pix 501 config for small business 1 internal network - UK

You'd think it was easy to configure such a small company - well not so it seems!

Please can you help with this, the scenario is as follows:

internal ip address allocation:

192.168.1.1 - internal pix

192.168.1.2 - file server (2k domain)

192.168.1.3 - exchange server 2k - SMTP

192.168.1.3 - Outlook web access

192.168.1.7 - ftp server (allow incoming connections)

External address range:

80.168.XXX.16 - 22

16 - unallocated

17 - BT ADSL Router

18 - PIX external Wan

19 - SMTP

20 - OWA

21 - FTP

I thought I had to pat or nat whatever the term is - all the different ip addresses to point to the internal servers.

I need a stealthy firewall configuration, but need HTTP/HTTPS - web browsing and incoming OWA, SMTP Mail from ISP, FTP both directions for downloading and for external connecting into our ftp, and VPN connections by a group of external users, they need to connect to an internal workstation running PC Anywhere client software - waiting for connection/listening, it has a static IP address, I need to know the command line and I will complete the static ip address later, i can't remember what it is at the moment.

we just need to access the outside world normally and prevent any unwanted traffic or snoopers in.

Here is the current config and I can't get the internet at the moment neither am I getting a response from smtp ip address 19, from within the pix or from external, however I am getting ping internal and external for pix for 17 - adsl router and 18 pix external wan, i can also ping from internal pix to internal lan and internal lan interface for pix. I can't ping outbound from in the lan and can't get the internet.

If you can help, please just list the no statements then the add statements, exactly as I need to type them in configuration mode.

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxx encrypted

passwd xxxxxxx encrypted

hostname PIX

domain-name xxxxx.co.uk

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list outsidein permit tcp any host 80.168.xxx.19 eq smtp

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.11.0 255.255.255.0

access-list outside permit tcp any host 80.168.xxx.21 eq ftp

access-list insideout permit ip 192.168.1.0 255.255.255.0 any

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside 80.168.xxx.18 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnpool 10.10.11.1-10.10.11.20

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 80.168.xxx.22 netmask 255.255.255.248

nat (inside) 0 access-list nonat

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 80.168.xxx.19 192.168.1.3 netmask 255.255.255.255 0 0

static (inside,outside) 80.168.xxx.21 192.168.1.7 netmask 255.255.255.255 0 0

access-group outsidein in interface outside

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 80.168.xxx.17 1

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.1.2 255.255.255.254 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set vianat esp-des esp-md5-hmac

crypto dynamic-map LANvpn 1 set transform-set vianat

crypto map dyn-map 20 ipsec-isakmp dynamic LANvpn

crypto map dyn-map client configuration address initiate

crypto map dyn-map client configuration address respond

crypto map dyn-map interface outside

isakmp enable outside

isakmp enable inside

isakmp client configuration address-pool local vpnpool outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 1000

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup LANvpn address-pool vpnpool

vpngroup LANvpn dns-server 192.168.1.2

vpngroup LANvpn wins-server 192.168.1.2

vpngroup LANvpn default-domain xxxxx.co.uk

vpngroup LANvpn idle-time 1800

vpngroup LANvpn password ********

telnet 192.168.1.2 255.255.255.254 inside

telnet timeout 5

ssh timeout 5

dhcpd address 192.168.1.2-192.168.1.129 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:370a92bcea68cbb6a8e7266b842075c6

: end

tyagi.v
Beginner

Hi,

Firstly, you should either use conduit or access-list.

You have not applied this access-list anywhere: access-list outside permit tcp any host 80.168.xxx.21 eq ftp

Make all the access-list entries with the same name, which you then have to apply on the outside interface.

