topic Re: mapping network drive via PIX in Network Security

mapping network drive via PIX

wesleykuk — Fri, 21 Feb 2020 07:24:23 GMT

I have a linux box running as my gateway to my network, then the second layer of protection is served by PIX 501. i need to access my shared drive located on Linux(running samba) from my internal host (win2k) via pix. Do i use static mapping? or access-list permitting TCP ports 135 & 139 and UDP ports 137 & 138. any help is appreciated.

Re: mapping network drive via PIX

ehirsel — Wed, 19 May 2004 17:12:07 GMT

Is this your topology:

user---pix---Linux

that is the pix is in between the user and the Linux host?

If that is the case, and the user sits on the inside interface and the Linux is on the outside then if you have an acl applied to the inside interface you need to open up tcp ports 137 and 139 as well as udp port 138. I am not sure of port 135. However, I do recommend that the pix and linux be swapped in relationship.

Re: mapping network drive via PIX

wesleykuk — Wed, 19 May 2004 18:01:34 GMT

yes, the pix is between the user and the linux server. The reason for this from my understanding the pix does not support dynamic DNS on the outside interface. I would need a static ip to access my internal resources. With linux my DNS record is updated automatically upon the ip address change. Is there any other alternative to that on pix?

Now, back to the question. Why is it that I don't need an ACL on the internal interface to access Internet, but it's required for file sharing? I guess port 80 is enabled by default without the need for acl?

Re: mapping network drive via PIX

thiland — Wed, 19 May 2004 18:27:14 GMT

User-->Linux(w/DynDNS updater)-->PIX-->Internet

The PIX 501 does support DHCP client on the outside interface. That means you can hook it directly up to a cable modem/DSL/wireless/etc. link and get an address.

Why don't you run the Dynamic DNS updater on your Linux box? Most updaters check your public IP address via an external website anyway, so I doesn't matter where your NAT box is (i.e. DynDNS.org or DtDNS.com)

Now, then there is your question of the static map. On the PIX (version 6.2+ I think) you can use a keyword called "interface" instead of using your outside IP address. For example:

Old way (static IP):

static (inside,outside) 200.1.1.1 80 192.168.1.10 80

Changes into the new way (dynamic IP):

static (inside,outside) interface 80 192.168.1.10 80

Basically, the "interface" keyword is replaced with whatever IP address is assigned to your outside interface.

By default, the PIX will *PERMIT* all connections from the inside to the outside. No need to add an ACL on the inside interface. You will however need a STATIC *and* an ACL on the outside interface allowing:

UDP/137

UDP/138

TCP/139

For security reasons however, it is usually not a good idea to do CIFS/Samba across the internet. Your PIX is capable of doing an IPSec VPN or a PPTP VPN. I'd set that up so you can take advantage of encryption.

Re: mapping network drive via PIX

wesleykuk — Wed, 19 May 2004 18:49:19 GMT

Ok, I will try to follow your advise and swap the topology setup.

However, if i were to leave the setup the way it is Linux--pix--host, then according to your initial response you suggest to apply the ACL to the INSIDE interface? Why, shouldn't it be applied to the outside int since by default everything is permited on the inside?

Re: mapping network drive via PIX

thiland — Wed, 19 May 2004 23:58:43 GMT

That wasn't my initial post.

You are correct. The ACL would be applied to the outside interface.

Re: mapping network drive via PIX

wesleykuk — Thu, 20 May 2004 11:43:14 GMT

I've applied the acl to the outside interface even with permit ip any any and the host still could not see the network drive on the Linux server. I believe it's because the pix is performing PAT. All addresses on the inside are translated to the outside interface of the pix. Would that cause the mapping not to work? If that's the case, then i would disable PAT but I am affraid that the inside host would not connect to the Internet anymore?

Re: mapping network drive via PIX

thiland — Thu, 20 May 2004 12:50:41 GMT

Can you post your PIX config, minus passwords, etc.?

Can you also supply the IP addressing scheme you are using for the Linux box?

Have you tested to see if a host can connect to the outside interface of the Linux box directly (just to make sure the PIX is the problem)?

Re: mapping network drive via PIX

wesleykuk — Thu, 20 May 2004 13:10:02 GMT

I will post my PIX config tonight when i get home.

In the meanwhile, here is my addressing scheme of the network:

INTERNET -- (dynamic IP)LINUX(192.168.0.1) -- (192.168.0.2)PIX(192.168.1.1) -- (192.168.1.2)WIN2K

I can connect to the Internet from the host no problem.

Re: mapping network drive via PIX

wesleykuk — Thu, 20 May 2004 20:51:14 GMT

here is a copy of my PIX config.

PIX Version 6.3(3)

interface ethernet0 10baset

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxx encrypted

passwd xxxxx encrypted

hostname pix501

domain-name somename.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list Let-Traffic-In permit ip any any

pager lines 24

icmp permit any echo outside

icmp permit any echo-reply outside

mtu outside 1500

mtu inside 1500

ip address outside 192.168.0.2 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

ip verify reverse-path interface outside

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.0.1 255.255.255.255 outside

pdm location 192.168.1.0 255.255.255.0 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group Let-Traffic-In in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.1.1 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 30

console timeout 0

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

terminal width 80

Cryptochecksum:xxxxx

: end

[OK]

Re: mapping network drive via PIX

wesleykuk — Mon, 24 May 2004 21:34:43 GMT

I got this resolved.

As the matter of fact i was able to map the drive all along. This does not even require to create openings in the acl on the outside interface. I simply tried to map the network drive via ip address as opposed to the bios name. When i specify the Ip address of the linux host followed by the share it works beautifully well. The only outgoing connection recorded on the pix is tcp port 445. Now, to enable this connection share by name i think it needs host file properley configured. Anyhow, Thanks for all your help.

Wesley