what I am doing wrong?
Please let me know if you need me to post the config.
Thanks
Solved! Go to Solution.
01-18-2012 11:53 AM
Hello,
You need the following
static (inside,chuly) exchangeserver_ip exchangeserver_ip
access-list chuly_in permit tcp any host exchangeserver_ip eq xx(Port needs to be access)
access-list chuly_in permit tcp any host exchangeserver_ip eq xx(Port needs to be access)
access-list chuly_in permit tcp any host exchangeserver_ip eq xx(Port needs to be access)
access-list chuly_in deny ip any host exchangeserver_ip
access-list chuly_in permit ip any any
access-group chuly_in in interface chuly
Regards,
Julio
Rate all the posts that are helpful!!
01-18-2012 11:14 AM
Hello Chris,
Please post your configuration because as you explain it an ACL inside direction on Eth5 should be able to restrict that traffic.
Regards,
Julio
01-18-2012 11:26 AM
Thanks very much for looking at this for me!
Took me a few minutes to scrub the config, but here it is...
PIX Version 8.0(2)
!
hostname xxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address xxx.xxx.xxx.153 255.255.255.248
ospf cost 10
!
interface Ethernet1
nameif domain
security-level 100
ip address 192.168.0.1 255.255.255.0
ospf cost 10
!
interface Ethernet2
nameif ftp
security-level 60
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Ethernet3
nameif test
security-level 80
ip address 192.168.2.1 255.255.255.0
ospf cost 10
!
interface Ethernet4
nameif internet
security-level 50
ip address 192.168.3.1 255.255.255.0
ospf cost 10
!
interface Ethernet5
nameif chuly
security-level 90
ip address 192.168.4.1 255.255.255.0
!
passwd xxxxxxxxxxxxxxxxxxxx encrypted
!
time-range IPBlocked
absolute end 01:12 28 October 2010
periodic daily 0:00 to 23:59
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq smtp
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq https
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq pop3
access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq ftp
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq 5000
access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 7707
access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 7708
access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 7717
access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 28852
access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 20560
access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 20560
access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 8075
access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 28852
access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq www
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq 587
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq www
access-list 101 extended permit ip any host xxx.xxx.xxx.157
access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 20800
access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 20810
access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 28960
access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 28960
access-list 301 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 401 extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu domain 1500
mtu ftp 1500
mtu test 1500
mtu internet 1500
mtu chuly 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 xxx.xxx.xxx.154
global (outside) 3 xxx.xxx.xxx.155
global (outside) 4 xxx.xxx.xxx.156
global (outside) 5 xxx.xxx.xxx.157
nat (domain) 0 access-list 301
nat (domain) 1 192.168.0.0 255.255.255.0
nat (ftp) 2 192.168.1.0 255.255.255.0
nat (test) 3 192.168.2.0 255.255.255.0
nat (internet) 4 192.168.3.0 255.255.255.0
nat (chuly) 0 access-list 401
nat (chuly) 5 192.168.4.0 255.255.255.0
static (ftp,outside) tcp xxx.xxx.xxx.154 ftp 192.168.1.2 ftp netmask 255.255.255.255
static (ftp,outside) udp xxx.xxx.xxx.154 7708 192.168.1.2 7708 netmask 255.255.255.255
static (ftp,outside) udp xxx.xxx.xxx.154 7707 192.168.1.2 7707 netmask 255.255.255.255
static (ftp,outside) udp xxx.xxx.xxx.154 7717 192.168.1.2 7717 netmask 255.255.255.255
static (ftp,outside) udp xxx.xxx.xxx.154 28852 192.168.1.2 28852 netmask 255.255.255.255
static (ftp,outside) udp xxx.xxx.xxx.154 20560 192.168.1.2 20560 netmask 255.255.255.255
static (ftp,outside) tcp xxx.xxx.xxx.154 20560 192.168.1.2 20560 netmask 255.255.255.255
static (ftp,outside) tcp xxx.xxx.xxx.154 8075 192.168.1.2 8075 netmask 255.255.255.255
static (ftp,outside) tcp xxx.xxx.xxx.154 28852 192.168.1.2 28852 netmask 255.255.255.255
static (ftp,outside) tcp xxx.xxx.xxx.154 www 192.168.1.2 www netmask 255.255.255.255
static (domain,outside) tcp interface smtp 192.168.0.3 smtp netmask 255.255.255.255
static (domain,outside) tcp interface 5000 192.168.0.10 5000 netmask 255.255.255.255
static (domain,outside) tcp interface https 192.168.0.3 https netmask 255.255.255.255
static (domain,outside) tcp interface pop3 192.168.0.3 pop3 netmask 255.255.255.255
static (domain,outside) tcp interface 587 192.168.0.3 587 netmask 255.255.255.255
static (domain,outside) tcp interface www 192.168.0.3 www netmask 255.255.255.255
static (ftp,outside) udp xxx.xxx.xxx.154 28960 192.168.1.2 28960 netmask 255.255.255.255
static (ftp,outside) udp xxx.xxx.xxx.154 20810 192.168.1.2 20810 netmask 255.255.255.255
static (ftp,outside) udp xxx.xxx.xxx.154 20800 192.168.1.2 20800 netmask 255.255.255.255
static (ftp,outside) tcp xxx.xxx.xxx.154 28960 192.168.1.2 28960 netmask 255.255.255.255
static (chuly,outside) xxx.xxx.xxx.157 192.168.4.2 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.158 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 domain
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.0.0 255.255.255.0 domain
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 domain
ssh timeout 30
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.1.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.2.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.3.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.4.0 255.255.255.0
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
ntp server 207.46.197.32 source outside prefer
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
asdm image flash:/asdm-602.bin
no asdm history enable
01-18-2012 12:18 PM
THANK YOU SO MUCH!!!!!
I have been messing with this on and off for weeks and couldn't make it work.
My users on eth5 can now access OWA on domain without access to anything else!
Now all I have left to do is create A records on the domain controller on that interface to point the traffic via host name and that's it!
Is there anything else you can see in my config that I should do differently?
01-18-2012 12:31 PM
Hello Chris,
Glad I could help!!
No, reading the configuration and based on what you were looking for I think your configuration is fine the way it is now.
Regards,
Julio
Rate helpful posts
01-18-2012 12:33 PM
Thanks again...I do have one more question actually...
What does the following do specifically?
access-list chuly_in permit ip any any
thanks
01-18-2012 12:50 PM
Hello Chris,
It is going to allow all ip traffic coming from the chuly host to any other host on another interface, except for the deny rule we configured before.
Regards,
Julio
01-18-2012 12:53 PM
ok I see...
one more thing and then that is it, I promise
static (inside,chuly) exchangeserver_ip exchangeserver_ip
Why are the IPs the same for this static rule?
static (domain,chuly) 192.168.0.3 192.168.0.3
01-18-2012 01:23 PM
Hello Chris,
We are doing in this case an identity NAT translation so users on the other interface (chuly) will go to the real IP address of the server (domain interface); we could also translate it to a different IP address if that were the setup you were looking for.
Regards,
Julio
Rate posts that help!