Also try this configuration:--

access-list outsidein permit tcp any host 80.168.xxx.19 eq smtp

access-list outsidein permit icmp any any

access-list outsidein permit tcp any host 80.168.xxx.21 eq ftp

Why are you using this (big security hole): access-list insideout permit ip 192.168.1.0 255.255.255.0 any

ip address outside 80.168.xxx.18 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

global (outside) 1 80.168.xxx.22

no nat (inside) 1 192.168.1.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 80.168.xxx.19 192.168.1.3 netmask 255.255.255.255 0 0

static (inside,outside) 80.168.xxx.21 192.168.1.7 netmask 255.255.255.255 0 0

access-group outsidein in interface outside

no conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 80.168.xxx.17 1

Also, if you are having problems with VPN then remove all the VPN configuration & configure VPN through PDM.

If it doesn't work then for the time being add the access-list:-

access-list outsidein permit ip any any (only for the time being, to check if some ports are blocking for a particular application & after testing remove this access-list)

Thanks

Vijay

Hiah Vijay

I am studying CCNA and got out of my depth with Pix config, but am capable of typing in the stuff and connect it all up.

I got a so called Pix specialist in who was useless, so am tackling this on my own.

I had a list of things to do - two were rejected with errors:

access-list and static for ftp and owa; one would not add because the no 3 server is used for smtp, and I can't remember now why the ftp would not add as I left the paperwork in the office. Shall let you know later on that one.

I'll give all that above a go, it is starting to make sense now.

Can you tell me the no commands to remove all the occurrences of the old vpn and the new lump of commands for the new vpn.

thanks very much, you are a brilliant person helping me

HI,

To remove VPN configuration copy & paste this:--

no access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.11.0 255.255.255.0

no ip local pool vpnpool 10.10.11.1-10.10.11.20

no nat (inside) 0 access-list nonat

no sysopt connection permit-ipsec

no sysopt route dnat

no crypto ipsec transform-set vianat esp-des esp-md5-hmac

no crypto dynamic-map LANvpn 1 set transform-set vianat

no crypto map dyn-map

no isakmp enable outside

no isakmp enable inside

no isakmp client configuration address-pool local vpnpool outside

no isakmp policy 10

no isakmp policy 20

no vpngroup LANvpn

If anything is left, remove it manually.

Thanks

Vijay

Hiah

That is lovely information. Can you tell me what the lines are to add vpn for pdm style access?

thanks so much

Julie-Ellen

hiah

just another thought...

What is the line to add OWA for external IP 20 to internal server IP 3? If I try to add a line pointing to server IP 3 it gives an error, saying it already has an entry to this server, which is the SMTP external IP 19 to internal server IP 3. Can the SMTP line from 19 external IP to internal server IP 3 be edited in any way to have multifunction capabilities, or is there another way?

Also, on the first reply you gave me a global outside line. I already had one on the original with the subnet mask; are you suggesting I remove the line I have with subnet mask and include yours without the subnet mask, i.e. see below:

no global (outside) 1 80.168.157.22 netmask 255.255.255.248

global (outside) 1 80.168.157.22

I am having a go at this config after work tonight - in 7 hours time - UK..

thanks again

Julie-Ellen

HI,

For PDM type these commands:--

Suppose you are accessing PDM from machine ip address 192.168.1.100 255.255.255.0

pdm location 192.168.1.100 255.255.255.255 inside

http server enable

http 192.168.1.100 255.255.255.255 inside

Then in the web browser type:--

https://192.168.1.1 (PIX INSIDE INTERFACE ADDRESS)

When the username & password window opens: MENTION ONLY THE PIX ENABLE PASSWORD IN THE PASSWORD FIELD & THE USER NAME WILL BE BLANK.

By the way, can't you change the IP address of the machine which is using OWA?

Thanks

Vijay

Hiah

The machine with OWA is the same as the Exchange server; it has IIS running on it for the OWA HTTP interface. We are only a small company with 3 servers.

I am trying to understand how the pdm line you show as an example works.

pdm location 192.168.1.100 255.255.255.255 inside - do you mean that internally there is a machine with that address going outbound? I need to enable a group of people access to one machine from externally to internally running PC Anywhere (it is in listening mode internally); let's say the address is 192.168.1.50 for argument's sake.

