topic Re: PIX 515e help! in Network Security

PIX 515e help!

Robert Ansell — Mon, 11 Mar 2019 22:50:09 GMT

Hi,

I'm having issues both with port forwarding and VPN with my PIX. I've tried different ways to set up port forwarding for remote desktop, but I still haven't had any luck.

With the VPN, I can secure a connection into the PIX, but I cannot access the internet or ping any of my devices on the remote network.

The config is below.

Thanks!

hostname PIX-515E-1

domain-name #####

enable password ##### encrypted

passwd ##### encrypted

names

interface Ethernet0

description Outside

nameif Outside

security-level 0

ip address x.x.x.x 255.255.255.224

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

interface Ethernet3

shutdown

no nameif

no security-level

no ip address

interface Ethernet4

shutdown

no nameif

no security-level

no ip address

interface Ethernet5

shutdown

no nameif

no security-level

no ip address

ftp mode passive

dns server-group DefaultDNS

domain-name #####

object-group service RDP tcp

port-object eq 3389

access-list Outside_access_in extended permit icmp any any

access-list Outside_access_in extended permit tcp host 192.168.1.10 any object-group RDP

access-list Outside_access_in_1 remark RDP

access-list Outside_access_in_1 extended permit tcp any any eq 3389

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu inside 1500

ip local pool pool1 192.168.1.20-192.168.1.29 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Outside

icmp permit any inside

no asdm history enable

arp timeout 14400

global (Outside) 1 interface

nat (Outside) 0 192.168.1.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

static (Outside,inside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255

access-group Outside_access_in_1 in interface Outside

route Outside 0.0.0.0 0.0.0.0 ##### 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authorization command LOCAL

aaa local authentication attempts max-fail 10

http server enable

http 192.168.1.100 255.255.255.255 inside

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 Outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA1 esp-des esp-sha-hmac

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set transform-set ESP-DES-SHA1 ESP-3DES-SHA

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set myset

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Outside_map interface Outside

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

fqdn PIX-515E-1

subject-name CN=PIX-515E-1

no client-types

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment self

fqdn PIX-515E-1

subject-name CN=PIX-515E-1

keypair ####

no client-types

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate e93c7a4f

quit

crypto ca certificate chain ASDM_TrustPoint1

certificate 083d7a4f

quit

crypto isakmp enable Outside

crypto isakmp enable inside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication rsa-sig

encryption des

hash md5

group 2

lifetime 86400

no vpn-addr-assign aaa

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 Outside

ssh 0.0.0.0 0.0.0.0 inside

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy GroupPolicy1 internal

group-policy 51 internal

group-policy 51 attributes

dns-server value 192.168.1.10 167.102.160.34

vpn-tunnel-protocol IPSec

default-domain value #####

group-policy VPN1 internal

group-policy VPN1 attributes

dns-server value 192.168.1.10 167.102.160.34

vpn-tunnel-protocol IPSec

default-domain value #####

username ##### password ##### encrypted privilege 15

username ##### attributes

vpn-group-policy GroupPolicy1

username ##### password #### encrypted privilege 15

username admin attributes

service-type admin

tunnel-group TunnelGroup1 type remote-access

tunnel-group TunnelGroup1 general-attributes

authentication-server-group (Outside) LOCAL

authorization-server-group LOCAL

tunnel-group TunnelGroup1 ipsec-attributes

pre-shared-key *

peer-id-validate cert

chain

trust-point ASDM_TrustPoint0

tunnel-group VPN1 type remote-access

tunnel-group VPN1 general-attributes

address-pool pool1

default-group-policy VPN1

tunnel-group VPN1 ipsec-attributes

pre-shared-key *

tunnel-group 51 type remote-access

tunnel-group 51 general-attributes

address-pool pool1

default-group-policy 51

tunnel-group 51 ipsec-attributes

pre-shared-key *

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

Cryptochecksum:c367f64420d2281a8d2a2d51d23cf852

: end

Re: PIX 515e help!

Jouni Forss — Tue, 03 Apr 2012 20:29:03 GMT

Hi,

Your NAT configurations source and destination interface are the wrong way.

static (Outside,inside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255

Should be

static (inside,Outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255

Please rate if this helped

- Jouni

Re: PIX 515e help!

Jouni Forss — Tue, 03 Apr 2012 20:33:52 GMT

Regarding the VPN Client connection

If possible please change the VPN pool to something else than the LAN network

ip local pool pool1 192.168.1.20-192.168.1.29 mask 255.255.255.0

for example

ip local pool pool1 192.168.100.1-192.168.100.254 mask 255.255.255.0

Also you could change the NAT0 configurations for the VPN Client Pool the following way

no nat (Outside) 0 192.168.1.0 255.255.255.0

access-list NO-NAT-INSIDE permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

nat (inside) 0 access-list NO-NAT-INSIDE

And do the NAT for VPN users Internet traffic the following way

nat (Outside) 1 192.168.100.0 255.255.255.0

- Jouni

Re: PIX 515e help!

Jouni Forss — Tue, 03 Apr 2012 20:36:01 GMT

Regarding the ICMP problem

Please add the following configuration:

policy-map global_policy

class inspection_default

inspect icmp

- Jouni

Re: PIX 515e help!

Robert Ansell — Wed, 04 Apr 2012 01:22:30 GMT

Ok. I tried the commands for the RDP, and now I'm getting this when I try to remote in from the outside.

2 Apr 03 2012 21:19:40 106001 xxxx xxxx Inbound TCP connection denied from x.x.x.x/3335 to x.x.x.x/3389 flags SYN on interface Outside

I'm still working with the VPN.

Re: PIX 515e help!

Jouni Forss — Wed, 04 Apr 2012 06:48:46 GMT

Hi,

To be hones I'm not sure whats causing the problem with the NAT. I have configured the same type of port forward before. Though its not common in our environments.

Even the syslog message description for that message is a bit vague for me.

Isn't SYN supposed to be the only flag set when a remote host initiates a TCP connection through the firewall to a local host.

Can you check if theres any mention of the NAT in the xlate table with "show xlate"

Can you also try to change the "static" command so that the "interface" is replaced with the actual IP address of the Outside interface.

- Jouni