topic Pix 525 interface communication question in Network Security

Pix 525 interface communication question

Chris Mickle — Mon, 11 Mar 2019 22:16:13 GMT

Hello,

I am new to PIX and Cisco.

I have a PIX 525 ver 8.0(2) Unrestricted that I need some help configuring.

First, the unit has 6 interfaces, one outside (eth0) and five inside (eth1-eth5).

I have a block of 5 static IPs from my ISP and am using NAT on all 5 interfaces to route traffic from specific WAN IPs to each inside interface (I believe this is called hairpinning).

WAN IP xxx.xxx.xxx.153 is NATed to eth1

WAN IP xxx.xxx.xxx.154 is NATed to eth2

and so on...

Outside is eth0

My domain network is on interface eth1

FTP server on interface eth2

Interfaces eth3 and eth4 are for testing perposes

Another group of users is on eth5

On my domain network (eth1) there is an Excahnge server that users on eth5 need to access. They only need access to the OWA site using ports 80 and 443.

I have been able to get the users access by changeing the security level on eth5 to the same or higher level as eth1, but this gives them total access. I have tried to create access rules and static routes to restrict communication to only the nessissary ports, but it doesn't work. The only way I can give them access is by increasing the security level of eth5 and this is unacceptable.

Can someone please tell me what I am doing wrong?

Please let me know if you need me to post the config.

Thanks

Pix 525 interface communication question

Julio Carvajal — Wed, 18 Jan 2012 19:14:17 GMT

Hello Chris,

Please post your configuration because as you explain it an ACL inside direction on Eth5 should be able to restrict that traffic.

Regards,

Julio

Pix 525 interface communication question

Chris Mickle — Wed, 18 Jan 2012 19:26:13 GMT

Thanks very much for looking at this for me!

Took me a few minutes to scrubb the config, but here it is...

PIX Version 8.0(2)

hostname xxxxxxxx

enable password xxxxxxxxxxxxxxxxxxxxx encrypted

names

interface Ethernet0

nameif outside

security-level 0

ip address xxx.xxx.xxx.153 255.255.255.248

ospf cost 10

interface Ethernet1

nameif domain

security-level 100

ip address 192.168.0.1 255.255.255.0

ospf cost 10

interface Ethernet2

nameif ftp

security-level 60

ip address 192.168.1.1 255.255.255.0

ospf cost 10

interface Ethernet3

nameif test

security-level 80

ip address 192.168.2.1 255.255.255.0

ospf cost 10

interface Ethernet4

nameif internet

security-level 50

ip address 192.168.3.1 255.255.255.0

ospf cost 10

interface Ethernet5

nameif chuly

security-level 90

ip address 192.168.4.1 255.255.255.0

passwd xxxxxxxxxxxxxxxxxxxx encrypted

time-range IPBlocked

absolute end 01:12 28 October 2010

periodic daily 0:00 to 23:59

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq smtp

access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq https

access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq pop3

access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq ftp

access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq 5000

access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 7707

access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 7708

access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 7717

access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 28852

access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 20560

access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 20560

access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 8075

access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 28852

access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq www

access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq 587

access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq www

access-list 101 extended permit ip any host xxx.xxx.xxx.157

access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 20800

access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 20810

access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 28960

access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 28960

access-list 301 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 401 extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu domain 1500

mtu ftp 1500

mtu test 1500

mtu internet 1500

mtu chuly 1500

ip verify reverse-path interface outside

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (outside) 2 xxx.xxx.xxx.154

global (outside) 3 xxx.xxx.xxx.155

global (outside) 4 xxx.xxx.xxx.156

global (outside) 5 xxx.xxx.xxx.157

nat (domain) 0 access-list 301

nat (domain) 1 192.168.0.0 255.255.255.0

nat (ftp) 2 192.168.1.0 255.255.255.0

nat (test) 3 192.168.2.0 255.255.255.0

nat (internet) 4 192.168.3.0 255.255.255.0

nat (chuly) 0 access-list 401

nat (chuly) 5 192.168.4.0 255.255.255.0

static (ftp,outside) tcp xxx.xxx.xxx.154 ftp 192.168.1.2 ftp netmask 255.255.255.255

static (ftp,outside) udp xxx.xxx.xxx.154 7708 192.168.1.2 7708 netmask 255.255.255.255

static (ftp,outside) udp xxx.xxx.xxx.154 7707 192.168.1.2 7707 netmask 255.255.255.255

static (ftp,outside) udp xxx.xxx.xxx.154 7717 192.168.1.2 7717 netmask 255.255.255.255

static (ftp,outside) udp xxx.xxx.xxx.154 28852 192.168.1.2 28852 netmask 255.255.255.255

static (ftp,outside) udp xxx.xxx.xxx.154 20560 192.168.1.2 20560 netmask 255.255.255.255

