topic Re: Pix 501 configuring.... in Network Security

Pix 501 configuring....

mikentosh — Mon, 11 Mar 2019 17:26:59 GMT

My client has recently purchased a fiber line. The ISP provided th following information:

IP routes:

Interface IP 216.x.x.x

Gateway IP 216.x.x.x

Mask 255.255.255.252

and DNS servers

They also provided "Routed Network Info", which is confusing to me.

Subnet is 24.x.x.x/29 with 6 usable IPs

Gateway 24.x.x.x

Mask 255.255.255.248

My first task is to try to configure a Pix 501 for insdie - out internet access

Second task is to set up the RDP access to individual computers on the LAN. I had done this before using DD-WRT port forwarding on a router where I could give the client the public IP with a port number (public:1234) and configure a forwarding table to relay each assigned port to their computer IP on port 3389. Now that I am introducing the Pix and the additional routing info from ISP I am way confused. Any help would be appreciated. I would settle for getting internet access from the inside at this point.

I will try to get what I have configured (but not tested) posted soon.

Thanks!

Re: Pix 501 configuring....

mikentosh — Mon, 29 Mar 2010 18:09:36 GMT

To make matters worse (for me) I am having to do everything in the console. Here is the configuration (sans sensitive info):

HELP> login
Username: admin
Password: **********
HELP# conf term
HELP(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname HELP
domain-name HELP.org
clock timezone EST -5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any interface outside eq 3389
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 216.x.x.x 255.255.255.252
ip address inside 192.168.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 24.x.x.x
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 216.x.x.x 3389 192.168.1.253 3389 netmask 255.255.255.255 0 0
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.x.x.x 1 <------Gateway IP
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.168.1.4 source inside
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
username admin password .xxxxxxxxxxxxxxx encrypted privilege 15
terminal width 90
Cryptochecksum:eb81abfdc7e2b02e12b91a8836670df1
: end
HELP(config)#

Re: Pix 501 configuring....

Jon Marshall — Mon, 29 Mar 2010 20:24:58 GMT

Mike

They also provided "Routed Network Info", which is confusing to me.

Subnet is 24.x.x.x/29 with 6 usable IPs

Gateway 24.x.x.x

Mask 255.255.255.248

This is an IP range that the ISP will route to you so you can use it to present internal/dmz servers to the internet eg.

static (inside,outside) 24.x.x.1 192.168.5.10 netmask 255.255.255.255

would present the inside server of 192.168.5.10 as 24.x.x.1 to the outside. You can also be more specific and use ports eg.

static (inside,outside) tcp 24.x.x.1 80 192.168.5.10 80 netmask 255.255.255.255

would present just port 80 for 192.168.5.10 as 24.x.x.1 on port 80 so you can use the same public IP for different ports and private IPs.

Your config looks fine to test with. Most people NAT the internal addresses to the outside interface IP but it looks like you have used one of your 24.x.x.x addresses. Nothing wrong with what you have done.

Jon

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

Re: Pix 501 configuring....

JORGE RODRIGUEZ — Mon, 29 Mar 2010 20:37:31 GMT

Hi Mike, I know Jon will never get mad by adding additional info.. just wrote the answer but Jon's speed of light reply always takes me off guard 🙂

Should be straight forward what you need to accomplish, and you have come to the right place here for us to help.

First lets star to understand what ISP has giving you, it is always good to ask ISP when in doubt.

1 - IP routes:

Interface IP 216.x.x.x

Gateway IP 216.x.x.x

Mask 255.255.255.252

and DNS servers

Above information is provided for your PIX interface facing ISP configuration ,and looking at your PIX configuration
it looks like you have already acomplish that with outside interface IP address and default route for your PIX gateway.
DNS servers info will be for your inside hosts in the event that you do not have local DNS server.

2- "Routed Network Info",

Subnet is 24.x.x.x/29 with 6 usable IPs

Gateway 24.x.x.x

Mask 255.255.255.248

Routed network in your ISP case simply means that they have provided you with a /29 public IP block , they will
route the the /29 block towards your oustide PIX interface IP, meaning that you may use those /29 IP addresses as NAT
address or NAT pool addresses etc as John indicated . Since it is expected ISP to route this block back to your PIX you do not need
to do anything other than, again, using those addresses for one-to-one NAT translations or global Pools as ilustrated by Jon.

