PIX 515E outside access to internal servers

bjwethington
Level 1

Hello All;

I was wondering if I could ask for some assistance. I am very new to configuring PIX devices, and I am currently having a problem allowing external users to access some of our servers.

I am trying to allow http, smtp, pop3, and RDP (port 3389) traffic through to our web, mail and terminal servers. I think I have the right commands, but it doesn't seem to be working.

Here is a copy of my current config:

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password xxxxx encrypted
passwd xxxxxxx encrypted
hostname ymcapix
domain-name ymcadallas.org
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit tcp any host xxx.xxx.xxx.3 eq smtp
access-list 101 permit tcp any host xxx.xxx.xxx.3 eq pop3
access-list 101 permit tcp any host xxx.xxx.xxx.4 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.5 eq 3389
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xxx.xxx.xxx.2 255.255.255.240
ip address inside 192.168.1.3 255.255.255.0
ip address intf2 x.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.0.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.14 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.xxx.3 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.4 192.168.1.9 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.5 192.168.1.11 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
route inside 192.168.0.0 255.255.0.0 192.168.1.251 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxx

Feel free to critique at will. I haven't ever configured one of these devices, so I probably made numerous mistakes. Any advice/help is greatly appreciated.

Thank you all.

5 Replies

gfullage
Cisco Employee

Actually for a first time you did pretty good. Can't see anything obviously wrong with what you've done. The best way to see what's going on with problems connecting thru a PIX is to turn on syslogging, the PIX will generally tell you exactly what the problem is. Do:

logging on
logging buffer debug
sho log

This will give you a good indication of what's happening. Most syslog messages are pretty self-explanatory, but here's the full list of them for your reference:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/syslog/pixemsgs.htm

Of course if you're not sure what's happening post the syslog output and we'll help interpret. If you don't see any syslog messages then there's a chance your ISP isn't routing the .3-.5 IP addresses through to you, or hasn't activated them, or is filtering low port connections to them, I've seen that numerous times.

I have a question on this post, can anyone describe what filtering low port connections is?

I have not heard of that before.

d-garnett
Level 3

is your ISP's DNS resolving those names to IP appropriately? does your inside traffic successfully get out to the Internet (is nat working right (request and return traffic))?

if your servers are using private inside addressing, you should try redirecting the ports

static (inside,outside) tcp X.X.X.4 80 [yourInsideWWWaddy] 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.X.3 25 [yourInsideSMTPaddy] 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.X.3 110 [yourInsidePOP3addy] 110 netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.X.5 3389 [yourInsideTSsrvaddy] 3389 netmask 255.255.255.255 0 0

this tells the firewall, " any traffic that hits at these IP's on ports 80, 25, 110, or 3389 - translate the public IPs to the appropriate Inside configured servers".

your acl 101 takes care of allowing the in from the traffic from the Internet.

for security reasons, you should not allow SMTP or POP3 because you can:

SMTP - sniff traffic and read people's email (it's a clear text protocol)

POP3 - it is very easy to sniff passwds as people check their email and then spoof email once the passwd is gained.

I would really use a VPN for terminal services traffic (to stay away from the possibility of brute force attacks and the trust relationships that can be exploited if one is successful)

also for reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic9

Good Luck

Don Garnett

Network Support Specialist

bjwethington
Level 1

Thank you for helping me out. I got the pix working.

clear xlate and clear arp do wonders. Thanks again.

The reason clear arp helped may be because you have overlapping translations:

You have assigned a pool for outgoing traffic:

global (outside) 1 xxx.xxx.xxx.14 netmask 255.255.255.240

And you also have addresses from this pool assigned to servers:

static (inside,outside) xxx.xxx.xxx.3 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.4 192.168.1.9 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.5 192.168.1.11 netmask 255.255.255.255 0 0

To prevent problems in the future I think you better change the global line to:

global (outside) 1 interface
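The thread turns on three parts of the posted config: the outside access-list, the static translations it relies on, and the global address that the last reply says overlaps them. The script below is an added example, not from the thread or from Cisco, that parses those three PIX 6.x line types and reports which inside hosts and ports are actually reachable from outside, which ACL permits have no static behind them, and which static public addresses are also used as a global address. The config string is constructed for the example: the post's masked xxx.xxx.xxx.* addresses are replaced with 203.0.113.*, and an extra unmapped host (.6), a port-redirect static of the kind suggested above, and a static reusing the global address (.14) are added so each check fires.

```python
import re

# Constructed sample in the style of the thread's PIX 6.1 config (not the
# poster's real addresses). Lines for .6 and .14 and the tcp port-redirect
# static for .4 are added here to exercise each audit check.
SAMPLE_CONFIG = """
access-list 101 permit tcp any host 203.0.113.3 eq smtp
access-list 101 permit tcp any host 203.0.113.3 eq pop3
access-list 101 permit tcp any host 203.0.113.4 eq www
access-list 101 permit tcp any host 203.0.113.5 eq 3389
access-list 101 permit tcp any host 203.0.113.6 eq 3389
global (outside) 1 203.0.113.14 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.4 80 192.168.1.9 80 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.5 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.14 192.168.1.12 netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "http": 80}
ACL_RE = re.compile(r"^access-list \S+ permit tcp any host (\S+) eq (\S+)$")
# Matches both "static (i,o) PUB INSIDE netmask" and "static (i,o) tcp PUB PORT INSIDE PORT netmask"
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (?:tcp )?(\S+) (?:(\d+) )?(\S+)(?: (\d+))? netmask")
GLOBAL_RE = re.compile(r"^global \(\w+\) \d+ (\S+)")

def parse(config):
    """Collect outside ACL permits, static translations and global addresses."""
    acl, statics, globals_ = [], {}, set()
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            acl.append((m.group(1), PORT_NAMES.get(m.group(2)) or int(m.group(2))))
        elif m := STATIC_RE.match(line):
            pub, pub_port, inside, in_port = m.groups()
            statics[(pub, int(pub_port) if pub_port else None)] = (inside, int(in_port) if in_port else None)
        elif m := GLOBAL_RE.match(line):
            globals_.add(m.group(1))
    return acl, statics, globals_

def audit(config):
    """Return (exposed inside host/port pairs, ACL permits with no static, static/global address reuse)."""
    acl, statics, globals_ = parse(config)
    exposed, unmapped = [], []
    for pub, port in acl:
        target = statics.get((pub, port)) or statics.get((pub, None))  # port-redirect first, then 1:1
        if target is None:
            unmapped.append((pub, port))  # permitted by the ACL but never translated inbound
        else:
            exposed.append((target[0], target[1] or port))
    collisions = sorted({pub for pub, _ in statics} & globals_)
    return exposed, unmapped, collisions

if __name__ == "__main__":
    for label, rows in zip(("exposed", "unmapped", "collisions"), audit(SAMPLE_CONFIG)):
        print(label, rows)
```

Run it against a real `write terminal` dump to get the inside exposure list before opening more ports; an entry in `unmapped` usually means the static is missing or its public address differs from the ACL.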
