topic Re: Basic PIX Setup (Student) in Network Security

Basic PIX Setup (Student)

mattpociask — Fri, 21 Feb 2020 08:29:20 GMT

I am only a CCNA student, so please be gental...

I am trying to configure a Cisco PIX firewall version 5.3.

Here is my current setup:

PC <-- x-over cable --> firewall <--- router ----> Internet

The inside interface has an IP of 10.27.164.254, and the outside interface has an IP on the same subnet as my router. From console, I can ping other hosts on the wan. I can also ping the PC connected directly to the inside interface.

The pc cannot get on the net. What am I missing here? Thank you.

Re: Basic PIX Setup (Student)

flopez — Wed, 26 Oct 2005 20:48:07 GMT

Do you have a cable between firwall <> Router <> Internet? What kind? Light's on the outside interface of the PIX? Is it blinking/Passing traffic?

Can you ping a publig ip from the pix via console? like 4.2.2.2?

I am sure the PC does not get reply from pinging 4.2.2.2?

If all of these are true, you may need a route on the pix to route traffic to the gateway (router).

Re: Basic PIX Setup (Student)

mattpociask — Wed, 26 Oct 2005 21:07:09 GMT

Thanks for the reply.

I have a straight through cable from the outside interface, into a hub. There is another cable from the hub to the router (straight thru). I can ping public IPs from the console of the firewall. I can also ping the PC on the inside interface from the firewall console, but the PC (on the inside) cannot ping public IPs.

Re: Basic PIX Setup (Student)

flopez — Thu, 27 Oct 2005 00:29:29 GMT

Its possible that you are missing a route from your inside network to the outside. It looks like you are not passing network traffic to the gateway of the PIX. For example,

ip route inside_network network_mask gateway_ip

for example routing 192.168.1.0 network to the gateway of the internet

i.e. IP ROUTE 192.168.1.0 255.255.255.0 55.35.4.1

I hope this makes sense.

Re: Basic PIX Setup (Student)

Patrick Iseli — Thu, 27 Oct 2005 00:52:21 GMT

Might be good to post your config, guessing without a config or error message is very dificult.

example config:

ip address outside YOUR-PUB-IP-X 255.255.255.xxx

ip address inside 10.27.164.254 255.255.255.0

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 RouterIP 1

Questions:

1.) Do you have access-lists, please post it ?

2.) Where are you doing the NAT on the PIX or on the Router ?

3.) Can you telnet to the outside router.

Note: If you want to ping to the Router from the PC you need to add an access-list.

Ping is not a stateful protocol. To allow pings from the inside to the outside interface you need to create an access-list. If you want to ping the same interface that you are physicly connected you need to configure the "icmp" command.

example:

See: Handling ICMP Pings with the PIX Firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

The PIX and the traceroute Command

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

examples:

Traveroute

Microsoft:

access-group outside in interface outside

access-list outside permit icmp any host YourPublicIP unreachable

access-list outside permit icmp any host YourPublicIP time-exceeded

access-list outside permit icmp any host YourPublicIP echo-reply

And finaly after changing the NAT statement you need to reset the translation table otherwise this will not work.

clear xlate

Take also a look on this whitepaper:

Establishing Connectivity

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html

sincerely

Patrick

Re: Basic PIX Setup (Student)

mattpociask — Thu, 27 Oct 2005 12:33:50 GMT

Thanks for the replys. I do not have a route from the inside to the outside. I will apply that route to the gateway. If that doesn't work, I am going to assume that I need an access list.

I will post my progress here. Thanks.

Re: Basic PIX Setup (Student)

mattpociask — Thu, 27 Oct 2005 19:04:39 GMT

I set up those ACLs exactly as they were posted, with both outside and inside interfaces as parameters with no luck. How can I view the running-config so I can post it here?

Re: Basic PIX Setup (Student)

Patrick Iseli — Thu, 27 Oct 2005 19:36:53 GMT

Connect the blue console cable and use a terminal emulation software to connect to the Cisco PIX console.

