Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

PIX 506e Inbound Rule

Greetings--I am working on putting together a Cisco lab, and to that end I have a PIX 506e on the perimeter of my home-network (replacing an ISA box). The PIX is configured with the standard out-of-the-box setup, with a couple of changes (no DHCP Service on inside being the most material).

I can't seem to get inbound access-lists to work properly, however, and when I do... all of my external access goes down! I know I'm missing something fairly simple, and I'm hoping someone here can tell me what it is. I'll attach a dump of my config below.

----- snip -------

Milton# pager 0

Milton# show running-config

: Saved

:

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname Milton

domain-name clownworld.com

clock timezone PST -8

clock summer-time PDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list inside_outbound_nat0_acl permit ip any host 192.168.1.224

access-list outside_cryptomap_dyn_20 permit ip any host 192.168.1.224

access-list INBOUND permit tcp any host 192.168.1.10 eq 57601

access-list INBOUND permit udp any host 192.168.1.10 eq 57601

access-list INBOUND deny ip any any

no pager

logging on

icmp deny any outside

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 192.168.1.1 255.255.255.0

ip verify reverse-path interface outside

ip audit info action alarm

ip audit attack action alarm

ip local pool REMOTES 192.168.1.224

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group INBOUND in interface outside

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside 192.168.1.10 PIX_CONFIG_BACKUP

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes-256

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup ADMINS address-pool REMOTES

vpngroup ADMINS idle-time 1800

vpngroup ADMINS password ********

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

management-access inside

console timeout 0

dhcpd lease 3000

dhcpd ping_timeout 750

dhcpd domain clownworld.com

dhcpd auto_config outside

terminal width 80

banner motd "This is a test of the Emergency Broadcorping Castration..."

Cryptochecksum:xxxx

: end

1 REPLY

Re: PIX 506e Inbound Rule

The static command for the NAT translation is missing and the access-list on the outside interface should have the public IP configured not the private ones.

1.) Remove the old access-list first:

no access-list INBOUND permit tcp any host 192.168.1.10 eq 57601

no access-list INBOUND permit udp any host 192.168.1.10 eq 57601

no access-list INBOUND deny ip any any

Note: You do not have to add This line is added automaticly by the PIX. If you whish to add special logging options then it could be useful.

2.) Change access-list to:

access-list INBOUND permit tcp any host PublicIP eq 57601

access-list INBOUND permit udp any host PublicIP eq 57601

access-group INBOUND in interface outside

3a.) Scenario with one Public IP, I assume as you use DHCP ?

PublicIP could be outside interface IP, replace the keyword PublicIP with: < interface outside >

Final config:

access-list INBOUND permit tcp any interface outside eq 57601

access-list INBOUND permit udp any interface outside eq 57601

access-group INBOUND in interface outside

Add a static (Port redirection):

static (inside,outside) tcp interface 57601 192.168.1.10 57601 netmask 0255.255.255.255

static (inside,outside) udp interface 57601 192.168.1.10 57601 netmask 255.255.255.255

After changing all settings execute a:

clear xlate

sincerely

Patrick

173
Views
5
Helpful
1
Replies
CreatePlease to create content