Test Firewall setup - Not working

atvejovis
Level 1

I've been trying to find a few guides to set up this box but none seem to work entirely:

http://www.youtube.com/watch?v=CByWWdC2Deo&feature=related

another:

http://www.dslreports.com/faq/15785

So I'm setting up a Pix 525 for testing and I'm having a few issues to start with. I can't seem to make the interface eth 0 or 1 register the IP changes I want.

Entering the following commands, the (config-if) prompt drops to (config); it seems that the FTP address takes the change but not the interfaces.

pix525(config)# interface ethernet0
pix525(config-if)# ip address 192.168.50.10 255.255.255.0
pix525(config)#

End result is I'd like to be able to access this box from an ASDM client on an internal IP of 192.168.50.XXX

Thanks in advance!

------

INFO

Config:

PIX Version 8.0(4)
!
firewall transparent
hostname pix525
enable password xxxxxxxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxx
names
!
interface Ethernet0
nameif outside
security-level 0
!
interface Ethernet1
nameif inside
security-level 100
!
interface Ethernet2
shutdown
no nameif
no security-level
!
interface Ethernet3
shutdown
no nameif
no security-level
!
interface Ethernet4
shutdown
no nameif
no security-level
!
interface Ethernet5
shutdown
no nameif
no security-level
!
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 192.168.50.10 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end


pix525(config)# show ver

Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)

Compiled on Thu 07-Aug-08 19:42 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"

pix525 up 5 hours 28 mins

Hardware:   PIX-525, 768 MB RAM, CPU Pentium III 748 MHz
Flash E28F128J3 @ xxx, 16MB
BIOS Flash AM29F400B @ xxx, 32KB

0: Ext: Ethernet0           : address is xxxx
1: Ext: Ethernet1           : address is xxx
2: Ext: Ethernet2           : address is xxx
3: Ext: Ethernet3           : address is xxx
4: Ext: Ethernet4           : address is xxx
5: Ext: Ethernet5           : address is xxx

Licensed features for this platform:
Maximum Physical Interfaces  : 10
Maximum VLANs                : 100
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Cut-through Proxy            : Enabled
Guards                       : Enabled
URL Filtering                : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : Unlimited


Marvin Rhoads
Hall of Fame

Your config-if mode dropping back into global config mode like that is odd. I've never seen that. What does "show interface eth0" give you?

For the ASDM to work, you will also need a command with the syntax:

     http <address> <netmask> inside

e.g., something like:

     http 192.168.50.0 255.255.255.0 inside

Matt Lang
Level 1

The PIX is running in transparent mode (see the command at the top 'firewall transparent').  If you also notice, further down in the configuration is the IP address you assigned with the command 'ip address 192.168.50.10 255.255.255.0'.  In order to change it back to routed mode, enter the command 'no firewall transparent'. 

Matt

So I followed what both of you said and here's where I'm stuck:


pix525(config)# no firewall transparent
pixfirewall(config)# http 192.168.50.10 255.255.255.0 inside
                                                      ^
ERROR: % Invalid input detected at '^' marker.
pixfirewall(config)# http 192.168.50.10 255.255.255.0 ?

configure mode commands/options:
Current available interface(s):
pixfirewall(config)# http 192.168.50.10 255.255.255.0

I've seen this error or issue a few times with the "Current available interface(s):" output. Is there something I have not done on those interfaces to activate this in some way?

Mklemovitch: What does "show interface eth0" give you?

pixfirewall(config)# show interface eth0
Interface Ethernet0 "", is administratively down, line protocol is up
  Hardware is i82559, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address xxxxxxx MTU not set
        IP address unassigned
        118018 packets input, 28066138 bytes, 0 no buffer
        Received 47074 broadcasts, 0 runts, 0 giants
        1 input errors, 0 CRC, 0 frame, 1 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        73 packets output, 5724 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (0/1) software (0/128)
        output queue (curr/max packets): hardware (1/1) software (0/1)

Okay so I feel I'm getting somewhere now:

pixfirewall(config)# interface ethernet0
pixfirewall(config-if)# no shutdown
pixfirewall(config-if)# show interface eth0
Interface Ethernet0 "", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 0007.eb2a.035d, MTU not set
        IP address unassigned
pixfirewall(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
pixfirewall(config-if)# ip address 192.168.50.10 255.255.255.0
pixfirewall(config-if)# http 192.168.50.10 255.255.255.0 outside
WARNING: IP address <192.168.50.10> and netmask <255.255.255.0> inconsistent

Still unable to connect via my network that is running on 192.168.0.1 to the ASDM client. So far the firewall is connected to a PC via the console and eth0 is connected to my network with the above IP scheme.

----------------------------------------------

Here's the current running config:

pixfirewall(config)# show running-config

: Saved
:
PIX Version 8.0(4)
!
hostname pixfirewall
enable password xxxxxxxxxxx
passwd xxxxxxxxxx
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.50.10 255.255.255.0
!
interface Ethernet1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
pager lines 24
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
xxxxxxxxxxxxxxxxxxxxx
: end

Your subnet mask is incorrect for that command.  Try the following...

http 192.168.50.10 255.255.255.255 inside

Matt

So at this point I just want to get the ASDM client to connect. It seems that through the command line I'm having zero luck doing much of anything.

I believe I'm having some subnet mask conflicts.

pixfirewall(config)# int eth0
pixfirewall(config-if)# nameif outside
pixfirewall(config-if)# ip address 192.168.1.2 255.255.255.0
pixfirewall(config-if)# http ?

configure mode commands/options:
  Hostname or A.B.C.D  The IP address of the host and/or network authorized to
                       access the HTTP server
  X:X:X:X::X/<0-128>   IPv6 address/prefix authorized to access the HTTP server
  server               Enable the http server required to run Device Manager
pixfirewall(config-if)# http 192.168.1.2 255.255.255.0 outside
WARNING: IP address <192.168.1.2> and netmask <255.255.255.0> inconsistent
pixfirewall(config)# http 192.168.1.2 255.255.255.255 outside
pixfirewall(config)#

In order to not have an error, the subnet masks are different. I set my PC NIC to 192.168.1.1 255.255.255.255 and at this point I cannot connect.

Ideas?

Thanks,

V

V,

It seems you haven't had an opportunity to learn about subnet masks and how they work. When you configure a Pix (or switch or router or PC) interface, the mask you are giving it is for the network it belongs to. Thus 255.255.255.0 above is a /24 (last octet or 8 bits of the 32-bit address is all zeros meaning that 24 bits are the network number).

Interfaces are always masked with the netmask in order to distinguish the host address from the network address. The netmask must be consistent for all devices on a given network. That is how we are able to properly ascertain layer 2 (MAC) addresses with layer 3 (IP) broadcasts - by sending a broadcast (all 1's) frame on the network asking "Who has address xxx.xxx.xxx.xxx?"

So your workstation and the Pix interface must have the same correct mask. 255.255.255.0 is the most common for a Class C network (although others are possible and not uncommon).

The "http" command on the Pix is more like an access-list - you are telling the Pix from whom it may accept http(s) requests (https is used by ASDM for management). You tell it how tightly you want to control that access by using the netmask also. In this case you can specify a single host (netmask 255.255.255.255). When doing so, you would then give the exact host address in the first number. e.g.:

     http 192.168.1.1 255.255.255.255 outside

You could allow any host in that network to manage the Pix (the user would still have to authenticate) by making the mask less specific. When you do that, you would also not give a host address but rather a network address. That would look like:

     http 192.168.1.0 255.255.255.0 outside

Is that clearer now?
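The address/mask rules in this answer, as an added example that is not part of the thread: it uses Python's standard ipaddress module and the addresses quoted in the posts to show why the "inconsistent" warning fires, what an `http` entry actually permits, and why a /32 on the workstation isolates it.

```python
import ipaddress

# Added example (not from the thread): models the two uses of an address/mask
# pair discussed above with the standard-library ipaddress module. The PIX
# entries and host addresses below are the ones quoted in the posts.


def mask_is_consistent(address: str, mask: str) -> bool:
    """True when no host bits are set under the mask, i.e. the pair names a
    network (or one host under 255.255.255.255). An entry such as
    'http 192.168.50.10 255.255.255.0' fails this, which is what the PIX
    'IP address ... and netmask ... inconsistent' warning is reporting."""
    addr_bits = int(ipaddress.IPv4Address(address))
    host_bits = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))
    return (addr_bits & host_bits) == 0


def http_allows(entries, src_ip: str, src_iface: str) -> bool:
    """Emulates the access-list behaviour of 'http A.B.C.D MASK IFACE':
    a management request is accepted when it arrives on the named interface
    and its source address lies inside address/mask. 'entries' is a list of
    (address, mask, interface) tuples as they would appear in the config."""
    src = ipaddress.IPv4Address(src_ip)
    for address, mask, iface in entries:
        permitted = ipaddress.IPv4Network((address, mask), strict=False)
        if iface == src_iface and src in permitted:
            return True
    return False


def same_network(ip_a: str, mask_a: str, ip_b: str, mask_b: str) -> bool:
    """Applies the rule given above: two hosts on one LAN must use the same
    mask and that mask must put them in the same network number. A PC set to
    255.255.255.255 is alone in its 'network', so it cannot reach the PIX."""
    if mask_a != mask_b:
        return False
    net_a = ipaddress.IPv4Network((ip_a, mask_a), strict=False)
    net_b = ipaddress.IPv4Network((ip_b, mask_b), strict=False)
    return net_a == net_b


if __name__ == "__main__":
    # The three forms tried in the thread, checked for the PIX warning.
    for entry in [("192.168.50.10", "255.255.255.0"),
                  ("192.168.1.2", "255.255.255.255"),
                  ("192.168.1.0", "255.255.255.0")]:
        print(entry, "consistent" if mask_is_consistent(*entry) else "WARNING")
```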

Awesome. Your description was perfect.

And no, I have not been fully trained on the subnets. I'm attempting to get my network up and running before starting the training fully, which is probably not the best way to do this lol.

At this point I've at least got in to the ASDM client.

My end goal at this point is to test this setup at home where I have a dynamic outside IP and an internal network of 192.168.50.X

As I now have access to do this via the ASDM client vs only the command line, I'm hoping this will be easier. Any suggestions as to setup for this?

Thanks tons!

V

You're welcome.

It will be more challenging for you (as you are seeing) to jump into Cisco security products like Pix without having the foundation of TCP/IP networking - addressing, netmasks, etc. That is why Cisco certifications all start with the CCENT or CCNA certification - so that a consistent basic knowledge level is established first.

I would suggest getting one of the study guides for either of those certifications, working through some online labs or even, if you have the resources, setting up either a real lab of your own or a "virtual lab" using a free tool like GNS3. Without the fundamentals in place, I would imagine it will be frustrating to be able to focus on the more specific security application of devices like the Pix.

https://learningnetwork.cisco.com/index.jspa has lots of resources for this endeavor, as do many other sites out there (including some of the other forums here).
