911 Views | 0 Helpful | 3 Replies
PIX access-list 101 denies Unix traffic

cweatherford (Level 1)

Has anyone ever seen Unix traffic (via Reflection or telnet) be denied when the following line is in your config:

access-list 101 permit ip any any

When the line below is in, Unix is OK, but MSN Messenger and other such programs need no authentication:

access-list 101 permit tcp any any eq www

Do I have a routing problem?

Thanks!

3 Replies

gfullage (Cisco Employee)

We need way more information than this. Where are the Unix servers, and where are the clients located (what PIX interface)? Do you see anything in the PIX syslog when the connection is denied to indicate the traffic is dropped? Can you forward the PIX config (remove any password lines and change IP addresses if you like) and then detail exactly what isn't working?

Is access-list 101 used for authentication, or for allowing access through the PIX?


PIX 520, 6.2(1)

The Unix server and clients are inside the firewall. The clients have host files, but all of the IPs are internal. When I change this line I see the following in the syslog: "2002-07-16 00:54:16 UTC,Local0.Error,10.***.***.***,Jul 15 2002 18:49:40: %PIX-3-109013: User must authenticate before using this service."

As soon as I change this line: access-list 101 permit tcp any any eq www (which only asks for authentication through browsers)

to: access-list 101 permit ip any any (which will ask for authentication for anything passing through the PIX).

Yes, we have everyone authenticate before going out to the Internet.

PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 ras security50
nameif ethernet3 dmz security10
enable password encrypted
passwd encrypted
hostname pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
access-list 101 deny tcp host 10. any
access-list 101 deny tcp host 10.any
access-list 101 deny tcp host 10. any
access-list 101 deny tcp host 10.110 any
access-list 101 deny tcp host 10.110 any
access-list 101 deny tcp host 10.110any
access-list 101 deny tcp host 10.110 any
access-list 101 deny tcp host 10.110 any
access-list 101 deny tcp host 10.110 any
access-list 101 deny tcp host 10.110 any
access-list 101 deny tcp host 10.110 any
access-list 101 permit tcp any any eq www
pager lines 23
logging on
logging timestamp
logging buffered debugging
logging trap errors
logging facility 16
logging host inside
logging host inside
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
mtu outside 1500
mtu inside 1500
mtu ras 1500
mtu dmz 1500
ip address outside 255.255.255.224
ip address inside 255.0.0.0
ip address ras 255.255.0.0
ip address dmz 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address ras 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 netmask 255.255.255.224
global (ras) 1 netmask 255.255.0.0
global (dmz) 1 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (ras) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) netmask 255.255.255.255 0 0
static (dmz,outside) netmask 255.255.255.255 0 0
static (inside,ras) netmask 255.255.255.0 0 0
static (inside,ras) netmask 255.255.255.0 0 0
static (inside,ras) netmask 255.255.255.255 0 0
static (inside,ras) netmask 255.255.255.255 0 0
static (inside,dmz) 192.netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp any 172. 255.255.0.0
conduit permit udp host 12. eq dnsix any
conduit permit tcp host 12. eq domain any
conduit permit udp host 12 eq domain any
conduit permit tcp host 12.eq smtp any
conduit permit tcp host 12.q smtp any
conduit permit tcp host 12.eq domain any
conduit permit udp host 12.eq domain any
conduit permit udp host 12.eq dnsix any
conduit permit udp host 12.eq nameserver any
conduit permit udp host 12.eq nameserver any
conduit permit icmp any any echo-reply
conduit permit icmp any any unreachable
conduit permit icmp any any time-exceeded
conduit permit icmp any any parameter-problem
conduit permit icmp any any echo
conduit permit tcp host 192 eq smtp host 192.
conduit permit tcp host 192. eq smtp host 192.
route outside 0.0.0.0 0.0.0.0 12.28.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute uauth 1:00:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10. timeout 5
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server attack protocol tacacs+
aaa-server attack (inside) host 10. timeout 5
aaa authentication match 101 inside attack
aaa authorization match 101 inside attack
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.\
floodguard enable
no sysopt route dnat
auth-prompt prompt "Company Access"
telnet 10..0.0.0 inside
telnet 10.0.0.0 ras
telnet 10..0.0.0 dmz
telnet timeout 15
ssh timeout 5
terminal width 80
Cryptochecksum:
: end
[OK]
pixfirewall#
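As an added example (not code from this thread and not Cisco's), the Python below models why the two versions of access-list 101 behave so differently once the list is referenced by "aaa authentication match 101 inside attack": the ACL decides which through-traffic is handed to AAA, a "deny" entry exempts traffic, first match wins, and PIX 6.2 can only present a credential prompt on FTP, Telnet and HTTP, so any other matched service is refused with %PIX-3-109013 unless the source host already holds a uauth entry from an earlier login. The addresses, ACL entries and flows are constructed stand-ins for the sanitized values in the posted config; the promptable-service rule and exemption semantics are my reading of PIX 6.x AAA behaviour, and the separate "aaa authorization match 101" statement is not modelled.

```python
"""Model of PIX 6.x 'aaa authentication match <acl>' traffic selection.

Added illustration, not from the original thread or from Cisco. Addresses,
ACL text and flows are constructed; see the assumptions in the comments.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords PIX accepts after 'eq' (a small subset; assumption).
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}

# PIX 6.2 can challenge for credentials only on these services; other matched
# traffic needs a pre-existing uauth entry or is refused with %PIX-3-109013.
PROMPTABLE = {("tcp", 21), ("tcp", 23), ("tcp", 80)}


@dataclass
class Ace:
    action: str                   # "permit": AAA applies; "deny": exempt from AAA
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port


def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at t[i]; return (net, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acl(config: str, name: str) -> List[Ace]:
    """Collect the entries of access-list <name> from PIX-style config text, in order."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", name]:
            continue
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(t[2], t[3], src, dst, dport))
    return aces


def aaa_decision(aces: List[Ace], src: str, dst: str, proto: str,
                 dport: int, authenticated: bool) -> str:
    """First-match evaluation of one flow against the AAA match ACL.

    'pass'         not selected for AAA (no match, or matched a deny entry)
    'prompt'       selected, and PIX can ask for credentials on this service
    'allow'        selected, not promptable, but the host already authenticated
    'deny-109013'  selected, not promptable, no uauth entry -> %PIX-3-109013
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a.proto != "ip" and a.proto != proto:
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        if a.action == "deny":
            return "pass"
        if (proto, dport) in PROMPTABLE:
            return "prompt"
        return "allow" if authenticated else "deny-109013"
    return "pass"


# Constructed stand-ins for the two variants of access-list 101 in the thread;
# 10.1.1.9 plays the role of one of the 'deny tcp host ... any' exemptions.
ACL_WWW_ONLY = """\
access-list 101 deny tcp host 10.1.1.9 any
access-list 101 permit tcp any any eq www
"""
ACL_IP_ANY = """\
access-list 101 deny tcp host 10.1.1.9 any
access-list 101 permit ip any any
"""

# Constructed flows: (label, src, dst, proto, dport, already authenticated?)
FLOWS = [
    ("browser to web",  "10.1.1.20", "203.0.113.10", "tcp", 80,   False),
    ("X11 to unix box", "10.1.1.20", "10.1.2.5",     "tcp", 6000, False),
    ("X11 after login", "10.1.1.20", "10.1.2.5",     "tcp", 6000, True),
    ("telnet to unix",  "10.1.1.20", "10.1.2.5",     "tcp", 23,   False),
    ("exempt host tcp", "10.1.1.9",  "10.1.2.5",     "tcp", 6000, False),
    ("exempt host dns", "10.1.1.9",  "10.1.2.53",    "udp", 53,   False),
]


def compare(flows=FLOWS):
    """Decision per flow under both ACL variants: {label: (www_only, ip_any)}."""
    www, ip = parse_acl(ACL_WWW_ONLY, "101"), parse_acl(ACL_IP_ANY, "101")
    return {label: (aaa_decision(www, *f), aaa_decision(ip, *f))
            for label, *f in flows}


if __name__ == "__main__":
    print(f"{'flow':18} {'www-only':14} ip any any")
    for label, (a, b) in compare().items():
        print(f"{label:18} {a:14} {b}")
```

Running the script prints one row per constructed flow. Under the "eq www" list only HTTP is ever selected, so a non-HTTP session to an internal server is simply not AAA's business; under "permit ip any any" the same session is selected, cannot carry a prompt, and is refused with 109013 until the same host has authenticated through a promptable service. The last row shows a subtlety of the posted exemptions: "deny tcp host X any" only exempts TCP, so with "permit ip any any" that host's UDP traffic is still caught.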
