topic Cisco PIX 515 MPLS in Network Security

Cisco PIX 515 MPLS

EricOmnibank — Mon, 11 Mar 2019 21:19:48 GMT

Hi, there

Our ISP provider (AT&T) recently wanted to upgrade our system to WAN MPLS and

failed. The internal connections were tested ok, but the internet connection was failed.

They claimed that it was the firewall PIX 515 that blocks all the internet connection.

The LAN configuration for this small company I worked since less than a month ago is

very simple. There is really nothing in the current firewall configuration to my opinion will

block the outbound traffic. I start to wonder if there is any update of firmwave or software

that I have to patch first to make the machine compatible to the MPLS system.

This firewall was purchased many years ago and there is really no body in the company

knowing anything about the firewall. I have just read through the first three chapters of the

configuration guide and am still reading it.

Any suggestion ?

Thank,

Eric

Cisco PIX 515 MPLS

Maykol Rojas — Fri, 02 Sep 2011 00:23:16 GMT

Hi Eric,

Well, logs and captures can determine if packets were not reaching the internet. Just by simply putting the following lines:

access-list capture permit tcp any any eq 80

capture capin access-list capture interface inside

capture capout access-list capout interface outside

and then doing sh cap capin and show cap capout would definetly tell you if the firewall is blocking any packets.

We can review your config if necessary.

Mike

Cisco PIX 515 MPLS

Maykol Rojas — Fri, 02 Sep 2011 00:23:50 GMT

Just one thing, when the new connection was plugged in, were you able to ping the MPLS router that connected to the internet?

Mike

Cisco PIX 515 MPLS

EricOmnibank — Fri, 02 Sep 2011 01:34:28 GMT

Mike,

Thank you for your reply.

According to the only person who was there when it failed, what they did

then was to open the internet explorer from one of the work stations inside

the office and tried to access to the internet. It didn't work. This company

uses a lot of web-based software and they often use internet explorer to access

the service. They didn't use ping or capture to check the firewall.

Below are the content of the configuration of the firewall. I have taken out the

public ip addresses and passwords for confidential reason. Here is how the

internal network setup. This Cisco PIX 515 has only two interfaces, inside and

outside. Its outside ip address is 56.120.4.2 and inside ip address is 10.100.1.51.

In terms of routing, the only job it needs to do is to route the traffic to all other

branch offices to a gateway router 10.100.1.1. There are four branch offices and

their ip addresses are 10.168.1.0 - 10.168.4.0., as you can see in the route table

section of the configuration. The last entry on the route table, 10.169.0.0 is a mistery

to me. The guy says not to remove it for a reason he can't make clear. This company

is not using any servers for mail or ftp as far as I know.

The internet router ip address is 56.120.4.1 where the firewall uses 56.120.4.2.

The public ip address 56.120.4.3 is used for PAT and 56.120.4.4-7 are used for

NAT. All the pdm location commands are junk, I think. I can't access to the PDM.

So I use telnet to configure the firewall.

That's about it. The people work in the ISP is sure to me that all the public ip addresses

are the same for the new MLPS system. Hopefully, you will have better idea now.

Many thanks,

Eric

====================================================================

PIX Version 6.1(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname guard

domain-name domain.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

fixup protocol ftp 22

names

access-list acl_out permit icmp any any

pager lines 24

logging on

logging buffered debugging

logging history alerts

logging facility 16

logging host inside 192.100.10.90

interface ethernet0 10baset

interface ethernet1 auto

icmp deny any echo-reply outside

icmp deny any unreachable outside

icmp deny any echo outside

mtu outside 1500

mtu inside 1500

ip address outside 56.120.4.2 255.255.255.224

ip address inside 10.100.10.51 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.100.10.5 255.255.255.255 inside

