topic Re: PIX 506E PROBLEM in Network Security

PIX 506E PROBLEM

godzilla0 — Wed, 13 Mar 2019 00:57:49 GMT

I'm at job configuring a Cisco PIX 506E, and I have a problem.

The outside interface can't reach the router wich bring the local net to the internet. I don't want anything by now but to reach the internet and do some port forwarding for some local servers. I don't care about any other aspect of the PIX as a firewall because it's a spare and we want it only to replace an old router. Then we want to do IPSEC tunneling but that's another history. By now I only want the PIX to do the same function as the old router. It could be interesting to erase everything and start from scratch . . . this is my configuration data on the old router:

ROUTER IP ADDRESS: 192.169.7.100 netmask 255.255.255.0 ( 192.169.7.0 is the local subnet )

INTERNET IP ADDRESS: 213.x.x.202 netmask 255.0.0.0

GATEWAY: 213.x.178.29

Ok. This is my actual PIX configuration:

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname pixfirewall

domain-name work.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol http 80-88

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list ping-acl remark allow pings on the outside

access-list ping-acl permit icmp any any

access-list inbound permit icmp any any

access-list inbound permit tcp any any eq www

access-list permit_icmp permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 213.x.x.202 255.0.0.0

ip address inside 192.169.7.100 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.169.7.0 255.255.255.0 0 0

access-group permit_icmp in interface outside

conduit permit tcp host 0.0.0.0 eq 81 host 192.169.7.2

route outside 0.0.0.0 0.0.0.0 213.229.178.29 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh 192.169.1.0 255.255.255.0 inside

ssh 192.169.7.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxx

So I can reach the PIX but I can't get out of it to the inet. I don't know why, If you can answer this one, then it would be interesting to know how to make 1 port forwarding from the inet to an specific server of the local subnet on port, for example 8080. Thank you so much.

Re: PIX 506E PROBLEM

Collin Clark — Tue, 15 Jul 2008 12:29:40 GMT

You need a NAT translation,

static (inside,outside) tcp [public IP] 8080 [private IP] 8080

don't forget to add the port & protocol in your outside ACL too.

Hope that helps.

Re: PIX 506E PROBLEM

godzilla0 — Tue, 15 Jul 2008 12:35:13 GMT

Thank you for the NAT translation hint, but I need to know why I can't access the internet with this configuration. Thanks.

Re: PIX 506E PROBLEM

Collin Clark — Tue, 15 Jul 2008 12:36:40 GMT

Can you ping the ISP router? If yes, can you ping an internet address (4.2.2.2)?

Re: PIX 506E PROBLEM

dhananjoy chowdhury — Tue, 15 Jul 2008 12:37:07 GMT

Hi,

Try to access some website on the Internet and then, issue this command on the PIX, to see whether NAT is happening or not.

"show xlate"

Then do " clear xlate" and again try to access.

-------------------------------

Now suppose you want to forward connections on the Outside IP of PIX on port 8080 to the server inside(suppose 192.169.7.100) on 8080 from Internet :

static(inside,outside) tcp interface 8080 192.169.7.100 8080 netmask 255.255.255.255

access-list out-in permit tcp any interface outside eq 8080

Re: PIX 506E PROBLEM

godzilla0 — Tue, 15 Jul 2008 12:43:04 GMT

Hello, no . . I can't ping the ISP router. That's the main problem. I think I must connect the inside iface with the external iface ???

OUTPUT:

pixfirewall# ping 213.229.178.29

213.229.178.29 NO response received -- 1000ms

pixfirewall# ping 4.2.2.2

4.2.2.2 NO response received -- 1000ms

Thanks !

