PIX Config help

abruso
Level 1

This past weekend, I tried implementing a PIX into our existing network. After getting everything hooked up, and my config entered into the pix, I had some issues.

Sitting on the PIX, I could ping any host I wanted.

Sitting on a host in the Internal network, I could ping the Internal PIX interface, but I could not ping the Outside, or DMZ interfaces or any hosts connected to those interfaces.

Sitting on a host in the DMZ, I could ping the DMZ interface on the PIX, but I could not ping the other two interfaces or any hosts connected to those interfaces. Sitting on a host on the outside, I could ping the outside interface of the PIX, but I could not ping the other two interfaces or any hosts connected to them.

Here is the config:

PIX Version 6.3(2)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password
hostname xxxxx
domain-name xxxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group network pcanywhere
network-object host 10.0.0.30 255.255.255.0
network-object host 10.0.0.31 255.255.255.0
network-object host 10.0.0.32 255.255.255.0
network-object host 10.0.0.33 255.255.255.0
network-object host 10.0.0.34 255.255.255.0
network-object host 10.0.0.35 255.255.255.0
network-object host 10.0.0.36 255.255.255.0
network-object host 10.0.0.37 255.255.255.0
network-object host 10.0.0.38 255.255.255.0
network-object host 10.0.0.39 255.255.255.0
network-object host 10.0.0.40 255.255.255.0
network-object host 10.0.0.41 255.255.255.0
network-object host 10.0.0.42 255.255.255.0
network-object host 10.0.0.43 255.255.255.0
network-object host 10.0.0.44 255.255.255.0
network-object host 10.0.0.45 255.255.255.0
network-object host 10.0.0.46 255.255.255.0
network-object host 10.0.0.47 255.255.255.0
network-object host 10.0.0.48 255.255.255.0
network-object host 10.0.0.49 255.255.255.0
network-object host 10.0.0.50 255.255.255.0
network-object host 10.0.0.51 255.255.255.0
network-object host 10.0.0.52 255.255.255.0
network-object host 10.0.0.53 255.255.255.0
network-object host 10.0.0.54 255.255.255.0
network-object host 10.0.0.55 255.255.255.0
network-object host 10.0.0.56 255.255.255.0
network-object host 10.0.0.57 255.255.255.0
network-object host 10.0.0.58 255.255.255.0
network-object host 10.0.0.59 255.255.255.0
network-object host 10.0.0.60 255.255.255.0
network-object host 10.0.0.61 255.255.255.0
network-object host 10.0.0.62 255.255.255.0
network-object host 10.0.0.63 255.255.255.0
network-object host 10.0.0.64 255.255.255.0
network-object host 10.0.0.65 255.255.255.0
network-object host 10.0.0.66 255.255.255.0
network-object host 10.0.0.67 255.255.255.0
network-object host 10.0.0.68 255.255.255.0
network-object host 10.0.0.69 255.255.255.0
network-object host 10.0.0.70 255.255.255.0
network-object host 10.0.0.71 255.255.255.0
network-object host 10.0.0.72 255.255.255.0
network-object host 10.0.0.73 255.255.255.0
network-object host 10.0.0.74 255.255.255.0
network-object host 10.0.0.75 255.255.255.0
network-object host 10.0.0.76 255.255.255.0
network-object host 10.0.0.77 255.255.255.0
network-object host 10.0.0.78 255.255.255.0
network-object host 10.0.0.79 255.255.255.0
network-object host 10.0.0.80 255.255.255.0
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 216.27.xxx.xxx eq www
access-list outside_access_in permit tcp host 216.27.xxx host 216.27.xxx.xxx eq smtp
access-list outside_access_in permit tcp any host 216.27.xxx.xxx eq syslog
access-list outside_access_in permit tcp any host 216.27.xxx.xxx eq 443
access-list outside_access_in permit tcp any object-group pcanywhere eq 5631
access-list outside_access_in permit udp any object-group pcanywhere eq 5632
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered errors
logging trap debugging
logging history errors
logging host dmz 192.168.0.5
mtu outside 1500
mtu inside 1500
mtu State-Fail 1500
ip address outside 216.27.xxx.xxx 255.255.255.240
ip address inside 10.0.0.1 255.255.255.0
ip address DMZ 192.168.0.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 3
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 10.0.0.0 255.255.255.0
static (dmz,outside) 216.27.xxx.xxx 192.168.0.100 netmask 255.255.255.255 0 0
static (dmz,outside) 216.27.xxx.xxx 192.168.0.5 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.27.224.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp outside
sysopt noproxyarp inside
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn enable outside
vpdn enable inside
terminal width 80

I'm guessing it's a problem with the NAT translations in the PIX, but I have no idea what it is. I am pretty new at this stuff. Any help would be appreciated. Thanks.

2 Replies

gfullage
Cisco Employee

First thing, you won't be able to ping a PIX interface from a host on another PIX interface, so don't even bother trying that. To test connectivity you need to ping from a host on one interface to a host on another.

Now, to go from a higher security int to a lower security int (inside -> outside, inside -> dmz or dmz -> outside), you need a nat/global pair for those two interfaces. For example, to go from an inside host to a dmz host you need the following:

> nat (inside) 2 10.0.0.0 255.255.255.0

> global (dmz) 2 interface

Note the "2": this pairs up the nat and the global statement. The number can be anything, but as long as you have at least one of each statement you'll be good to go.

So, to go from inside to outside do the following:

> nat (inside) 3 10.0.0.0 255.255.255.0

> global (outside) 3 interface

and to go from dmz to outside do:

> nat (dmz) 4 192.168.0.0 255.255.255.0

> global (outside) 4 interface

One more thing: in your config you have a "nat 0" statement for the inside. "0" is a special number which means DON'T NAT this traffic. With your config all traffic from the inside network would not have been NAT'd ("nat 0" takes precedence over "nat "), so your packets would have gone out to the Internet sourced with a 10.x.x.x address and not be able to come back. Get rid of this "nat 0" statement, otherwise still nothing will work.
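The two rules in the reply above (every higher-to-lower interface pair needs a nat statement on the source interface and a global statement with the same id on the destination interface, and nat 0 silently overrides other nat statements for the addresses it covers) are mechanical enough to check before a config goes on the box. The script below is an added example written for this thread, not code from the poster or from Cisco. It understands only the nameif, nat and global lines of PIX 6.3 syntax, ignores ACL-based nat 0 and the lower-to-higher direction (static plus access-list), and runs against two constructed sample configs that mirror the thread's three-interface layout: one with the original nat/global lines and one with the reply's suggested pairs added.

```python
"""Lint a PIX 6.3-style config for nat/global pairing and nat 0 precedence.

Added example for this thread (not the poster's config or Cisco's code). Only a
small subset of PIX 6.3 syntax is parsed: nameif, nat and global statements.
"""
import ipaddress
import re
from itertools import permutations

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$", re.IGNORECASE)
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)(?:\s+(\S+))?", re.IGNORECASE)
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(.+)$", re.IGNORECASE)


def _network(net, mask):
    """Turn the PIX 'address mask' pair into an ipaddress network ("0 0" means any)."""
    net = "0.0.0.0" if net == "0" else net
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def parse(config_text):
    """Extract interface security levels, nat statements and global statements."""
    levels, nats, globals_ = {}, [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAMEIF_RE.match(line)
        if m:
            levels[m.group(1).lower()] = int(m.group(2))  # interface names are case-insensitive
            continue
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, net, mask = m.group(1).lower(), int(m.group(2)), m.group(3), m.group(4)
            # "nat (x) 0 access-list NAME" is ACL-based; keep it, but with no network to compare
            network = None if net.lower() == "access-list" or mask is None else _network(net, mask)
            nats.append((iface, nat_id, network))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_.append((m.group(1).lower(), int(m.group(2))))
    return levels, nats, globals_


def check_pairs(config_text):
    """Return ({(src, dst): status}, [warnings]) for every higher->lower interface pair.

    Status is "ok" when some non-zero nat id on src is matched by a global with the same
    id on dst, otherwise "missing nat/global pair". A nat 0 that overlaps another nat
    statement on the same interface is reported, because nat 0 (no translation) wins.
    """
    levels, nats, globals_ = parse(config_text)
    nat_ids, global_ids = {}, {}
    for iface, nat_id, _network in nats:
        if nat_id != 0:  # nat 0 never pairs with a global
            nat_ids.setdefault(iface, set()).add(nat_id)
    for iface, gid in globals_:
        global_ids.setdefault(iface, set()).add(gid)

    findings = {}
    for src, dst in permutations(levels, 2):
        if levels[src] <= levels[dst]:
            continue  # lower->higher needs static + access-list; not checked here
        paired = nat_ids.get(src, set()) & global_ids.get(dst, set())
        findings[(src, dst)] = "ok" if paired else "missing nat/global pair"

    warnings = []
    for iface, nat_id, network in nats:
        if nat_id != 0 or network is None:
            continue
        for other_iface, other_id, other_net in nats:
            if other_iface == iface and other_id != 0 and other_net is not None \
                    and network.overlaps(other_net):
                warnings.append(f"nat ({iface}) 0 {network} overlaps nat ({iface}) {other_id} "
                                f"{other_net}: nat 0 wins, that traffic leaves untranslated")
    return findings, warnings


# Constructed sample mirroring the thread's layout and its nat/global lines (not the full config).
BROKEN_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 10.0.0.0 255.255.255.0
"""

# Constructed sample with the reply's inside->dmz and dmz->outside pairs added and nat 0 removed.
FIXED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 2 10.0.0.0 255.255.255.0
global (dmz) 2 interface
nat (dmz) 4 192.168.0.0 255.255.255.0
global (outside) 4 interface
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        findings, warnings = check_pairs(cfg)
        print(f"== {name} ==")
        for (src, dst), status in sorted(findings.items()):
            print(f"  {src:>7} -> {dst:<7} {status}")
        for warning in warnings:
            print("  WARNING:", warning)
```

On the broken sample the script reports inside->outside as paired (nat 1 / global 1), inside->dmz and dmz->outside as missing, and one warning that nat (inside) 0 10.0.0.0/24 overlaps nat (inside) 1, which is exactly the diagnosis given in the reply; the fixed sample comes back clean. The check is deliberately conservative: it does not evaluate the static and access-list side needed for traffic initiated from outside or the DMZ toward the inside.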

Ok, I think the reason I did the Nat (inside) 0 line was because I thought I needed that in order to get my network-object to work right. Is my network-object set up right in order to get PcAnywhere to work with NAT for that Internal block (10.0.0.30-80)?

I did try pinging from hosts on one interface to hosts on another when I tried to install this thing, and I didn't get any response.

Any other recommendations, or does anybody see anything else that might cause me some problems?
