cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2213
Views
0
Helpful
18
Replies

Backup through PIX 501

sebastianvetter
Level 1
Level 1

Hello,

i have a network splittet with a pix. The 192.168.111.0 at the outside interface of the PIX and the 192.168.110.0 at the inside interface.

From the inside interface everything to the extern (192.168.111.0 network) is allowed. But no access from 192.168.111.0 to 192.168.110.0 (internal interface of the PIX) is allowed.

Now i need to backup from network 192.168.111.0 servers who are locatet at the 192.168.110.0 network.

There is a way that the PIX allow the special Ports of the backup program and block rest of the traffic as it do at moment?

The Ports are:

TCP 10000 outgoing

TCP 1025 – 65536 outgoing                 

TCP 445 outgoing

UDP 135 send

Thanks

1 Accepted Solution

Accepted Solutions

Sebastian,

I suggest that instead of this command:

static (inside,outside) 192.168.110.0 192.168.110.0

Just have the static with the correct ports

i.e

static (inside,outside) tcp 192.168.110.10 80 192.168.110.10 80

static (inside,outside) tcp 192.168.110.10 80 192.168.110.10 80

The above commands is to be able to acess server 192.168.110.10 on port 80 and port 3389.

The advantage of doing it like this is that the 192.168.110.x will still have internet access.

Federico.

View solution in original post

18 Replies 18

Hi Sebastian,

To allows those ports:

TCP 10000 outgoing

TCP 1025 – 65536 outgoing                 

TCP 445 outgoing

UDP 135 send

access-list outbound permit tcp 192.168.110.0 255.255.255.0 any range 1025 65536

access-list outbound permit tcp 192.168.110.0 255.255.255.0 any eq 445

access-list outbound permit udp 192.168.110.0 255.255.255.0 any eq 135

access-group outbound in interface inside

WIth the above configuration only those ports are allowed and ALL other traffic is blocked.

Federico.

Hi Federico


if i enter this commands to the CLI and then check in the  Cisco PDM i see that there are 3 new rules from the internal network to outside.

But i need to open this ports at the outside interface to intern!

Else my standard allow all rule from intern to extern is overwritten.

The access rules after the commands at CLI i attached as picture. As i see there the acces rules are from intern to extern.

Sebastian

Sebastian,

On your post you specify the requirements as outgoing (that's why I thought you need to open those ports in an outbound direction).

If you need to open them inbound... then the ACLs are like this:

access-list inbound permit tcp any any range 1025 65536access-list inbound permit udp any any eq 135

access-list inbound permit tcp any any eq 445

access-group inbound in interface outside

Now.... it is important to replace ''any'' with the network addresses to avoid security problems.

Also, remove the previos ACLs though.

Federico.

Thanks!

So if my backupserver have the IP 192.168.111.100 and the server who should be backuped the 192.168.110.100.

I will configure a Static NAT from 192.168.111.100 to 192.168.110.xxx/24

Then:

access-list inbound extended permit tcp 192.168.110.0 255.255.255.0 host 192.168.110.xxx range 1025 65535

access-list inbound extended permit tcp 192.168.110.0 255.255.255.0 host 192.168.110.xxx range eq 445

access-list inbound extended permit udp 192.168.110.0 255.255.255.0 host 192.168.110.xxx range eq 135

access-group inbound in interface inside

Is that ok? Where xxx is always the same IP at 192.168.110.0/24

So i read it at the "Cisco Security Appliance Command Line Configuration Guide" page 277.

Hope that is correct.

Sebastian

Yes,

If you have any problems please post your current configuration.

Federico.

Thanks again!

I will apply this rules tomorrow at customer site.

Another question... iam pretty new to Cisco and configured most things via ASDM.

If i apply this to my Test-ASA i can only see this rules at ASDM under VPN -> Group Policy -> Client Configuration -> Split Tunneling -> Extendet ACL

Should it not be visible at Security Policy -> Access Rules too ?

Sebastian

Yes, you should see the rules under Firewall - Access rules as well.

Federico.

Hi,

i set the access rules to the pix. But backup is still not possible. I installed the remote agend at the Server in 192.168.110.0 site.

At the backupserver 192.168.111.0 site i see the Server in 192.168.110.0 site.

But the backup agend sends data to backup server and from 192.168.110.0 to 192.168.111.0 all is allowed, so it is logical that backup programm see the remote server. But backup still dont work. Cant access to the server and select what i want to backup.

The static NAT route i set to a non used IP in 192.168.110.0 site. Dont know if that works, but so i understood at the Cisco CLI dokumentation.

The new PIX config i have attached.

Sebastian,

Do you need to access the server 192.168.111.100 from the outside of the PIX?
In that case you need to do the following:

no static (outside,inside) 192.168.110.250 WAWI-SBS netmask 255.255.255.255 0 0
static (inside,outside) 192.168.110.250 WAWI-SBS netmask 255.255.255.255 0 0

Also, you can only access the server with its NATed IP 192.168.110.250.
The inbound ACL is applied to the inside interface (you need to make sure the correct ports are allowed in that list).

Another thing,
In order to allow communication from the outside to the inside you require an ACL that is applied to the outside interface.
i.e.
access-list outside permit ip any host 192.168.110.119
access-group outside in interface outside

Note that you can access this server from the outside but not from the Internet since the NATed IP is a private IP.

Let me know what is failing after these changes.

Federico.

Hi Federico

no the server 192.168.111.100 is the backupserver (WAWI-SBS) and is located at the outside interface of the PIX.

I need to access a server in 192.168.110.0 subnet from the outside of the PIX.

I set the static NAT: static (outside,inside) 192.168.110.250 WAWI-SBS netmask 255.255.255.255 0 0

So i need to apply this commands to the PIX?

access-list outside permit ip any host 192.168.110.119
access-group outside in interface outside

I only need to access this server from outside not from internet.

Cant make changes at the PIX now, tomorrow i can do.

Let's say that you need to access server 192.168.110.10 from outside the PIX.

What you do is the following:

static (inside,outside) 192.168.110.10 192.168.110.10

access-list outside permit ip any host 192.168.110.10

access-group outside in interface outside

The above example is assuming that you don't need to NAT the server.

If you need to NAT 192.168.110.10 to 192.168.111.10 for example, you do this:

static (inside,outside) 192.168.111.10 192.168.110.10

access-list outside permit ip any host 192.168.111.10

access-group outside in interface outside

Federico.

Thanks

i attached a picture of the network. The green arrow shows the access i need with the special ports.

Only the 192.168.111.100 should can access to 192.168.110.0 subnet with the special ports.

Sebastian

static (inside,outside) 192.168.110.0 192.168.110.0 netmask 255.255.255.0
access-list outside permit tcp host 192.168.111.100 192.168.110.0 255.255.255.0 eq 80
access-group outside in interface outside

Sebastian,

The above configuration allows communication from outside host 192.168.111.100 to the internal LAN 192.168.110.0/24 only on the
ports that you specify in the ACL outside.
The above ACL is an example to allow port 80 (HTTP), you should include the ports you need to permit.

Federico.

Federico,

i will try this configuration at the PIX today.

But.... static (inside,outside) 192.168.110.0 192.168.110.0 netmask 255.255.255.0

two times 192.168.110.0? Is that ok so?

Sebastian

Review Cisco Networking for a $25 gift card