PIX 525 Help
08-20-2003 05:31 AM - edited 02-20-2020 10:56 PM
I'm trying to get access for a server (Webserv3) in a DMZ from the internet. This is the first server I'm trying to get to from the outside. Also I'm trying to limit some of the PCs on inside networks from the internet. I think the problem is with the ACL but I'm not sure. Please respond here; I'm not near my mail much.
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 100full
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security30
nameif ethernet3 DMZ2 security40
nameif ethernet4 Failover security25
nameif ethernet5 State security20
enable password encrypted
passwd encrypted
hostname Pix1(Primary)
domain-name dandh.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 1.0.0.253 Exchange
name 192.168.1.203 Webapp2
name 192.168.1.202 Webapp1
name 192.168.1.102 Webserv1
name 192.168.1.103 Webserv2
name 192.168.1.222 Message
name 192.168.1.204 Webapp3
name 192.168.1.104 Webserv3
object-group network Webappservers
description Web App Servers on DMZ2
network-object Webapp1 255.255.255.255
network-object Webapp2 255.255.255.255
network-object Webapp3 255.255.255.255
object-group service Mail tcp
description Mail Protocols
port-object eq pop3
port-object eq smtp
object-group service FTPGroup tcp
port-object eq ftp-data
port-object eq ftp
object-group network Webservers
description Web Servers on DMZ1
network-object Webserv1 255.255.255.255
network-object Webserv2 255.255.255.255
network-object Webserv3 255.255.255.255
object-group service RPCFlaw tcp-udp
description Microsoft RPC flaw
port-object eq 4444
port-object eq 69
port-object eq 445
port-object range 135 139
object-group service Web_Access tcp-udp
port-object eq 80
access-list outside_access_in deny tcp xxx.xxx.xxx.32 255.255.255.224 object-group RPCFlaw 1.0.0.0 255.0.0.0 object-group RPCFlaw
access-list outside_access_in permit tcp any host Message eq smtp
access-list outside_access_in permit tcp any host Message eq pop3
access-list outside_access_in permit tcp any host Webserv1 eq ftp
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host xx.xx.xx.55
access-list outside_access_in2DMZ1 permit tcp any host xx.xx.xx.55
access-list 101 permit ip 1.0.0.0 255.0.0.0 1.150.150.0 255.255.255.0
access-list 101 permit ip 1.0.0.0 255.0.0.0 1.150.151.0 255.255.255.0
access-list outside_cryptomap_dyn_30 permit ip any 1.150.150.0 255.255.255.0
access-list outside_cryptomap_dyn_30 permit ip any 1.150.151.0 255.255.255.0
access-list inside_access_out permit ip host 172.21.1.1 any
access-list inside_access_out permit ip 172.21.29.0 255.255.255.0 any
access-list inside_access_out deny ip 172.21.0.0 255.255.0.0 any
access-list inside_access_out permit ip host 172.24.1.1 any
access-list inside_access_out permit ip 172.24.29.0 255.255.255.0 any
access-list inside_access_out deny ip 172.24.0.0 255.255.0.0 any
access-list inside_access_out permit ip host 172.28.1.1 any
access-list inside_access_out permit ip 172.28.29.0 255.255.255.0 any
access-list inside_access_out deny ip 172.28.0.0 255.255.0.0 any
access-list inside_access_out permit ip host 172.29.1.1 any
access-list inside_access_out permit ip 172.29.29.0 255.255.255.0 any
access-list inside_access_out deny ip 172.29.0.0 255.255.0.0 any
access-list inside_access_out permit ip host 172.30.1.1 any
access-list inside_access_out permit ip 172.30.29.0 255.255.255.0 any
access-list inside_access_out deny ip 172.30.0.0 255.255.0.0 any
access-list inside_access_out permit ip host 172.36.1.1 any
access-list inside_access_out permit ip 172.36.29.0 255.255.255.0 any
access-list inside_access_out permit ip 1.0.0.0 255.0.0.0 any
access-list inside_access_out permit ip host 192.168.5.1 any
access-list inside_access_out permit ip 192.168.5.0 255.255.255.192 any
access-list inside_access_out deny ip 192.168.5.0 255.255.255.0 any
access-list inside_access_out permit ip host Webserv3 any
access-list inside_access_out permit icmp any any
access-list inside_access_out deny ip 172.36.0.0 255.255.0.0 any
access-list inside_access_out_DMZ1 permit icmp any any
access-list inside_access_out_DMZ1 permit tcp any host xx.xx.xx.55
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu DMZ2 1500
mtu Failover 1500
mtu State 1500
ip address outside xx.xxx.xx.50 255.255.255.224
ip address inside 1.0.1.254 255.0.0.0
ip address DMZ1 192.168.1.100 255.255.255.240
ip address DMZ2 192.168.1.200 255.255.255.240
ip address Failover 192.168.2.100 255.255.255.248
ip address State 192.168.2.202 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 1.150.150.1-1.150.150.254
ip local pool vpnpool 1.150.151.0-1.150.151.255
failover
failover timeout 0:00:00
failover poll 15
failover replication http
failover ip address outside xx.xx.xx.51
failover ip address inside 1.0.3.254
failover ip address DMZ1 192.168.1.101
failover ip address DMZ2 192.168.1.201
failover ip address Failover 192.168.2.101
failover ip address State 192.168.2.201
failover link Failover
failover lan unit primary
failover lan interface Failover
failover lan key ********
failover lan enable
pdm location 1.10.4.167 255.255.255.255 inside
< Some PDM Stuff Deleted>
pdm group Webservers DMZ1
pdm logging critical 100
pdm history enable
arp timeout 14400
global (outside) 4 xx.xx.xx.36
global (outside) 5 xx.xx.xx.60
global (outside) 6 xx.xx.xx.61
global (outside) 1 xx.xx.xx.52
global (outside) 5 xx.xx.xx.55
global (DMZ1) 3 192.168.1.101-192.168.1.122 netmask 255.255.255.224
global (DMZ2) 2 192.168.1.201-Message netmask 255.255.255.224
nat (inside) 0 access-list 101
nat (inside) 1 192.168.5.0 255.255.255.192 0 0
nat (inside) 1 172.21.0.0 255.255.0.0 0 0
nat (inside) 1 172.24.0.0 255.255.0.0 0 0
nat (inside) 1 172.28.0.0 255.255.0.0 0 0
nat (inside) 1 172.29.0.0 255.255.0.0 0 0
nat (inside) 1 172.30.0.0 255.255.0.0 0 0
nat (inside) 1 1.0.0.0 255.0.0.0 0 0
nat (DMZ1) 4 Webserv1 255.255.255.255 0 0
nat (DMZ1) 6 Webserv2 255.255.255.255 0 0
nat (DMZ1) 5 Webserv3 255.255.255.255 0 0
nat (DMZ2) 0 192.168.1.210 255.255.255.255 0 0
nat (DMZ2) 7 Message 255.255.255.255 0 0
static (DMZ2,DMZ1) Webapp1 Webapp1 netmask 255.255.255.255 0 0
static (DMZ2,DMZ1) Webapp2 Webapp2 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.49 Message netmask 255.255.255.255 0 0
static (DMZ2,outside) xx.xx.xx.56 Message netmask 255.255.255.255 0 0
static (inside,DMZ1) xx.xx.xx.55 Webserv3 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.55 Webserv3 netmask 255.255.255.255 0 0
static (DMZ1,outside) xx.xx.xx.55 Webserv3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
access-group inside_access_out_DMZ1 in interface DMZ1
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.35 1
route DMZ1 Webserv3 255.255.255.255 xx.xx.xx.35 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 1.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnwvr address-pool vpnpool
vpngroup vpnwvr dns-server xx.xx.xx.72
vpngroup vpnwvr wins-server 1.4.1.1
vpngroup vpnwvr idle-time 1800
vpngroup vpnwvr password ********
vpngroup dandh address-pool vpnpool1
vpngroup dandh dns-server xx.xx.xx.72
vpngroup dandh wins-server 1.4.1.1
vpngroup dandh default-domain D-H_Domain
vpngroup dandh idle-time 1800
vpngroup dandh password ********
telnet 1.0.0.0 255.0.0.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
banner login "Warning: Unauthorized access to this system is forbidden and will
be prosecuted by law. By accessing this system, you agree that your actions may
be monitored if unauthorized usage is suspected."
Cryptochecksum:
: end
Pix1(Primary)(config)#
Labels: Other Network Security Topics
08-20-2003 06:29 AM
In your ACL outside_access_in, you only allow ftp to webserv3. Add a line for tcp port 80 to allow web traffic. Does it run an ftp daemon? Have you been able to connect to it from the outside?
08-20-2003 06:50 AM
I have an ACL
access-list outside_access_in permit tcp any host XX.XX.XX.55
that references the server I'm trying to get to from the outside. I have not been able to get to it from outside but I can see it from inside.
08-20-2003 07:10 AM
Hello James -
Please check this URL(page 5).
http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/tech/pixcg_cg.pdf
Thanks -
08-20-2003 09:48 AM
Thanks for the reply.
This example uses conduits instead of access lists; I thought conduits were replaced with access lists? Is there an updated article? Should I use conduits?
James
08-20-2003 10:12 AM
Access-lists are the future. Conduits still work, but might be unsupported in a future version. Your access-list looks fine - I missed that permit tcp any line.
Aha - try this - I think your access-list applied to the DMZ is wrong. Try removing it. I think your source is any, destination is xxxxxx.55, and it needs to be flipped - you want to allow source of xxxx.55, with destination any.
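The last reply's point is about direction: an access-group applied "in interface X" filters traffic arriving on X, so hosts that live behind X (directly, or through a static translation from X) belong in the source field of that ACL, not the destination. The script below is an added example, not code from the thread or from Cisco; it parses a handful of constructed config lines modelled on the posted config (the masked xx.xx.xx.N public addresses are replaced with TEST-NET 203.0.113.N placeholders) and flags inbound ACL entries that name a host from the ACL's own interface as the destination. The fixed variant rewrites the DMZ1 entry with the DMZ host as the source, which is the correction the reply suggests.

```python
"""Direction check for PIX 6.x interface ACLs (added example, not from the thread)."""
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the thread's config; 203.0.113.N stands in
# for the masked xx.xx.xx.N public addresses.
POSTED_CONFIG = """\
name 192.168.1.104 Webserv3
ip address outside 203.0.113.50 255.255.255.224
ip address DMZ1 192.168.1.100 255.255.255.240
static (DMZ1,outside) 203.0.113.55 Webserv3 netmask 255.255.255.255 0 0
access-list outside_access_in deny tcp 203.0.113.32 255.255.255.224 object-group RPCFlaw 1.0.0.0 255.0.0.0 object-group RPCFlaw
access-list outside_access_in permit tcp any host 203.0.113.55
access-list inside_access_out_DMZ1 permit icmp any any
access-list inside_access_out_DMZ1 permit tcp any host 203.0.113.55
access-group outside_access_in in interface outside
access-group inside_access_out_DMZ1 in interface DMZ1
"""

# Same config with the DMZ1 entry flipped so the DMZ host is the source.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "access-list inside_access_out_DMZ1 permit tcp any host 203.0.113.55",
    "access-list inside_access_out_DMZ1 permit tcp host Webserv3 any")


def _addr(tok, i):
    """Consume one address spec at tok[i]; return (kind, value, next index)."""
    if tok[i] == "any":
        return "any", None, i + 1
    if tok[i] in ("host", "object-group"):
        return tok[i], tok[i + 1], i + 2
    return "net", (tok[i], tok[i + 1]), i + 2


def _skip_ports(tok, i):
    """Skip an optional source-port qualifier (eq 80, range 135 139, object-group G)."""
    if i < len(tok) and tok[i] in ("eq", "lt", "gt", "neq", "object-group"):
        return i + 2
    if i < len(tok) and tok[i] == "range":
        return i + 3
    return i


def resolve(token, names):
    """Turn a 'name' alias or dotted address into an ip_address object."""
    return names[token] if token in names else ipaddress.ip_address(token)


def parse(config):
    """Collect names, interface subnets, static translations, ACL entries and bindings."""
    names, subnets, mapped_from = {}, {}, {}
    acls, bindings = defaultdict(list), {}
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "name":
            names[tok[2]] = ipaddress.ip_address(tok[1])
        elif tok[:2] == ["ip", "address"]:
            subnets[tok[2]] = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
        elif tok[0] == "static":
            # static (real_if,mapped_if) mapped real ... : the mapped address is
            # published on behalf of a host behind real_if.
            real_if = tok[1].strip("()").split(",")[0]
            mapped_from[resolve(tok[2], names)] = real_if
        elif tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            src_kind, src, i = _addr(tok, 4)
            i = _skip_ports(tok, i)
            dst_kind, dst, _ = _addr(tok, i)
            acls[tok[1]].append({"line": raw, "src": (src_kind, src), "dst": (dst_kind, dst)})
        elif tok[0] == "access-group":
            bindings[tok[1]] = (tok[2], tok[4])  # (direction, interface)
    return names, subnets, mapped_from, acls, bindings


def home_interface(ip, subnets, mapped_from):
    """Interface an address belongs to: the real side of a static that publishes it,
    otherwise the interface whose subnet contains it."""
    if ip in mapped_from:
        return mapped_from[ip]
    for iface, net in subnets.items():
        if ip in net:
            return iface
    return None


def check_direction(config):
    """Return (acl, interface, line) for inbound entries whose destination host
    sits behind the very interface the ACL is applied to."""
    names, subnets, mapped_from, acls, bindings = parse(config)
    findings = []
    for acl, (direction, iface) in bindings.items():
        if direction != "in":
            continue
        for ace in acls.get(acl, []):
            kind, value = ace["dst"]
            if kind == "host" and home_interface(resolve(value, names), subnets, mapped_from) == iface:
                findings.append((acl, iface, ace["line"]))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        hits = check_direction(cfg)
        print(f"{label}: {len(hits)} entries with the DMZ host in the destination field")
        for acl, iface, line in hits:
            print(f"  {acl} (in {iface}): {line}")
```

The outside ACL is not flagged even though 203.0.113.55 falls inside the outside interface's subnet, because the static translation marks that address as belonging to DMZ1; that is why the check consults static translations before subnet membership. Object-group network entries are left alone, and only one static per mapped address is tracked.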
