topic Re: PIX 501 Help....asap. in Network Security

PIX 501 Help....asap.

homeboarder8 — Mon, 11 Mar 2019 10:54:24 GMT

Ok so here is my config...

ip address outside 78.xxx.xxx.16 255.255.255.248

ip address inside 10.xxx.xxx.81 255.0.0.0

route outside 0.0.0.0 0.0.0.0 78.xxx.xxx.18

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

access-list inbound permit icmp any any

access-list inbound permit tcp any host 78.xxx.xxx.15 eq www

access-list inbound permit tcp any host 78.xxx.xxx.15 eq 53

access-list inbound permit udp any host 78.xxx.xxx.15 eq 53

access-group inbound in interface outside

static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0

access-list inbound permit icmp any any

access-list inbound permit tcp any host 78.xxx.xxx.14 eq www

access-group inbound in interface outside

static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.15 netmask 255.255.255.255 0 0

Basically I have 2 servers running behind my PIX with the external IP addresses of 78.xxx.xxx.15 and 78.xxx.xxx.14. I can ping the inside interfaces but I can not ping the outside interface of the PIX, let alone the gateway which is at 78.xxx.xxx.18. I need to have this up and running ASAP, so any suggestions would be great!

Thanks!

Re: PIX 501 Help....asap.

srue — Tue, 07 Aug 2007 02:09:43 GMT

you can't ping the outside interface from the inside, and vice versa...

you need to add the following to permit icmp replies from the gw....

access-list inbound permit icmp any any echo-reply

access-list inbound permit icmp host 78.x.x.18 any echo-reply

you get the idea...

Re: PIX 501 Help....asap.

homeboarder8 — Tue, 07 Aug 2007 15:37:56 GMT

Thanks for the repay srue. I guess I should have elaborated a little further... I am not even able to access the internet, that is my main goal. Any advice?

Re: PIX 501 Help....asap.

acomiskey — Tue, 07 Aug 2007 16:07:47 GMT

Can you ping the gateway from the pix?

Re: PIX 501 Help....asap.

shahkamrah — Tue, 07 Aug 2007 16:23:36 GMT

What is understand for the problem it seems like you are trying the ping the outside interface from the inside,If i am understanding correctly ..

By design you will not be able to ping the outside interface ..and if you are trying to ping the outside interface from the outside world then please check if its getting denied by ICMP command ..

show ICMP

Re: PIX 501 Help....asap.

shahkamrah — Tue, 07 Aug 2007 16:27:37 GMT

Let us know if you are able to ping the gateway ip address and also let me know if you are trying to access internet from these 2 servers only..But if you are trying to access from other workstations then you need the make the use of nat and global command..

nat (inside) 1 0 0

global (outside) 1 interface

Re: PIX 501 Help....asap.

mightymouse2045 — Tue, 07 Aug 2007 16:35:52 GMT

Please post the full config of your firewall then we can help easily

Cheers,

P.S. Don't forget to rate replies 😉

Re: PIX 501 Help....asap.

homeboarder8 — Tue, 07 Aug 2007 20:47:46 GMT

Here is the running config of the pix...

PIX Version 6.3(1)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list inbound permit icmp any any

access-list inbound permit tcp any host 78.xxx.xxx.15 eq www

access-list inbound permit tcp any host 78.xxx.xxx.15 eq domain

access-list inbound permit udp any host 78.xxx.xxx.15 eq domain

access-list inbound permit tcp any host 78.xxx.xxx.15 eq pptp

access-list inbound permit tcp any host 78.xxx.xxx.14 eq pptp

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 78.xxx.xxx.16 255.255.255.248

ip address inside 10.xxx.xxx.81 255.0.0.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 78.xxx.xxx.15

global (outside) 2 78.xxx.xxx.14

nat (inside) 1 10.xxx.xxx.83 255.255.255.255 0 0

nat (inside) 2 10.xxx.xxx.85 255.255.255.255 0 0

static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0

static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 78.xxx.xxx.18 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

: end

It is just the two servers accessing the internet, and yes I found that I can ping the gateway. I'm still stumped with this whole thing so keep the help come'n guys...

Thanks!

Re: PIX 501 Help....asap.

mightymouse2045 — Tue, 07 Aug 2007 21:03:02 GMT

ok you don't do a global and then a static nat that way. All you need to define is a global for the other clients behind the gateway to the interface of your PIX, and then statics for the servers. changes as follows:

Remove these:

global (outside) 1 78.xxx.xxx.15

global (outside) 2 78.xxx.xxx.14

nat (inside) 1 10.xxx.xxx.83 255.255.255.255 0 0

nat (inside) 2 10.xxx.xxx.85 255.255.255.255 0 0

static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0

static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0

Add this:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 255.0.0.0 0 0

static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0

static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0

also create an access list for outbound access and put deny ip any any log at the end of boths lists for monitoring purposes etc

Cheers,

Re: PIX 501 Help....asap.

mightymouse2045 — Tue, 07 Aug 2007 21:04:31 GMT

sorry that nat (inside) command should read:

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

Re: PIX 501 Help....asap.

homeboarder8 — Tue, 07 Aug 2007 21:17:02 GMT

mightymouse2045, thanks for the quick responce.

