topic Backup through PIX 501 in Network Security

Backup through PIX 501

sebastianvetter — Mon, 11 Mar 2019 17:51:30 GMT

Hello,

i have a network splittet with a pix. The 192.168.111.0 at the outside interface of the PIX and the 192.168.110.0 at the inside interface.

From the inside interface everything to the extern (192.168.111.0 network) is allowed. But no access from 192.168.111.0 to 192.168.110.0 (internal interface of the PIX) is allowed.

Now i need to backup from network 192.168.111.0 servers who are locatet at the 192.168.110.0 network.

There is a way that the PIX allow the special Ports of the backup program and block rest of the traffic as it do at moment?

The Ports are:

TCP 10000 outgoing

TCP 1025 – 65536 outgoing

TCP 445 outgoing

UDP 135 send

Thanks

Re: Backup through PIX 501

Federico Coto Fajardo — Thu, 27 May 2010 14:32:36 GMT

Hi Sebastian,

To allows those ports:

TCP 10000 outgoing

TCP 1025 – 65536 outgoing

TCP 445 outgoing

UDP 135 send

access-list outbound permit tcp 192.168.110.0 255.255.255.0 any range 1025 65536

access-list outbound permit tcp 192.168.110.0 255.255.255.0 any eq 445

access-list outbound permit udp 192.168.110.0 255.255.255.0 any eq 135

access-group outbound in interface inside

WIth the above configuration only those ports are allowed and ALL other traffic is blocked.

Federico.

Re: Backup through PIX 501

sebastianvetter — Fri, 28 May 2010 12:42:57 GMT

Hi Federico

if i enter this commands to the CLI and then check in the Cisco PDM i see that there are 3 new rules from the internal network to outside.

But i need to open this ports at the outside interface to intern!

Else my standard allow all rule from intern to extern is overwritten.

The access rules after the commands at CLI i attached as picture. As i see there the acces rules are from intern to extern.

Sebastian

Re: Backup through PIX 501

Federico Coto Fajardo — Fri, 28 May 2010 19:43:45 GMT

Sebastian,

On your post you specify the requirements as outgoing (that's why I thought you need to open those ports in an outbound direction).

If you need to open them inbound... then the ACLs are like this:

access-list inbound permit tcp any any range 1025 65536access-list inbound permit udp any any eq 135

access-list inbound permit tcp any any eq 445

access-group inbound in interface outside

Now.... it is important to replace ''any'' with the network addresses to avoid security problems.

Also, remove the previos ACLs though.

Federico.

Re: Backup through PIX 501

sebastianvetter — Mon, 31 May 2010 10:06:35 GMT

Thanks!

So if my backupserver have the IP 192.168.111.100 and the server who should be backuped the 192.168.110.100.

I will configure a Static NAT from 192.168.111.100 to 192.168.110.xxx/24

Then:

access-list inbound extended permit tcp 192.168.110.0 255.255.255.0 host 192.168.110.xxx range 1025 65535

access-list inbound extended permit tcp 192.168.110.0 255.255.255.0 host 192.168.110.xxx range eq 445

access-list inbound extended permit udp 192.168.110.0 255.255.255.0 host 192.168.110.xxx range eq 135

access-group inbound in interface inside

Is that ok? Where xxx is always the same IP at 192.168.110.0/24

So i read it at the "Cisco Security Appliance Command Line Configuration Guide" page 277.

Hope that is correct.

Sebastian

Re: Backup through PIX 501

Federico Coto Fajardo — Mon, 31 May 2010 13:47:59 GMT

Yes,

If you have any problems please post your current configuration.

Federico.

Re: Backup through PIX 501

sebastianvetter — Mon, 31 May 2010 14:11:37 GMT

Thanks again!

I will apply this rules tomorrow at customer site.

Another question... iam pretty new to Cisco and configured most things via ASDM.

If i apply this to my Test-ASA i can only see this rules at ASDM under VPN -> Group Policy -> Client Configuration -> Split Tunneling -> Extendet ACL

Should it not be visible at Security Policy -> Access Rules too ?

Sebastian

Re: Backup through PIX 501

Federico Coto Fajardo — Mon, 31 May 2010 15:11:50 GMT

Yes, you should see the rules under Firewall - Access rules as well.

Federico.

Re: Backup through PIX 501

sebastianvetter — Wed, 02 Jun 2010 12:38:19 GMT

Hi,

i set the access rules to the pix. But backup is still not possible. I installed the remote agend at the Server in 192.168.110.0 site.

At the backupserver 192.168.111.0 site i see the Server in 192.168.110.0 site.

But the backup agend sends data to backup server and from 192.168.110.0 to 192.168.111.0 all is allowed, so it is logical that backup programm see the remote server. But backup still dont work. Cant access to the server and select what i want to backup.

The static NAT route i set to a non used IP in 192.168.110.0 site. Dont know if that works, but so i understood at the Cisco CLI dokumentation.

The new PIX config i have attached.