By the way, my web admin does not work, neither if I set it up for the device manager wizard. For web admin it gives me page not found (probably because it is not up and running, but how could you configure it if not able to get in there in the first place), and for device manager I followed the instructions in the book, wired it up exactly with crossover cables etc., set DHCP on the machine I connected it to and it just hangs.

I have not even looked at the VPN client software - I hope it is straightforward and obvious what the configuration is. How do I have a pre-shared password or key with PDM? Are you saying I set that up in the web admin by leaving username blank and then just having a password? It would be so much easier if I had seen the configuration page in advance, then I would know what you are trying to get me to do.

thanks

d-garnett
Participant

All you need to do is use port redirection

instead of

static (inside,outside) 80.168.xxx.19 192.168.1.3 netmask 255.255.255.255 0 0

static (inside,outside) 80.168.xxx.21 192.168.1.7 netmask 255.255.255.255 0 0

use..........

static (inside,outside) tcp 80.168.xxx.19 25 192.168.1.3 25 netmask 255.255.255.255 0 0

static (inside,outside) tcp 80.168.xxx.21 21 192.168.1.7 21 netmask 255.255.255.255 0 0

static (inside,outside) tcp 80.168.xxx.21 20 192.168.1.7 20 netmask 255.255.255.255 0 0

when you know the IP's and ports, do the same thing for OWA and PCAnywhere

access-list outsidein permit tcp any host 80.168.xxx.19 eq smtp

access-list outsidein permit tcp any host 80.168.xxx.21 eq ftp

access-list outsidein permit tcp any host 80.168.xxx.21 eq ftp-data

do the same thing for OWA and PCAnywhere

and for the time being for pinging....(this may be a little off but...)

icmp permit any any echo

icmp permit any any echo-reply

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

the story so far is:

pinging these gets the following results

internal network - ok

internal pix interface - ok

80.168.XXX.17 - Router ok

80.168.XXX.18 - Pix external ok

80.168.XXX.19 - SMTP *NO*

80.168.XXX.20 - OWA *NO*

80.168.XXX.21 - FTP *NO*

80.168.XXX.22 - Global *NO*

I can ping external dns server on the internet 212.42.162.2 - YES OK

Can't browse the internet - changed the network card gateway to internal pix ip, also changed the lan settings in internet explorer options to internal pix interface on port 80.

I wondered if I am supposed to insert some kind of record/ptr or similar on my internal DNS server (Active Directory integrated W2K Domain), if I do have to insert something on DNS, can somebody please hold my hand on this because I don't know anything about DNS records...

is there supposed to be a fixup protocol https 443?

Anyway here is the latest config - what else can I do to make it work - I have not included VPN for the time being - let's just get the normal firewall services working first.

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password XXXXXXXXXXXX encrypted

passwd XXXXXXXXXXXX encrypted

hostname PIX

domain-name XXXXXXXX.co.uk

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 101 permit icmp any any

access-list 101 permit tcp any host 80.168.XXX.18 eq www

access-list 101 permit tcp any host 80.168.XXX.18 eq https

access-list 101 permit tcp any host 80.168.XXX.19 eq smtp

access-list 101 permit tcp any host 80.168.XXX.20 eq www

access-list 101 permit tcp any host 80.168.XXX.21 eq ftp

access-list 101 permit tcp any host 80.168.XXX.21 eq ftp-data

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside 80.168.XXX.18 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnpool 10.10.11.1-10.10.11.20

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 80.168.XXX.22 netmask 255.255.255.248

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 80.168.XXX.19 smtp 192.168.1.3 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 80.168.XXX.20 www 192.168.1.3 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 80.168.XXX.21 ftp 192.168.1.7 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp 80.168.XXX.21 ftp-data 192.168.1.7 ftp-data netmask 255.255.255.255 0 0

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 80.168.XXX.17 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.2 255.255.255.254 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet 192.168.1.2 255.255.255.254 inside

telnet timeout 5

ssh timeout 5

dhcpd address 192.168.1.2-192.168.1.129 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:637073ce656a2c18cfded72fa8327306

: end

thanks all those who can help me - I am posting again on the Pix forum also, because this really belongs on there and it got moved to vpn, also some it might not get looked at here....

