Newbie PCA access-list/static question--with a few other questions too!

moconnor
Level 1

Ok,

So I have my lab network set up with my shiny new PIX 515e, and I am learning my heart out but I am having a problem with a static command.

I have a vendor who at this point isn't set up for a VPN, so they use PCAnywhere and I need to open a hole in my nice firewall (I know, what good is a firewall with holes).

I would like to allow PCA for this vendor's IP only (and only this vendor). I have tried experimenting with an access-list and static (see the config below) but the vendor cannot connect. Plus I am often confused by having DHCP from my lab cable modem on the outside interface. I am obviously missing something, but have no idea what.

My other questions are about ICMP and how to properly configure it to allow a host on my internal network to be able to freely ping away at anything on the internet yet still deny all ICMP except UNREACHABLE on the outside. And can someone explain fixups to me in a simple form... aside from assigning a port to the particular service, what does a fixup do? Cisco documentation will not penetrate my thick skull right now. Also, what do the '0 0' mean at the end of the static statements?

Anyway, here is my config, if someone can help me out.

: Saved
: Written by enable_15 at 12:26:18.807 UTC Fri Jan 23 2004
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password XXXXXXXXXXXX/ encrypted
passwd XXXXXXXXXXXX/ encrypted
hostname XXXXXX
domain-name XXXXXXXXXXX
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_inside remark BEGIN BLOCK OF BLASTER PORTS
access-list acl_inside deny udp any any eq tftp
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny udp any any eq netbios-ns
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq netbios-dgm
access-list acl_inside deny tcp any any eq netbios-ssn
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny tcp any any eq 593
access-list acl_inside deny tcp any any eq 4444
access-list acl_inside remark END BLOCK OF BLASTER PORTS
access-list acl_inside permit ip any any
access-list acl_outside remark BEGIN PCA
access-list acl_outside permit udp any host XXX.XXX.XXX.XXX eq pcanywhere-status
access-list acl_outside permit tcp any host XXX.XXX.XXX.XXX eq pcanywhere-data
access-list acl_outside remark END PCA
access-list acl_outside deny ip any any
pager lines 35
logging on
logging buffered debugging
icmp deny any echo-reply outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside dhcp setroute
ip address inside XXX.XXX.XXX.XXX 255.255.255.0
ip address intf2 XXX.XXX.XXX.XXX 255.255.255.0
ip audit info action alarm
ip audit attack action alarm drop
pdm location XXX.XXX.XXX.XXX 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data XXX.XXX.XXX.XXX pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 XXX.XXX.XXX.XXX 5632 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http XXX.XXX.XXX.XXX 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment chain 1 outside
fragment chain 1 inside
telnet timeout 5
ssh 68.44.XX.XXX 255.255.255.255 outside
ssh XXX.XXX.XXX.XXX 255.255.255.255 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:2189482b222dea971e3ed79a61406b4c

5 Replies

nkhawaja
Cisco Employee

For the ICMP part you need the following:

access-list acl_outside permit icmp any any echo-reply

access-list acl_outside permit icmp any any unreachable

For pcAnywhere, make sure that you are opening up the correct ports (although it seems like you are).

You need to see the syslog message for what is being denied.

Thanks

Nadeem

pd-yca
Level 1

>>> "What does a fixup do?"

A fixup is used to handle protocols that use changing ports during the course of a transaction - such as FTP. It has no bearing on pcAnywhere.

>>>"Also what do the '0 0' mean at the end of the static statments?"

The two zeros indicate that no limit has been set on the number of connections nor embryonic connections that this translation can support.

For the pcAnywhere access try this:

Delete your 2 existing statics:

static (inside,outside) tcp interface pcanywhere-data XXX.XXX.XXX.XXX pcanywhere-data netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 5632 XXX.XXX.XXX.XXX 5632 netmask 255.255.255.255 0 0

Add:

static (inside,outside) interface XXX.XXX.XXX.XXX netmask 255.255.255.255

(Your ACL will control the traffic that is allowed in).

Another thought - Maybe all you need to do is delete:

"static (inside,outside) tcp interface 5632 XXX.XXX.XXX.XXX 5632 netmask 255.255.255.255 0 0"

And add:

"static (inside,outside) udp interface 5632 XXX.XXX.XXX.XXX 5632 netmask 255.255.255.255 0 0"

(changing tcp to udp)
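Putting the two replies together, here is an added example config (not from the thread) that opens pcAnywhere only from the vendor's address, as the original question asks, and permits the ICMP replies for inside hosts. Constructed addresses are assumed: vendor public IP 203.0.113.10 and inside pcAnywhere host 192.168.1.50.

```cisco
! Added example, not the thread's own config. Constructed addresses:
!   vendor's public IP 203.0.113.10, inside pcAnywhere host 192.168.1.50.
! The outside address is DHCP-assigned, so the statics use the interface
! keyword (as in the original post) rather than a fixed global address.
static (inside,outside) tcp interface pcanywhere-data 192.168.1.50 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 192.168.1.50 pcanywhere-status netmask 255.255.255.255 0 0
!
! On PIX 6.3 an ACL applied to the outside interface is checked against the
! translated (outside) destination, not the inside address 192.168.1.50.
! With a DHCP outside address the destination is left as any; the source is
! pinned to the single vendor host and the final deny drops everything else.
access-list acl_outside remark BEGIN PCA (vendor host only)
access-list acl_outside permit tcp host 203.0.113.10 any eq pcanywhere-data
access-list acl_outside permit udp host 203.0.113.10 any eq pcanywhere-status
access-list acl_outside remark END PCA
!
! The icmp command only controls ICMP addressed to the PIX interface itself.
! Replies to pings from inside hosts are through-traffic and must be
! permitted by the ACL (PIX 6.3 does not track ICMP statefully), so only
! echo-reply and unreachable are let back in.
access-list acl_outside permit icmp any any echo-reply
access-list acl_outside permit icmp any any unreachable
access-list acl_outside deny ip any any
access-group acl_outside in interface outside
```

While the vendor tests, `show logging` displays the buffered syslog that the config already enables; an ACL drop shows up as message 106023 with the denied source, destination and port.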

Thanks PD,

I am going to try it...as soon as I get back to the office!

I have been trying to follow the documentation to the 'T', but I will let you know how this works.

Marc

Ok,

So I have tried it a few different ways but nothing seems to work. I have tried switching the 'interface' in the static statement to the actual IP but it still doesn't work. Does anyone have any ideas? These static/access-list combos are making me nuts! I still can't get the PCA or the port 3389 to redirect to the inside. Here is the config again. Thanks for any advice!

pix(config)# show conf
: Saved
: Written by enable_15 at 09:13:38.907 UTC Wed Jan 28 2004
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password XXXXXXXXXX/ encrypted
passwd XXXXXXXXXXXXXX/ encrypted
hostname pix
domain-name XXXXXXXXXXX
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_inside remark BEGIN BLOCK OF BLASTER PORTS
access-list acl_inside deny udp any any eq tftp
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny udp any any eq netbios-ns
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq netbios-dgm
access-list acl_inside deny tcp any any eq netbios-ssn
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny tcp any any eq 593
access-list acl_inside deny tcp any any eq 4444
access-list acl_inside remark END BLOCK OF BLASTER PORTS
access-list acl_inside permit ip any any
access-list acl_outside remark BEGIN PCA
access-list acl_outside permit udp any host xxx.xxx.xxx.xxx eq pcanywhere-status
access-list acl_outside permit tcp any host xxx.xxx.xxx.xxx eq pcanywhere-data
access-list acl_outside remark END PCA
access-list acl_outside permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list acl_outside deny ip any any
pager lines 35
logging on
logging buffered debugging
icmp deny any echo-reply outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside dhcp setroute
ip address inside xxx.xxx.xxx.xxx 255.255.255.0
ip address intf2 xxx.xxx.xxx.xxx 255.255.255.0
ip audit info action alarm
ip audit attack action alarm drop
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) udp xxx.xxx.xxx.xxx pcanywhere-status xxx.xxx.xxx.xxx pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 xxx.xxx.xxx.xxx 3389 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
ntp server xxx.xxx.xxx.xxx source inside
http server enable
http xxx.xxx.xxx.xxx 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment chain 1 outside
fragment chain 1 inside
telnet timeout 5
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