Set 9600/8/N/1

When you have the prompt type:

enable

write terminal => Display current configuration on the terminal.

sincerely

Patrick

Re: Basic PIX Setup (Student)

mattpociask — Thu, 27 Oct 2005 20:06:04 GMT

My running-config:

PIX Version 5.3(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pixfirewall

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

names

access-list outside permit icmp any host MY.PUBLIC.IP unreachable

access-list outside permit icmp any host MY.PUBLIC.IP time-exceeded

access-list outside permit icmp any host MY.PUBLIC.IP echo-reply

access-list inside permit icmp any host MY.PUBLIC.IP echo-reply

access-list inside permit icmp any host MY.PUBLIC.IP time-exceeded

access-list inside permit icmp any host MY.PUBLIC.IP unreachable

logging on

no logging timestamp

no logging standby

no logging console

no logging monitor

no logging buffered

no logging trap

no logging history

logging facility 20

logging queue 512

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1500

mtu inside 1500

ip address outside IP.OF.OUTSIDE.INT 255.255.255.248

ip address inside 10.27.164.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

arp timeout 14400

access-group outside in interface outside

access-group inside in interface inside

route outside 0.0.0.0 0.0.0.0 MY.PUBLIC.IP 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

isakmp identity hostname

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:1822fe6c04d66d7d676575872736e2c4

: end

[OK]

Re: Basic PIX Setup (Student)

jackko — Fri, 28 Oct 2005 02:45:26 GMT

1. the current acl inside is going to block all outbound traffic. since you've got the identical acl applied on the outside interface, there is no need to apply another one on the inside interface.

2. no nat/global. pix v6.x (or eariler) will not forward any traffic without nat/global statement.

e.g.

global (outside) 1 interface

nat (inside) 1 0 0

with the sample above, the pix will pat all outbound traffic by using the pix outside interface ip.

in case you don't want pix to perform nat/pat, then:

nat (inside) 0 0 0

Re: Basic PIX Setup (Student)

mattpociask — Fri, 28 Oct 2005 16:39:32 GMT

I exhausted all of your suggestions and I am still having trouble with the firewall.

I want to reset it to factory defaults and start again. What is the procedure? On a 2500 router it would be:

Set configure reg. to 0x2142

reboot

copy run start

set conf. reg to 0x2102

reboot.

What is the PIX equivelant? Thanks.

Re: Basic PIX Setup (Student)

Patrick Iseli — Fri, 28 Oct 2005 18:37:08 GMT

Just go in enable mode and:

write erase

reload

sincerely

Patrick

Re: Basic PIX Setup (Student)

lexiainfo — Sat, 29 Oct 2005 01:27:01 GMT

Lets start from the begining step by step procedure. Firstly your below setup is incorrect.

"Here is my current setup:

PC <-- x-over cable --> firewall <--- router ----> Internet"

MAKE IT TO

1. Connect Straight cable from PC into PIX 1 port

2. Connect X over cable from Modem into PIX 0 port

3. Dont forget to plugin pstn line into modem.

4. Plug console cable into pix and pc to configure pix.

=====================================================

Now its time to configure your PIX

=====================================================

Erase your current configuration by typing

wr erase (press enter)

Reload (press enter)

=====================================================

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname PIX

domain-name mattpociask.com

ip address outside pppoe setroute

ip address inside 192.168.2.2 255.255.255.0

pdm history enable

global (outside) 1 interface

nat (inside) 1 192.168.2.0 255.255.255.0 0 0

http server enable

http 0.0.0.0 0.0.0.0 outside

http 192.168.2.2 255.255.255.255 inside

http 0.0.0.0 0.0.0.0 inside

vpdn group Internet request dialout pppoe

vpdn group Internet localname (isp username)

vpdn group Internet ppp authentication chap

vpdn username (isp username) password (ISP Password)

PIX#

=====================================================

Please note: Use the above config if your ISP require PPPOE Authentication otherwise use the below config

=====================================================

vpdn group VPN accept dialin pptp

vpdn group VPN ppp authentication mschap

vpdn group VPN ppp encryption mppe 40

vpdn group VPN client configuration address local VPNPool

vpdn group VPN pptp echo 60

vpdn group VPN client authentication local

vpdn username vpn password (ISP Password)

vpdn enable outside

=====================================================

Re: Basic PIX Setup (Student)

mattpociask — Sat, 29 Oct 2005 12:08:41 GMT

I very much appreciate your post! It is indeed well thoughout and structured information, however, I need my connection to come from a router (T1 line), not a modem.