
dns/ssh access through pix

SmithKJ
Level 1

I have a PIX 515-E w/ver. 6.2(2) (asking for a new one for x-mas). The configuration I inherited included statics and conduits. Yes, I know I'm supposed to convert these to ACLs, but unfortunately I can't get the OK for the downtime.

Meanwhile, we're doing a conversion of a system on 'a' DMZ-ish network. It's a weird setup here: this firewall isn't actually outside, it's between the internal network and several wireless networks. We need everything to stay the same, but to be able to pass traffic from the wireless network to the inside and back again; we also need to pass ssh traffic to another server and back again, for the same project.

If I try to hit the server via http by IP address it works, so I know I'm getting there. If I try to do it by name, no go.

When I looked at the log, it told me that there was no translation group for udp 53, so I added that as well, with no luck.

Here's some of my antiquated config. As you'll see, the traffic doesn't seem to be hitting the conduits at all. Any assistance would be greatly appreciated. Thanks in advance.

static (inside,vlan3) 10.199.66.60 10.195.66.60 netmask 255.255.255.255 0 0
conduit permit tcp 179.254.190.0 255.255.255.0 eq https host 10.199.66.60 (hitcnt=0)
conduit permit tcp host 10.199.66.60 eq https 179.254.190.0 255.255.255.0 (hitcnt=0)
static (inside,vlan3) 10.102.13.10 10.102.13.10 netmask 255.255.255.255 0 0
conduit permit tcp 179.254.190.0 255.255.255.0 eq domain host 10.102.13.10 (hitcnt=0)
conduit permit tcp host 10.102.13.10 eq domain 179.254.190.0 255.255.255.0 (hitcnt=0)
conduit permit udp 179.254.190.0 255.255.255.0 eq domain host 10.102.13.10 (hitcnt=0)
conduit permit udp host 10.102.13.10 eq domain 179.254.190.0 255.255.255.0 (hitcnt=0)

Note:

nameif ethernet0 vlan3 security0
nameif ethernet1 inside security100

Is there a fixup I should be using?

Sign me,

Grasping @ Straws

2 Replies

sachinraja
Level 9

Hello

Why don't you try giving "conduit permit ip any any" and see if all the applications work fine? By this we can eliminate the routing/conduits etc. If this works, then we need to narrow down to the exact port requirements and the conduits to open to access the servers. Basically we need to see what traffic flows and where it reaches.

Hope this helps. Let us know the result.

Raj

I tried that, no dice.

Fortunately, my boss just told me they're going a different direction and I won't have to pass DNS. Thanks for the assistance. =)
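As an added example, not part of this thread, the following Python script models the two checks a PIX 6.x applies to a flow arriving on the lower-security interface (vlan3, security0) and headed for the higher-security one (inside, security100): a static must supply a translation for the destination, and a conduit must then permit the flow. It assumes the standard 6.x conduit syntax, in which the first address/port pair is the global (translated, destination) side and the second is the foreign (source) side, and the standard port keywords (https, domain, ssh). The config lines are the ones quoted in the question with the hit counters stripped; the flows, including the ssh session the question mentions, and the "conduit permit ip any any" test Raj suggested, are constructed inputs. A flow whose destination has no static reports "no translation group", the wording of the log message the poster saw; a flow with a static but no matching conduit reports a deny, which is what a conduit showing hitcnt=0 looks like from the other side.

```python
"""Model of PIX 6.x static + conduit evaluation for inbound (low- to
high-security) flows. Added example; the config lines are the ones quoted in
the question, the flows are constructed test inputs."""
import ipaddress

# Service keywords used in the config, mapped to their IANA ports (assumed mapping).
PORT_NAMES = {"https": 443, "domain": 53, "ssh": 22, "www": 80}

# Constructed sample input: the static/conduit lines from the question, hit counters removed.
SAMPLE_CONFIG = """
static (inside,vlan3) 10.199.66.60 10.195.66.60 netmask 255.255.255.255 0 0
conduit permit tcp 179.254.190.0 255.255.255.0 eq https host 10.199.66.60
conduit permit tcp host 10.199.66.60 eq https 179.254.190.0 255.255.255.0
static (inside,vlan3) 10.102.13.10 10.102.13.10 netmask 255.255.255.255 0 0
conduit permit tcp 179.254.190.0 255.255.255.0 eq domain host 10.102.13.10
conduit permit tcp host 10.102.13.10 eq domain 179.254.190.0 255.255.255.0
conduit permit udp 179.254.190.0 255.255.255.0 eq domain host 10.102.13.10
conduit permit udp host 10.102.13.10 eq domain 179.254.190.0 255.255.255.0
"""


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK', plus an optional 'eq PORT'.
    Returns (network, port or None, index of the next unread token)."""
    if tokens[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tokens[i] == "host":
        net, i = ipaddress.ip_network(tokens[i + 1]), i + 2
    else:
        net, i = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        i += 2
    return net, port, i


def parse_config(text):
    """Split a PIX 6.x config fragment into static and conduit entries.
    Conduit syntax: conduit permit PROTO GLOBAL [eq PORT] FOREIGN [eq PORT],
    where GLOBAL is the translated (destination) side and FOREIGN the source."""
    statics, conduits = [], []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] == ["static"]:
            # static (high_if,low_if) GLOBAL LOCAL netmask MASK max_conns em_limit
            mask = t[5]
            statics.append({
                "global": ipaddress.ip_network(f"{t[2]}/{mask}", strict=False),
                "local": ipaddress.ip_network(f"{t[3]}/{mask}", strict=False),
            })
        elif t[:2] == ["conduit", "permit"]:
            gnet, gport, i = _parse_addr(t, 3)
            fnet, fport, _ = _parse_addr(t, i)
            conduits.append({"proto": t[2], "global": gnet, "gport": gport,
                             "foreign": fnet, "fport": fport, "line": line})
    return statics, conduits


def evaluate(flow, statics, conduits):
    """Decide the fate of one inbound flow. src/sport is the client on vlan3,
    dst/dport the global address it targets. A missing static reproduces the
    'no translation group' log condition; a missing conduit is a deny."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    static = next((s for s in statics if dst in s["global"]), None)
    if static is None:
        return {"result": "no translation group", "translated_dst": None, "conduit": None}
    # Translate the global destination to the matching local address inside the static's range.
    offset = int(dst) - int(static["global"].network_address)
    local = static["local"].network_address + offset
    for c in conduits:  # conduits are checked in order; the first match decides
        if c["proto"] not in ("ip", flow["proto"]):
            continue
        if dst not in c["global"] or src not in c["foreign"]:
            continue
        if c["gport"] not in (None, flow["dport"]) or c["fport"] not in (None, flow["sport"]):
            continue
        return {"result": "permit", "translated_dst": str(local), "conduit": c["line"]}
    return {"result": "denied (no conduit)", "translated_dst": str(local), "conduit": None}


if __name__ == "__main__":
    statics, conduits = parse_config(SAMPLE_CONFIG)
    # Constructed flows: a DNS query, the ssh session from the question, and a host with no static.
    flows = [
        {"src": "179.254.190.25", "dst": "10.102.13.10", "proto": "udp", "sport": 40000, "dport": 53},
        {"src": "179.254.190.25", "dst": "10.199.66.60", "proto": "tcp", "sport": 50000, "dport": 22},
        {"src": "179.254.190.25", "dst": "10.199.66.70", "proto": "tcp", "sport": 50001, "dport": 443},
    ]
    for f in flows:
        print(f"{f['proto']} {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}:", evaluate(f, statics, conduits))
    # Raj's diagnostic: append a blanket conduit and re-check the ssh flow.
    wide_open = conduits + parse_config("conduit permit ip any any")[1]
    print("with 'conduit permit ip any any':", evaluate(flows[1], statics, wide_open))
```

Reading the output against the posted config shows the value of the model: the lines written with the 179.254.190.0 network first are parsed with that network as the global side and therefore never match a flow whose destination is one of the 10.x hosts, while their mirror-image lines do match. The blanket "conduit permit ip any any" permits every flow that has a static, which is why it isolates conduit problems from translation problems, and why the result is only a diagnostic, never a configuration to leave in place.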
