515 Config need help

ejllantino
Level 1

Hey guys, I need help. Please check out my configuration and help me with how to permit a selected PC to use messenger programs.

thanks

soldier

: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
clock timezone AST 3
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 172.16.1.14 Proxy_Server
name 172.16.1.12 DNS_Server
name 172.16.1.87 SysLogServer
name 172.16.1.15 A3MX
name 192.168.1.1 MailGateway
name 172.19.1.14 D3MX
access-list compiled
access-list inside_outbound_nat0_acl permit ip any 10.10.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 172.16.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list outside_authentication_csnt deny tcp any host 212.102.23.36 eq smtp
access-list outside_authentication_csnt permit ip any any
access-list outside_authorization_csnt deny tcp any host 212.102.23.36 eq smtp
access-list outside_authorization_csnt permit ip any any
access-list outside_accounting_csnt deny tcp any host 212.102.23.36 eq smtp
access-list outside_accounting_csnt permit ip any any
access-list outside_access_in permit tcp any host 212.102.23.36 eq smtp
access-list outside_access_in permit tcp any host 212.102.23.38 eq www
access-list outside_access_in permit tcp any host 212.102.23.39 eq www
access-list vpngroup_splitTunnelAcl permit ip 172.16.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 10.10.10.0 255.255.255.0
access-list dmz_access_in permit udp host MailGateway any eq domain
access-list dmz_access_in permit tcp host MailGateway any eq smtp
access-list dmz_access_in permit tcp host MailGateway host 192.168.1.15
access-list dmz_access_in permit tcp host MailGateway host 192.168.1.14
access-list inside_access_in permit tcp host Proxy_Server any
access-list inside_access_in permit tcp host A3MX host MailGateway
access-list inside_access_in permit tcp host Ar3MX any eq www
access-list inside_access_in permit udp host DNS_Server any
access-list inside_access_in permit tcp host DSvr3MX host MailGateway
access-list inside_access_in permit tcp host DSvr3MX any eq www
pager lines 24
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any redirect outside
icmp permit any time-exceeded outside
ip address outside 212.102.23.34 255.255.255.240
ip address inside 172.16.1.2 255.255.0.0
ip address dmz 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool poolname 10.10.10.1-10.10.10.254
pdm location 172.16.1.1 255.255.255.255 inside
pdm location Proxy_Server 255.255.255.255 inside
pdm location 172.16.1.34 255.255.255.255 inside
pdm location SysLogServer 255.255.255.255 inside
pdm location 172.16.1.1 255.255.255.255 dmz
pdm location 172.16.0.0 255.255.0.0 dmz
pdm location DNS_Server 255.255.255.255 inside
pdm location A3MX 255.255.255.255 inside
pdm location 10.10.10.0 255.255.255.0 outside
pdm location MailGateway 255.255.255.255 dmz
pdm location 172.16.1.11 255.255.255.255 inside
pdm location D3MX 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
static (inside,outside) 212.102.23.35 Proxy_Server netmask 255.255.255.255 500 300
static (inside,outside) 212.102.23.37 DNS_Server netmask 255.255.255.255 0 0
static (inside,outside) 212.102.23.38 A3MX netmask 255.255.255.255 500 250
static (inside,dmz) 192.168.1.15 AMX netmask 255.255.255.255 0 0
static (dmz,outside) 212.102.23.36 MailGateway netmask 255.255.255.255 500 250
static (inside,dmz) 192.168.1.14 D3MX netmask 255.255.255.255 0 0
static (inside,outside) 212.102.23.39 D3MX netmask 255.255.255.255 500 250
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 212.102.23.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:15:00 absolute uauth 0:05:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server csnt protocol tacacs+
aaa-server csnt (inside) host DNS_Server secretkey timeout 5
aaa authentication http console csnt
aaa authentication ssh console csnt
aaa authentication telnet console csnt
aaa authentication match outside_authentication_csnt outside csnt
aaa authorization match outside_authorization_csnt outside csnt
aaa accounting match outside_accounting_csnt outside csnt
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 8080 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 8080 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside SysLogServer \cisco
floodguard enable
sysopt connection permit-ipsec
auth-prompt prompt Authentication process from the Firewall...
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication csnt
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpngroup address-pool poolname
vpngroup vpngroup split-tunnel vpngroup_splitTunnelAcl
vpngroup vpngroup idle-time 1800
telnet SysLogServer 255.255.255.255 inside
telnet 172.16.1.34 255.255.255.255 inside
telnet 172.16.1.1 255.255.255.255 inside
telnet 172.16.1.11 255.255.255.255 inside
telnet timeout 60
ssh 172.16.1.2 255.255.255.255 inside
ssh timeout 5
console timeout 0


jmia
Level 7

Hi -

What kind of messenger programs, i.e. MSN/AOL, etc.?

And have you got any syslog messages that you can provide?

Thanks - Jay.

l.mourits
Level 5

Since you have an access-list bound to the inside interface, you will have to permit the tcp/udp port numbers that are used from the internal subnet to any.

So, you would have to add something like this:

access-list inside_access_in permit tcp any any eq 1863

This one would be for MSN Messenger. Other messengers use other ports. Here's a good link where you will find the ports used by several kinds of messengers:

http://www.ccie.no/ports.html

Kind regards,

Leo
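As an added illustration (not code from the thread), a small Python evaluator that applies PIX first-match and implicit-deny semantics to the inside_access_in entries posted above, showing why a PC that is not named in that list cannot reach TCP 1863 until an entry for it is appended. The PC address 172.16.1.50 and the outside host 203.0.113.10 are placeholders, and the embedded config is a constructed subset of the posted one.

```python
import ipaddress
# Constructed subset of the thread's PIX 6.3 config: its name aliases and inside_access_in entries.
PIX_CONFIG = """
name 172.16.1.14 Proxy_Server
name 172.16.1.12 DNS_Server
name 172.16.1.15 A3MX
name 192.168.1.1 MailGateway
name 172.19.1.14 D3MX
access-list inside_access_in permit tcp host Proxy_Server any
access-list inside_access_in permit tcp host A3MX host MailGateway
access-list inside_access_in permit udp host DNS_Server any
access-list inside_access_in permit tcp host D3MX any eq www
"""
PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53}  # PIX service keywords
# Leo's fix, scoped to one PC (placeholder address 172.16.1.50) instead of 'any':
FIXED_CONFIG = PIX_CONFIG + "access-list inside_access_in permit tcp host 172.16.1.50 any eq 1863\n"

def parse(config):
    """Collect 'name' aliases and access-list entries, keyed by ACL id."""
    names, acls = {}, {}
    for tok in (line.split() for line in config.splitlines()):
        if tok[:1] == ["name"]:
            names[tok[2]] = tok[1]
        elif tok[:1] == ["access-list"]:
            acls.setdefault(tok[1], []).append(tok[2:])
    return names, acls

def parse_addr(tok, i, names):
    """Return (network, next index) for 'any', 'host X' or 'X mask' at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(names.get(tok[i + 1], tok[i + 1])), i + 2
    net = (names.get(tok[i], tok[i]), tok[i + 1])
    return ipaddress.ip_network(net, strict=False), i + 2

def evaluate(acl, names, proto, src, dst, dport):
    """PIX semantics: first matching entry wins; no match is the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:  # e = [action, proto, src..., dst..., optional 'eq' port]
        s_net, i = parse_addr(e, 2, names)
        d_net, i = parse_addr(e, i, names)
        port_ok = i >= len(e) or e[i] != "eq" or int(PORT_NAMES.get(e[i + 1], e[i + 1])) == dport
        if e[1] in (proto, "ip") and src in s_net and dst in d_net and port_ok:
            return e[0] == "permit"
    return False

def messenger_allowed(config, pc_ip, port=1863):
    names, acls = parse(config)  # 203.0.113.10 stands in for any outside host
    return evaluate(acls["inside_access_in"], names, "tcp", pc_ip, "203.0.113.10", port)
```

The ACL is only half the picture: as posted, the config has no global (outside) / nat (inside) pair for hosts without a static, so a newly permitted PC would still need an outside translation before its sessions can leave.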