EDIT: ( BOTH INTERFACES ARE UP )

Re: PIX 506E PROBLEM

godzilla0 — Tue, 15 Jul 2008 12:43:57 GMT

Hi thank you for your help ! No, this is the output for the show xlate:

pixfirewall# show xlate

55 in use, 177 most used

PAT Global 213.27.252.202(1576) Local 192.169.7.240(36315)

PAT Global 213.27.252.202(1577) Local 192.169.7.240(47101)

PAT Global 213.27.252.202(1578) Local 192.169.7.240(56852)

PAT Global 213.27.252.202(1579) Local 192.169.7.4(49151)

PAT Global 213.27.252.202(1580) Local 192.169.7.240(45379)

PAT Global 213.27.252.202(1581) Local 192.169.7.240(53988)

PAT Global 213.27.252.202(1582) Local 192.169.7.1(34708)

PAT Global 213.27.252.202(1583) Local 192.169.7.240(55006)

PAT Global 213.27.252.202(1568) Local 192.169.7.240(53147)

PAT Global 213.27.252.202(1569) Local 192.169.7.4(49147)

PAT Global 213.27.252.202(1570) Local 192.169.7.240(54975)

PAT Global 213.27.252.202(1571) Local 192.169.7.4(49149)

PAT Global 213.27.252.202(1572) Local 192.169.7.240(35676)

PAT Global 213.27.252.202(1573) Local 192.169.7.240(33532)

PAT Global 213.27.252.202(1574) Local 192.169.7.4(49150)

PAT Global 213.27.252.202(1575) Local 192.169.7.240(34880)

PAT Global 213.27.252.202(1592) Local 192.169.7.240(49059)

PAT Global 213.27.252.202(1593) Local 192.169.7.4(49155)

PAT Global 213.27.252.202(1594) Local 192.169.7.240(46846)

PAT Global 213.27.252.202(1595) Local 192.169.7.4(49156)

PAT Global 213.27.252.202(1584) Local 192.169.7.4(49152)

PAT Global 213.27.252.202(1585) Local 192.169.7.240(42149)

PAT Global 213.27.252.202(1586) Local 192.169.7.1(34709)

PAT Global 213.27.252.202(1587) Local 192.169.7.4(49153)

PAT Global 213.27.252.202(1588) Local 192.169.7.240(53754)

PAT Global 213.27.252.202(1589) Local 192.169.7.4(49154)

PAT Global 213.27.252.202(1590) Local 192.169.7.1(34710)

PAT Global 213.27.252.202(1591) Local 192.169.7.240(38344)

PAT Global 213.27.252.202(1544) Local 192.169.7.4(49140)

PAT Global 213.27.252.202(1545) Local 192.169.7.4(49141)

PAT Global 213.27.252.202(1546) Local 192.169.7.240(38441)

PAT Global 213.27.252.202(1547) Local 192.169.7.240(43015)

PAT Global 213.27.252.202(1548) Local 192.169.7.240(46285)

PAT Global 213.27.252.202(1549) Local 192.169.7.240(53807)

PAT Global 213.27.252.202(1550) Local 192.169.7.240(50523)

PAT Global 213.27.252.202(1551) Local 192.169.7.240(59858)

PAT Global 213.27.252.202(1543) Local 192.169.7.1(34707)

PAT Global 213.27.252.202(1560) Local 192.169.7.240(60751)

PAT Global 213.27.252.202(1561) Local 192.169.7.240(39161)

PAT Global 213.27.252.202(1562) Local 192.169.7.4(49144)

PAT Global 213.27.252.202(1563) Local 192.169.7.240(33474)

PAT Global 213.27.252.202(1564) Local 192.169.7.240(56606)

PAT Global 213.27.252.202(1565) Local 192.169.7.240(37736)

PAT Global 213.27.252.202(1566) Local 192.169.7.4(49146)

PAT Global 213.27.252.202(1567) Local 192.169.7.240(43717)

PAT Global 213.27.252.202(1552) Local 192.169.7.4(49142)

PAT Global 213.27.252.202(1553) Local 192.169.7.240(46145)

PAT Global 213.27.252.202(1554) Local 192.169.7.240(46275)

PAT Global 213.27.252.202(1555) Local 192.169.7.240(44372)

PAT Global 213.27.252.202(1556) Local 192.169.7.240(35713)

PAT Global 213.27.252.202(1557) Local 192.169.7.240(49242)

PAT Global 213.27.252.202(1558) Local 192.169.7.240(42007)

PAT Global 213.27.252.202(1559) Local 192.169.7.4(49143)

PAT Global 213.27.252.202(1085) Local 192.169.7.2(45939)

PAT Global 213.27.252.202(1086) Local 192.169.7.240(38588)

Re: PIX 506E PROBLEM

jmia — Tue, 15 Jul 2008 12:54:00 GMT

what type of cable do you have connected from the port of the PIX to the ISP router? is it cross-over or straight through??