Regards

Re: Pix 501 configuring....

mikentosh — Mon, 29 Mar 2010 21:53:20 GMT

I am grateful to both of you. I will hopefully be able to test it tonight. I will let you know what happens. Thanks again!

Re: Pix 501 configuring....

mikentosh — Tue, 30 Mar 2010 12:11:27 GMT

Darn! It didn't work......... Not even the first task (getting internet access). Here's the rundown:

I connected the ISP ethernet line (from fiber box) to Pix WAN, connected Pix to laptop with ethernet, successfully pinged Pix (192.168.1.2), got "hardware error" when pinging outside.

I know I am doing something wrong. Would probably be much easier if I could get the PDM interface to work, but that is another story. I am posting the config again hoping someone can tell me where I am screwing up.

Note- the ANYRDP acl was just to test if I could access a specific inside system by using 24.x.x.33:1000 for a sort of one-to-one mapping of outside access in via RDP.

Again, any help is greatly appreciated...........

>>The ISP provided information:

>>IP routes:

>>Interface IP 216.x.x.230

>>Gateway IP 216.x.x.229

>>Mask 255.255.255.252

>>and DNS servers

>>They also provided "Routed Network Info", which is confusing to me.

>>Subnet is 24.x.x.33/29 with 6 usable IPs

>>Gateway 24.x.x.33

>>Mask 255.255.255.248

>>My first task is to try to configure a Pix 501 for inside - out internet access

>>Second task is to set up the RDP access to individual computers on the LAN. I had done this before using DD-WRT port >>forwarding on a router where I could give the client the public IP with a port number (public:1234) and configure a >>forwarding table to relay each assigned port to their computer IP on port 3389. Now that I am introducing the Pix and >>the additional routing info from ISP I am way confused. Any help would be appreciated. I would settle for getting >>internet access from the inside at this point.

CISCO SYSTEMS PIX-501
Embedded BIOS Version 4.3.200 07/31/01 15:58:22.08
Compiled by morlee
16 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
00 00 00   1022   3000 Host Bridge
00 11 00   8086   1209 Ethernet           9
00 12 00   8086   1209 Ethernet           10

Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
Platform PIX-501
Flash=E28F640J3 @ 0x3000000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 1974784 bytes of image from flash.
#################################################################################################################
16MB RAM
mcwa i82559 Ethernet at irq 9 MAC: xxxx.xxxx.xxxx
mcwa i82559 Ethernet at irq 10 MAC: xxxx.xxxx.xxxx
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0xD8000

Cisco PIX Firewall

Cisco PIX Firewall Version 6.3(5)
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                10
Throughput:                  Unlimited
IKE peers:                   10

This PIX has a Restricted (R) license.

Global 24.x.x.33 will be Port Address Translated
.
Cryptochecksum(unchanged): 398d5ff2 fcb99bb7 0cdd07ce ba58c30b

Cannot select private keyType help or '?' for a list of available commands.
JMSBC> login
Username: admin
Password: *************
%Login failed
Username: admin
Password: **********
JMSBC# conf t
JMSBC(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname JMSBC
domain-name JMSBC.org
clock timezone EST -5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any interface outside eq 3389
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list ANYRDP permit tcp any interface outside eq 1000
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 216.x.x.230 255.255.255.252
ip address inside 192.168.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 24.x.x.33
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 192.168.1.55 3389 netmask 255.255.255.255 0 0
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.x.x.229 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.168.1.4 source inside
http server enable
http 192.168.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
username admin password xxxxxxxxxxxxxxxx encrypted privilege 15
terminal width 90
Cryptochecksum:398d5ff2fcb99bb70cdd07ceba58c30b
: end
JMSBC(config)#

Re: Pix 501 configuring....

Jon Marshall — Tue, 30 Mar 2010 12:22:43 GMT

Mike

Can you post output of "sh interface" from the pix ?

Can you ping the ISP default-gateway from the pix ?

Jon

Re: Pix 501 configuring....

mikentosh — Tue, 30 Mar 2010 14:18:31 GMT

Yes, I iwll post as soon as I can. I have to go there in the evenings after my "primary" job. I will get it tonight (hopefully). Do both of these commands require the pix to be connected to the outside (I know ping would). I have the Pix with me but am nowhere near the site. I can run sh interface, but probably wont be any results you are looking to see.

Thanks for taking the time to help me!

Re: Pix 501 configuring....

