07-15-2008 04:41 AM - edited 03-12-2019 05:57 PM
I'm at work configuring a Cisco PIX 506E, and I have a problem.
The outside interface can't reach the router which brings the local net to the internet. For now I don't want anything but to reach the internet and do some port forwarding for some local servers. I don't care about any other aspect of the PIX as a firewall because it's a spare and we want it only to replace an old router. Then we want to do IPSEC tunneling, but that's another story. For now I only want the PIX to do the same function as the old router. It could be interesting to erase everything and start from scratch . . . this is my configuration data on the old router:
ROUTER IP ADDRESS: 192.169.7.100 netmask 255.255.255.0 ( 192.169.7.0 is the local subnet )
INTERNET IP ADDRESS: 213.x.x.202 netmask 255.0.0.0
GATEWAY: 213.x.178.29
Ok. This is my actual PIX configuration:
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pixfirewall
domain-name work.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 80-88
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping-acl remark allow pings on the outside
access-list ping-acl permit icmp any any
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-list permit_icmp permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 213.x.x.202 255.0.0.0
ip address inside 192.169.7.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.169.7.0 255.255.255.0 0 0
access-group permit_icmp in interface outside
conduit permit tcp host 0.0.0.0 eq 81 host 192.169.7.2
route outside 0.0.0.0 0.0.0.0 213.229.178.29 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 192.169.1.0 255.255.255.0 inside
ssh 192.169.7.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxx
So I can reach the PIX but I can't get out of it to the inet. I don't know why. If you can answer this one, then it would be interesting to know how to set up one port forward from the inet to a specific server on the local subnet on a port, for example 8080. Thank you so much.
Labels: NGFW Firewalls
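Before touching the outside address, it helps to check the posted configuration mechanically. The script below is an added example for this thread, not Cisco's tooling and not anything the poster ran: it parses the address, route, ACL and management lines of a PIX 6.x configuration with Python's standard `ipaddress` module and reports the things a reviewer would look for in the dump above. The sample input is constructed from the configuration posted above, with the masked outside address filled in from the later post in this thread (213.27.252.202); the mask threshold (/16) and the wording of the findings are my own choices.

```python
import ipaddress

# Constructed sample input: the address, routing, ACL and management lines of the
# PIX 6.x configuration posted above, with the masked outside address filled in
# from the later post in this thread (213.27.252.202).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list ping-acl remark allow pings on the outside
access-list ping-acl permit icmp any any
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-list permit_icmp permit icmp any any
ip address outside 213.27.252.202 255.0.0.0
ip address inside 192.169.7.100 255.255.255.0
access-group permit_icmp in interface outside
route outside 0.0.0.0 0.0.0.0 213.229.178.29 1
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.169.1.0 255.255.255.0 inside
ssh 192.169.7.0 255.255.255.0 inside
"""


def parse_config(text):
    """Pick out the lines the audit needs; every other line is ignored."""
    cfg = {"interfaces": {}, "routes": [], "acls": {}, "groups": {}, "mgmt": []}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[:2] == ["ip", "address"] and len(p) == 5:
            cfg["interfaces"][p[2]] = ipaddress.IPv4Interface(f"{p[3]}/{p[4]}")
        elif p[0] == "route" and len(p) >= 5:
            dest = ipaddress.IPv4Network(f"{p[2]}/{p[3]}", strict=False)
            cfg["routes"].append((p[1], dest, ipaddress.IPv4Address(p[4])))
        elif p[0] == "access-list" and len(p) > 2:
            cfg["acls"].setdefault(p[1], []).append(" ".join(p[2:]))
        elif p[0] == "access-group" and len(p) == 5:
            cfg["groups"][p[4]] = p[1]          # interface -> ACL applied inbound
        elif p[0] in ("http", "ssh") and len(p) == 4:
            net = ipaddress.IPv4Network(f"{p[1]}/{p[2]}", strict=False)
            cfg["mgmt"].append((p[0], net, p[3]))
    return cfg


def gateway_on_link(address, mask, gateway):
    """True when the gateway falls inside the directly connected subnet of that interface."""
    iface = ipaddress.IPv4Interface(f"{address}/{mask}")
    return ipaddress.IPv4Address(gateway) in iface.network


def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ifs = cfg["interfaces"]
    outside, inside = ifs.get("outside"), ifs.get("inside")
    if outside and inside and outside.network.overlaps(inside.network):
        findings.append("overlap: inside and outside subnets overlap")
    if outside and outside.network.prefixlen < 16:
        findings.append(f"mask: outside prefix /{outside.network.prefixlen} is unusually wide "
                        "for a public interface; confirm the mask with the ISP")
    for ifname, dest, gw in cfg["routes"]:
        iface = ifs.get(ifname)
        if iface is None:
            findings.append(f"route: interface {ifname} has no ip address")
        elif gw not in iface.network:
            findings.append(f"route: gateway {gw} for {dest} is not on-link for {ifname} ({iface.network})")
    for ifname, acl in cfg["groups"].items():
        if acl not in cfg["acls"]:
            findings.append(f"access-group: {acl} applied to {ifname} but never defined")
    for acl in cfg["acls"]:
        if acl not in cfg["groups"].values():
            findings.append(f"unused: access-list {acl} is defined but not applied to any interface")
    for proto, net, ifname in cfg["mgmt"]:
        iface = ifs.get(ifname)
        if iface is not None and not net.overlaps(iface.network):
            findings.append(f"mgmt: {proto} permit for {net} on {ifname} matches no host in {iface.network}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
    # The /8 mask is what makes the ISP gateway look directly connected; with a /24 it would not be.
    print("gateway on-link with /8 mask: ", gateway_on_link("213.27.252.202", "255.0.0.0", "213.229.178.29"))
    print("gateway on-link with /24 mask:", gateway_on_link("213.27.252.202", "255.255.255.0", "213.229.178.29"))
```

On the posted dump this reports the wide outside mask, two ACLs (`ping-acl`, `inbound`) that are defined but never applied to an interface, and two management permits (`http 192.168.1.0` and `ssh 192.169.1.0`) that match no host on the 192.169.7.0/24 inside subnet, so the PDM and SSH access they were meant to grant never works. The `gateway_on_link` comparison shows why the mask question matters: 213.229.178.29 sits in a different /24 than 213.27.252.202, so it only appears on-link because of the /8.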
07-15-2008 06:55 AM
Yes, it's done now. I edited the last post to include that. Ok. Now, can I erase all the DHCP stuff that comes by default? I don't need it, as all the servers on this subnet are using static IP addressing.
07-15-2008 07:00 AM
Good... yes, you can erase the DHCP; do (in config mode):
clear dhcpd
Save with: wr m
And then we can carry on....
07-15-2008 07:05 AM
Ok, now that's done. First warning.
I did: ip address inside 192.169.7.100 255.255.255.0, no problem.
But then I did: ip address outside 213.27.252.202 255.0.0.0
And the following warning appears:
WARNING: unable to add route to OSPF RIB.
07-15-2008 07:10 AM
Is that the correct MASK for that IP? It should be in the form...
213.27.252.202 255.255.255.x
So my next question is.. how many public IP addresses have been assigned to you by your ISP?
07-15-2008 07:18 AM
Yes that's the correct mask. Now we must get the servers to reach the inet.
07-15-2008 07:16 AM
Ok, now we are going the right way. I can ping the ISP router and Google's IP. But if I ping Google's IP from any of the servers on the local subnet I can't reach anything.
The successful pings are executed from the router's CLI. Thanks!
07-15-2008 07:24 AM
Good to hear it's going the correct way. Ok, now add the following into your PIX configuration (in config mode)... (I have named this ACL outside-in)
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any unreachable
access-list outside-in permit icmp any any time-exceeded
access-group outside-in in interface outside
Save with: wr m, and try pinging IP 4.2.2.2 from one of the LAN servers. I presume your LAN servers have a default gateway of the PIX?
07-15-2008 07:53 AM
Let's see . . I can input the first line of your ACL configuration but none of the rest.
The CLI dumps the command syntax after I try to input them.
Thanks!
07-15-2008 07:59 AM
Now that's strange... I have the same setup on my lab PIX with no problem.
Take out what you have already set up, i.e. in config mode issue:
clear access-list outside-in
and save with wr m
After the above, copy the config that I have posted into Notepad and then paste it back to the PIX in config mode, i.e. all of the config in one go rather than line by line.
07-15-2008 08:26 AM
Doing it like you said, I was able to put in these two lines, pasting from a Linux console:
access-list outside-in permit icmp any any echo-reply AND
access-group outside-in in interface outside
Now I can access the inet from only 1 host, the host where I'm working. It's a laptop. The rest of the servers can't ping out yet. But we are close. . . .
07-15-2008 08:31 AM
Sorry, with those 2 lines now all of them are getting out. Now . . I don't know if the other 2 access-list rules are necessary. I think the only thing I need now is to do the port forwarding. But I'm interested in knowing how those 2 access-list rules are working; I want to understand it, and if possible, could you point me to a good piece of info about the PIX 506E? I want to take advantage of all the features it can give me.
Waiting for an answer, thanks.
07-15-2008 09:17 AM
Hello Xavier,
Are you saying that all your servers are getting to the internet?
I am happy to hear that you want to learn more about the PIX and its configuration etc. Of course you can obtain the necessary information by either purchasing or reading material from (I would recommend a book by David Hucaby) here...
http://www.ciscopress.com/bookstore/product.asp?isbn=158705485X
Or you can look up lots of configuration details from Cisco TechNotes here...
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
Regards
Jay
07-15-2008 09:40 AM
Yes, all the servers are getting out. But now I need the final touch. I need to do some port forwarding. I need, for example, that all traffic to port 8080 from outside goes to a specific host.
Then I do:
static (inside,outside) tcp [public IP] 8080 [private IP] 8080
But it does not work. Is there something more I must add to get the port forwarding working?
07-15-2008 09:43 AM
Are you using the interface IP or a separate public IP? Also do you have the port open in your ACL?
07-15-2008 10:12 AM
I'm using the outside interface IP; it's my public IP also. Sorry, but I don't know how to include the ports in the ACL. I give you five stars for your support!
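The two halves Jay is asking about are exactly what a PIX 6.x needs for an inbound port forward: a `static` translation for the destination address and port, and a permit entry in the ACL applied inbound on the outside interface. Two details trip people up. First, on PIX 6.x the outside ACL is evaluated against the global (translated) address, so the ACE must name the public address, not the inside server. Second, when the public address is the outside interface's own address, the `static` uses the `interface` keyword in place of an IP (`static (inside,outside) tcp interface 8080 192.169.7.2 8080 netmask 255.255.255.255` on PIX 6.3; check `static ?` on your release). The same mechanism explains the earlier ICMP entries: without ICMP inspection (`fixup protocol icmp` is absent from the posted fixup list) the PIX does not match echo replies to outbound requests, so `echo-reply` has to be permitted explicitly.

The script below is an added example for this thread, not Cisco's code and not anything from the poster: it models that inbound evaluation for a packet arriving on outside and shows the difference between a static with no ACE (dropped) and a static plus an ACE that opens only tcp/8080 to the translated address. Sample configurations are constructed; the outside address and server 192.169.7.2 are taken from the thread, the source address 198.51.100.7 is a documentation address.

```python
import ipaddress

OUTSIDE_IP = "213.27.252.202"   # outside interface address from the thread
PORT_NAMES = {"www": 80}        # the one port keyword the posted config uses

# Constructed sample: static PAT for tcp/8080 on the outside interface address, but the
# ACL applied inbound on outside only permits ICMP echo replies (as set up in the thread).
STATIC_ONLY = """\
ip address outside 213.27.252.202 255.0.0.0
static (inside,outside) tcp interface 8080 192.169.7.2 8080 netmask 255.255.255.255
access-list outside-in permit icmp any any echo-reply
access-group outside-in in interface outside
"""

# Same, plus one ACE that opens exactly tcp/8080 to the translated address and nothing wider.
STATIC_PLUS_ACL = STATIC_ONLY.replace(
    "access-group",
    "access-list outside-in permit tcp any host 213.27.252.202 eq 8080\naccess-group")


def parse(text):
    """Collect interface addresses, tcp/udp statics, ACEs and the ACL applied per interface."""
    cfg = {"ifaces": {}, "statics": [], "acls": {}, "applied": {}}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[:2] == ["ip", "address"]:
            cfg["ifaces"][p[2]] = p[3]
        elif p[0] == "static" and p[2] in ("tcp", "udp"):
            # static (local,global) tcp|udp <global-ip|interface> <gport> <local-ip> <lport> netmask <m>
            global_if = p[1].strip("()").split(",")[1]
            global_ip = cfg["ifaces"][global_if] if p[3] == "interface" else p[3]
            cfg["statics"].append((p[2], global_ip, int(p[4]), p[5], int(p[6])))
        elif p[0] == "access-list":
            cfg["acls"].setdefault(p[1], []).append(p[2:])
        elif p[0] == "access-group":
            cfg["applied"][p[4]] = p[1]     # interface -> ACL applied inbound
    return cfg


def _addr_match(tokens, i, ip, cfg):
    """Match one ACE address term starting at tokens[i]; return (matched, next index)."""
    if tokens[i] == "any":
        return True, i + 1
    if tokens[i] == "host":
        return tokens[i + 1] == ip, i + 2
    if tokens[i] == "interface":
        return cfg["ifaces"].get(tokens[i + 1]) == ip, i + 2
    net = ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return ipaddress.IPv4Address(ip) in net, i + 2


def ace_permits(ace, cfg, proto, src, dst, dport):
    """True if this ACE is a permit that covers the packet's protocol, addresses and port."""
    if ace[0] != "permit" or ace[1] not in (proto, "ip"):
        return False
    src_ok, i = _addr_match(ace, 2, src, cfg)
    dst_ok, i = _addr_match(ace, i, dst, cfg)
    port_ok = True
    if i < len(ace) and ace[i] == "eq":
        wanted = ace[i + 1]
        port_ok = (PORT_NAMES[wanted] if wanted in PORT_NAMES else int(wanted)) == dport
    return src_ok and dst_ok and port_ok


def inbound_allowed(config_text, src, dst, dport, proto="tcp"):
    """Evaluate a packet arriving on outside the way PIX 6.x does: it needs a static
    translation for the destination address/port, and the ACL applied inbound on outside
    is checked against the global (translated) address. Returns (allowed, reason)."""
    cfg = parse(config_text)
    xlate = next((s for s in cfg["statics"]
                  if s[0] == proto and s[1] == dst and s[2] == dport), None)
    if xlate is None:
        return False, f"no static translation for {dst}:{dport}"
    acl_name = cfg["applied"].get("outside")      # None: no ACL applied, inbound is denied
    aces = cfg["acls"].get(acl_name, [])
    if not any(ace_permits(a, cfg, proto, src, dst, dport) for a in aces):
        return False, f"no permit in access-list {acl_name} for {proto}/{dport} to {dst}"
    return True, f"forwarded to {xlate[3]}:{xlate[4]}"


if __name__ == "__main__":
    for label, cfg_text in (("static only", STATIC_ONLY), ("static + ACE", STATIC_PLUS_ACL)):
        print(label, "->", inbound_allowed(cfg_text, "198.51.100.7", OUTSIDE_IP, 8080))
```

The ACE opens one protocol and one port to one translated address; a `permit tcp any any` would get the forward working just as quickly but would also expose every other static on the box, which is the usual way an "it works now" change turns into an exposure.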