
PIX 515E config question

bhhouston
Level 1

I'm an amateur at this so please be patient with me.

One of my users is getting an application that needs to communicate with the vendor's host. The vendor tells me that my user's workstation needs a public IP to make this work, but they have made it work with a NAT'ed IP. That would be my preferred method of connection, as giving that user a public IP would be a difficult task.

The question is, how do I go about configuring this user's IP address for port 80 and a few other ports (I haven't been given the other ports yet)?

Relevant config info:

>access-list outbound permit ip any any

>ip address outside 170.x.x.242 255.255.255.248

>ip address inside 10.x.x.1 255.255.254.0

>route outside 0.0.0.0 0.0.0.0 170.x.x.241 1

Based on other access rules we have set up for other needs, this is what I'm thinking of adding:

>access-list inbound permit ip any host 170.x.x.246

>static (inside,outside) 170.x.x.246 10.x.x.38 netmask 255.255.255.255 0 0

Would that be correct and if not, what am I missing? If any other information is needed, let me know.

Thanks in advance,

Ben

9 Replies

Patrick Iseli
Level 7

This would work but would open a backdoor to your network.

Better restrict the access-list to something like the one below, and also restrict the protocol to http!!

>access-list inbound permit tcp host PartnerPublicIP host 170.x.x.246 eq www

>static (inside,outside) 170.x.x.246 10.x.x.38 netmask 255.255.255.255 0 0

sincerely

Patrick

Thanks Patrick.

Questions:

Can I assume that the PartnerPublicIP is the IP address of the application host? Also, should "host" be included before and after PartnerPublicIP?

And, does eq www take into account the other ports that will need to be opened?

Finally, I'm dealing with an IT person on the other end with limited experience like myself. How would their configuration be set up to correspond with mine?

Thanks again,

Ben

Hi Ben,

1.) The host statement is before the Public IP.

2.) For each port that your client has to connect to on your internal server, you have to add an access-list line, or you can work with object groups.

example:

PIX(config)# access-list acl-outside permit tcp host PartnerPubIP host MyPublicIP eq 25

PIX(config)# access-list acl-outside permit tcp host PartnerPubIP host MyPublicIP eq 443

PIX(config)# access-list acl-outside permit tcp host PartnerPubIP host MyPublicIP eq 80

PIX(config)# access-list acl-outside permit tcp host PartnerPubIP host MyPublicIP eq 21

PIX(config)# access-group acl-outside in interface outside

static (inside,outside) MyPublicIP 10.0.0.1 netmask 255.255.255.255

Don't forget to do a "clear xlate" after changing / adding the static line.

See examples on cisco:

Using and Configuring PIX Object Groups:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

Other examples:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml

http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration

sincerely

Patrick

Patrick,

Just a follow-up to this thread from 2 weeks ago . . .

Once I got all the information I needed from my vendor, these were the commands I added:

>access-list inbound permit esp host 170.x.x.130 host 170.x.x.246

>static (inside,outside) 170.x.x.246 10.x.x.38 netmask 255.255.255.255 0 0

I had a little help from another client who had recently gotten the software and he helped me with the "permit esp" command. I don't quite understand why we used this instead of "permit tcp", though. I was wondering if you might provide a brief explanation.

Thanks again, Ben

As soon as you have more details on who will connect and with what port, TCP etc., let me know and I will give you some guidance on how to set up your configuration.

The example that you gave (access-list inbound permit esp host 170.x.x.130 host 170.x.x.246) alone will not work; this looks like an incomplete IPSEC example.

Usually UDP 500 is also required for that.

example:

access-list inbound permit udp host 170.x.x.130 host 170.x.x.246 eq 500

access-list inbound permit esp host 170.x.x.130 host 170.x.x.246

But is it really the case that your partner wants to establish a VPN into the inside of your network, or do you establish the connectivity?

sincerely

Patrick
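The three access-list variants in this thread (Ben's open "permit ip any host" entry, Patrick's per-host, per-port TCP entries, and the ESP plus UDP 500 pair for IPsec pass-through) can be checked against sample traffic before they ever reach the firewall. The evaluator below is an added example written for this thread, not Cisco code and not the posters' configuration. It models only the first-match, implicit-deny behaviour of a PIX access-list for the syntax subset used above (any / host / network-mask addresses, destination-port "eq", protocol "ip" as a wildcard); source ports, object-groups and the static NAT translation itself are not modelled. The addresses are constructed stand-ins from the RFC 5737 documentation ranges, standing in for the masked 170.x.x.x values in the posts.

```python
"""Toy evaluator for PIX-style access-list entries (ACEs).

Added example for this thread; not Cisco code and not the posters' config.
Models first-match / implicit-deny for:
  access-list NAME permit|deny PROTO SRC DST [eq PORT]
where SRC/DST is "any", "host A.B.C.D" or "NET MASK" (a real netmask).
Source-port matching and object-groups are not modelled.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Port keywords the PIX accepts in place of numbers (a small subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21, "isakmp": 500}


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "esp", ...
    src: str
    dst: str
    dport: Optional[int] = None  # None for protocols without ports (esp)


@dataclass(frozen=True)
class Ace:
    name: str
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]         # destination port from "eq", or None


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one ACE; tolerates the '>' quoting and 'PIX(config)#' prompt seen in the thread."""
    line = line[line.index("access-list"):]
    tokens = line.split()
    name, action, proto = tokens[1], tokens[2], tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        dport = int(port) if port.isdigit() else PORT_NAMES[port]
    return Ace(name, action, proto, src, dst, dport)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ace.src or ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry decides; no match means deny, as on the PIX."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


# Constructed stand-ins for the masked addresses in the thread (RFC 5737 ranges).
PARTNER = "203.0.113.130"   # the vendor host (170.x.x.130 in the thread)
MYPUB = "198.51.100.246"    # the static-NAT public address (170.x.x.246)
STRANGER = "192.0.2.77"     # an unrelated Internet host

# Ben's first draft: any source, any protocol, any port to the NATed host.
OPEN_ACL = [parse_ace(f"> access-list inbound permit ip any host {MYPUB}")]
# Patrick's version: partner host only, listed TCP ports only.
RESTRICTED_ACL = [
    parse_ace(f"access-list inbound permit tcp host {PARTNER} host {MYPUB} eq www"),
    parse_ace(f"access-list inbound permit tcp host {PARTNER} host {MYPUB} eq 443"),
]
# The IPsec pass-through pair from the later reply: IKE on UDP 500 plus ESP (no ports).
IPSEC_ACL = [
    parse_ace(f"access-list inbound permit udp host {PARTNER} host {MYPUB} eq 500"),
    parse_ace(f"access-list inbound permit esp host {PARTNER} host {MYPUB}"),
]

SAMPLE_TRAFFIC = {
    "partner http": Packet("tcp", PARTNER, MYPUB, 80),
    "partner ssh": Packet("tcp", PARTNER, MYPUB, 22),
    "stranger rdp": Packet("tcp", STRANGER, MYPUB, 3389),
    "partner ike": Packet("udp", PARTNER, MYPUB, 500),
    "partner esp": Packet("esp", PARTNER, MYPUB),
    "stranger esp": Packet("esp", STRANGER, MYPUB),
}


def compare(pkt: Packet) -> dict:
    """Verdict of each candidate access-list for one packet."""
    return {"open": evaluate(OPEN_ACL, pkt),
            "restricted": evaluate(RESTRICTED_ACL, pkt),
            "ipsec": evaluate(IPSEC_ACL, pkt)}


if __name__ == "__main__":
    for label, pkt in SAMPLE_TRAFFIC.items():
        print(f"{label:14} {compare(pkt)}")
```

Running it shows the point of Patrick's warning: the open entry admits the stranger's RDP attempt to the NATed workstation, while the restricted list admits only the partner on the listed ports, and the IPsec list admits only the partner's ESP and UDP 500. It also makes visible that an entry with "eq" can never match ESP, which has no ports, so the TCP entries and the ESP entry are not interchangeable.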

Curious.

You say the permit esp command alone will not work but it did, even without the udp 500 command added.

The connection is a VPN to the inside of their network, and all tests thus far have been successful. Could that be the reason udp was not necessary?

Thanks, Ben

Accepted Solution

Do you have the line:

sysopt connection permit-ipsec

in the configuration ?

If yes, that's why; you could even remove the command line that permits ESP, as the sysopt opens IPSEC globally and does not check the access-list on the interfaces.

sincerely

Patrick

Yes, I have that line in my configuration.

You've been a big help, Patrick.

Thanks for everything.

Ben

The pleasure is mine.

sincerely

Patrick