JORGE RODRIGUEZ — Tue, 30 Mar 2010 21:04:38 GMT

In addition after you verify pinging the ISP gateway from the PIX itself what Jon have suggested take note of following configuration to be corrected after you have confirmed ISP gateway is ICMP reachable from the pix.

Secondly :
You have two different access list for inbound access (outside_in) and(ANYRDP) and have not yet being applied to outside interface.
For consistancy in access-list naming try using one access list for specified interface, as it will be much easier down the road to reference them per interface as suppose to different/many acl names per interfaces.

Based on your static NAT translation you have these two acl statements shown bellow , for the tcp port 1000 use the same acl name as the first one you have for port 3389

access-list outside_in permit tcp any interface outside eq 3389
access-list ANYRDP permit tcp any interface outside eq 1000

Above acls should appear as:

access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq 1000

apply the outside_in access-list to outside interface by adding bellow statement

access-group outside_in in interface outside

After you have corrected these above ensure the servers 192.168.1.253 and 192.168.1.55 are indeed listening on RDP , then test them from outside internet.

Regards

Re: Pix 501 configuring....

mikentosh — Wed, 31 Mar 2010 11:39:58 GMT

Still can't get out.....

Ping results are hardware errors.

Here is the sh interface results:

JMSBC(config)# sh interface
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0012.0059.dd6b
IP address 216.x.x.230, subnet mask 255.255.255.252
MTU 1500 bytes, BW 100000 Kbit full duplex
        9 packets input, 564 bytes, 0 no buffer
        Received 1 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        2 packets output, 120 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        1 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/3)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0012.0059.dd6c
IP address 192.168.1.2, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
        41 packets input, 2852 bytes, 0 no buffer
        Received 37 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        70 packets output, 4256 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/3)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
JMSBC(config)#

Any ideas??

Current config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxx encrypted
hostname JMSBC
domain-name JMSBC.org
clock timezone EST -5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any interface outside eq 3389
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list outbound permit icmp 192.168.1.0 255.255.255.0 any
access-list ANYRDP permit tcp any interface outside eq 1000
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 216.x.x.230 255.255.255.252
ip address inside 192.168.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 192.168.1.55 3389 netmask 255.255.255.255 0 0
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.x.x.229 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.168.1.4 source inside
http server enable
http 192.168.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
username admin password .xxxxxxxxxxxxxxxxx encrypted privilege 15
terminal width 90
Cryptochecksum:1adc46e73a8c32004d2b3d81143476ed
: end

Thanks for any help!!!

Re: Pix 501 configuring....

JORGE RODRIGUEZ — Wed, 31 Mar 2010 14:33:26 GMT

Hi Mike,

by default from the pix itself you should be able to ping the ISP router gateway , however plese add to your config ( icmp permit any outside) for ping test to ISP gateway from the PIX itself.

Also if you are trying to ping from a PC in the LAN you need to allow the replies back in in firewall.

access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any source-quench
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded

access-group outside_in in interface outside

With these above you can ping by IP address , try pinging this opened public IP 4.2.2.2 either from PIX firewall or PC , post results.

Re: Pix 501 configuring....

mikentosh — Wed, 31 Mar 2010 18:14:56 GMT

Thanks for your patience! Yes, I was trying to ping from an internal PC, I couldn't connect to any known IPs either. Forgive me for being so ignorant about the PIX firewall, but can I ping from the console? The sh interface results I posted earlier were from the PC. Am I using the right gateway? Again this is what the ISP provided:

Interface IP: 216.x.x.230

Gateway IP: 216.x.x.229

Subnetmask: 255.255.255.252

DNS Servers: 69.1.30.18 and .19

Routed Network Information:

Subnet is: 24.x.x.32/29 with 6 usable IPs

Usable IP Range: 24.x.x.33 - 24.x.x.38

Gateway: 24.x.x.33

Subnetmask: 255.255.255.248

I must be plugging something in wrong because I just cannot get out. Does it look right to you where I have the GWs/IPs?

I will try what you suggested.

Thanks again!

Re: Pix 501 configuring....

JORGE RODRIGUEZ — Wed, 31 Mar 2010 21:14:42 GMT

Mike, you posted output of show interface which looks interfaces are up for both inside and outside, from the PIX console can you post the output of "show arp" pix#show arp

Again you can ping the ISP gateway from PIX console

PIX#ping 216.x.x.229 <-- can you ping the gateway from pix? if you can ping gateway , also try other public IP like the one posted , ping 4.2.2.2 from the PIX console, if you can ping these addresse form PIX you have connectivity to internet, then move onto next task but please first confirm you can reach ISP gateway and 4.2.2.2 IP.

