Solved: Re: creating rules on cisco pix

par13 · ‎04-07-2010

Could anyone help me to create a few basic rules that will allow this traffic to flow thru the cisco pix firewall?

internal networks:

192.168.1.0/24

192.168.2.0/24

both needs to be able to search internet websites, browse, and connect to other remote networks (ex. 10.5.1.0/24)

On the other hand, a remote network (ex. 10.5.1.0/24) needs to have access to internal network 192.168.1.0/24

Can you provide an example?

Thanks

Federico Coto Fajardo · ‎04-07-2010

Just remove the previous rules typing the same command again with the keyword ''no'' in front.

Try to get Internet access from the internal networks.

I saw the diagram, just out of curiosity, why do you have public IP addresses in your internal networks?

Federico.

View solution in original post

Federico Coto Fajardo · ‎04-07-2010

Hi,

These are the basic Firewall rules:

The traffic flow through interfaces based on the security level.

Security level ranges from (0-100)

When communicating from a higher security interface to a lower security interface (inside to outside), you need a STATIC NAT and ACL permiting the traffic.

When communicating from a lower security interface to a higher security interface (outside to inside), you just need NAT.

In your example:

To allow

192.168.1.0/24

192.168.2.0/24

to get to the Internet, you should have:

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 2 192.168.2.0 255.255.255.0

global (outside) 1 interface

global (outside) 2 interface

To allow communication TO servers in the internal network 192.168.1.0/24 from the Internet, for example to 192.168.1.8

static (in,out) public_IP 192.168.1.8

access-list OUTSIDE permit ip any host public_IP

access-group OUTSIDE in interface outside

Federico.

par13 · ‎04-07-2010

hi federico,

I created the rules base on your instructions, but, the internal network can not access any outside websites.

The 192.168.1.0/24 and 192.168.2.0/24 do not have any servers to offer to the public. Instead, the internal networks are computers that needs to access resources outside of the firewall.

Federico Coto Fajardo · ‎04-07-2010

Ok,

What you're missing is the routing.

The internal networks should have a route to the Internet pointing to the ASA (or have the ASA as their default gateway).

The ASA as well should have a default gateway:

route outside 0 0 x.x.x.x

In this case x.x.x.x represents the IP of the next-hop (next device) in the path to the Internet from the ASA.

Check it out and let us know.

Federico.

par13 · ‎04-07-2010

ok, let me send you my temporary configuration.

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

nameif ethernet3 intf3 security6

nameif ethernet4 intf4 security8

nameif ethernet5 intf5 security10

enable password DAyT8Zy5o1YlaDcM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname LVCLC-FW

domain-name lv.psu.edu

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group service webservices tcp

port-object eq www

port-object eq https

port-object eq ftp

port-object eq telnet

port-object eq ssh

object-group icmp-type icmp-allowed

icmp-object echo

icmp-object time-exceeded

object-group protocol tcpudp

protocol-object udp

protocol-object tcp

protocol-object esp

pager lines 24

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside 172.31.53.100 255.255.255.0

ip address inside 146.186.174.129 255.255.255.192

ip address intf2 128.118.6.129 255.255.255.128

no ip address intf3

no ip address intf4

no ip address intf5

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

pdm history enable

arp timeout 14400

route inside 0.0.0.0 0.0.0.0 172.31.53.100 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 146.186.174.128 255.255.255.192 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Federico Coto Fajardo · ‎04-07-2010

I see some problems.

The PIX has no clue as to where networks 192.168.1.0/24 and 192.168.2.0/24 are (there are no routes)

Are those networks reachable via which interface on the ASA?

The default route on the PIX is set to the inside interface. Is this the interface connected to the Internet?

Federico.

par13 · ‎04-07-2010

on the configuration file, the two internal networks are:

146.186.174.128 255.255.255.192

128.118.6.128 255.255.255.128

The external (public address) is 172.31.53.0/24 or 172.31.53.100/24

Both internal networks needs to go out. These are just computers that will access resources (servers, webserservers, etc.) to public network.

