topic Re: PIX 515e Install in Network Security

PIX 515e Install

r.lent — Fri, 21 Feb 2020 06:18:35 GMT

I am in the process of installing a PIX 515e to an ADSL router. I have all the IP addresses for the router etc. I am trying to connect this to a network on the internal interface of the PIX. (Please bare with me as I am new to firewalls!!)

I can ping the firewall from the network but I can not get any access to the internet. The initial setup documentation for the PIX implies that by default there is access out form the firewall but non in! I am obviously missing something here, i.e. teeling the network to route interent requests through the firewall!!! ???

Sorry to be so simplistic but I am learning all the time!

Thanks for any help.

Robin

Re: PIX 515e Install

steve.barlow — Thu, 17 Oct 2002 16:09:07 GMT

For your internal LAN to be able to go out, you need to enable or disable NAT.

To enable NAT (ie translate your internal IPs to a public IP):

-nat (inside) 1 0 0 (allows all your internal IPs to be NATed, Substitute 0 0 with the IPs you want to allow to be NATed)

-global (outside) 1 x.x.x.x netmask 255.255.255.0 (where x.x.x.x is the NATed public IP)

To disable NAT (ie let your internal IPs appear as they are, untranslated, on the internet):

-nat (inside) 0 0 0

This will allow your inside to go out, and for the outside to reply to your requests. This doesn't allow the outside to start connections inbound to you. For that you need static and access-list commands.

See link for config examples: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

Hope it helps.

Steve

Re: PIX 515e Install

r.lent — Fri, 18 Oct 2002 12:10:38 GMT

Thanks for your advice Steve. I may have messed things up on the firewall though it seems. Is there a way to return the PIX to it's default configuration?

Also, a very novice question here, do I need to define a router on my internal network or will it automatically route averything through the firewall??

Thanks

Robin

Re: PIX 515e Install

steve.barlow — Fri, 18 Oct 2002 12:43:02 GMT

"Clear configure" will reset command parameters in the configuration to their default values.

You can have a router on the inside send packets to your PIX or you can have your PCs have the default gateway to the PIX. Depends on the size of your LAN/company. Both work, but the router model will scale better.

Steve

Re: PIX 515e Install

steve.barlow — Fri, 18 Oct 2002 13:15:34 GMT

Re-read your last post (misread the first time), yes you will need a route on your router to point to the PIX as it's default gateway (eg ip route 0.0.0.0 0.0.0.0 x.x.x.x - where x is your PIX internal IP).

Steve

Re: PIX 515e Install

r.lent — Fri, 18 Oct 2002 15:43:07 GMT

Thanks again Steve.

I think you were right with your first response. I do not have a router currently on the network. I realise that if the network grows this may become a neccesity but at the moment I was hoping to do with out one.

I have now reconfigured the PIX from scratch, in theory allowing outbound traffic but can still not connect to the internet. Would this have anything to do with the firewall being plugged into a Cisco Switch?? I can ping the firewall, use PDM form my workstation but not get any internet connection. I am using Windows 2000 Pro on the Workstation and this is connected to a Windows 2000 Server network using active directory. this means that there is a DNS and DHCP server running on the internal network. Would this confuse the path to the internet?

I have set a gateway address of the internal interface to the firewall on the workstation but it still does not get through.

Thanks again for your help on this.

Robin.

Re: PIX 515e Install

steve.barlow — Fri, 18 Oct 2002 17:45:36 GMT

You need to setup the NAT and global commands (are they correct?). You also need a route to the internet on the PIX, use the command "route outside 0.0.0.0 0.0.0.0 x.x.x.x" (where x.x.x.x is the external router outside the PIX - provided by your ISP). I assume your internal routing is working as the PIX can connect to your internal hosts. If this is routing is configured and still doesn't work:

-Can the PIX ping the ISP router?

-Do you have any access-lists applied?

-Does the web page resolve to a IP (thereby eliminating DNS as an issue)

Posting your config may save time (minus public IPs, passwords etc. to protect the guilty).

Steve

Re: PIX 515e Install

r.lent — Mon, 21 Oct 2002 11:29:15 GMT

Steve, I can't thank you enough for your help on this matter.

The following is a breakdown of our setup:

Internal network running Windows2000. IP addressing scheme that must have been made up as it is 192.168.0.0 with a sub-net mask of 255.255.0.0.

The internal interface of the PIX is 192.168.0.xx. T.

