Are these PIX configurations ok?

haseeb_eng
Level 1

I have a PIX 515 with a UR licence. Currently my mail and www servers are outside my PIX. I had installed a DMZ interface and put both of them on the DMZ, but it is not working. I am following the standard method. Can you please check what could be the possible problem in the configuration (DNS IS ON THE ISP SIDE. COULD THIS BE THE PROBLEM?). I had opened all the ports but it is still not working. Configurations:

pixfirewall# sh ver
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)
Compiled on Fri 07-Jun-02 17:49 by morlee
pixfirewall up 7 mins 55 secs
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5
0: ethernet0: address is 000a.b79e.5449, irq 10
1: ethernet1: address is 000a.b79e.544a, irq 11
2: ethernet2: address is 0003.47ac.5c73, irq 5
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
Serial Number: 806342412 (0x300fcf0c)
Running Activation Key: 0xee400caf 0xd29872dd 0x03c643ab 0x43f86be7
Configuration last modified by enable_15 at 14:49:30.456 UTC Thu Aug 28 2003

pixfirewall# sh config
: Saved
: Written by enable_15 at 14:40:28.625 UTC Thu Aug 28 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxx encrypted
passwd xxxxxencrypted
hostname pixfirewall
domain-name http://www.sh.com.kw
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 102 (1) permit tcp any host x.x.81.26
access-list 102 (1) permit udp any host x.x.81.26
access-list 102 (1) permit ip any host x.x.81.26
access-list 102 (1) permit tcp any host x.x.81.27
access-list 102 (1) permit udp any host x.x.81.27
access-list 102 (1) permit ip any host x.x.81.27
access-list 102 (1) permit tcp any host x.x.81.26 eq smtp
access-list 102 (1) permit tcp any host x.x.81.26 eq pop3
access-list 102 (1) permit tcp any host x.x.81.26 eq domain
access-list 102 (1) permit tcp any host x.x.81.26 eq www
access-list 102 (1) permit tcp any host x.x.81.26 eq imap4
access-list 102 (1) permit udp any host x.x.81.26 eq 25
access-list 102 (1) permit udp any host x.x.81.26 eq 110
access-list 102 (1) permit udp any host x.x.81.26 eq 143
access-list 102 (1) permit udp any host x.x.81.27 eq 80
access-list 102 (1) permit udp any host x.x.81.27 eq 143
access-list 102 (1) permit tcp any host x.x.81.27 eq www
access-list 102 (1) permit tcp any host x.x.81.27 eq domain
access-list 102 (1) permit tcp any host x.x.81.27 eq imap4
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.81.2 255.255.255.240
ip address inside x.x.200.1 255.255.255.0
ip address dmz x.x.81.25 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm location x.x.200.48 255.255.255.255 inside
pdm location x.x.81.26 255.255.255.255 dmz
pdm location x.x.81.27 255.255.255.255 dmz
pdm history enable
arp timeout 14400
global (outside) 1 x.x.81.14 netmask 255.255.255.255
nat (inside) 1 200.200.200.0 255.255.255.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
static (inside,dmz) 200.200.200.0 200.200.200.0 netmask 255.255.255.0 0 0
static (dmz,outside) x.x.81.27 x.x.81.27 dns netmask 255.255.255.255 0 0
static (dmz,outside) x.x.81.26 168.187.81.26 dns netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 168.187.81.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 200.200.200.48 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 200.200.200.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxxx
pixfirewall#
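An added example, not part of the thread: a small lint run over a constructed excerpt of the posted access-list 102. PIX evaluates an access-list top down, so the `permit tcp/udp/ip any host` entries at the top already match everything the per-port entries below them describe; those later entries can never be hit, and both DMZ hosts are open to every IP protocol rather than to the mail and web ports only. The regex only handles the `any host <ip> [eq <port>]` shape used in the posted list.

```python
import re

# Constructed excerpt of the thread's access-list 102; the "(1)" token is kept as posted.
ACL_102 = """
access-list 102 (1) permit tcp any host x.x.81.26
access-list 102 (1) permit udp any host x.x.81.26
access-list 102 (1) permit ip any host x.x.81.26
access-list 102 (1) permit tcp any host x.x.81.26 eq smtp
access-list 102 (1) permit udp any host x.x.81.26 eq 25
access-list 102 (1) permit tcp any host x.x.81.27 eq www
"""

# Only the "any host <ip> [eq <port>]" entry shape from the posted list is parsed.
ACE = re.compile(r"^access-list \S+ (?:\(\d+\) )?(permit|deny) (\S+) any host (\S+)(?: eq (\S+))?$")


def parse_aces(text):
    """Return (action, proto, dst, port) tuples in list order; port is None when absent."""
    aces = []
    for raw in text.splitlines():
        if m := ACE.match(raw.strip()):
            aces.append(m.groups())
    return aces


def covers(a, b):
    """True when entry a matches every packet entry b matches (source is 'any' in both)."""
    _, proto_a, dst_a, port_a = a
    _, proto_b, dst_b, port_b = b
    return (dst_a == dst_b
            and (proto_a == "ip" or proto_a == proto_b)
            and (port_a is None or port_a == port_b))


def shadowed_entries(text):
    """Return [(index, covered_by_index)] for entries that an earlier entry already covers;
    the PIX checks entries top down, so such an entry is dead configuration."""
    aces = parse_aces(text)
    result = []
    for i, ace in enumerate(aces):
        for j in range(i):
            if covers(aces[j], ace):
                result.append((i, j))
                break
    return result


def hosts_open_to_any_ip(text):
    """Destination hosts to which every IP protocol is permitted from any source."""
    return sorted({dst for action, proto, dst, port in parse_aces(text)
                   if action == "permit" and proto == "ip" and port is None})
```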

9 Replies

jmia
Level 7

Hi Abdul,

Please read this document and if this helps:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008015efa9.shtml

Hope this helps - Jay

jmia
Level 7

Abdul, also here are some great documents from a world-renowned expert and mentor:

http://www.netcraftsmen.net/welcher/papers/pix01.html

http://www.netcraftsmen.net/welcher/papers/pix02.html

and try changing this: nat (dmz) 0 0.0.0.0 0.0.0.0 0 0 to this: nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

Thanks -

mostiguy
Level 6

I am not able to ping any of your ip addresses, nor your default gateway. I also cannot telnet to any of your ports (smtp, etc) to test. Are you able to ping your default gateway - 168.187.81.1 from the pix?

Your dns settings with your isp look fine, and so does your pix config.

I can access the internet and these 2 servers from my inside network. And I can even ping my router from the DMZ servers also. But browsing doesn't work on the DMZ servers either. I will try to change the NAT statements as you said.

Thanks for your reply.

I had changed the NAT statement but this did not work; still the same problem is coming. What else could be the problem?

Hi, you mentioned that you can access your servers, the ones in the DMZ, but I can't figure out how you achieved that since you don't have a global statement applied to the DMZ. The nat (inside) 1... statement must match with a global (dmz) 1 statement.

First, make your DMZ servers accessible from inside. This will prove the servers' config is correct.

Regards,

Ben

For that I had configured the static command. The static command takes priority over the nat command, and I can also access the servers in the DMZ from my inside network.

ONE MORE STRANGE PROBLEM IS that I can't access the internet from the DMZ servers but I CAN PING MY ISP DNS AND I CAN ALSO PING ANOTHER NETWORK WHICH IS ALSO CONNECTED TO THE SAME ISP. So do you think this could be a problem on the ISP side?

Another exception is that maybe the DMZ interface is faulty, but again, if it is, then from the DMZ I should not be able to ping anyone outside.
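An added example, not part of the thread, covering the exchange above between Ben's rule (a nat id on one interface needs a matching global on the lower-security interface) and the reply that a static (inside,dmz) is what carries inside-to-DMZ traffic instead. On PIX 6.x a static takes precedence over nat/global, and `nat (iface) 0` without an access-list is identity NAT that needs no global pool. The check below runs over a constructed excerpt of the posted config and reports every interface pair that has neither; the static check is per interface pair, not per subnet, which is a simplification.

```python
import re

# Constructed excerpt of the PIX 6.2 config posted in the thread (nameif, nat, global, static).
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
global (outside) 1 x.x.81.14 netmask 255.255.255.255
nat (inside) 1 200.200.200.0 255.255.255.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
static (inside,dmz) 200.200.200.0 200.200.200.0 netmask 255.255.255.0 0 0
static (dmz,outside) x.x.81.27 x.x.81.27 dns netmask 255.255.255.255 0 0
"""

NAMEIF = re.compile(r"^nameif \S+ (\S+) security(\d+)$")
NAT = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL = re.compile(r"^global \((\S+)\) (\d+) ")
STATIC = re.compile(r"^static \((\S+),(\S+)\) ")


def nat_translation_gaps(config):
    """Return [(src_iface, dst_iface, nat_id)] for every nat statement whose hosts have
    no translation toward a lower-security interface: neither a global with the same
    id on that interface nor a static (src,dst), which PIX 6.x prefers over nat/global.
    nat id 0 (identity NAT, no access-list form) needs no global and is skipped.
    Simplification: static coverage is checked per interface pair, not per subnet."""
    levels, nats, globals_, statics = {}, [], set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAMEIF.match(line):
            levels[m[1]] = int(m[2])
        elif m := NAT.match(line):
            nats.append((m[1], int(m[2])))
        elif m := GLOBAL.match(line):
            globals_.add((m[1], int(m[2])))
        elif m := STATIC.match(line):
            statics.add((m[1], m[2]))
    gaps = []
    for src, nat_id in nats:
        if nat_id == 0:
            continue
        for dst, level in levels.items():
            if level >= levels[src]:
                continue  # a translation is only required toward lower security
            if (dst, nat_id) in globals_ or (src, dst) in statics:
                continue  # a global pool or a static (src,dst) serves this pair
            gaps.append((src, dst, nat_id))
    return gaps


if __name__ == "__main__":
    print(nat_translation_gaps(PIX_CONFIG))  # [] : static (inside,dmz) covers inside->dmz
```

Removing the `static (inside,dmz)` line from the excerpt makes the function report `("inside", "dmz", 1)`, which is exactly the missing `global (dmz) 1` Ben asked about.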

It's the first time I've heard that it's possible to give access from a higher security interface (inside) to a lower security interface (DMZ) using "static". What I know is that static permits the converse situation, lower to higher security i/f.

If you are reaching servers within your DMZ, is it possible they are accessible through another path?

Are you able to surf the Web from inside?

Ben

Dear haseeb,

Please do not use ping to test your connections. Ping uses ICMP, which is not statefully inspected and is handled differently than TCP and UDP traffic within the PIX Adaptive Security Algorithm (in fact, ICMP isn't handled by ASA at all).

So, whatever you are testing with ping (ICMP) does not necessarily represent what your PIX is doing with UDP and/or TCP traffic.

Just a tip, a little off topic, but in my humble opinion quite important to know.

Kind regards,

Leo
