02-20-2009 11:44 PM - edited 03-11-2019 07:54 AM
Hello all,
I'm learning how to configure a PIX 501. The boss said, "You can do this, right?" "I guess," I said, and he said, "Good, please make it work."
Well I found an example:
that has most of what I need but I can only get small things to work.
Currently I have two hosts on the inside network, a Linux workstation at IP 1.220 and a Linux web server at 1.4.
I have a Windows PC which I can use to test the connections on the inside network or the outside.
When the PC is on the inside at 1.66, I can get to the web server. I see in the server logs the request from the PC and the responses from the server and I see the page on my browser.
When I move the PC to the outside network at 10.2.1.201, I see the PIX NAT the destination address of the web server from 10.1.1.3 to 192.168.1.4 as expected, but the web server never gets the request.
I can ping the router at 10.1.1.1 and the PIX at 10.1.1.2 from the outside but no farther inside.
The only change I have made to the example was to enable all the ICMP traffic and change the telnet host to 1.220:
pixfirewall(config)# sho icmp
icmp permit any outside
icmp permit any inside
pixfirewall(config)# sho telnet
192.168.1.254 255.255.255.255 inside
192.168.1.220 255.255.255.255 inside
From the PIX logs:
Feb 20 10:01:25 192.168.1.1 %PIX-6-302013: Built inbound TCP connection 11 for outside:10.2.1.201/3897 (10.2.1.201/3897) to inside:192.168.1.4/80 (10.1.1.3/80)
Feb 20 10:03:26 192.168.1.1 %PIX-6-302014: Teardown TCP connection 11 for outside:10.2.1.201/3897 to inside:192.168.1.4/80 duration 0:02:01 bytes 0 SYN Timeout
So I have three questions:
1. Is anyone aware of a bug or typo in the example I used above?
2. Can someone direct me to a manual on how to configure the logging to show what is happening to my packets? NATs, routes used etc.
3. How can I turn my PIX into an expensive router, i.e. turn off all firewall stuff and let everything through from inside to outside and back?
Thanks in advance for any help,
Brian
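Question 2 in the post above asks how to read what the PIX logs say about a packet. The 302013/302014 pair already quoted carries most of the answer: the "Built" line shows the real and mapped address on each side (so you can see the translation the PIX applied), and the "Teardown" line carries the byte count and the reason. The script below is an added example, not code from the thread or from Cisco; it parses those two message types, pairs them by connection ID, and classifies each connection. The first two log lines are the ones quoted in the post; the second pair is constructed here to show what a completed connection looks like by contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The first two lines are the 302013/302014 pair quoted in the post above; the
# second pair is constructed for this example to show a completed connection.
PIX_LOG = """\
Feb 20 10:01:25 192.168.1.1 %PIX-6-302013: Built inbound TCP connection 11 for outside:10.2.1.201/3897 (10.2.1.201/3897) to inside:192.168.1.4/80 (10.1.1.3/80)
Feb 20 10:03:26 192.168.1.1 %PIX-6-302014: Teardown TCP connection 11 for outside:10.2.1.201/3897 to inside:192.168.1.4/80 duration 0:02:01 bytes 0 SYN Timeout
Feb 20 10:05:00 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 12 for outside:10.2.1.201/80 (10.2.1.201/80) to inside:192.168.1.220/40001 (10.1.1.254/40001)
Feb 20 10:05:03 192.168.1.1 %PIX-6-302014: Teardown TCP connection 12 for outside:10.2.1.201/80 to inside:192.168.1.220/40001 duration 0:00:03 bytes 5120 TCP FINs
"""

# 302013: Built <dir> TCP connection <id> for <ifc>:<real>/<port> (<mapped>/<port>)
#         to <ifc>:<real>/<port> (<mapped>/<port>)
BUILT = re.compile(
    r"%PIX-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<a_ifc>\w+):(?P<a_real>[\d.]+)/(?P<a_port>\d+) \((?P<a_map>[\d.]+)/\d+\) "
    r"to (?P<b_ifc>\w+):(?P<b_real>[\d.]+)/(?P<b_port>\d+) \((?P<b_map>[\d.]+)/\d+\)"
)
# 302014: Teardown TCP connection <id> for ... duration h:mm:ss bytes <n> [<reason>]
TEARDOWN = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<id>\d+) for .*? "
    r"duration (?P<dur>\d+:\d+:\d+) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$"
)


@dataclass
class Conn:
    conn_id: int
    direction: str
    src: str          # "ifc:real_ip/port" of the initiator
    dst_real: str     # address the PIX forwards to after translation
    dst_mapped: str   # address the initiator actually sent the SYN to
    duration: str = ""
    byte_count: Optional[int] = None
    reason: str = ""

    def translated(self) -> bool:
        """True when a static/global translation was applied to the destination."""
        return self.dst_real != self.dst_mapped

    def verdict(self) -> str:
        if self.byte_count is None:
            return "open"
        # The connection only exists because the SYN passed the ACL and was
        # translated; a SYN Timeout with 0 bytes means no SYN-ACK ever came back,
        # so the failure is beyond the PIX (inside segment or return path).
        if self.byte_count == 0 and "SYN Timeout" in self.reason:
            return "no-handshake"
        return "completed"


def parse_pix_log(text: str) -> Dict[int, Conn]:
    conns: Dict[int, Conn] = {}
    for line in text.splitlines():
        m = BUILT.search(line)
        if m:
            cid = int(m["id"])
            conns[cid] = Conn(
                cid, m["dir"],
                f"{m['a_ifc']}:{m['a_real']}/{m['a_port']}",
                f"{m['b_ifc']}:{m['b_real']}/{m['b_port']}",
                f"{m['b_ifc']}:{m['b_map']}/{m['b_port']}",
            )
            continue
        m = TEARDOWN.search(line)
        if m and int(m["id"]) in conns:
            c = conns[int(m["id"])]
            c.duration = m["dur"]
            c.byte_count = int(m["bytes"])
            c.reason = (m["reason"] or "").strip()
    return conns


def summarize(conns: Dict[int, Conn]) -> List[str]:
    out = []
    for c in sorted(conns.values(), key=lambda c: c.conn_id):
        nat = f"{c.dst_mapped} -> {c.dst_real}" if c.translated() else c.dst_real
        out.append(f"conn {c.conn_id} {c.direction} {c.src} -> {nat}: "
                   f"{c.verdict()} ({c.byte_count} bytes, {c.reason or 'still open'})")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(parse_pix_log(PIX_LOG))))
```

For connection 11 the script reports the translation `inside:10.1.1.3/80 -> inside:192.168.1.4/80` and the verdict `no-handshake`: the PIX accepted the SYN and created the connection, then waited out the embryonic timeout without seeing a SYN-ACK. At that point the PIX log has said all it can; the next place to look is the web server itself (whether the SYN arrives on its interface, and whether its default route for 10.x traffic points back at 192.168.1.1).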
02-21-2009 06:07 PM
So what you are trying to do is have this web server reachable from the outside? If this is the case, you need static translations and access lists. Can you post your PIX configuration here?
02-22-2009 01:57 PM
That is correct.
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 10.1.1.3 eq www
access-list 100 permit tcp any host 10.1.1.4 eq smtp
access-list 100 permit tcp any host 10.1.1.5 eq ftp
logging on
logging standby
logging monitor debugging
logging trap debugging
logging host inside 192.168.1.220
icmp permit any outside
icmp permit any inside
ip address outside 10.1.1.2 255.0.0.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 10.1.1.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.1.1.3 192.168.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.4 192.168.1.15 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.5 192.168.1.10 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
Thanks for your help.
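A static translation and the ACL that admits traffic to it have to agree with each other and with the interface addressing, and the argument order of `static` is the usual place where they stop agreeing. The checker below is an added example, not code from the thread or from Cisco. It encodes the PIX 6.x convention used throughout this thread: `static (inside,outside) <mapped_ip> <real_ip>` lists the outside-facing address first, and an access list applied inbound on the outside interface names the mapped address, not the real one (PIX 6.x and ASA before 8.3 evaluate ACLs against mapped addresses). It reads the interface subnets, statics, ACL entries and `access-group` bindings from the posted configuration and reports anything that does not line up. The first configuration is the excerpt posted above; the second is constructed for this example with one static reversed and an ACL entry naming the real address, to show what a mismatch looks like.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Excerpt of the configuration posted above (PIX 6.x syntax).
POSTED_CONFIG = """\
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any host 10.1.1.3 eq www
access-list 100 permit tcp any host 10.1.1.4 eq smtp
access-list 100 permit tcp any host 10.1.1.5 eq ftp
ip address outside 10.1.1.2 255.0.0.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 10.1.1.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.1.1.3 192.168.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.4 192.168.1.15 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.5 192.168.1.10 netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""

# Constructed counter-example (not from the thread): the static has its two
# addresses reversed, and the ACL names the real address instead of the mapped one.
SWAPPED_CONFIG = """\
access-list 100 permit tcp any host 10.1.1.3 eq www
ip address outside 10.1.1.2 255.0.0.0
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) 192.168.1.4 10.1.1.3 netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""

IP_ADDR = re.compile(r"^ip address (\S+) (\S+) (\S+)")
STATIC = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ACL_HOST = re.compile(r"^access-list (\S+) permit (?:tcp|udp) \S+ host (\S+) eq (\S+)")
ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")


def check_static_nat(config: str) -> List[str]:
    """Return a list of findings; an empty list means statics, ACL and subnets agree."""
    ifaces: Dict[str, ipaddress.IPv4Network] = {}
    statics: List[Tuple[str, str, str, str]] = []   # (real_ifc, mapped_ifc, mapped_ip, real_ip)
    acl_dsts: Dict[str, List[Tuple[str, str]]] = {}  # acl name -> [(dst_ip, port)]
    bound: Dict[str, str] = {}                       # interface -> acl applied inbound
    for raw in config.splitlines():
        line = raw.strip()
        if m := IP_ADDR.match(line):
            ifaces[m[1]] = ipaddress.IPv4Network(f"{m[2]}/{m[3]}", strict=False)
        elif m := STATIC.match(line):
            statics.append((m[1], m[2], m[3], m[4]))
        elif m := ACL_HOST.match(line):
            acl_dsts.setdefault(m[1], []).append((m[2], m[3]))
        elif m := ACCESS_GROUP.match(line):
            bound[m[2]] = m[1]

    findings: List[str] = []
    mapped_on: Dict[str, Set[str]] = {}
    for real_ifc, mapped_ifc, mapped_ip, real_ip in statics:
        mapped_on.setdefault(mapped_ifc, set()).add(mapped_ip)
        # The mapped address is the one the PIX answers for on the mapped interface,
        # so it belongs in that interface's subnet; the real host sits behind real_ifc.
        if ipaddress.IPv4Address(mapped_ip) not in ifaces[mapped_ifc]:
            findings.append(f"static {mapped_ip} -> {real_ip}: mapped address is not in "
                            f"the {mapped_ifc} subnet {ifaces[mapped_ifc]} (arguments swapped?)")
        if ipaddress.IPv4Address(real_ip) not in ifaces[real_ifc]:
            findings.append(f"static {mapped_ip} -> {real_ip}: real address is not in "
                            f"the {real_ifc} subnet {ifaces[real_ifc]} (arguments swapped?)")

    real_addrs = {real_ip for _, _, _, real_ip in statics}
    for ifc, acl in bound.items():
        for dst, port in acl_dsts.get(acl, []):
            if dst in mapped_on.get(ifc, set()):
                continue  # ACL names the mapped address of a static on this interface: correct
            if dst in real_addrs:
                findings.append(f"access-list {acl} on {ifc}: host {dst} eq {port} names the real "
                                f"address; on PIX 6.x the ACL must name the mapped address")
            else:
                findings.append(f"access-list {acl} on {ifc}: host {dst} eq {port} has no "
                                f"matching static on {ifc}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("swapped", SWAPPED_CONFIG)):
        print(f"{name}: {check_static_nat(cfg) or 'no findings'}")
```

Run against the posted excerpt the checker reports nothing: each mapped address sits in the outside subnet, each real address in the inside subnet, and every `host` entry in access-list 100 is the mapped address of a static on the interface the list is bound to, which matches the "Built inbound TCP connection" line in the first post. The check does not look at the outside mask itself; note that 255.0.0.0 on the outside interface makes the PIX treat all of 10.0.0.0/8, including the test host at 10.2.1.201, as directly attached to the outside segment rather than reached through the router at 10.1.1.1.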
02-23-2009 08:32 AM
If the 10.1.1.X is the internal range, then you got these wrong:
static (inside,outside) 10.1.1.3 192.168.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.4 192.168.1.15 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.5 192.168.1.10 netmask 255.255.255.255 0 0
They should be
static (inside,outside) 192.168.1.4 10.1.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.1.15 10.1.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.1.10 10.1.1.5 netmask 255.255.255.255 0 0
And your ACL statements are wrong too:
access-list 100 permit tcp any host 192.168.1.4 eq www
access-list 100 permit tcp any host 192.168.1.15 eq smtp
access-list 100 permit tcp any host 192.168.1.10 eq ftp
That is how they should look.