Re: pix 501 - can't get on the internet and smtp/ftp nat don't p

innerspaceservices · ‎11-03-2003

Please can you help with this, the scenario is as follows:

internal ip address allocation:

192.168.1.1 - internal pix

192.168.1.2 - file server (2k domain)

192.168.1.3 - exchange server 2k - SMTP

192.168.1.3 - Outlook web access

192.168.1.7 - ftp server (allow incoming connections)

External address range:

80.168.XXX.16 - 22

16 - unallocated

17 - BT ADSL Router

18 - PIX external Wan

19 - SMTP

20 - OWA

21 - FTP

I need a stealthy firewall configuration, but need HTTP/HTTPS - web browsing and incoming OWA, SMTP Mail from ISP, FTP both directions for downloading and for external connecting into our ftp, and VPN connections by a group of external users, they need to connect to an internal workstation running PC Anywhere client software - waiting for connection/listening, it has a static IP address, I need to know the command line and I will complete the static ip address later.

we just need to access the outside world normally and prevent any unwanted traffic or snoopers in.

If you can help, please just list the no statements then the add statements, exactly as I need to type them in configuration mode.

pinging these gets the following results

internal network - ok

internal pix interface - ok

80.168.XXX.17 - Router ok

80.168.XXX.18 - Pix external ok

80.168.XXX.19 - SMTP *NO*

80.168.XXX.20 - OWA *NO*

80.168.XXX.21 - FTP *NO*

80.168.XXX.22 - Global *NO*

I can ping external dns server on the internet 212.42.162.2 - YES OK

Can't browse the internet - changed the network card gateway to internal pix ip, also changed the lan settings in internet explorer options to internal pix interface on port 80.

I wondered if I am supposed to insert some kind of record/ptr or similar on my internal DNS server (Active Directory integrated W2K Domain), if I do have to insert something on DNS, can somebody please hold my hand on this because I don't know anything about DNS records...

is there supposed to be a fixup protocol https 443?

Anyway here is the latest config - what else can I do to make it work - I have not included VPN for the time being - let's just get the normal firewall services working first.

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password XXXXXXXXXXXX encrypted

passwd XXXXXXXXXXXX encrypted

hostname PIX

domain-name XXXXXXXX.co.uk

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 101 permit icmp any any

access-list 101 permit tcp any host 80.168.XXX.18 eq www

access-list 101 permit tcp any host 80.168.XXX.18 eq https

access-list 101 permit tcp any host 80.168.XXX.19 eq smtp

access-list 101 permit tcp any host 80.168.XXX.20 eq www

access-list 101 permit tcp any host 80.168.XXX.21 eq ftp

access-list 101 permit tcp any host 80.168.XXX.21 eq ftp-data

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside 80.168.XXX.18 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnpool 10.10.11.1-10.10.11.20

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 80.168.XXX.22 netmask 255.255.255.248

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 80.168.XXX.19 smtp 192.168.1.3 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 80.168.XXX.20 www 192.168.1.3 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 80.168.XXX.21 ftp 192.168.1.7 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp 80.168.XXX.21 ftp-data 192.168.1.7 ftp-data netmask 255.255.255.255 0 0

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 80.168.XXX.17 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.2 255.255.255.254 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet 192.168.1.2 255.255.255.254 inside

telnet timeout 5

ssh timeout 5

dhcpd address 192.168.1.2-192.168.1.129 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:xxxxxxxx

: end

p.mcgowan · ‎11-04-2003

your dhcp scope seems to include the iup addresses of some of your servers, change this so your servers have static addresses and cannot be allocated via dhcp.

innerspaceservices · ‎11-04-2003

all the servers, workstations and printers are statically assigned ip addresses, we do have a scope set up which is a special range of address not rally used - it is really set up for fallback etc.

so should I do this:

no dhcpd address 192.168.1.2-192.168.1.129 inside

dhcpd address inside

the internal servers have already got static ip address, are you saying that I should change that range above and alter the dhcp scope in Pix to not include them.

Do you have any idea why I can't ping the external smtp, owa and ftp ip addresses that are statically set up, do you think that the above was causing the problem, (I am pinging inside the pix)

any idea how to set up pdm vpn, I don't know how to get it working either?

thanks for your help.

Julie-Ellen

p.mcgowan · ‎11-04-2003

configuring the dhcp command will setup the pix to be a dhcp server on the inside interface, if you don't want your pix to be a dhcp server don't use it.

you will not be able to ping the external static addresses from inside the pix, you will only be able to ping them from outside.

to use pdm you need to tell the pix what device will access pdm

e.g

pdm location 192.168.1.10 255.255.255.255 inside

this tells the pix that only device 192.168.1.10 that si located on the inside interface can access pdm.

To use pdm the pc will need to browse the inside ip address of the pix using https

kagodfrey · ‎11-04-2003

"you will not be able to ping the external static addresses from inside the pix, you will only be able to ping them from outside."...

Also, as you are only translating the specific ports with your static statements, rather than the entire address, I would imagine that you won't be able to ping the addresses from the outside either.

innerspaceservices · ‎11-05-2003

so should I do this and get rid of dhcp altogether, I already have a scope on the real DHCP server in W2K domain:

no dhcpd address 192.168.1.2-192.168.1.129 inside

PDM - what if I want to set it up for a few external vpn connections, none of these external hosts have static ip addresses - what do I do about that. They also only need to get to one internal machine, which will run pc anywhere in listening mode. do I have to open a port or add a static entry to enable this to happen?

I can't get into PDM, when I connected it according to the instructions, ie setting the computer to dhcp and opening a browser, I even connected the cables with the right colours as specified in the manual and it tried to open the PDM, it gave me a logon etc, in the instructions it told me to just click enter to get in - no default name or password by the sounds of it, then it just hung stating that PDM was loading. Should I just reinstall from tftp - if so how do I do it?

Also to get into the webadmin what do I type in the browser

https://192.168.1.1

or

https:192.168.1.1

or should I be typing a port number after for example

https://192.168.1.1:80

thanks to all those people who are helping me...

innerspaceservices · ‎11-05-2003

I was given the instructions below to put an entry into my W2K Internal AD integrated DNS server, but I don't know how to configure a forwarder, please somebody help with the exact instructions of how to put this entry into DNS, what do I set up ie host, ptr etc etc, I don't understand DNS very well.

Here is the instructions I was given....

set up your dns server to use the ISP's dns server 212.42.162.2 as a forwarder

therefore when clients wish to browse the internet they.......

1. hit the internal dns server first to look for, say........www.google.com

2. the Win2K box doen't know about the google zone so it forwards it to 212.42.162.2.

3. 212.42.162.2 resolves the Query for www.google.com and returns your Internal Win2K DNS

server which sends that IP to the internel web client.

4. the internal web client will connect to the web server at port 80.

pix 501 - can't get on the internet and smtp/ftp nat don't ping