Regards

Re: Pix 501 configuring....

mikentosh — Thu, 01 Apr 2010 00:12:15 GMT

jorgemcse,

Here is what I got when I did the ping test with the last configuration I revealed:

JMSBC(config)# ping 4.2.2.2
        4.2.2.2 response received -- 10ms
        4.2.2.2 response received -- 0ms
        4.2.2.2 response received -- 0ms
JMSBC(config)# ping 216.x.x.230
        216.x.x.230 response received -- 0ms
        216.x.x.230 response received -- 0ms
        216.x.x.230 response received -- 0ms
JMSBC(config)# ping 216.x.x.229
        216.x.x.229 response received -- 0ms
        216.x.x.229 response received -- 0ms
        216.x.x.229 response received -- 0ms
JMSBC(config)# ping 24.x.x.33
        24.x.x.33 NO response received -- 1000ms
        24.x.x.33 NO response received -- 1000ms
        24.x.x.33 NO response received -- 1000ms
JMSBC(config)# ping 24.x.x.32
        24.x.x.32 NO response received -- 1000ms
        24.x.x.32 NO response received -- 1000ms
        24.x.x.32 NO response received -- 1000ms
JMSBC(config)# ping 24.x.x.34
        24.x.x.34 NO response received -- 1000ms
        24.x.x.34 NO response received -- 1000ms
        24.x.x.34 NO response received -- 1000ms

I have since added the following line to the configuration:

access-list outbound permit ip any any

After adding this, the pings went through from the PC. As I write this I am using the firewall connection to do so.

What did this command do? Is it ok to use it without vulnerabilities?

Dare I try to move on to remoting in???

Thanks for your assistance and patience!

Re: Pix 501 configuring....

mikentosh — Thu, 01 Apr 2010 02:52:22 GMT

My TERMSERV ACL is good for RDP. I can get in using 216.x.x.230:1000 and it routes to 3389 on the designated internal PC. Now what I need to do (if possible) is set a range of 20 individual connections similar. Is there a way to designate say incoming 1000-1020 to an internal router where I can do the port forwarding?

By the way in my excitement (and some tweaking) I lost the ability to ping out from the PC again. Connection works to internet, but can't ping out (can ping in though). Can you identify the error in the configuration below:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxxxx encrypted

hostname JMSBC

domain-name JMSBC.org

clock timezone EST -5

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_in permit icmp any any time-exceeded

access-list outside_in permit tcp any interface outside eq 3389

access-list outside_in permit icmp any any echo-reply

access-list outside_in permit icmp any any unreachable

access-list outside_in permit icmp any any source-quench

access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www

access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data

access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp

access-list outbound permit ip any any

access-list TERMSERV permit tcp any interface outside eq 1000

pager lines 24

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside 216.x.x.230 255.255.255.252

ip address inside 192.168.1.2 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1000 192.168.1.55 3389 netmask 255.255.255.255 0 0

access-group TERMSERV in interface outside

access-group outbound in interface inside

route outside 0.0.0.0 0.0.0.0 216.x.x.229 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

ntp server 192.168.1.4 source inside

http server enable

http 192.168.1.3 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

username admin password .xxxxxxxxxxxxxxx encrypted privilege 15

terminal width 90

Cryptochecksum:8f7d937a3d6ce0bceb6c332114927321

: end

Re: Pix 501 configuring....

mikentosh — Thu, 01 Apr 2010 12:06:06 GMT

ok i'm pinging again. figured out i was missing the access-group outside_in. now for the rdp problems.... and did i mention i would be setting up a site to site vpn?

Re: Pix 501 configuring....

JORGE RODRIGUEZ — Thu, 01 Apr 2010 15:07:04 GMT

Hi Mike, good that you are making progress.

The access-list outbound permit ip any any applied to inside interface s fine and you can leave it, simply it allows TCP/UDP outbound from any inside hosts, so you do not need these .

These three lines ca be removed - as long you leave access-list outbound permit ip any any applied to inside interface.
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp

As for not being unable to ping the ISP gateway it most likely is that ISP blocking icmps , but you have confirmed internet connectivity to 4.2.2.2 from pix and inside hosts after you added outside permit ip any any to inside interface.