static (ftp,outside) tcp xxx.xxx.xxx.154 20560 192.168.1.2 20560 netmask 255.255.255.255

static (ftp,outside) tcp xxx.xxx.xxx.154 8075 192.168.1.2 8075 netmask 255.255.255.255

static (ftp,outside) tcp xxx.xxx.xxx.154 28852 192.168.1.2 28852 netmask 255.255.255.255

static (ftp,outside) tcp xxx.xxx.xxx.154 www 192.168.1.2 www netmask 255.255.255.255

static (domain,outside) tcp interface smtp 192.168.0.3 smtp netmask 255.255.255.255

static (domain,outside) tcp interface 5000 192.168.0.10 5000 netmask 255.255.255.255

static (domain,outside) tcp interface https 192.168.0.3 https netmask 255.255.255.255

static (domain,outside) tcp interface pop3 192.168.0.3 pop3 netmask 255.255.255.255

static (domain,outside) tcp interface 587 192.168.0.3 587 netmask 255.255.255.255

static (domain,outside) tcp interface www 192.168.0.3 www netmask 255.255.255.255

static (ftp,outside) udp xxx.xxx.xxx.154 28960 192.168.1.2 28960 netmask 255.255.255.255

static (ftp,outside) udp xxx.xxx.xxx.154 20810 192.168.1.2 20810 netmask 255.255.255.255

static (ftp,outside) udp xxx.xxx.xxx.154 20800 192.168.1.2 20800 netmask 255.255.255.255

static (ftp,outside) tcp xxx.xxx.xxx.154 28960 192.168.1.2 28960 netmask 255.255.255.255

static (chuly,outside) xxx.xxx.xxx.157 192.168.4.2 netmask 255.255.255.255

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.158 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.0.0 255.255.255.0 domain

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet 192.168.0.0 255.255.255.0 domain

telnet timeout 5

ssh 192.168.0.0 255.255.255.0 domain

ssh timeout 30

console timeout 0

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.255.0

threat-detection scanning-threat shun except ip-address 192.168.1.0 255.255.255.0

threat-detection scanning-threat shun except ip-address 192.168.2.0 255.255.255.0

threat-detection scanning-threat shun except ip-address 192.168.3.0 255.255.255.0

threat-detection scanning-threat shun except ip-address 192.168.4.0 255.255.255.0

threat-detection statistics

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

service-policy global_policy global

ntp server 207.46.197.32 source outside prefer

prompt hostname context

Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

: end

asdm image flash:/asdm-602.bin

no asdm history enable

Pix 525 interface communication question

Julio Carvajal — Wed, 18 Jan 2012 19:53:36 GMT

Hello ,

You need the following

static (inside,chuly) exchangeserver_ip exchangeserver_ip

access-list chuly_in permit tcp any host exchangeserver_ip eq xx(Port needs to be access)

access-list chuly_in deny ip any host exchangeserver_ip

access-list chuly_in permit ip any any

access-group chuly_in in interface chuly

Regards,

Julio

Rate all the posts that are helpful!!

Pix 525 interface communication question

Chris Mickle — Wed, 18 Jan 2012 20:18:51 GMT

THANK YOU SO MUCH!!!!!

I have been messing with this on and off for weeks and couln't make it work.

My users on eth5 can now access OWA on domain withought access to anything else!

Now all I have left to do is create A records on the domain controller on that interface to point the traffic via host name and that's it!

Is there anything else you can see in my config that I should do differantly?

Pix 525 interface communication question

Julio Carvajal — Wed, 18 Jan 2012 20:31:43 GMT

Hello Chris,

Glad I could help!!

No, reading the configuration and based on what you were looking for I think your configuration is fine the way it is now.

Regards,

Julio

Rate helpful posts

Pix 525 interface communication question

Chris Mickle — Wed, 18 Jan 2012 20:33:56 GMT

Thanks again...I do have one more question actually...

What does the following do specifically?

access-list chuly_in permit ip any any

thanks

Pix 525 interface communication question

Julio Carvajal — Wed, 18 Jan 2012 20:50:00 GMT

Hello Chris,

It is going to allow all ip traffic coming from the chuly host to any other host on another interface, except for the deny rule we configured before.

Regards,

Julio

Pix 525 interface communication question

Chris Mickle — Wed, 18 Jan 2012 20:53:46 GMT

ok I see...

one more thing and then that is it I promiss

static (inside,chuly) exchangeserver_ip exchangeserver_ip

Why are the IPs the same for this static rule?

static (domain,chuly) 192.168.0.3 192.168.0.3

Pix 525 interface communication question

Julio Carvajal — Wed, 18 Jan 2012 21:23:57 GMT

Hello Chris,

We are doing in this case a Identity nat translation so users on the other interface( chuly) will go to the real ip address of the server ( domain interface), we could also translate it to a different ip address if that were the setup you were looking for.

Regards,

Julio

Rate posts that help!