12-10-2003 03:43 AM - edited 02-20-2020 11:08 PM
Hi,
My PIX is up and the internet is fine, but I need only one IP address x.x.x.1 to access the internet, with all others denied. x.x.x.1 will have an ISA server from which I will permit particular users to browse the internet. I am using NAT/PAT on the PIX. What will my access-list be? Because if I remove NAT from the PIX this will stop the whole internet and email access... Can anyone let me know?
I tried this but with no success:
access-list 111 permit tcp 10.x.x.1 255.255.255.255 any eq www
access-group 111 in interface inside
12-10-2003 03:56 AM
That access list is probably blocking the ISA server from being able to make UDP-based DNS requests to resolve hostnames to IP addresses. Assuming your DNS servers are outside of the PIX, adding this line should allow DNS to work:
access-list 111 permit udp 10.x.x.1 255.255.255.255 any eq dns
12-10-2003 05:30 AM
I presume what you are saying is that you want all internet connections to go via your ISA server, correct? If so, then do the following:
access-list
access-list
access-list
access-group
Now make sure to save with the command write memory and also clear translations with the command clear xlate.
Write your access-list in Notepad first (as above) and then issue a no access-list
In Config mode on PIX:
no access-list
access-list
access-list
access-list
access-group
Hope this helps and let me know how you get on -
Jay.
12-10-2003 06:25 AM
I did both suggestions, but the internet is still not working... Error:
Web page is not available
-----
----
----
Can't find DNS server
Note: if I remove this access-list applied to the inside interface then my internet works fine... I highly appreciated your response... hope to see new workarounds...
Thanks
12-10-2003 07:29 AM
Hi,
Can you post me your full PIX config, either here on the forum or direct to me at jmia@ohgroup.co.uk
Please remember to change passwords and real IPs. Thanks.
12-12-2003 10:24 PM
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXX encrypted
passwd encrypted
hostname
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 110 permit ip 10.0.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list 120 permit ip 10.0.0.0 255.255.0.0 10.60.0.0 255.255.0.0
access-list 101 permit ip 10.0.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list 101 permit ip 10.0.0.0 255.255.0.0 10.60.0.0 255.255.0.0
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host X.X.X.X eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.240
ip address inside 10.0.0.15 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 62.3.X.X
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) X.X.X.X 10.0.0.1 netmask 255.255.255.255 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 62.3.47.130 1
route inside 10.10.0.0 255.255.0.0 10.0.0.109 1
route inside 10.100.0.0 255.255.0.0 10.0.0.109 1
route inside 10.110.0.0 255.255.0.0 10.0.0.109 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set araset esp-3des esp-md5-hmac
crypto map rascomap 20 ipsec-isakmp
crypto map rascomap 20 match address 110
crypto map rascomap 20 set peer
crypto map rascomap 20 set transform-set araset
crypto map rascomap 30 ipsec-isakmp
crypto map rascomap 30 match address 120
crypto map rascomap 30 set peer
crypto map rascomap 30 set transform-set araset
crypto map rascomap interface outside
isakmp enable outside
isakmp key ******** address netmask 255.255.255.255
isakmp key ******** address netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:77debd4e5bda066901b9f479718fac60
: end
[OK]
12-13-2003 07:30 AM
From the outside in, everything is blocked on a PIX, so long as it is not part of a connection originated in the outbound direction from the inside interface. Your access-list 100 is applied to the outside interface - it will allow some ICMP traffic through, and it will allow people on the internet to access the HTTP port of host x.x.x.x. Is x.x.x.x a web server?
Right now, you have nothing blocking any internal machines from making outbound connections. All internal machines should be able to do just about anything they want. With the above configuration, what does not work?
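Two points in this thread come down to how a PIX evaluates an access-list: the 03:56 AM reply (the www-only list on the inside interface silently drops the ISA server's UDP DNS lookups, because every PIX access-list ends in an implicit deny), and the last reply (with no access-group bound to the inside interface, inside hosts can initiate anything outbound). The script below is an added example, not part of the thread or any Cisco tool: it parses entries written in the PIX 6.3 syntax used above (real subnet masks, "any", "host", "eq <port-or-name>") and evaluates sample flows against them with first-match-wins semantics. All addresses are constructed: 10.1.1.1 stands in for the ISA server (10.x.x.1 in the thread), 10.1.1.2 for any other client, 10.1.1.53 for an internal DNS forwarder, and 198.51.100.0/24 for the internet. ICMP type keywords and NAT are not modelled.

```python
"""Toy model of PIX 6.x access-list semantics: first match wins, implicit deny.

Added example, not from the thread. Parses PIX 6.3 access-list entries and
evaluates constructed flows against them.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Subset of the service names PIX accepts in place of port numbers.
PORT_NAMES = {"www": 80, "http": 80, "dns": 53, "domain": 53, "smtp": 25, "https": 443}


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol; else "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None: any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens: List[str], i: int):
    """Consume one PIX address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # PIX 6.x takes a real subnet mask here, not an IOS-style wildcard mask.
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_rule(line: str) -> Rule:
    """Parse one 'access-list <id> permit|deny <proto> <src> <dst> [eq <port>]' line.

    Trailing ICMP type keywords (e.g. echo-reply) are accepted but ignored.
    """
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not a PIX access-list entry: {line!r}")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Rule(t[2], t[3], src, dst, dport)


def evaluate(acl: Optional[List[Rule]], flow: Flow) -> str:
    """Verdict for one packet arriving on an interface.

    acl is None when no access-group is bound to that interface: the PIX then
    lets inside hosts initiate anything outbound (the posted config has no
    inside access-group). Otherwise entries are checked in order, the first
    match decides, and a list that matches nothing denies the packet.
    """
    if acl is None:
        return "permit"
    s, d = ipaddress.IPv4Address(flow.src), ipaddress.IPv4Address(flow.dst)
    for r in acl:
        if r.proto != "ip" and r.proto != flow.proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action
    return "deny"  # implicit deny at the end of every PIX access-list


# Constructed addresses (assumptions, not from the thread).
ISA, CLIENT, FORWARDER = "10.1.1.1", "10.1.1.2", "10.1.1.53"
EXT_WEB, EXT_DNS = "198.51.100.10", "198.51.100.53"

# The list from the first post, then the same list with the suggested DNS entry.
ACL_WWW_ONLY = [parse_rule("access-list 111 permit tcp 10.1.1.1 255.255.255.255 any eq www")]
ACL_WITH_DNS = ACL_WWW_ONLY + [
    parse_rule("access-list 111 permit udp 10.1.1.1 255.255.255.255 any eq dns")]

FLOWS = {
    "isa_http":      Flow("tcp", ISA, EXT_WEB, 80),
    "isa_dns":       Flow("udp", ISA, EXT_DNS, 53),
    "client_http":   Flow("tcp", CLIENT, EXT_WEB, 80),
    "client_dns":    Flow("udp", CLIENT, EXT_DNS, 53),
    "forwarder_dns": Flow("udp", FORWARDER, EXT_DNS, 53),
}


def verdicts(acl: Optional[List[Rule]]) -> dict:
    """Evaluate every sample flow against an inside-interface ACL (None = none bound)."""
    return {name: evaluate(acl, f) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("no inside ACL", None), ("www only", ACL_WWW_ONLY),
                       ("www + dns", ACL_WITH_DNS)):
        print(f"{label:14s}", verdicts(acl))
```

The "forwarder_dns" flow is worth noting: if the ISA server resolves names through an internal DNS server that in turn forwards to the internet, the outbound query leaves from the forwarder's address, not the ISA's, and the www+dns list still drops it. Whichever host actually sends the DNS traffic across the PIX is the one the list has to permit, which is why the second reply's fix depends on where the DNS servers sit.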