Cisco Secure PIX Firewall with Two Routers Configuration

dink
Level 1

I'm trying to implement this exact scenario that Cisco lays out in this article: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094763.shtml

Document ID: 15244

The problem is, I can't get it to work. I have a PIX535 and two 7206 routers. I've put in the commands exactly as seen here, with the exception of a few commands that aren't correct, i.e. they left out a few things in some of the access-list commands. One command I'm not sure what to replace, like this one: access-list 110 permit udp host 10.10.250.5 0.0.0.255. This command appears to be quite messed up or from an older version of IOS. Anyway, what it comes down to is the PIX config works fine, but once I add in the access-lists to the routers, all communication through, inside and out, stops. According to the logs, all internal traffic going outside is denied by the internal router's access list. I like the concept here and I would like to get it to work right. I'm not an access-list wiz, so I'm unsure where to go from here.

Thanks

Chris Allen

10 Replies

nkhawaja
Cisco Employee

It seems like the access-list is incorrect. We need to see the access-list that you have configured and the IP addresses, in fact the complete configs (hide external IP addresses).

thanks

Nadeem

Ok, here are my configs.

It goes: outside router, PIX, inside router.

!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rtr1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret xxxx
enable password xxxx
!
username admin password xxxx
aaa new-model
!
!
aaa authentication login local_auth local
aaa session-id common
ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
no ip bootp server
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
 ip address 131.1.x.x.x.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/3
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface POS5/0
 ip address XX.XX.XX.XX XX.XX.XX.XX (Outside IP Hidden)
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip access-group 110 in
 encapsulation ppp
 crc 32
 pos scramble-atm
 pos flag c2 22
!
router rip
 redistribute connected
 network 4.0.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX (IP HIDDEN)
ip route 10.1.4.0 255.255.255.0 131.1.23.2
no ip http server
!
!
!
logging trap debugging
logging 131.1.23.11
access-list compiled
access-list 10 permit 131.1.23.11
access-list 110 deny ip 131.1.23.0 0.0.0.255 any log
access-list 110 deny ip any host 131.1.23.2 log
access-list 110 permit tcp any 131.1.23.0 0.0.0.255 established
access-list 110 deny ip any host 131.1.23.3 log
access-list 110 permit ip any 131.x.x.x.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport preferred all
 transport output telnet
 stopbits 1
line aux 0
 login authentication local_auth
 transport preferred all
 transport output telnet
 stopbits 1
line vty 0 4
 access-class 10 in
 password xxx
 login authentication local_auth
 transport preferred all
 transport input telnet
 transport output all
!
!
!
end

Continued on the next message.

Thanks

Here is the PIX:

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit udp host 131.1.23.1 host 131.1.23.11 eq syslog
pager lines 24
logging on
logging buffered debugging
logging history debugging
logging host inside 10.1.4.250
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 131.1.x.x.x.255.224
ip address inside 10.10.254.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.1.4.250 255.255.255.255 inside
pdm location 10.1.4.0 255.255.255.0 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 131.x.x.1.4.250 netmask 255.255.255.255 0 0
route outside 0.0.0.0 x.x.x.x.1.23.1 1
route inside 10.1.4.0 255.255.255.0 10.10.254.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.4.250 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.1.4.250 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username admin password xxxxx privilege 15
terminal width 80
Cryptochecksum:xxxxx
: end
[OK]

Continued on next message

nkhawaja
Cisco Employee

We focus on the PIX config; I don't see any access-list applied. What access-list are you applying, and what is getting blocked? Please provide a brief problem description.

thanks

Nadeem

Well, like I said in my first message, the scenario is one of the sample PIX configs with two routers set up to protect it. The PIX config alone works fine, but once I apply the access lists to the two routers, it doesn't work like the document says it should. No traffic is allowed in or out.

dink
Level 1

Ok, here is the inside router:

!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rtr2
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret xxxx
enable password xxxx
!
username admin password xxxx
aaa new-model
!
!
aaa authentication login local_auth local
aaa session-id common
ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
no ip bootp server
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
 ip address 10.10.254.2 255.255.255.0
 ip access-group 110 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/2
 ip address 10.1.4.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
!
interface GigabitEthernet0/3
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 media-type gbic
 no negotiation auto
!
router rip
 redistribute connected
 network 10.0.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.254.1
no ip http server
!
!
!
logging trap debugging
logging facility local2
logging 10.1.4.250
access-list compiled
access-list 10 permit 10.1.4.250
access-list 110 permit udp host 10.10.250.0 0.0.0.255 10.1.4.250 eq 514
access-list 110 deny ip host 10.10.254.1 any log
access-list 110 deny ip 10.10.250.0 0.0.0.255 any
access-list 110 permit ip 10.10.254.0 0.0.0.255 10.10.250.0 0.255.255.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport preferred all
 transport output telnet
 stopbits 1
line aux 0
 login authentication local_auth
 transport preferred all
 transport output telnet
 stopbits 1
line vty 0 4
 access-class 10 in
 password xxxx
 login authentication local_auth
 transport preferred all
 transport input telnet
 transport output all
!
!
!
end

I think the main thing here is a difference in the "global" statement on the PIX. The example has:

global (outside) 1 131.1.23.12-131.1.23.254

But your config:

global (outside) 1 interface

Hence the second line of ACL 110 on the outside router blocks return traffic:

access-list 110 deny ip 131.1.23.0 0.0.0.255 any log

access-list 110 deny ip any host 131.1.23.2 log

access-list 110 permit tcp any 131.1.23.0 0.0.0.255 established

You have 2 options:

1. Change Global on the firewall

2. Change the order of lines in ACL 110: swap line 2 with line 3

Regards,

Alexander.

I think the problem is with this line in the access-list applied to the inside router:

access-list 110 permit ip 10.10.254.0 0.0.0.255 10.10.250.0 0.255.255.255

This should be changed to:

access-list 110 permit ip any 10.1.4.0 0.0.0.255

Just change access-list 110 on the outside router too, as follows:

access-list 110 permit ip any host 131.1.23.2

access-list 110 permit ip any host 131.1.23.11

Thanks

Nadeem

Ok, I think I have it all working now. I used a combination of the two and traffic is flowing now. Just to make sure I'm blocking what I need to be, like spoof attacks and such, do my access-lists look ok now?

OUTSIDE ROUTER

access-list 110 deny ip 131.1.23.0 0.0.0.225 any log

access-list 110 permit tcp any 131.1.23.0 0.0.0.255 established

access-list 110 deny ip any host 131.1.23.1

access-list 110 permit ip any 131.1.23.0 0.0.0.255

INSIDE ROUTER

access-list 110 permit udp host 10.10.250.0 0.0.0.5 10.1.4.250 eq syslog

access-list 110 deny ip host 10.10.254.1 any log

access-list 110 deny ip 10.10.250.0 0.0.0.255 any

access-list 110 permit ip any 10.1.4.0 0.0.0.255

Also, would it be any more beneficial to run the AUTO SECURE command on these routers?

Oops, sorry, I had some typos in there. Here are the access lists again.

OUTSIDE ROUTER

access-list 110 deny ip 131.1.23.0 0.0.0.255 any log

access-list 110 permit tcp any 131.1.23.0 0.0.0.255 established

access-list 110 deny ip any host 131.1.23.1

access-list 110 permit ip any 131.1.23.0 0.0.0.255

PIX

access-list 101 permit udp host 131.1.23.1 host 131.1.23.11 eq syslog

INSIDE ROUTER

access-list 110 permit udp 10.10.254.0 0.0.0.255 host 10.1.4.250 eq syslog

access-list 110 deny ip host 10.10.254.1 any log

access-list 110 deny ip 10.1.4.0 0.0.0.255 any

access-list 110 permit ip any 10.1.4.0 0.0.0.255
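Two points in this thread are easy to get wrong by eye: Alexander's observation that IOS ACLs are evaluated top-down and the first match wins (so a deny for the PIX interface address placed above the "established" permit drops every return packet once PAT uses that address), and the question of whether the final anti-spoof line really catches packets arriving from the Internet with an inside source. The evaluator below is added here as a worked example; it is not code from this thread, from Cisco, or from IOS. It implements the wildcard-mask and first-match rules for the small subset of extended ACL syntax used in the posts, then runs the three lines Alexander quoted, the reordered version, and the final outside-router ACL against constructed packets (198.51.100.10 is a documentation address standing in for an Internet host, and the 0.0.0.225 variant is a constructed mistyped mask, not something IOS would warn about).

```python
"""First-match evaluator for the subset of Cisco IOS extended ACL syntax used in the thread."""
import ipaddress

# Named ports that appear in the posts; numeric ports are accepted as-is.
PORT_NAMES = {"syslog": 514, "www": 80}


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means the packet bit must equal the corresponding bit of base."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def _take_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT] [established] [log]'
    lines in order. 'log' only affects logging, never the match decision."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        src, rest = _take_addr(tok[4:])
        dst, rest = _take_addr(rest)
        dport = None
        if "eq" in rest:
            name = rest[rest.index("eq") + 1]
            dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        entries.append({"action": tok[2], "proto": tok[3], "src": src, "dst": dst,
                        "dport": dport, "established": "established" in rest, "line": line})
    return entries


def evaluate(entries, pkt):
    """Return (action, matched_line). Entries are tested top-down and the first match wins;
    a packet that matches nothing hits the implicit 'deny any' at the end of every IOS ACL."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue  # 'ip' entries match every protocol; tcp/udp entries only their own
        if not wildcard_match(pkt["src"], *e["src"]):
            continue
        if not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        if e["established"] and not pkt.get("established", False):
            continue  # 'established' matches only TCP segments with ACK or RST set
        return e["action"], e["line"]
    return "deny", "<implicit deny>"


# The three outside-router lines quoted in the thread, in the order first posted.
OUTSIDE_ACL_AS_POSTED = """
access-list 110 deny ip 131.1.23.0 0.0.0.255 any log
access-list 110 deny ip any host 131.1.23.2 log
access-list 110 permit tcp any 131.1.23.0 0.0.0.255 established
"""

# Same lines with lines 2 and 3 swapped, the reordering suggested in the thread.
OUTSIDE_ACL_REORDERED = """
access-list 110 deny ip 131.1.23.0 0.0.0.255 any log
access-list 110 permit tcp any 131.1.23.0 0.0.0.255 established
access-list 110 deny ip any host 131.1.23.2 log
"""

# Final outside-router ACL from the end of the thread, anti-spoof mask written as 0.0.0.255.
FINAL_OUTSIDE_ACL = """
access-list 110 deny ip 131.1.23.0 0.0.0.255 any log
access-list 110 permit tcp any 131.1.23.0 0.0.0.255 established
access-list 110 deny ip any host 131.1.23.1
access-list 110 permit ip any 131.1.23.0 0.0.0.255
"""

# Constructed variant: the anti-spoof wildcard mistyped as 0.0.0.225 (binary 11100001).
FINAL_OUTSIDE_ACL_TYPO = FINAL_OUTSIDE_ACL.replace("0.0.0.255 any log", "0.0.0.225 any log")

# Constructed packets. 131.1.23.2 is the PIX outside interface, which
# 'global (outside) 10 interface' uses as the PAT address for all inside hosts.
RETURN_TRAFFIC = {"proto": "tcp", "src": "198.51.100.10", "dst": "131.1.23.2",
                  "dport": 3456, "established": True}
SPOOFED_INBOUND = {"proto": "udp", "src": "131.1.23.2", "dst": "131.1.23.12", "dport": 53}

if __name__ == "__main__":
    cases = [
        ("posted ACL, return traffic to PIX PAT address", OUTSIDE_ACL_AS_POSTED, RETURN_TRAFFIC),
        ("reordered ACL, same packet", OUTSIDE_ACL_REORDERED, RETURN_TRAFFIC),
        ("final ACL, inbound packet with inside source", FINAL_OUTSIDE_ACL, SPOOFED_INBOUND),
        ("final ACL with 0.0.0.225 mask, same packet", FINAL_OUTSIDE_ACL_TYPO, SPOOFED_INBOUND),
    ]
    for label, acl, pkt in cases:
        action, line = evaluate(parse_acl(acl), pkt)
        print(f"{label}: {action} ({line})")
```

Running it shows the posted order denying the return segment on the "deny ip any host 131.1.23.2" line and the reordered ACL permitting it on the "established" line, which is exactly Alexander's diagnosis. The last two cases show why the wildcard mask on the anti-spoof line deserves a second look when reviewing: with 0.0.0.255 every source in 131.1.23.0/24 arriving from the Internet is denied, but a mistyped 0.0.0.225 makes bits 1 to 4 of the last octet "must match zero", so a source such as 131.1.23.2 slips past the deny and is accepted by the final permit. The same evaluator can be pointed at the inside-router ACL by adding its lines and a packet from 10.10.254.1 to the syslog server.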
