topic Help with Pix config in Network Security

Help with Pix config

iamininfosec — Fri, 21 Feb 2020 07:57:14 GMT

I have a PIX 501 that is setup at home behind a dsl router. I can get to the internet fine, but I want to allow outside traffic to my internal web server. I setup a translation and an access-list, but when I try to connect to the outside interface of the pix, I don't see any hits on the acl that pertains to allowing port 80. I do see in the logs, however, that icmp type 3 from source 10.21.1.1 is being denied. My internal addresses are assigned from the pix and they are using an 192.168.1.0 pool. Where is the 10.1.21.1 address coming from? I know it is me because each time I try to connect via a web browser, the deny's in the log keep appearing. I am attaching my config, maybe something is messed up. Also below is the logg message:

106023: Deny icmp src outside:10.21.1.1 dst inside:x.x.x.x(type 3, code 13) by access-g

roup "outside_in

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxx encrypted

passwd xxxx encrypted

hostname pixfirewall

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_in permit tcp any any eq www

pager lines 25

logging on

logging timestamp

logging monitor debugging

logging buffered warnings

logging trap debugging

logging host inside 192.168.1.101

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.1.2 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

static (inside,outside) tcp interface www 192.168.1.102 www netmask 255.255.255.255 0 0

access-group outside_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group DSL request dialout pppoe

vpdn group DSL localname username

vpdn group DSL ppp authentication pap

vpdn username xxxxx password *********

dhcpd address 192.168.1.101-192.168.1.120 inside

dhcpd dns x.x.x.x x.x.x.x

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside

terminal width 80

"Deny icmp src outside:10.21.1.1 dst inside:64.x.x.249 (type 3, code 13) by access-g

roup "outside_in

Re: Help with Pix config

Patrick Iseli — Sun, 13 Feb 2005 18:42:44 GMT

Config is fine ! Might be better to change it like that:

access-list outside_in permit tcp any interface outside eq www

no access-list outside_in permit tcp any any eq www

clear xlate

Are you sure that your ISP allows port 80 from the Internet ? This port is often blocked !!!

How do you do your tests for the web site?

sincerely

Patrick

Re: Help with Pix config

iamininfosec — Sun, 13 Feb 2005 19:59:03 GMT

good idea on the access-list modification. Thanks!

Maybe it is blocked at the ISP, I didnn't realize it was typical. Its just a default web site at the moment, more for testing than anything. How do people with dynamically assigned ip's from their ISP run web services if the ISP blocks it?

And what is the 10.21.1.1 icmp denies when I try connecting to the outside interface on the pix via my browser? why is it doing icmp and what is the 10.21.1.1 address?

Re: Help with Pix config

Patrick Iseli — Sun, 13 Feb 2005 20:15:42 GMT

You can use a Dyndns service that will redirect your url !

http://www.dyndns.org/

WebHopSM - Get rid of that ugly http://home.yourisp.com/~someuser/ web address with redirection on one of our domains, free for up to 5 hostnames.

MyWebHop® - Redirect from any hostname to a URL of your choice - it's all up to you.

Normaly you will choose just another port tha 80 (www) to use for your WebServer. Or better use 443 with SSL that is normaly not bloqed !

sincerely

Patrick

Re: Help with Pix config

mhussein — Tue, 15 Feb 2005 06:01:11 GMT

Do a show xlate to see whether 10.21.1.1 is actually a translation of an 192.168.1.x internal ip or not (i.e, 10.21.1.1 is possibly your own internal 192.168.1.x as it appears on the outside interface!!!).

Also do a show interface and show route and look for the outside ip interface and the default gateway (aka 0.0.0.0 0.0.0.0 route).

If any of the above shows ip addresses in subnet 10.x.x.x, then your ISP is assigning you that 10.21.1.1 private address via PPPoE. Unfortunately, that is a private ip address and can not be used for a public web server.

In other words, even if you use dynamic dns services, nobody would be able to get to your web server because it is using a private ip address as opposed to a publicly routable ip address.

Other than contacting your ISP and asking for a public ip address, I am not sure if there is a workaround.

Please post the output of the above "show" commands, but for privacy and security concerns, make sure to remove/mask/alter public ip addresses -if any.

HTH

Mustafa