01-23-2004 11:31 AM - edited 02-20-2020 09:23 PM
Ok,
So I have my lab network set up with my shiny new PIX 515e, and I am learning my heart out, but I am having a problem with a static command.
I have a vendor who at this point isn't set up for a VPN, so they use PCAnywhere and I need to open a hole in my nice firewall (I know, what good is a firewall with holes).
I would like to allow PCA for this vendor's IP only (and only this vendor). I have tried experimenting with an access-list and static (see the config below), but the vendor cannot connect. Plus I am often confused by having DHCP from my lab cable modem on the outside interface. I am obviously missing something, but have no idea what.
My other questions are about ICMP and how to properly configure it to allow a host on my internal network to freely ping away at anything on the internet, yet still deny all ICMP except UNREACHABLE on the outside. And can someone explain fixups to me in a simple form... aside from assigning a port to the particular service, what does a fixup do? Cisco documentation will not penetrate my thick skull right now. Also, what do the '0 0' mean at the end of the static statements?
Anyway, here is my config if someone can help me out.
: Saved
: Written by enable_15 at 12:26:18.807 UTC Fri Jan 23 2004
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password XXXXXXXXXXXX/ encrypted
passwd XXXXXXXXXXXX/ encrypted
hostname XXXXXX
domain-name XXXXXXXXXXX
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_inside remark BEGIN BLOCK OF BLASTER PORTS
access-list acl_inside deny udp any any eq tftp
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny udp any any eq netbios-ns
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq netbios-dgm
access-list acl_inside deny tcp any any eq netbios-ssn
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny tcp any any eq 593
access-list acl_inside deny tcp any any eq 4444
access-list acl_inside remark END BLOCK OF BLASTER PORTS
access-list acl_inside permit ip any any
access-list acl_outside remark BEGIN PCA
access-list acl_outside permit udp any host XXX.XXX.XXX.XXX eq pcanywhere-status
access-list acl_outside permit tcp any host XXX.XXX.XXX.XXX eq pcanywhere-data
access-list acl_outside remark END PCA
access-list acl_outside deny ip any any
pager lines 35
logging on
logging buffered debugging
icmp deny any echo-reply outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside dhcp setroute
ip address inside XXX.XXX.XXX.XXX 255.255.255.0
ip address intf2 XXX.XXX.XXX.XXX 255.255.255.0
ip audit info action alarm
ip audit attack action alarm drop
pdm location XXX.XXX.XXX.XXX 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data XXX.XXX.XXX.XXX pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 XXX.XXX.XXX.XXX 5632 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http XXX.XXX.XXX.XXX 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment chain 1 outside
fragment chain 1 inside
telnet timeout 5
ssh 68.44.XX.XXX 255.255.255.255 outside
ssh XXX.XXX.XXX.XXX 255.255.255.255 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:2189482b222dea971e3ed79a61406b4c
01-23-2004 05:17 PM
For the ICMP part you need the following:
access-list acl_outside permit icmp any any echo-reply
access-list acl_outside permit icmp any any unreachable
For the pcAnywhere, make sure that you are opening up the correct ports (although it seems like you are).
You need to see the syslog message for what is being denied.
Thanks
Nadeem
01-24-2004 08:05 PM
>>>"What does a fixup do? "
A fixup is used to handle protocols that use changing ports during the course of a transaction - such as FTP. It has no bearing on pcAnywhere.
>>>"Also what do the '0 0' mean at the end of the static statements?"
The two zeros indicate that no limit has been set on the number of connections nor embryonic connections that this translation can support.
For the pcAnywhere access try this:
Delete your 2 existing statics:
static (inside,outside) tcp interface pcanywhere-data XXX.XXX.XXX.XXX pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 XXX.XXX.XXX.XXX 5632 netmask 255.255.255.255 0 0
Add:
static (inside,outside) interface XXX.XXX.XXX.XXX netmask 255.255.255.255
(Your ACL will control the traffic that is allowed in).
01-24-2004 09:07 PM
Another thought - Maybe all you need to do is delete:
"static (inside,outside) tcp interface 5632 XXX.XXX.XXX.XXX 5632 netmask 255.255.255.255 0 0"
And add:
"static (inside,outside) udp interface 5632 XXX.XXX.XXX.XXX 5632 netmask 255.255.255.255 0 0"
(changing tcp to udp)
01-25-2004 06:57 AM
Thanks PD,
I am going to try it...as soon as I get back to the office!
I have been trying to follow the documentation to the 'T', but I will let you know how this works.
Marc
01-28-2004 06:34 AM
Ok,
So I have tried it a few different ways but nothing seems to work. I have tried switching the 'interface' in the static statement to the actual IP, but it still doesn't work. Does anyone have any ideas? These static/access-list combos are making me nutz! I still can't get the PCA or the port 3389 to redirect to the inside. Here is the config again. Thanks for any advice!
pix(config)# show conf
: Saved
: Written by enable_15 at 09:13:38.907 UTC Wed Jan 28 2004
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password XXXXXXXXXX/ encrypted
passwd XXXXXXXXXXXXXX/ encrypted
hostname pix
domain-name XXXXXXXXXXX
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_inside remark BEGIN BLOCK OF BLASTER PORTS
access-list acl_inside deny udp any any eq tftp
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny udp any any eq netbios-ns
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq netbios-dgm
access-list acl_inside deny tcp any any eq netbios-ssn
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny tcp any any eq 593
access-list acl_inside deny tcp any any eq 4444
access-list acl_inside remark END BLOCK OF BLASTER PORTS
access-list acl_inside permit ip any any
access-list acl_outside remark BEGIN PCA
access-list acl_outside permit udp any host xxx.xxx.xxx.xxx eq pcanywhere-status
access-list acl_outside permit tcp any host xxx.xxx.xxx.xxx eq pcanywhere-data
access-list acl_outside remark END PCA
access-list acl_outside permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list acl_outside deny ip any any
pager lines 35
logging on
logging buffered debugging
icmp deny any echo-reply outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside dhcp setroute
ip address inside xxx.xxx.xxx.xxx 255.255.255.0
ip address intf2 xxx.xxx.xxx.xxx 255.255.255.0
ip audit info action alarm
ip audit attack action alarm drop
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) udp xxx.xxx.xxx.xxx pcanywhere-status xxx.xxx.xxx.xxx pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 xxx.xxx.xxx.xxx 3389 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
ntp server xxx.xxx.xxx.xxx source inside
http server enable
http xxx.xxx.xxx.xxx 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment chain 1 outside
fragment chain 1 inside
telnet timeout 5
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
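On a PIX 6.x, an inbound connection from the outside needs two things at once: an ACL permit on the outside interface (matched against the global, i.e. translated, address) and a static translation that delivers that protocol and port to the inside host; without the second, the box logs a "No translation group found" (%PIX-3-305005) message, which is the syslog entry Nadeem asked for. The script below is an added example, not part of this thread and not a Cisco tool: it parses the static, access-list and access-group lines of a PIX 6.3 config and reports every host-specific TCP/UDP permit on the outside ACL that no static can deliver. The two sample configs are constructed to mirror the Jan 23 and Jan 28 configs above with placeholder addresses (192.0.2.10 as the assumed DHCP lease on the outside, 10.0.0.50 as the inside host); the outside address is passed in because the config only says "dhcp".

```python
"""Audit PIX 6.x outside-ACL permits against static translations (added example)."""

# PIX 6.3 port literals that appear in the thread (well-known values).
PORT_NAMES = {"pcanywhere-data": 5631, "pcanywhere-status": 5632, "tftp": 69}


def port_num(token):
    """Resolve a PIX port literal or a numeric port to an int (None if unknown)."""
    return PORT_NAMES.get(token, int(token) if token.isdigit() else None)


def take_addr(tokens):
    """Consume one ACL address operand: 'any', 'host X' or 'X MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return tokens[0], tokens[2:]


def parse_config(text, outside_ip=None):
    """Return (statics, outside_aces, outside_ip).

    statics: dicts with proto (None for a 1-to-1 static), gip, gport, lip, lport.
    outside_ip resolves the 'interface' keyword; pass it when the outside
    address comes from DHCP, since the config itself does not contain it.
    """
    statics, acls, outside_acl = [], {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "ip" and len(t) > 3 and t[1:3] == ["address", "outside"] and t[3] != "dhcp":
            outside_ip = t[3]
        elif t[0] == "static":
            if t[2] in ("tcp", "udp"):   # port static: proto gip gport lip lport
                statics.append(dict(proto=t[2], gip=t[3], gport=port_num(t[4]),
                                    lip=t[5], lport=port_num(t[6])))
            else:                        # 1-to-1 static: gip lip
                statics.append(dict(proto=None, gip=t[2], gport=None, lip=t[3], lport=None))
        elif t[0] == "access-list" and t[2] == "permit":
            name, proto, rest = t[1], t[3], t[4:]
            _src, rest = take_addr(rest)
            dst, rest = take_addr(rest)
            port = port_num(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(name, []).append(dict(line=raw, proto=proto, dst=dst, port=port))
        elif t[0] == "access-group" and t[-1] == "outside":
            outside_acl = t[1]
    for s in statics:                    # 'interface' means the outside address
        if s["gip"] == "interface":
            s["gip"] = outside_ip
    return statics, acls.get(outside_acl, []), outside_ip


def audit(text, outside_ip=None):
    """Return one finding per host-specific TCP/UDP permit on the outside ACL
    that no static translation (same global address, same proto and port, or a
    1-to-1 static for that address) can deliver to an inside host."""
    statics, aces, outside_ip = parse_config(text, outside_ip)
    findings = []
    for a in aces:
        if a["dst"] == "any" or a["proto"] not in ("tcp", "udp") or a["port"] is None:
            continue                     # only host/port permits are checked here
        delivered = any(s["gip"] == a["dst"] and (s["proto"] is None or
                        (s["proto"] == a["proto"] and s["gport"] == a["port"]))
                        for s in statics)
        if delivered:
            continue
        same_port = [s["proto"] for s in statics if s["gip"] == a["dst"]
                     and s["gport"] == a["port"] and s["proto"] != a["proto"]]
        if same_port:
            hint = f"a {same_port[0]} static exists for this port: change it to {a['proto']}"
        elif any(s["gip"] == a["dst"] for s in statics):
            hint = "no static publishes this port"
        else:
            hint = (f"no static uses global address {a['dst']}; with a DHCP outside "
                    f"address the ACE must name the current lease ({outside_ip})")
        findings.append(f"{a['line']}: no {a['proto']} translation for "
                        f"{a['dst']}:{a['port']} ({hint})")
    return findings


# Constructed sample modelled on the Jan 23 config: both statics are TCP,
# but pcAnywhere status (5632) is UDP.
CONFIG_JAN23 = """\
ip address outside dhcp setroute
access-list acl_outside permit udp any host 192.0.2.10 eq pcanywhere-status
access-list acl_outside permit tcp any host 192.0.2.10 eq pcanywhere-data
access-list acl_outside deny ip any any
static (inside,outside) tcp interface pcanywhere-data 10.0.0.50 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 10.0.0.50 5632 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
"""

# Constructed sample modelled on the Jan 28 config: the UDP static is now
# right, but the TCP pcanywhere-data (5631) static was dropped.
CONFIG_JAN28 = """\
ip address outside dhcp setroute
access-list acl_outside permit udp any host 192.0.2.10 eq pcanywhere-status
access-list acl_outside permit tcp any host 192.0.2.10 eq pcanywhere-data
access-list acl_outside permit tcp any host 192.0.2.10 eq 3389
access-list acl_outside deny ip any any
static (inside,outside) udp 192.0.2.10 pcanywhere-status 10.0.0.50 pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.10 3389 10.0.0.50 3389 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("Jan 23", CONFIG_JAN23), ("Jan 28", CONFIG_JAN28)):
        print(f"== {label} ==")
        for f in audit(cfg, outside_ip="192.0.2.10") or ["no findings"]:
            print(" ", f)
```

Run against the Jan 23 sample it reports the UDP/TCP mismatch on 5632 that PD pointed out; against the Jan 28 sample it reports that nothing publishes TCP 5631 any more. Appending PD's single 1-to-1 static, `static (inside,outside) interface 10.0.0.50 netmask 255.255.255.255`, clears every finding, because a 1-to-1 static delivers any port and the ACL alone then decides what gets in. Two caveats a practitioner should keep in mind: the check keys on the global address, so when the outside lease changes the `host` entries in the ACL must follow it, and it says nothing about the vendor-only restriction the original poster wanted, which would need `host <vendor IP>` as the ACE source instead of `any`.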