PIX 501 problems

admin_2 · ‎03-04-2004

Trying to install a 501 on a small business network that is hosted by another company. They currently have it set up with 172.17.xxx.xxx for their internal LAN and have it routed(?) to be 216.201.xxx.xxx on the outside.

I set the inside address to the LAN gateway and the outside interface to the public router IP? correct?

gopal_voip · ‎03-04-2004

randy

the inside IP shall be the LAN PCs gateway and if u have a router after the outside interface , the interface ip of the router connecting to your outside interface will be your Next Hop address, for static routing.

Shukky

Report Inappropriate Content · ‎03-04-2004

How do I add the DNS servers to the equation. it looks like it either cannot find them or cannot get them through the firewall ??

patrick.cannon · ‎03-04-2004

access-list acl_inside permit udp any any eq 53

where acl_inside is the access list on the LAN side of the pix.

Report Inappropriate Content · ‎03-04-2004

Well, i am TOTALLY clueless now. Nothing is working right, so I must be doing something terribly wrong.

I DO NOT have access to the router configurations upstream of me, or of the router within our LAN, all I have is a sheet of paper with this info.....

Local Area Network IP 172.17.2.0 255.255.255.0

Ethernet/Gatway IP 172.17.2.1

Usable IP range 172.17.2.2-172.17.2.254

PUBLIC ip addresses

Network IP 216.201.xxx.32 255.255.255.248

Router Public IP 216.201.xxx.33

Usable IPs 216.201.xxx.34-38

Domain Name Servers

66.196.216.10

66.196.212.10

Here is my PIX setup...what have I done wrong ?

PIX Version 6.3(1)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname pixfirewall

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list acl permit udp any any eq domain

access-list acl permit tcp any any

access-list acl permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 216.201.xxx.33 255.255.255.248

ip address inside 172.17.2.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 216.201.xxx.34-216.201.xxx.38 netmask 255.255.255.248

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl in interface inside

conduit permit tcp any any

conduit permit icmp any any

conduit permit ip any any

conduit permit icmp any any echo-reply

route outside 0.0.0.0 0.0.0.0 216.201.xxx.33 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 172.17.0.0 255.255.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd dns 66.196.216.10

terminal width 80

cgregg · ‎03-04-2004

I see 1 major problem. The PIX outside interface is 216.201.xxx.33 and you have a default route of "route outside 0.0.0.0 0.0.0.0 216.201.xxx.33 1". This will not work because it is the same interface of the PIX. The default route should point to the device connected on the other end of the outside interface of the PIX, for example the router.

route outside 0.0.0.0 0.0.0.0 216.201.xxx.32 1 should be the PIX's default route to its next hop.

You don't need the dhcpd dns 66.196.216.10

And these statements are basically opening up this firewall:

access-list acl permit udp any any eq domain

access-list acl permit tcp any any

access-list acl permit ip any any

access-group acl in interface inside

This is allowed as soon as you apply the basic commands.. NAT, GLOBAL etc...

conduit permit tcp any any

conduit permit ip any any

These are opening up the pix to the world.

The default configuration of the PIX firewall is NOTHING IN AND NOTHING OUT. You allow inside connections thru the PIX with the NAT, GLOBAL, IP Adderss, Interface Auto etc... But the permit statements you have is allowing all IP all TCP traffic from the outside to the inside networks.

let me know if this helps. I'll watch for your reply.

Curt

Report Inappropriate Content · ‎03-09-2004

Should the PIX's outside interface be THE SAME AS the router ip which the PIX is connected to ????

jmia · ‎03-09-2004

Hi Randy,

Please check the attached document. I have setup the config with your provided IP addresses.

Hope this sorts out your problem, I also included on the config SMTP mail access as well, thats if you require it.

Let me know how you get on -

Regards - Jay.

Report Inappropriate Content · ‎03-09-2004

Thank you, I am trying it now

Report Inappropriate Content · ‎03-09-2004

We got it working! Thanks. We also had to have the ISP provider remove NAT from the router.

jmia · ‎03-10-2004

Hi Randy,

I am glad that it worked, can you please rate the post, as this will help others who may be experiencing the same problem.

Thanks - Jay.