The external interface of the PIX is one of the address assigned me by our ISP. his has a mask of 255.255.255.248

If I run the 'Show Route' command on the PIX I get the following:

-outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx 1 OTHER static (where xx is the IP of the Router provided by our ISP.)

-outside xx.xxx.xxx.x 255.255.255.248 xx.xxx.xxx.x 1 CONNECT static (where the first xx number is one address below the external interface number. I did not give this number but it is refered to in my ISP documentation as the 'network' address. The second xx number is the external interface of the PIX)

-inside 192.168.0.0 255.255.0.0 192.168.0.xx 1 CONNECT static (where xx is the internal interface of the PIX)

I CAN ping the PIX form my workstation.

I CAN use PDM form my workstation.

I can NOT access a website from my workstation.

I can NOT resolve a website IP address form my workstation.

The PIX CAN ping the above website using it's IP address.

The PIX CAN ping the ISP router.

I can NOT ping the external interface of the PIX from my workstation.

The PIX was cleared and rebuilt form scratch to acheive the above as I thought is would be the easiest way.

Thanks again for your help on this matter.

Regards,

Robin.

Re: PIX 515e Install

steve.barlow — Mon, 21 Oct 2002 12:11:16 GMT

Robin,

Here is a sample of the commands you need to allow access outbound:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname pixfirewall

domain-name ......

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol smtp 25

interface ethernet0 10baset

interface ethernet1 10full

ip address outside x.x.x.x 255.255.255.248

ip address inside 192.168.0.x 255.255.0.0

global (outside) 1 interface (or IP address)

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 x.x.x.y 1

logging on

logging buffered warnings

logging timestamp

logging host inside 192.168.0.z

To let users ping through the PIX, add the "access-list 101 permit icmp any host x.x.x.x echo-reply" (where x.x.x.x is your NAT IP) command to the configuration and bind it to each interface you want to test with the access-group command (eg access-group 101 in interface outside). This lets pings go outbound and allows the reply back in. You aren't allowed to ping the PIX external IP from the inside (PIX isn't a router).

Is your DNS set-up correctly and working? Can you do nslookups? You aren't using access-lists right?

Do a show log to see what is happening when you try to open a web page.

Steve

Re: PIX 515e Install

r.lent — Mon, 21 Oct 2002 13:00:14 GMT

Steve,

All of the commands as you listed them were entered but I still can not connect to the internet.

I am now worried about DNS as you mention it. Windows 2000 Active Directory uses DNS for the internal network. Therefore our ficticious domain is none existent on the internet and the root DNS server is completely internal. Is this what is causing my problems??

Robin.

Re: PIX 515e Install

steve.barlow — Mon, 21 Oct 2002 15:50:07 GMT

After you enter the acl to permit ping, can you ping now?

Does show log reveal anything?

For DNS and testing, create a static on the PIX for your DNS server. For example "static (inside,outside) x.x.x.x 192.168.0.x netmask 255.255.255.255" where x.x.x.x is a public IP and 192.168.0.x is your dns server. Then allow dns from the outside to your DNS server - "access-list 101 permit udp/tcp host z.z.z.z host x.x.x.x eq 53" where z.z.z.z is a public dns server (or use any for testing) and x.x.x.x is your dns server's NAT'ed IP. See what happens, look at your log.

What version of PIX are you running.

Let use know.

Steve

Re: PIX 515e Install

r.lent — Tue, 22 Oct 2002 08:32:34 GMT

Steve,

Even after entering the acl to permit ping I can NOT get past the firewall. I tried the static route for DNS also but this had no effect.

Using 'show log' revealed that logging was enabled but there were no messages.

I am begining to think that either I am totally stupid or there is something wrong with the firewall. I have downloaded and used each and every command you have kindly sent me to no avail. I have also done this with a sample configuration from the Cisco site following every ste bit by bit, again it does not work.

Even using the simple 'wizard' setup in PDM to allow all outbound traffic does not work.

The version of PIX is 6.1(4)

Thanks for all your help.

Robin.

Re: PIX 515e Install

steve.barlow — Tue, 22 Oct 2002 11:16:14 GMT

I think there are 2 options left:

1) post the all the config as is (minus public IPs and passwords only)

2) upgrade the OS to 6.2.

This will rule out a config issue, may be a bug or faultly hardware. But if you post the config, we can eliminate the config as the issue. If you change the OS to 6.2 we can eliminate a bug. That would only leave a hardware issue, which you can RMA for a new one. But at this point I don't think it's HW.