As for Site to Site VPN go to this link and reference in mid page down Site to Site VPN (L2L) with PIX

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

Don't forget to reate helpful posts

Regards

Re: Pix 501 configuring....

mikentosh — Mon, 05 Apr 2010 14:22:16 GMT

jorgemcse,

Thanks for the link to Site to Site VPN, I will look at that next. I will also remove the lines you specified for www, ftp & ftp-data.

As for the RDP access, I currently have configured to allow 3389 acces to the internal Terminal Server as follows:

access-list outside_in permit tcp any interface outside eq 3389

static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255 0 0

Am I missing the "access-group outside_in in interface outside" to allow the above configuration to work?

I currently have the additional routing to a specific internal workstation for a user set as follows:

access-list RDPUSER permit tcp any interface outside eq 1000

static (inside,outside) tcp interface 1000 192.168.1.55 3389 netmask 255.255.255.255 0 0

access-group RDPUSER in interface outside

Can I add more of these one to one configurations, such as 1001 to x.x.x.56? Will the following work?

access-list RDPUSER permit tcp any interface outside eq 1001

static (inside,outside) tcp interface 1000 192.168.1.56 3389 netmask 255.255.255.255 0 0

access-list RDPUSER permit tcp any interface outside eq 1002

static (inside,outside) tcp interface 1000 192.168.1.57 3389 netmask 255.255.255.255 0 0

access-list RDPUSER permit tcp any interface outside eq 1003

static (inside,outside) tcp interface 1000 192.168.1.58 3389 netmask 255.255.255.255 0 0

Will they all use the access-group RDPUSER in interface outside?

I know I'm asking many questions here, but I just want to provide a solution for the port forwarding we used to do in the router.....at the perimeter (Pix) now. I don't want to go the VPN route for fear of trashing the office network with home computer bugs.

Please let me know if you think this is feasible and my configuration examples are proper (albeit unorthodox).

As always, Thanks for your time and help!

Re: Pix 501 configuring....

JORGE RODRIGUEZ — Mon, 05 Apr 2010 18:43:07 GMT

Hi Mike, thanks for rating .. using rating system will also allow Cisco to contributing $1 to help Haiti earthquake victims .

For bellow scenario you cannot do it this way using same port 1000 forwarding based on the static PAT translation, you
will get error on duplicate existing NAT, I think you probably meant tcp ports 1001,1002 etc.. based on your acl.

access-list RDPUSER permit tcp any interface outside eq 1001
static (inside,outside) tcp interface 1000 192.168.1.56 3389 netmask 255.255.255.255 0 0
access-list RDPUSER permit tcp any interface outside eq 1002
static (inside,outside) tcp interface 1000 192.168.1.57 3389 netmask 255.255.255.255 0 0
access-list RDPUSER permit tcp any interface outside eq 1003
static (inside,outside) tcp interface 1000 192.168.1.58 3389 netmask 255.255.255.255 0 0

So it will look like this bellow , using different ports

static (inside,outside) tcp interface 1001 192.168.1.56 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1002 192.168.1.57 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1003 192.168.1.58 3389 netmask 255.255.255.255 0 0

access-list RDPUSER permit tcp any interface outside eq 1001
access-list RDPUSER permit tcp any interface outside eq 1002
access-list RDPUSER permit tcp any interface outside eq 1003

As for the RDP access, I currently have configured to allow 3389 acces to the internal Terminal Server as follows:
access-list outside_in permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255 0 0

The access-list and static nat above is fine, bu the acl named ( outside_in ) needs to be applied to outside interface.
Use one access-list ( naming ) per interface like I said before. Elimimate the RDPUSER access list, or the other one (outside_access_in)
and stick with one acl for outside interface.

So your ultimate configuration for your inbound rules to these systems would be like this bellow, consolidate the access-list rules in one acl for outside interface.

static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1001 192.168.1.56 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1002 192.168.1.57 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1003 192.168.1.58 3389 netmask 255.255.255.255

access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq 1001
access-list outside_in permit tcp any interface outside eq 1002
access-list outside_in permit tcp any interface outside eq 1003

Remove access-group RDPUSER from outside interface

no access-group RDPUSER in interface outside

and apply new access-list to it

access-group outside_in in interface outside

Regards

Re: Pix 501 configuring....

mikentosh — Tue, 06 Apr 2010 11:42:09 GMT

jorgemcse,

Once again, thank you. I will try the suggested configuration and let you know the results later this week. Thanks!