Okay so I changed the config, but now I'm beginning to think I have something with the internal IP addresses wrong. I should have been more clear about what I said before... I can ping the gateway from the PIX, but not from the server. I'm thinking it has something to do with the netmask, my internal is 255.0.0.0 and my external is 255.255.255.248. Although I thought that nat was soposto take care of that?

Thanks!

Re: PIX 501 Help....asap.

homeboarder8 — Tue, 07 Aug 2007 21:25:18 GMT

If this helps clarify things:

Gateway - 78.xxx.xxx.18

PIX internal - 10.xxx.xxx.81

PIX external - 78.xxx.xxx.16

Server 1 internal - 10.xxx.xxx.83

Server 2 internal - 10.xxx.xxx.85

Server 1 external - 78.xxx.xxx.15

Server 2 external - 78.xxx.xxx.14

Thanks!

Re: PIX 501 Help....asap.

mightymouse2045 — Tue, 07 Aug 2007 21:31:38 GMT

by default pings are not allowed through PIX's so you have to enable that by adding in the permit ICMP into your access lists:

So add this into your inbound\outbound access lists:

access-list name permit icmp any any

Once you've added these in try and ping and let me know how you go. Also to restrict the ping on the outside interface you should only really add in specific ping responses like echo-reply, time-out etc do a help on the command for possible responses

Re: PIX 501 Help....asap.

homeboarder8 — Tue, 07 Aug 2007 21:34:57 GMT

Okay I just added those access-lists and I and still not able to ping the gateway. But this time I do get a 'Request timed out' as a responce...

Re: PIX 501 Help....asap.

mightymouse2045 — Tue, 07 Aug 2007 21:37:11 GMT

ok can you try pinging www.google.com and see if you can resolve it and ping it - if yes then you know your working.

If not I'll have another browse through your config - can you post the updated config again too

Re: PIX 501 Help....asap.

homeboarder8 — Tue, 07 Aug 2007 21:44:03 GMT

Okay I can ping google's IP address (64.233.161.104) from the PIX, but not from the server. Once again here are all of the IP addresses I am using:

Gateway - 78.xxx.xxx.18

PIX internal - 10.xxx.xxx.81

PIX external - 78.xxx.xxx.16

Server 1 internal - 10.xxx.xxx.83

Server 2 internal - 10.xxx.xxx.85

Server 1 external - 78.xxx.xxx.15

Server 2 external - 78.xxx.xxx.14

These are web servers, so server 1 has to have the external IP of .15 and server 2 has to have the external IP of .14.

Thanks again for your help!

Re: PIX 501 Help....asap.

mightymouse2045 — Tue, 07 Aug 2007 21:51:24 GMT

yep which was achieved with the other commands i told you to add in.

Can you post your updated config as it appears now?

Re: PIX 501 Help....asap.

homeboarder8 — Tue, 07 Aug 2007 22:03:11 GMT

Hey I actually entered in one of the commands wrong that you gave me, I corrected it any am now able to ping google's IP. I am still having a DNS issue though, I cannot ping www.google.com, just the IP. Also here is my updated config... and suggestions for security?

PIX Version 6.3(1)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list inbound permit icmp any any

access-list inbound permit tcp any host 78.xxx.xxx.15 eq www

access-list inbound permit tcp any host 78.xxx.xxx.15 eq domain

access-list inbound permit udp any host 78.xxx.xxx.15 eq domain

access-list inbound permit tcp any host 78.xxx.xxx.15 eq pptp

access-list inbound permit tcp any host 78.xxx.xxx.14 eq pptp

access-list outbound permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 78.xxx.xxx.16 255.255.255.248

ip address inside 10.xxx.xxx.81 255.0.0.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

static (inside,outside) 78.xxx.xxx.15 10.xxx.xxx.83 netmask 255.255.255.255 0 0

static (inside,outside) 78.xxx.xxx.14 10.xxx.xxx.85 netmask 255.255.255.255 0 0

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 78.xxx.xxx.18 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

: end

Thanks again 2040!

Re: PIX 501 Help....asap.

mightymouse2045 — Tue, 07 Aug 2007 22:12:08 GMT

ok you need to apply the outbound access list to the inside interface:

access-group outbound in interface inside

Also where are your DNS servers? Are you running DNS on your internal servers, or you have your internal clients\servers all pointing to your external DNS servers?

Let me know which one and I'll tell you the rules to add in to allow the DNS traffic. Also what access do you want internal servers\clients to have to the internet - or is it purely to allow external clients to access web services and pptp on the internal servers?

Cheers,

Re: PIX 501 Help....asap.

homeboarder8 — Tue, 07 Aug 2007 22:17:57 GMT

Okay the DNS servers are currently external, but once everything is configured I will be running them on the internal servers. As far as access is concern, I would like everything to be as secure as possible, the internal servers must be able to access the internet, infact I really have no need to restrict anything on them. Outside should only be able to view the web data on the servers. I have the pptp ports open to configure the servers remotely.

Thanks!