Take a look at the attach file.|

Federico Coto Fajardo · ‎04-07-2010

nat (inside) 1 146.186.174.128 255.255.255.129
nat (intf2) 1 128.118.6.128 255.255.255.128
global (outside) 1 interface

access-list inside permit ip any any

Make sure that both internal networks have the ASA as the default gateway.

Federico.

par13 · ‎04-07-2010

what should I do with the other rules created? should I have them removed?

On my last submission, I uploaded a diagram for you to comment on.

Federico Coto Fajardo · ‎04-07-2010

Just remove the previous rules typing the same command again with the keyword ''no'' in front.

Try to get Internet access from the internal networks.

I saw the diagram, just out of curiosity, why do you have public IP addresses in your internal networks?

Federico.

par13 · ‎04-07-2010

these are testing ip address, until we get the firewall correctly working..

par13 · ‎04-07-2010

Before uploading the new config, is this sound much better?

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

nameif ethernet3 intf3 security6

nameif ethernet4 intf4 security8

nameif ethernet5 intf5 security10

enable password DAyT8Zy5o1YlaDcM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname LVCLC-FW

domain-name lv.psu.edu

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group service webservices tcp

port-object eq www

port-object eq https

port-object eq ftp

port-object eq telnet

port-object eq ssh

object-group icmp-type icmp-allowed

icmp-object echo

icmp-object time-exceeded

object-group protocol tcpudp

protocol-object udp

protocol-object tcp

protocol-object esp

pager lines 24

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside 172.31.53.100 255.255.255.0

ip address inside 146.186.174.129 255.255.255.192

ip address intf2 128.118.6.129 255.255.255.128

no ip address intf3

no ip address intf4

no ip address intf5

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

pdm history enable

arp timeout 14400

nat (inside) 1 146.186.174.128 255.255.255.129
nat (intf2) 1 128.118.6.128 255.255.255.128
global (outside) 1 interface

access-list inside permit ip any any
route inside 0.0.0.0 0.0.0.0 172.31.53.100 1
timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 146.186.174.128 255.255.255.192 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Jennifer Halim · ‎04-07-2010

This route is incorrect: route inside 0.0.0.0 0.0.0.0 172.31.53.100 1

172.31.53.100 is your outside interface ip address. You can't route the default gateway back to your inside.

The default route should say: route outside 0.0.0.0 0.0.0.0 172.31.53.x

172.31.53.x should the next hop router ip address connected to the PIX outside interface.

and please remove the "route inside" command.

par13 · ‎04-07-2010

ok, thanks for the suggestion..

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

nameif ethernet3 intf3 security6

nameif ethernet4 intf4 security8

nameif ethernet5 intf5 security10

enable password DAyT8Zy5o1YlaDcM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname LVCLC-FW

domain-name lv.psu.edu

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group service webservices tcp

port-object eq www

port-object eq https

port-object eq ftp

port-object eq telnet

port-object eq ssh

object-group icmp-type icmp-allowed

icmp-object echo

icmp-object time-exceeded

object-group protocol tcpudp

protocol-object udp

protocol-object tcp

protocol-object esp

pager lines 24

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside 172.31.53.100 255.255.255.0

ip address inside 146.186.174.129 255.255.255.192

ip address intf2 128.118.6.129 255.255.255.128

no ip address intf3

no ip address intf4

no ip address intf5

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

pdm history enable

arp timeout 14400

nat (inside) 1 146.186.174.128 255.255.255.129
nat (intf2) 1 128.118.6.128 255.255.255.128
global (outside) 1 interface

access-list inside permit ip any any
route outside 0.0.0.0 0.0.0.0 172.31.53.100 172.31.53.106

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 146.186.174.128 255.255.255.192 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Federico Coto Fajardo · ‎04-07-2010

Have you tried it already?

Federico.