pdm location 65.160.32.43 255.255.255.255 outside

pdm location 192.168.0.0 255.255.0.0 inside

pdm location 192.100.10.21 255.255.255.255 inside

pdm location 65.160.32.32 255.255.255.224 outside

pdm location 192.168.2.0 255.255.255.0 inside

pdm location 192.168.3.0 255.255.255.0 inside

pdm location 192.168.4.0 255.255.255.0 inside

pdm location 10.169.228.78 255.255.255.255 inside

pdm location 10.169.231.72 255.255.255.255 inside

pdm location 10.169.232.69 255.255.255.255 inside

pdm location 10.169.0.0 255.255.0.0 inside

pdm location 12.145.39.234 255.255.255.255 outside

pdm location 192.100.10.90 255.255.255.255 inside

pdm logging alerts 100

pdm history enable

arp timeout 14400

global (outside) 1 56.120.4.4-56.120.4.7

global (outside) 1 56.120.4.3

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 56.120.4.1 1

route inside 10.168.1.0 255.255.255.0 10.100.10.1 1

route inside 10.168.2.0 255.255.255.0 10.100.10.1 1

route inside 10.168.3.0 255.255.255.0 10.100.10.1 1

route inside 10.168.4.0 255.255.255.0 10.100.10.1 1

route inside 10.169.0.0 255.255.0.0 10.100.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 192.100.10.21 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

no floodguard enable

sysopt route dnat

telnet 10.100.10.21 255.255.255.255 inside

telnet timeout 59

ssh timeout 5

terminal width 80

Re: Cisco PIX 515 MPLS

Kureli Sankar — Fri, 02 Sep 2011 14:36:08 GMT

Eric,

All you need for inside to outside internet access is the folloiwng lines

RTP - Route, Traslation and Permission

global (outside) 1 56.120.4.4-56.120.4.7

global (outside) 1 56.120.4.3

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 56.120.4.1 1

Now, there could have been many reasons for this to have failed.

1. PCs using IE - did they try to ping www.google.com from a command prompt to see if they got name resolution? May be this was a DNS problem.

2. Did they try to put the IP address or google page or yahoo page on the browser to see if it loaded?

3. Did they from that PC ping 56.120.4.1 ? to make sure they are able to cross the FW?

Action plan in the future.

4. In addition to the above pls. also watch what the syslogs say on the FW.

conf t

loggin on

logging buffered 7

exit

sh logg | i x.x.x.x

where x.x.x.x is the IP address of the PC that has trouble reaching the internet through this firewall.

BTW, pdm is restricted to only certain subnets and IPs on the inside. Only hosts in these n/w can access pdm.

pdm location 192.100.10.5 255.255.255.255 inside

pdm location 192.168.0.0 255.255.0.0 inside

pdm location 192.100.10.21 255.255.255.255 inside

pdm location 192.168.2.0 255.255.255.0 inside

pdm location 192.168.3.0 255.255.255.0 inside

pdm location 192.168.4.0 255.255.255.0 inside

pdm location 10.169.228.78 255.255.255.255 inside

pdm location 10.169.231.72 255.255.255.255 inside

pdm location 10.169.232.69 255.255.255.255 inside

pdm location 10.169.0.0 255.255.0.0 inside

pdm location 192.100.10.90 255.255.255.255 inside

-KS

Cisco PIX 515 MPLS

EricOmnibank — Fri, 02 Sep 2011 22:14:46 GMT

Hey, Sankar

Thank you for your reply.

I did have all the RTP - route implemented in the firewall. That's why it is

currently working with the old system. Whey they switched to the new MPLS

system, it didn't work. I am here to response to your reply.

1. No. they didn't ping anybody. They just opened an internet explorer and it failed

to display the webpages. I will definitely try to ping the internet next time we do

the switch. Now, suppose it is the DNS not being translated correctly, what do

suggest me to do ?

3. No they didn't, but I will.

4. I will definitely try this next time I am in the office (I only work part time there)

Thank you for telling me the pdm commands. So, if I need to access the device

manager from, say 10.100.10.21, I would have to put an entry like

pdm location 10.100.10.21 255.255.255.0 inside

By the way, the account manager in the ISP provide also tell me some WAN IP

address, which is different than the public ip addresses that this company has.

Do I need to somehow put this information in the configuration of my firewall ?

Many thanks.

Eric