topic Re: PIX 501 port problems in Network Security

PIX 501 port problems

Terry6674 — Fri, 21 Feb 2020 07:26:34 GMT

I have an old PIX 501 that still needs to open ports 80 and 443 for external access to my internal 192.168.1.10 computer. I can't figure out where I'm going wrong, any feedback would be greatly appreciated.

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxx

passwd xxxx

hostname pixfirewall

domain-name anyplace.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 100 permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0

access-list outside permit tcp any host xxx.xxx.xxx.xxx eq www

access-list outside permit udp any host xxx.xxx.xxx.xxx eq 80

pager lines 24

logging on

logging standby

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside 10.x.x.x.255.255.0

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool test 172.16.0.1-172.16.0.254

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 100

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.10 netmask 255.255.255.255 0 0

access-group outside in interface outside

conduit permit icmp any any

conduit permit esp any any

conduit permit udp any eq isakmp any

route outside 0.0.0.0 0.0.0.0 10.1.10.1 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 30 set transform-set myset

crypto map newmap 20 ipsec-isakmp dynamic dynmap

crypto map newmap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

dhcpd address 192.168.1.2-192.168.1.129 inside

dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside

terminal width 80

Cryptochecksum:xxxx

I have a static IP through a cable modem.

Re: PIX 501 port problems

rais — Fri, 04 Jun 2004 12:06:33 GMT

I assume you have a router in between your modem and the Pix.

On your router, do you have in-bound port 80 traffic, forwarded to your web-server's port 80?

Thanks.

Re: PIX 501 port problems

Terry6674 — Fri, 04 Jun 2004 12:35:41 GMT

I have a Cisco UBR (provided by the ISP) as a modem that connects directly to my 501. The UBR has everything open, as it gives all access control over to the 501.

Re: PIX 501 port problems

rais — Fri, 04 Jun 2004 12:57:50 GMT

What UBR model are you using? Does it have some public IP address?

Has your ISP assigned you one special IP for your web-server?

Try to remove access-lists and see if you are able to connect.

Can you ping your public IP from web? Go to: http://lg.broadwing.net/looking/ and see if you can ping.

Thanks.

Re: PIX 501 port problems

jonathanstevens — Fri, 04 Jun 2004 13:15:40 GMT

There are couple of questions here...

access-list 100 permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0

This access-list includes your internal host (and network)

Then you apply nat 0 to this....

nat (inside) 0 access-list 100

This means your internal network is not translated as it exits the PIX (which I am assuming is connected to the internet on a single IP) when it's going to 172.16 networks (which I suspect your ISP would drop). So I'm not sure why that's there?

Assuming that xxx.xxx.xxx.xxx is your internet interface it looks basically ok.

However, if you internal host is not using DHCP it shouldn't be in the DHCP range you have identified.

If it is using DHCP, you can't guarantee it will always have the right IP address. Which is the case?

If you setup

logging monitor debug

then

term mon

and try a connection from the outside what does the session show?

Re: PIX 501 port problems

mostiguy — Fri, 04 Jun 2004 14:06:53 GMT

if you are using 10.x.x.x on the outside of the pix, then the pix is behind something that is doing NAT. you will need to tell your ISP that you do not want the ubr to do nat most likely

Re: PIX 501 port problems

Terry6674 — Fri, 04 Jun 2004 14:20:36 GMT

OK, My ISP provided me with a uBR905. They questioned my configuration also, and as I am just a newbie, I explained that the management here wanted the VPN capability (which is turned on, I just omitted it from the 'wr t' I posted earlier).

The ISP (Comcast) then opened all the ports on the uBR and let my 501 call all the shots. I can ping my static IP address, but I can't access my File Server (which is static at 192.168.1.10 and uses the ports 80 and 443).

If there is some pruning that needs to take place, great, but I'm not sure what everything is for. I do know that the uBR's outside is the static IP address, the inside is 10.1.10.1. On the PIX, the outside is 10.1.10.2 and the inside is 192.168.1.1

Do you suggest I remove the nat(inside) 0 access-list 100 line?

Re: PIX 501 port problems

rais — Fri, 04 Jun 2004 15:10:01 GMT

This looks like a pretty nice product and supports NAT:

http://www.cisco.com/en/US/products/hw/cable/ps2221/products_configuration_guide_chapter09186a008007cf8f.html#10297

You need to configure NAT statment on your UBR such that port 80 traffic goes to 192.168.1.10. It will be something like:

ip nat inside source static tcp 192.168.1.10 80 w.x.y.z 80

Where your public IP (w.x.y.z) is available here:

http://www.netdept.com/ipandhost.jsp

Also you may be able to use 'interface cable-modem0' instead of IP address. Use '?' in router to get help on ip nat, etc.

Thanks.

Re: PIX 501 port problems

Terry6674 — Mon, 07 Jun 2004 18:35:29 GMT

This is the config:

Internet --- uBR905 ---- PIX501 ----- Fileserver

uBR (outside - w.x.y.z, inside 10.1.10.1)

Pix (outside -10.1.10.2 inside 192.168.1.1)

I bypassed the PIX and went straight through the uBR's port and it worked fine, so I know the uBR's configured to pass 80 & 443 TCP & UDP. This verifies the PIX is the sole holdup.

What lines do I need to modify to allow the PIX to pass (both ways) 80 & 443 to 192.168.1.10?

Re: PIX 501 port problems

rais — Tue, 08 Jun 2004 13:23:36 GMT

You already have the following line in your config:

access-list outside permit tcp any host xxx.xxx.xxx.xxx eq www

Temporarily open it for any host in your network and see if that works. For https simply add another line with 443 instead of www.

HTH.