12-18-2001 12:17 AM - edited 02-20-2020 09:56 PM
Hi,
I have a small problem with the PIX firewall, and it is a small one. I just want to see if I can get your grey cells to work along with mine to resolve this small issue.
I have a Windows 2000 server which is also an Oracle server for one of our clients. The live IP address of the server is 194.219.44.195, mapped to the static internal address 192.168.0.3. This is for SQL access from the outside.
What happens is, if I am using the internet connection from, say, my home or anywhere else outside, and I click on Start > Run and then type //194.219.44.195 in the Open box and click Open, after some time it comes back with "No Network Connection found". This is the same with Windows 95, Windows 98 or Windows NT Workstation.
If I try the same from another Windows 2000 Professional or Windows 2000 Server which has an internet connection, then surprisingly the shared folders of the server open up!!!! Amazingly the server is just open.
Could you please let me know of any such issues with Windows 2000, what is to be done on the server side, what ports are to be blocked, or anything that will resolve this issue with my client, or he will have me for lunch this weekend :).
Thanx
Tauseef
config:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 194.219.44.196 255.255.255.192
ip address inside 192.168.0.1 255.255.255.0
arp timeout 14400
mtu outside 1500
mtu inside 1500
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 194.219.44.200-194.219.44.205
global (outside) 1 194.219.44.206
logging on
logging timestamp
no logging standby
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
no logging history
logging facility 23
logging queue 512
access-list acl_in permit icmp any any
access-list acl_in permit tcp any any eq www
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 194.219.44.194 eq smtp
access-list acl_out permit tcp any host 194.219.44.194 eq pop3
access-list acl_out permit tcp any host 194.219.44.194 eq domain
access-list acl_out permit tcp any host 194.219.44.195 eq sqlnet
route outside 0 0 194.219.44.193 1
static (inside, outside) 194.219.44.194 192.168.0.2 netmask 255.255.255.255 0 0
static (inside, outside) 194.219.44.195 192.168.0.3 netmask 255.255.255.255 0 0
access-group acl_in interface inside
access-group acl_out in interface outside
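As an added illustration (not part of the original thread), the small script below evaluates the acl_out entries from the posted config against a few constructed test flows, using PIX semantics (first match wins, implicit deny at the end, netmask rather than wildcard after a network address). The flows it checks are the file-sharing ports that Windows clients use (TCP 139 for NetBIOS session, TCP 445 for direct-hosted SMB on Windows 2000) and the sqlnet port, all aimed at the static for 194.219.44.195. The outside source address 203.0.113.10 is a constructed example value.

```python
"""Evaluate PIX-style access-list lines against sample flows.

Added example for this thread: ACL_OUT is copied from the posted config;
the test flows and the source address are constructed for illustration.
"""
import ipaddress

# Port names as PIX resolves them in 'eq <name>' clauses.
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "domain": 53,
              "sqlnet": 1521, "netbios-ssn": 139}

ACL_OUT = """
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 194.219.44.194 eq smtp
access-list acl_out permit tcp any host 194.219.44.194 eq pop3
access-list acl_out permit tcp any host 194.219.44.194 eq domain
access-list acl_out permit tcp any host 194.219.44.195 eq sqlnet
"""


def parse_address(tokens):
    """Consume one address spec ('any', 'host X' or 'X MASK') and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX access-lists take a normal netmask here, which ipaddress accepts directly.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl(text):
    """Turn 'access-list NAME ACTION PROTO SRC DST [eq PORT]' lines into a list of entry dicts."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list":
            continue
        name, action, proto = parts[1], parts[2], parts[3]
        src, rest = parse_address(parts[4:])
        dst, rest = parse_address(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1])
            if dport is None:
                dport = int(rest[1])
        entries.append({"name": name, "action": action, "proto": proto,
                        "src": src, "dst": dst, "dport": dport})
    return entries


def evaluate(entries, proto, src, dst, dport=None):
    """Return True if the first matching entry permits the flow; no match means implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] not in (proto, "ip"):
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"] == "permit"
    return False


def audit_host(entries, dst, ports, src="203.0.113.10"):
    """Map each TCP port to whether an outside host (constructed address) may reach dst on it."""
    return {p: evaluate(entries, "tcp", src, dst, p) for p in ports}


if __name__ == "__main__":
    acl = parse_acl(ACL_OUT)
    # 139 = NetBIOS session (Win9x/NT), 445 = direct SMB (Windows 2000), 1521 = sqlnet
    for port, allowed in audit_host(acl, "194.219.44.195", [139, 445, 1521]).items():
        print(f"tcp/{port} to 194.219.44.195: {'permit' if allowed else 'deny'}")
```

Run as written, the script reports that the posted acl_out permits only tcp/1521 (and ICMP) to 194.219.44.195 and denies 139 and 445. If shares are nevertheless reachable from outside, the running configuration on the box differs from what was posted, so the first check is to compare the actual `show running-config` output against this list rather than the pasted copy.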
12-18-2001 07:37 AM
I don't know a lot about how Win2k tries to access shared drives; Win95 etc. use UDP ports, e.g. 138, 139 NetBIOS etc. Try taking out the
access-list acl_in permit tcp any any eq www
command. That should only allow an outside host to ping the inside host. Nothing else should be allowed in.
Also, I don't know if it is grammatical or just an error, but your access-group statement is wrong: it should have an "in" statement. Otherwise it won't be applied to the interface. (I think)
Hope it helps
12-18-2001 08:30 PM
Thanx candy,
but the "in" was just missing in the config I put up; it is implemented in the real scenario. Well, the access-list acl_in permit tcp any any eq www was essential to allow the internal LAN computers to browse any web site outside using only port 80; well, that is essential for the LAN computers to be able to browse the internet, right....
Well, I'm still on the run for this solution, but I am sure I will get it and will post it when I get the right fix. Till then take care, and have a nice time.
Bye
tauseef
12-20-2001 12:58 PM
You shouldn't allow your internal servers to initiate a www session with anything on the outside. Change your access list to only allow clients to initiate http traffic.