04-18-2006 05:41 AM - edited 02-21-2020 12:50 AM
Hello,
My goal is to access tcp port 1723 and GRE (IP 47) on a Windows server inside our LAN from the Internet. I am having trouble connecting through the router and PIX.
Internet > Router > PIX > LAN (Server)
Router External IP (Serial): xx.216.35.242
Router Internal IP (Ethernet): xx.255.89.1
PIX Outside: xx.255.89.2
PIX Inside: 10.34.4.1
Server: 10.34.1.10
Remote Web Filter: xx.48.253.64
-----
Router#show run
Building configuration...
Current configuration : 1570 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
no logging buffered
no logging console
no logging monitor
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
enable password somepassword
!
ip subnet-zero
!
!
!
!
!
!
interface Ethernet0/0
ip address xx.255.89.1 255.255.255.128
ip access-group 101 in
half-duplex
!
interface Serial0/0
ip address xx.216.35.242 255.255.255.252
ip access-group 125 in
ip access-group 125 out
encapsulation frame-relay IETF
service-module t1 clock source internal
service-module t1 timeslots 1-24
!
ip classless
ip route 0.0.0.0 0.0.0.0 xx.216.35.241
ip route xx.48.253.64 255.255.255.224 Ethernet0/0
ip http server
!
no logging trap
access-list 11 permit xx.255.89.0 0.0.0.128
access-list 101 permit ip any host xx.48.244.230
access-list 101 permit ip any host xx.164.1.1
access-list 101 deny tcp any any eq www
access-list 101 permit ip any any
access-list 125 deny udp any any eq tftp
access-list 125 deny tcp any any eq 135
access-list 125 deny udp any any eq 135
access-list 125 deny udp any any eq netbios-ns
access-list 125 deny udp any any eq netbios-dgm
access-list 125 deny tcp any any eq 139
access-list 125 deny udp any any eq netbios-ss
access-list 125 deny tcp any any eq 445
access-list 125 deny tcp any any eq 593
access-list 125 deny tcp any any eq 4444
access-list 125 permit ip any any
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
line aux 0
line vty 0 4
password somepassword
login
!
end
Router#
-----
04-18-2006 07:02 AM
There's not much info here, but to start I'd check/remove the ACLs from the interfaces,
Check all your IP addressing and netmasks (server/PIX inside?)
Check your routing and default gateways
Have you mapped a real address for the inside server and allowed those ports through?
Cheers, Tony
04-18-2006 07:42 AM
This probably isn't anything with your router. This is probably a configuration issue with your PIX. Post your PIX config. P.S., your PIX can do the VPN and use RADIUS to authenticate via Active Directory. It works quite well, and does not expose your server to the public.
EDIT: What are you trying to accomplish with access-list 101 on the Ethernet interface of the router? Still, I think it is the firewall that is causing your issue.
Make sure you have a static and the access list to open the ports needed.
04-18-2006 09:15 AM
PIX# show run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname PIX
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host xx.255.89.6 eq pptp
access-list 100 permit gre any host xx.255.89.6
access-list 100 permit icmp any host xx.255.89.6
pager lines 24
logging on
logging trap debugging
logging host inside 10.34.1.233
mtu outside 1500
mtu inside 1500
ip address outside xx.255.89.2 255.255.255.128
ip address inside 10.34.4.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 xx.255.89.10-xx.255.89.126 netmask 255.255.255.128
global (outside) 1 xx.255.89.4 netmask 255.255.255.128
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.255.89.6 10.34.1.10
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 70.255.89.1 1
route inside xx.48.253.64 255.255.255.224 10.34.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.34.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:
: end
PIX#
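The two prerequisites named earlier in the thread (a static for the published address, and ACL permits for every protocol the service needs, tcp/1723 plus GRE for PPTP) can be checked mechanically. This is an added example against the posted config, not Cisco's or the poster's code; it understands only the PIX 6.3 `static`, `access-list ... host` and `access-group` forms shown here.

```python
import re

# Constructed excerpt of the PIX 6.3 config posted above (outside ACL + static);
# the "xx." octets are masked exactly as in the original post.
PIX_CONFIG = """\
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any host xx.255.89.6 eq pptp
access-list 100 permit gre any host xx.255.89.6
access-list 100 permit icmp any host xx.255.89.6
static (inside,outside) xx.255.89.6 10.34.1.10
access-group 100 in interface outside
"""

# Only permits with a single "host" destination are of interest for published services.
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (.+?) host (\S+)(?: eq (\S+))?$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def check_inbound_publish(config):
    """Return findings about services permitted by the ACL bound inbound on 'outside'.

    A published host needs (1) a static translation for its global address and
    (2) a permit for each protocol the service uses; PPTP needs tcp/1723 AND GRE.
    """
    statics = {}        # global address -> inside address
    permits = []        # (acl, proto, dst, port)
    outside_acl = None
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics[m.group(3)] = m.group(4)
        elif m := ACL_RE.match(line):
            permits.append((m.group(1), m.group(2), m.group(4), m.group(5)))
        elif (m := GROUP_RE.match(line)) and m.group(2) == "outside":
            outside_acl = m.group(1)
    if outside_acl is None:
        return ["no access-group applied inbound on outside"]

    # Group the permits per published address, then check each address once.
    targets = {}
    for acl, proto, dst, port in permits:
        if acl == outside_acl:
            targets.setdefault(dst, set()).add((proto, port))
    findings = []
    for dst, rules in sorted(targets.items()):
        if dst not in statics:
            findings.append(f"{dst}: permitted on outside but no static maps it to an inside host")
        if ("tcp", "pptp") in rules and ("gre", None) not in rules:
            findings.append(f"{dst}: tcp/pptp permitted but GRE (IP 47) missing; PPTP will not come up")
    return findings
```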
04-18-2006 09:23 AM
I had the PIX log to an internal syslogd. It builds the TCP connection, then:
Teardown TCP connection 338186 for outside:xx.242.182.165/1330 to inside:10.34.1.10/1723 duration 0:02:01 bytes 0 SYN Timeout
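The teardown reason is the key field in that log line: "bytes 0" with "SYN Timeout" means the SYN was forwarded to 10.34.1.10 but no SYN/ACK ever came back through the PIX, which points at the server's return path rather than at the ACL. This added example (not from the thread or Cisco) parses PIX 6.3 teardown lines and classifies the reason; the lines other than the quoted one are constructed.

```python
import re

# Constructed PIX 6.3 syslog sample: the first line is the one quoted in the thread,
# the other two are made-up companions showing other common teardown reasons.
SAMPLE_LOG = """\
Teardown TCP connection 338186 for outside:xx.242.182.165/1330 to inside:10.34.1.10/1723 duration 0:02:01 bytes 0 SYN Timeout
Teardown TCP connection 338190 for outside:xx.242.182.165/1334 to inside:10.34.1.10/1723 duration 0:00:00 bytes 0 TCP Reset-I
Teardown TCP connection 338201 for outside:xx.242.182.165/1340 to inside:10.34.1.10/1723 duration 0:04:12 bytes 18340 TCP FINs
"""

TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for (?P<src_if>\w+):(?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst>\S+)/(?P<dport>\d+) duration (?P<duration>\S+) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

# What each teardown reason means when the inside host is the published server.
DIAGNOSIS = {
    "SYN Timeout": "handshake never completed: SYN forwarded, no SYN/ACK returned through the "
                   "firewall (server default gateway, host down, or host-side filtering)",
    "TCP Reset-I": "inside host sent RST: traffic reaches it but nothing listens on that port",
    "TCP FINs": "normal close after a completed session",
}


def classify_teardowns(log_text):
    """Parse teardown lines into (conn_id, dst, dport, bytes, reason, diagnosis) tuples."""
    results = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue            # not a teardown record (Built, Deny, etc.)
        reason = m.group("reason").strip()
        results.append((int(m.group("id")), m.group("dst"), int(m.group("dport")),
                        int(m.group("bytes")), reason,
                        DIAGNOSIS.get(reason, "unclassified teardown reason")))
    return results


def return_path_suspects(log_text):
    """Inside hosts whose inbound connections die with SYN Timeout and zero bytes:
    the first place to check routing / default gateway on the server."""
    return sorted({dst for _, dst, _, nbytes, reason, _ in classify_teardowns(log_text)
                   if reason == "SYN Timeout" and nbytes == 0})
```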
04-18-2006 08:34 PM
I found the problem. (Completely my fault on this one.) I had the default gateway of the server set to the wrong router. The PIX logs showed the traffic coming in but not leaving... because of the default gateway.