12-29-2004 11:24 AM - edited 02-20-2020 11:50 PM
I'm trying to implement this exact scenario that Cisco lays out in this article. http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094763.shtml
Document ID: 15244
The problem is, I can't get it to work. I have a PIX535 and 2 7206 routers. I've put in the commands exactly as seen here, with the exception of a few commands that aren't correct, i.e. they left out a few things in some of the access list commands. One command I'm not sure what to replace. Like this one: access-list 110 permit udp host 10.10.250.5 0.0.0.255 This command appears to be quite messed up or from an older version of IOS. Anyway, what it comes down to is the PIX config works fine, but once I add in the access-lists to the routers, all communication through, inside and out, stops. According to the logs, all internal traffic going outside is denied by the internal router's access list. I like the concept here and I would like to get it to work right. I'm not an access-list wiz, so I'm unsure where to go from here.
Thanks
Chris Allen
12-29-2004 04:38 PM
It seems like the access-list is incorrect. We need to see the access-list that you have configured and the IP addresses, in fact the complete configs (hide external IP addresses).
thanks
Nadeem
12-30-2004 10:59 AM
Ok, here are my configs.
It goes, outside router, PIX, inside router.
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rtr1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret xxxx
enable password xxxx
!
username admin password xxxx
aaa new-model
!
!
aaa authentication login local_auth local
aaa session-id common
ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
no ip bootp server
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
ip address 131.1.x.x.x.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/3
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface POS5/0
ip address XX.XX.XX.XX XX.XX.XX.XX (Outside IP Hidden)
no ip redirects
no ip unreachables
no ip proxy-arp
ip access-group 110 in
encapsulation ppp
crc 32
pos scramble-atm
pos flag c2 22
!
router rip
redistribute connected
network 4.0.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX (IP HIDDEN)
ip route 10.1.4.0 255.255.255.0 131.1.23.2
no ip http server
!
!
!
logging trap debugging
logging 131.1.23.11
access-list compiled
access-list 10 permit 131.1.23.11
access-list 110 deny ip 131.1.23.0 0.0.0.255 any log
access-list 110 deny ip any host 131.1.23.2 log
access-list 110 permit tcp any 131.1.23.0 0.0.0.255 established
access-list 110 deny ip any host 131.1.23.3 log
access-list 110 permit ip any 131.x.x.x.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport preferred all
transport output telnet
stopbits 1
line aux 0
login authentication local_auth
transport preferred all
transport output telnet
stopbits 1
line vty 0 4
access-class 10 in
password xxx
login authentication local_auth
transport preferred all
transport input telnet
transport output all
!
!
!
end
Continued on the next message.
Thanks
12-30-2004 11:01 AM
Here is the PIX
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit udp host 131.1.23.1 host 131.1.23.11 eq syslog
pager lines 24
logging on
logging buffered debugging
logging history debugging
logging host inside 10.1.4.250
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 131.1.x.x.x.255.224
ip address inside 10.10.254.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.1.4.250 255.255.255.255 inside
pdm location 10.1.4.0 255.255.255.0 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 131.x.x.1.4.250 netmask 255.255.255.255 0 0
route outside 0.0.0.0 x.x.x.x.1.23.1 1
route inside 10.1.4.0 255.255.255.0 10.10.254.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.4.250 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.1.4.250 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username admin password xxxxx
privilege 15
terminal width 80
Cryptochecksum:xxxxx
: end
[OK]
Continued on next message
12-30-2004 11:17 AM
We focus on the PIX config; I don't see any access-list applied. What access-list are you applying? And what is getting blocked? Please provide a brief problem description.
thanks
Nadeem
12-30-2004 11:32 AM
Well, like I said in my first message, the scenario is one of the sample PIX configs with 2 routers set up to protect it. The PIX config alone works fine, but once I apply the access lists to the 2 routers, it doesn't work like the document says it should. No traffic is allowed in or out.
12-30-2004 11:03 AM
Ok, here is the inside router
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rtr2
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret xxxx
enable password xxxx
!
username admin password xxxx
aaa new-model
!
!
aaa authentication login local_auth local
aaa session-id common
ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
no ip bootp server
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
ip address 10.10.254.2 255.255.255.0
ip access-group 110 in
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/2
ip address 10.1.4.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex full
speed 1000
media-type gbic
negotiation auto
!
interface GigabitEthernet0/3
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
media-type gbic
no negotiation auto
!
router rip
redistribute connected
network 10.0.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.254.1
no ip http server
!
!
!
logging trap debugging
logging facility local2
logging 10.1.4.250
access-list compiled
access-list 10 permit 10.1.4.250
access-list 110 permit udp host 10.10.250.0 0.0.0.255 10.1.4.250 eq 514
access-list 110 deny ip host 10.10.254.1 any log
access-list 110 deny ip 10.10.250.0 0.0.0.255 any
access-list 110 permit ip 10.10.254.0 0.0.0.255 10.10.250.0 0.255.255.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport preferred all
transport output telnet
stopbits 1
line aux 0
login authentication local_auth
transport preferred all
transport output telnet
stopbits 1
line vty 0 4
access-class 10 in
password xxxx
login authentication local_auth
transport preferred all
transport input telnet
transport output all
!
!
!
end
12-30-2004 12:11 PM
I think the main thing here is a difference in the "GLOBAL" statement on the PIX. The example has:
global (outside) 1 131.1.23.12-131.1.23.254
But your config:
global (outside) 1 interface
Hence the second line of ACL 110 on the outside router blocks return traffic:
access-list 110 deny ip 131.1.23.0 0.0.0.255 any log
access-list 110 deny ip any host 131.1.23.2 log
access-list 110 permit tcp any 131.1.23.0 0.0.0.255 established
You have 2 options:
1. Change Global on the firewall
2. Change order of lines in ACL 110, switch line 2 with line 3
Regards,
Alexander.
12-30-2004 01:19 PM
I think the problem is with this line in the access-list applied to the inside router
access-list 110 permit ip 10.10.254.0 0.0.0.255 10.10.250.0 0.255.255.255
this should be changed to
access-list 110 permit ip any 10.1.4.0 0.0.0.255
Just change the access-list 110 on the outside router too, as follows
access-list 110 permit ip any host 131.1.23.2
access-list 110 permit ip any host 131.1.23.11
Thanks
Nadeem
12-30-2004 03:30 PM
Ok, I think I have it all working now. I used a combination of the 2 and traffic is flowing now. Just to make sure I'm blocking what I need to be, like spoof attacks and such, do my access-lists look ok now?
OUTSIDE ROUTER
access-list 110 deny ip 131.1.23.0 0.0.0.225 any log
access-list 110 permit tcp any 131.1.23.0 0.0.0.255 established
access-list 110 deny ip any host 131.1.23.1
access-list 110 permit ip any 131.1.23.0 0.0.0.255
INSIDE ROUTER
access-list 110 permit udp host 10.10.250.0 0.0.0.5 10.1.4.250 eq syslog
access-list 110 deny ip host 10.10.254.1 any log
access-list 110 deny ip 10.10.250.0 0.0.0.255 any
access-list 110 permit ip any 10.1.4.0 0.0.0.255
Also, would it be any more beneficial to run the AUTO SECURE command on these routers?
12-30-2004 05:08 PM
Oops, sorry, I had some typos in there. Here are the access lists again.
OUTSIDE ROUTER
access-list 110 deny ip 131.1.23.0 0.0.0.225 any log
access-list 110 permit tcp any 131.1.23.0 0.0.0.255 established
access-list 110 deny ip any host 131.1.23.1
access-list 110 permit ip any 131.1.23.0 0.0.0.255
PIX
access-list 101 permit udp host 131.1.23.1 host 131.1.23.11 eq syslog
INSIDE ROUTER
access-list 110 permit udp host 10.10.254.0 0.0.0.255 10.1.4.250 eq syslog
access-list 110 deny ip host 10.10.254.1 any log
access-list 110 deny ip 10.1.4.0 0.0.0.255 any
access-list 110 permit ip any 10.1.4.0 0.0.0.255
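As an added illustration, not taken from the thread or from Cisco's document, here is a small Python simulator of IOS extended-ACL matching (wildcard masks, first match wins, implicit deny), run over the outside router's ACL 110 in the two orderings Alexander discusses and over the final posted version with its anti-spoof wildcard written as 0.0.0.255 or as the 0.0.0.225 typo. It assumes 131.1.23.2 is the PIX outside address as Alexander's reply implies, the Internet host 198.51.100.7 and the packets are constructed, and the ack flag stands for the ACK/RST bits that the established keyword tests.

```python
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', so only the 0 bits are compared."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """'access-list N permit|deny proto SRC DST [established] [log]' -> dict."""
    t, i, ends = line.split(), 4, []
    for _ in range(2):                                  # source, then destination
        if t[i] == "any":
            ends.append(("0.0.0.0", "255.255.255.255")); i += 1
        elif t[i] == "host":
            ends.append((t[i + 1], "0.0.0.0")); i += 2
        else:
            ends.append((t[i], t[i + 1])); i += 2
    return dict(action=t[2], proto=t[3], src=ends[0], dst=ends[1],
                established="established" in t[i:])

def evaluate(acl, proto, src, dst, ack=False):
    """First matching ACE wins; no match is the implicit deny (reported as line None)."""
    for n, ace in enumerate(acl, 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["established"] and not ack:              # matches only TCP replies (ACK/RST)
            continue
        return ace["action"], n
    return "deny", None

# Outside router ACL 110 as first posted (first three lines), and with lines 2 and 3 swapped.
ORIGINAL = [parse_ace(l) for l in (
    "access-list 110 deny ip 131.1.23.0 0.0.0.255 any log",
    "access-list 110 deny ip any host 131.1.23.2 log",
    "access-list 110 permit tcp any 131.1.23.0 0.0.0.255 established")]
SWAPPED = [ORIGINAL[0], ORIGINAL[2], ORIGINAL[1]]
def reply_to_pat_address(acl):
    # Constructed packet: host 198.51.100.7 answering (ACK set) a session PAT'd to 131.1.23.2.
    return evaluate(acl, "tcp", "198.51.100.7", "131.1.23.2", ack=True)
def spoofed_inside_source(wildcard):
    # Final outside ACL with its anti-spoof wildcard as a parameter (0.0.0.255 as intended or
    # the 0.0.0.225 typo); constructed UDP packet from the Internet side claiming source 131.1.23.2.
    acl = [parse_ace(l) for l in (
        f"access-list 110 deny ip 131.1.23.0 {wildcard} any log",
        "access-list 110 permit tcp any 131.1.23.0 0.0.0.255 established",
        "access-list 110 deny ip any host 131.1.23.1",
        "access-list 110 permit ip any 131.1.23.0 0.0.0.255")]
    return evaluate(acl, "udp", "131.1.23.2", "131.1.23.11")
```

With the original order the reply is dropped by line 2 before the established permit is reached, and with 0.0.0.225 a packet spoofing 131.1.23.2 slips past line 1 and is permitted by the final line, because the mask only ignores bits 0, 5, 6 and 7 of the last octet.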