Hi Julie

Your config looks around about right - although things are a heck of a lot easier if you can get the HTTPS GUI working.

In terms of browsing the Internet, your machines on the internal LAN will need a default gateway of the PIX inside interface (192.168.1.1). Do NOT configure the PIX as a proxy in IE (LAN Settings -> Proxy) - this will NOT Work.

For DNS, you can either configure your Win2K Server to resolve external names through 212.42.162.2 - done in the Win2K DNS Setup, or for testing purposes, simply change the DNS configuration on a PC (Ethernet card properties, TCP/IP Config, DNS Server entry -> Change to 212.42.162.2). Test a PC like this first, get it working and then look at modifying your Win2K server. I'll do some digging and see if I can remember how to do this (I did it once and got it working so it can't be THAT hard!)

Once you've changed the DNS entry on the PC, type in "nslookup" from a DOS command prompt. You should get something like this:

c:\>nslookup

Default Server: ns1.fast.net.uk

Address: 212.42.162.2

>

This means it's resolving names. Now try browsing the web - and with a bit of luck it will all work.

For access to your web servers etc, your default gateway on all machines needs to be set to 192.168.1.1. Your NAT and access lists look about right - although it is getting a little late and I've been on the road all day, so I'll take another look tomorrow morning.

One more thing from looking through your config - your DHCP scope seems to be serving out IP addresses that overlap with your static server IP addresses. Not good - it will slow down the time taken to receive addresses for your internal PCs.

I'm based in the UK myself and am in the office tomorrow. Drop me a line at barry@nettitude.co.uk if you'd like any help with this. If we can get the web browser interface to the PIX working (called PDM) you'll find this a *whole* bunch easier. It may just be that you're missing the PDM image from the PIX. If you do a "Show ver" you should see something like the following as the first couple of lines.

Cisco PIX Firewall Version 6.2(2)

Cisco PIX Device Manager Version 3.0(1)

If you don't see the second line (Cisco PIX Device Manager) then you'll need to load it - takes about 5 mins with the image and a TFTP server.

Best of Luck.

Barry

Barry Hesk

Networking Consultant

Nettitude Limited

FIRST OFF,

test see if you can telnet into any Internet Web server on port 80 from an internal pc.

(for ex. 66.170.168.165)

C:\>telnet 66.170.168.165 80

-if the screen turns black, the PIX is fine (performing the NAT translations) and your DNS is bad

-if you get a 'Cannot connect' error msg, then it's probably your PIX. (Did you apply for a business DSL account? Does your ISP do filtering?)

type in some garbage characters and hit ENTER

if a bunch of stuff flies across your screen then you are good. it is just your DNS that is screwed up

type in..........

C:\> netstat -p tcp -n

TCP 10.1.1.102:3153 66.170.168.165:80 ESTABLISHED

TCP 10.1.1.102:3154 66.170.168.165:80 ESTABLISHED

if yours say established, then your PIX is fine. the translations are taking place. great! proceed.

IF SO.............

set up your DNS server to use the ISP's DNS server 212.42.162.2 as a forwarder

therefore when clients wish to browse the internet they.......

1. hit the internal dns server first to look for, say........www.google.com

2. the Win2K box doesn't know about the google zone so it forwards it to 212.42.162.2.

3. 212.42.162.2 resolves the query for www.google.com and returns it to your internal Win2K DNS server, which sends that IP to the internal web client.

4. the internal web client will connect to the web server at port 80.