Also, I would clear up your PIX configuration, to be honest I would start from scratch - you can set the PIX to its factory default configuration - if your box is running version 6.2 or above.

Let us know...

Re: PIX 506E PROBLEM

dhananjoy chowdhury — Tue, 15 Jul 2008 13:07:27 GMT

is your setup like this ?

((ISP))---z---(Internet-Router)----<>--LAN

If , yes then what Jay has said could be a point... check the connectivity between the PIX and the Internet Router.

Re: PIX 506E PROBLEM

godzilla0 — Tue, 15 Jul 2008 13:10:56 GMT

The cable it's crossover, but I changed it to a plain one nad the results are the same.

Can you tell me how to wipe out the config ?

Thanks.

Re: PIX 506E PROBLEM

godzilla0 — Tue, 15 Jul 2008 13:13:47 GMT

From my side the setup is like this:

LAN-------PIX-----ISP ( a router probably )

so: Inside-> 192.169.7.100

Outside-> 213.27.252.202

Default route (ispgateway)->213.229.178.29

Re: PIX 506E PROBLEM

jmia — Tue, 15 Jul 2008 13:20:18 GMT

Ok... keep the cross-over cable and ask your ISP to clear the router ARP cache for you. You can reset the PIX to factory default configuration by issuing (in config mode)..

configure factory-default

After the reset - rebuild your configuration but this time with no ACLs just the basics i.e. outside IP address with correct mask address and inside ip address and correct mask plus corret default gateway to the ISP router.

We can then troubleshoot the problem further and build your PIX configuration up further.

But I am little confused as you mention 'router probably on your post' is it a router or modem??

Speak soon...

Re: PIX 506E PROBLEM

godzilla0 — Tue, 15 Jul 2008 13:23:17 GMT

Thanks for your help ! I'm sure the ISP device it's a router. I'm at a datacenter and I'm sure there are no modem connections for the costumers. Ok right now I'm wiping the config. I'll post again some minutes later.

Thanks.

Re: PIX 506E PROBLEM

godzilla0 — Tue, 15 Jul 2008 13:46:32 GMT

Ok, I did conf term, then configure factory-default 192.169.7.100 255.255.255.0, the process goes on but then if I do show conf the configurations remains the same. I even tryed to do it and then reboot the PIX but the configuration doesn't go away. Any comments ?

EDIT: Ok I'm sorry I only needed to do write mem to visualize the changes made. Now it's clear.

Re: PIX 506E PROBLEM

jmia — Tue, 15 Jul 2008 13:51:30 GMT

Which version is on your 506 is it above 6.2 code? Did you issue write mem??

Re: PIX 506E PROBLEM

godzilla0 — Tue, 15 Jul 2008 13:55:15 GMT

Yes, it's done now. I edited last post to include that. Ok. Now, can I erase all the DHCP stuff that comes by default ? I don't need it. As all the servers on this subnet are using static ip addressing.

Re: PIX 506E PROBLEM

jmia — Tue, 15 Jul 2008 14:00:45 GMT

Good... yes you can erase the DHCP, do (in config mode)

clear dhcpd

save with - wr m

And then we can carry on....

Re: PIX 506E PROBLEM

godzilla0 — Tue, 15 Jul 2008 14:05:00 GMT

Ok now that's done. First warning.

I did: ip address inside 192.169.7.100 255.255.255.0, no problem.

But then I did ip address outside 213.27.252.202 255.0.0.0

And the following warning appear:

WARNING: unable to add route to OSPF RIB.

Re: PIX 506E PROBLEM

jmia — Tue, 15 Jul 2008 14:10:35 GMT

Is that the correct MASK for that IP? It should be in the form...

213.27.252.202 255.255.255.x

So my next question is.. how many public IP addresses has been assigned to you by your ISP?

Re: PIX 506E PROBLEM

godzilla0 — Tue, 15 Jul 2008 14:16:47 GMT

Ok now we are going the good way. I can ping the ISP router and the google's IP. But if I ping to the google IP from any of the servers on the local subnet I can't reach anything.

The successful ping are executed from the router's CLI. Thanks !