01-07-2010 08:42 PM - edited 03-11-2019 09:54 AM
Hello,
I am using a PIX 501 with IOS 6.3 (1) installed.
My issue is that I am attempting to configure my PIX to direct HTTP traffic to a local computer that is running a program to share files. I am able to access the program from a browser on another workstation. Therefore, the program is working.
However, when I attempt to access the program from outside the PIX – I cannot.
Here are the steps I took to set up my configuration:
Needed to configure the Interfaces
ip address outside ***.***.***.18 255.255.255.248
ip address inside 172.20.1.241 255.255.0.0
Needed to apply an access-list:
This allows Https traffic through the PIX.
access-list 101; 1 elements
access-list 101 line 1 permit tcp any interface outside eq http
Created a Static route:
This is a route that will direct traffic directly to the SSL Concentrator (172.20.1.225)
static (inside,outside) tcp interface http 172.20.1.101 http netmask 255.255.255.255 0 0
Verified the routes:
outside 0.0.0.0 0.0.0.0 ***.***.***.81 1 OTHER static
outside ***.***.***.16 255.255.255.248 ***.***.***.18 1 CONNECT static
inside 172.20.0.0 255.255.0.0 172.20.1.241 1 CONNECT static
NAT
global (outside) 1 interface
nat (inside) 1 172.20.0.0 255.255.0.0 0 0
01-19-2010 08:26 PM
Yes, currently I am permitting anything in an effort to get it to work
first and then tighten it down (once I can verify it works). My understanding of the PIX is that all information from the inside can go out unless it has been denied?
This is when you do not have any access-list configured on the interfaces. In your case, the missing part may be an access-list on the inside interface that permits HTTP traffic from your internal web server to the internet.
access-list 102 permit tcp host 172.20.1.101 any eq http
access-list 102 permit tcp host 172.20.1.101 any eq https
access-group 102 in interface inside
Also make sure that you have proper DNS resolution for internet access.
Dileep
01-21-2010 06:54 PM
Hello,
I got my PIX working…however…
After over analyzing the issue, I decided to isolate the problem and remove the PIX from my network. I plugged another node directly to the hub ports in the back of the PIX and it worked (after allowing nearly full access).
On the network, the node I was attempting to reach was not directly plugged into the hub of the PIX. But, I was able to ping the inside port of the PIX and the PIX was able to ping the node. Therefore, I did not believe that to be an issue?
Anyway, now my problem is with ACLs. I basically had to allow anything in and out because when I applied the suggested ACLs (the access-list 102 suggestion), I do not gain access.
This is what I have currently applied:
access-list 101; 1 elements
access-list 101 line 1 permit ip any any (hitcnt=1167)
access-list 102; 2 elements
access-list 102 line 1 permit tcp any any eq www (hitcnt=0)
access-list 102 line 2 permit tcp any any eq https (hitcnt=0)
Log information (Note: The public address is the assigned DNS server. I transferred the application to my lab workstation, which is 172.20.1.103):
106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.250/53 by access-group "102"
106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.252/53 by access-group "102"
106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.250/53 by access-group "102"
710005: UDP request discarded from 172.20.1.81/138 to inside:172.20.255.255/netbios-dgm
106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.250/53 by access-group "102"
106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.252/53 by access-group "102"
710005: UDP request discarded from 172.20.1.11/137 to inside:172.20.255.255/netbios-ns
710005: UDP request discarded from 172.20.1.78/138 to inside:172.20.255.255/netbios-dgm
106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.250/53 by access-group "102"
106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.252/53 by access-group "102"
What can I do to tighten my ACLs while still allowing traffic to pass back and forth?
01-21-2010 08:31 PM
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password cPlBJP0wS8qSVcsh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname hufcorairwall
domain-name hufcorairwall.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list 101 permit tcp any interface outside eq http
access-list 102 permit tcp 172.20.0.0 255.255.0.0 any eq http
access-list 102 permit tcp 172.20.0.0 255.255.0.0 any eq https
access-list 102 permit udp 172.20.0.0 255.255.0.0 any eq dns
pager lines 24
logging console debugging
logging buffered informational
logging trap debugging
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside ***.***.***.84 255.255.255.248
ip address inside 172.20.1.243 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool1 192.168.221.1-192.168.221.23
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) tcp interface www 172.20.1.101 www netmask 255.255.255.255 0 0
nat (inside) 1 172.20.0.0 255.255.0.0 0 0
access-group 101 in interface outside
access-group 102 in interface inside
route outside 0.0.0.0 0.0.0.0 ***.***.***.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set TransSet1 esp-des esp-md5-hmac
crypto dynamic-map DynMap1 10 set transform-set TransSet1
crypto map CryptMap1 10 ipsec-isakmp dynamic DynMap1
crypto map CryptMap1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup GroupVpn1 address-pool ippool1
vpngroup GroupVpn1 idle-time 1800
vpngroup GroupVpn1 password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:1225e257808d8147151d8fd06b471c3a
: end
I have pasted your config; edited lines are highlighted.
Dileep
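As an added example (not code from either poster), a small Python script that parses the 106023 deny messages quoted in the previous post and replays them against the inside-interface ACL as first posted (www/https only) and as revised in the reply above (with the udp dns entry). The sample log lines are constructed in the shape shown in the thread, and the PIX 6.x ACL subset it models (source `any`/`host`/`NET MASK`, destination `any`, optional `eq port`) is my assumption.

```python
import ipaddress
import re
# Constructed sample in the shape of the PIX 6.3 syslog quoted in the thread:
# 106023 = packet dropped by an access-group, 710005 is unrelated broadcast noise.
SAMPLE_LOG = """\
106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.250/53 by access-group "102"
106023: Deny udp src inside:172.20.1.103/54674 dst outside:64.105.132.252/53 by access-group "102"
710005: UDP request discarded from 172.20.1.81/138 to inside:172.20.255.255/netbios-dgm
"""
# Inside-interface ACL as first posted (www/https only) and as revised in the reply.
ORIGINAL_ACL_102 = ["access-list 102 permit tcp any any eq www",
                    "access-list 102 permit tcp any any eq https"]
REVISED_ACL_102 = ["access-list 102 permit tcp 172.20.0.0 255.255.0.0 any eq http",
                   "access-list 102 permit tcp 172.20.0.0 255.255.0.0 any eq https",
                   "access-list 102 permit udp 172.20.0.0 255.255.0.0 any eq dns"]

DENY_RE = re.compile(r'^106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ '
                     r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
PORT_NAMES = {"http": 80, "www": 80, "https": 443, "dns": 53, "domain": 53}

def parse_denies(text):
    """One dict per 106023 line (proto, src, dst, dport, acl); other message IDs are skipped."""
    flows = []
    for m in filter(None, map(DENY_RE.match, text.splitlines())):
        flows.append({**m.groupdict(), "dport": int(m["dport"])})
    return flows

def parse_ace(line):
    """Parse 'access-list N permit PROTO SRC any [eq PORT]'; SRC is any, host A.B.C.D or NET MASK."""
    t = line.split()
    proto, i = t[3], 4
    if t[i] == "any":
        src, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif t[i] == "host":
        src, i = ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    else:  # ipaddress accepts a dotted netmask after the slash
        src, i = ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2
    assert t[i] == "any", "only an 'any' destination is modelled here"
    dport = None
    if len(t) > i + 2 and t[i + 1] == "eq":
        dport = PORT_NAMES.get(t[i + 2]) or int(t[i + 2])
    return {"proto": proto, "src": src, "dport": dport}

def still_denied(acl_lines, flows):
    """Denied flows that no permit entry matches, i.e. the implicit deny still drops them."""
    aces = [parse_ace(l) for l in acl_lines]
    def hit(a, f):
        return (a["proto"] == f["proto"] and a["dport"] in (None, f["dport"])
                and ipaddress.ip_address(f["src"]) in a["src"])
    return [f for f in flows if not any(hit(a, f) for a in aces)]
```

Running `still_denied(ORIGINAL_ACL_102, parse_denies(SAMPLE_LOG))` returns both DNS flows, while the revised ACL returns none, which is the behaviour the hitcnt=0 counters and the 106023 messages in the thread point to.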