Steve

Re: PIX 515e Install

r.lent — Tue, 22 Oct 2002 11:49:20 GMT

Steve,

Here is the Config.

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

enable password N51JqWodsWmI5V9u encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pixfirewall

domain-name wolverhamptoncitycouncil.gov.uk

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

pager lines 24

logging buffered debugging

interface ethernet0 10baset

interface ethernet1 10full

interface ethernet2 auto shutdown

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside 62.190.xxx.x 255.255.255.248

ip address inside 192.168.0.30 255.255.0.0

ip address intf2 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.0.142 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 62.190.xxx.xxx-62.190.xxx.xxx netmask 255.255.255.248

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 62.190.xxx.xx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 192.168.0.142 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

service resetoutside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:b132dd7fd4f5964b79a1474b97c67b19

: end

I hope this helps. I agree that Hardware is probably not the problem. Just me!!!

Robin.

Re: PIX 515e Install

steve.barlow — Tue, 22 Oct 2002 17:33:08 GMT

Obvious point here but make sure the first global IP doesn't overlap with the outside interface of the PIX (which is covered by the second global command).

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

enable password N51JqWodsWmI5V9u encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pixfirewall

domain-name wolverhamptoncitycouncil.gov.uk

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 101 permit icmp any 62.190.x.x 255.255.255.248 echo-reply

access-list 101 permit icmp any host 62.190.x.x echo-reply

pager lines 24

logging on

logging timestamp

logging buffered debugging

logging host inside x.x.x.x

interface ethernet0 10baset

interface ethernet1 10full

interface ethernet2 auto shutdown

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside 62.190.xxx.x 255.255.255.248

ip address inside 192.168.0.30 255.255.0.0

ip address intf2 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.0.142 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 62.190.xxx.xxx-62.190.xxx.xxx netmask 255.255.255.248

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 62.190.xxx.xx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 192.168.0.142 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community xxxxx

no snmp-server enable traps

floodguard enable

no sysopt route dnat

service resetoutside

telnet timeout 5

ssh timeout 5

terminal width 80

I added a few small changes, "Wr mem" it, reload.

You should be able to ping to and through the PIX from the inside. You should be able to surf. Enable logging as above and do a show log if any fails. Show conn (eg show conn local x.x.x.x or show conn for x.x.x.x) and show xlate may help as well.

If a no go I would change the OS as everything should be working.

Steve

Re: PIX 515e Install

r.lent — Wed, 23 Oct 2002 09:26:35 GMT

Steve,

Progress at last!!

I can now Ping external sites form my workstation, microsoft, our own web site at Pipex, but not get to them form the browser.

I did get an error message on the first access-list command. It said that the address and mask were an unmatched pair!! These are the IP address given me by the ISP so I can not use any other.

The browser returns the usual DNS error. As I can ping the sites I asume that this is to do with the internal DNS server! Do I need to use the DNS IP address given me by the ISP anywhere?? On the PIX maybe?

Thanks for all your help.

Robin.

Re: PIX 515e Install

steve.barlow — Wed, 23 Oct 2002 11:00:26 GMT

Have your DHCP server hand out the ISP DNS server IP or your internal DNS server IP to your users (see which works - would be best if your users point to your internal DNS server and your DNS server goes to the ISP DNS server). Check a users' PC to make sure they have a DNS server IP (from dos prompt: ipconfig /all) and that they can do nslookups. At this point it is probably only a DNS issue.

I am not suggesting to do this now but your PIX can be a DHCP server as well, just thought I would point it out to you.

If that DNS doesn't work I would remove "global (outside) 1 62.190.xxx.xxx-62.190.xxx.xxx netmask 255.255.255.248" and only use " global (outside) 1 interface". If you do this also remove "access-list 101 permit icmp any 62.190.x.x 255.255.255.248 echo-reply". But that is up to you, I prefer using 1 public IP for users going to the internet. Keep your other public IPs in reserve in case you need to allow access from the outside into your network (need static command and a public IP) or for other important things.

Hope it helps.

Steve

Re: PIX 515e Install

r.lent — Thu, 24 Oct 2002 09:05:36 GMT

Steve,

Many, many thanks.

I found the root of the dns problem. This is now configured to forward requests to the ISP dns servers and I can get out to the internet from the network.

I am sure I would not have got here without your help.

Thanks Again,

Robin.