Problems with an internal - internal PIX deployment

geustace
Level 1

We have put in a PIX 506E with a small community of internal users isolated behind it. The small community will still use the corporate lan to access the internet so I have the small part on inside and the corporate lan on outside.

I have added an 'ip all all' on the outside interface to try to get things working but no go so far. I can ping from the PIX to outside hosts but config tftp fails as do snmp polls from the outside.

debug shows no packet activity for tftp, only the inbound packet for snmp.

8 Replies

msdesai
Level 1

Hi

Can you please post your config?

Do have Static NAT configured?

MD

PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 massey security10
nameif ethernet1 inside security100
enable password ********* encrypted
passwd ******* encrypted
hostname mu-firewall-4
domain-name massey.ac.nz
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list compiled
access-list massey permit udp any host 192.168.101.14 eq snmp
access-list massey permit ip any any
pager lines 24
logging on
logging timestamp
logging console warnings
logging monitor warnings
logging buffered warnings
logging trap warnings
logging host inside 130.123.128.69
mtu massey 1500
mtu inside 1500
ip address massey 192.168.101.14 255.255.255.252
ip address inside 192.168.67.2 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
static (inside,massey) 130.123.224.0 130.123.224.0 netmask 255.255.255.0 0 0
static (inside,massey) 210.55.12.10 210.55.12.10 netmask 255.255.255.255 0 0
static (inside,massey) 210.55.12.11 210.55.12.11 netmask 255.255.255.255 0 0
access-group massey in interface massey
route massey 0.0.0.0 0.0.0.0 192.168.101.13 1
route inside 130.123.224.0 255.255.255.0 192.168.67.1 1
route inside 210.55.12.10 255.255.255.255 192.168.67.1 1
route inside 210.55.12.11 255.255.255.255 192.168.67.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 130.123.225.71 CiscoRadiusServer timeout 10
aaa-server RADIUS (inside) host 130.123.128.32 CiscoRadiusServer timeout 10
aaa-server LOCAL protocol local
snmp-server host inside 130.123.128.2
snmp-server location ALB QBA B10
snmp-server contact ITS - ISS
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
sysopt noproxyarp massey
sysopt noproxyarp inside
telnet 130.x.x.x.255.0.0 inside
telnet 130.x.x.x.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:xxxx
: end

Hi,

By looking at config:

snmp-server host inside 130.123.128.2

IP address 130.123.128.2 of the host allowed to poll

!--- and where to send traps

so you need to add the nat 0 statement below:

nat (inside) 0 130.123.128.2 255.255.255.255

or nat (inside) 0 130.123.128.0 255.255.255.0

Let me know if you have any questions.

HTH

MD

Most of the 130.123 network is on the 'massey' side. Only 130.123.224/24 is on the inside. I don't want to use NAT and have tried

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

but that doesn't seem to make any difference.

From 130.123.128.1 I can ping 192.168.101.14 and get a reply but when 130.123.128.1 sends snmp packets, the pix receives them but doesn't reply.

NB: We have multiple servers running SNMP, 130.123.128.2 is the primary trap receiver.

In order for you to use 130.123.128.1 or 130.123.128.2, you need to add the statements below:

snmp-server host outside 130.123.128.1

snmp-server host outside 130.123.128.2

MD

In order for you to use 130.123.128.1 or 130.123.128.2, you need to add the statements below:

snmp-server host massey 130.123.128.1

snmp-server host massey 130.123.128.2

MD
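The point in the replies above is that a PIX management peer (snmp-server host, logging host) must be bound to the interface through which the device actually routes to it. As an added example that is not part of the thread, here is a small Python check that parses a PIX-style config and flags peers whose named interface disagrees with the routing table; the config text is a constructed excerpt modelled on the one posted above, not a live device's configuration.

```python
import ipaddress
import re

# Constructed excerpt modelled on the PIX 6.3 config posted in the thread.
SAMPLE_CONFIG = """
nameif ethernet0 massey security10
nameif ethernet1 inside security100
ip address massey 192.168.101.14 255.255.255.252
ip address inside 192.168.67.2 255.255.255.252
route massey 0.0.0.0 0.0.0.0 192.168.101.13 1
route inside 130.123.224.0 255.255.255.0 192.168.67.1 1
logging host inside 130.123.128.69
snmp-server host inside 130.123.128.2
snmp-server community public
"""

def parse_routes(config):
    """Return (network, interface) pairs from 'route' and 'ip address' lines, most specific first."""
    routes = []
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) \S+", config, re.M):
        iface, net, mask = m.groups()
        routes.append((ipaddress.ip_network(f"{net}/{mask}"), iface))
    # Directly connected subnets come from the interface addresses.
    for m in re.finditer(r"^ip address (\S+) (\S+) (\S+)", config, re.M):
        iface, addr, mask = m.groups()
        routes.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), iface))
    return sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)

def egress_interface(routes, host):
    """Longest-prefix match: which interface the PIX would use to reach host."""
    ip = ipaddress.ip_address(host)
    for net, iface in routes:
        if ip in net:
            return iface
    return None

def check_management_hosts(config):
    """Flag peers bound to the wrong interface and default SNMP community strings."""
    routes = parse_routes(config)
    findings = []
    for m in re.finditer(r"^(snmp-server host|logging host) (\S+) (\S+)", config, re.M):
        kind, iface, host = m.groups()
        actual = egress_interface(routes, host)
        if actual != iface:
            findings.append(f"{kind} {host}: bound to '{iface}' but routed via '{actual}'")
    for m in re.finditer(r"^snmp-server community (\S+)", config, re.M):
        if m.group(1).lower() in ("public", "private"):
            findings.append(f"snmp-server community '{m.group(1)}': default community string")
    return findings
```

On the sample, both 130.123.128.x peers are flagged because the only route covering them is the default via the massey interface, which is exactly the mismatch the replies describe.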

snmp-server has no impact on 130.123.128.1 as it is polling, it isn't being sent traps.

But the issue is why does tftp not work but ping does ?

I have heard that there are a bunch of implicit rules associated with a sec0 interface and that may have been the cause, e.g. no telnet unless over ipsec.

The biggest hurdle has been crossed.

By adding tftp-server massey a.b.c.d xxxx

I can now get at any tftp server on the massey side. That achieved I have uploaded various ACLs which seem to have now got most things working the way I want.

My conclusion has been that a PIX is probably not the best solution for an internal deployment.