Re: Backup through PIX 501

Federico Coto Fajardo — Wed, 02 Jun 2010 13:19:15 GMT

Sebastian,

Do you need to access the server 192.168.111.100 from the outside of the PIX?
In that case you need to do the following:

no static (outside,inside) 192.168.110.250 WAWI-SBS netmask 255.255.255.255 0 0
static (inside,outside) 192.168.110.250 WAWI-SBS netmask 255.255.255.255 0 0

Also, you can only access the server with its NATed IP 192.168.110.250.
The inbound ACL is applied to the inside interface (you need to make sure the correct ports are allowed in that list).

Another thing,
In order to allow communication from the outside to the inside you require an ACL that is applied to the outside interface.
i.e.
access-list outside permit ip any host 192.168.110.119
access-group outside in interface outside

Note that you can access this server from the outside but not from the Internet since the NATed IP is a private IP.

Let me know what is failing after these changes.

Federico.

Re: Backup through PIX 501

sebastianvetter — Wed, 02 Jun 2010 13:38:20 GMT

Hi Federico

no the server 192.168.111.100 is the backupserver (WAWI-SBS) and is located at the outside interface of the PIX.

I need to access a server in 192.168.110.0 subnet from the outside of the PIX.

I set the static NAT: static (outside,inside) 192.168.110.250 WAWI-SBS netmask 255.255.255.255 0 0

So i need to apply this commands to the PIX?

access-list outside permit ip any host 192.168.110.119
access-group outside in interface outside

I only need to access this server from outside not from internet.

Cant make changes at the PIX now, tomorrow i can do.

Re: Backup through PIX 501

Federico Coto Fajardo — Wed, 02 Jun 2010 13:54:13 GMT

Let's say that you need to access server 192.168.110.10 from outside the PIX.

What you do is the following:

static (inside,outside) 192.168.110.10 192.168.110.10

access-list outside permit ip any host 192.168.110.10

access-group outside in interface outside

The above example is assuming that you don't need to NAT the server.

If you need to NAT 192.168.110.10 to 192.168.111.10 for example, you do this:

static (inside,outside) 192.168.111.10 192.168.110.10

access-list outside permit ip any host 192.168.111.10

access-group outside in interface outside

Federico.

Re: Backup through PIX 501

sebastianvetter — Wed, 02 Jun 2010 14:05:53 GMT

Thanks

i attached a picture of the network. The green arrow shows the access i need with the special ports.

Only the 192.168.111.100 should can access to 192.168.110.0 subnet with the special ports.

Sebastian

Re: Backup through PIX 501

Federico Coto Fajardo — Wed, 02 Jun 2010 15:28:38 GMT

static (inside,outside) 192.168.110.0 192.168.110.0 netmask 255.255.255.0
access-list outside permit tcp host 192.168.111.100 192.168.110.0 255.255.255.0 eq 80
access-group outside in interface outside

Sebastian,

The above configuration allows communication from outside host 192.168.111.100 to the internal LAN 192.168.110.0/24 only on the
ports that you specify in the ACL outside.
The above ACL is an example to allow port 80 (HTTP), you should include the ports you need to permit.

Federico.

Re: Backup through PIX 501

sebastianvetter — Thu, 03 Jun 2010 07:04:18 GMT

Federico,

i will try this configuration at the PIX today.

But.... static (inside,outside) 192.168.110.0 192.168.110.0 netmask 255.255.255.0

two times 192.168.110.0? Is that ok so?

Sebastian

Re: Backup through PIX 501

Federico Coto Fajardo — Thu, 03 Jun 2010 13:59:52 GMT

Yes this command is correct.

static (inside,outside) 192.168.110.0 192.168.110.0 netmask 255.255.255.0

And it is called static Identity NAT.

You're matching 192.168.110.0/24 against a NAT rule that translates the network to itself.

This is done when you must match a NAT rule to be allowed to pass traffic, but you don't actually want to change the real IP address.

Federico.

Re: Backup through PIX 501

sebastianvetter — Mon, 07 Jun 2010 13:33:13 GMT

Hi Federico,

if i apply your commands i can successfully acces the server at 192.168.110.0 subnet with the backup programm.

But i lose the connection from 192.168.110 subnet to 192.168.111.0.

The 192.168.110.0 subnet dont have any access to internet or other ressources at 192.168.111.0 subnet.

Only IP 192.168.111.100 works.

If i reset the PIX all worked fine. Try to set the commands second time the same issues occour.

I attached the config before the changes (Config1) and after the changes (Config2)

Any idea?

Re: Backup through PIX 501

Federico Coto Fajardo — Tue, 08 Jun 2010 13:04:55 GMT

Sebastian,

I suggest that instead of this command:

static (inside,outside) 192.168.110.0 192.168.110.0

Just have the static with the correct ports

i.e

static (inside,outside) tcp 192.168.110.10 80 192.168.110.10 80

The above commands is to be able to acess server 192.168.110.10 on port 80 and port 3389.

The advantage of doing it like this is that the 192.168.110.x will still have internet access.

Federico.

Re: Backup through PIX 501

sebastianvetter — Mon, 21 Jun 2010 14:04:38 GMT

Hi Federico,

works fine this way

Thanks for your help!

Sebastian