10-10-2003 08:03 AM - edited 02-20-2020 11:02 PM
Hello All;
I was wondering if I could ask for some assistance. I am very new to configuring PIX devices, and I am currently having a problem allowing external users to access some of our servers.
I am trying to allow http, smtp, pop3, and RDP (port 3389) traffic through to our web, mail and terminal servers. I think I have the right commands, but it doesn't seem to be working.
Here is a copy of my current config:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password xxxxx encrypted
passwd xxxxxxxencrypted
hostname ymcapix
domain-name ymcadallas.org
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit tcp any host xxx.xxx.xxx.3 eq smtp
access-list 101 permit tcp any host xxx.xxx.xxx.3 eq pop3
access-list 101 permit tcp any host xxx.xxx.xxx.4 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.5 eq 3389
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xxx.xxx.xxx.2 255.255.255.240
ip address inside 192.168.1.3 255.255.255.0
ip address intf2 x.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.0.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.14 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.xxx.3 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.4 192.168.1.9 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.5 192.168.1.11 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
route inside 192.168.0.0 255.255.0.0 192.168.1.251 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxx
Feel free to critique at will. I haven't ever configured one of these devices, so I probably made numerous mistakes. Any advice/help is greatly appreciated.
Thank you all.
10-10-2003 08:19 PM
Actually for a first time you did pretty good. Can't see anything obviously wrong with what you've done. The best way to see what's going on with problems connecting thru a PIX is to turn on syslogging, the PIX will generally tell you exactly what the problem is. Do:
logging on
logging buffer debug
sho log
This will give you a good indication of what's happening. Most syslog messages are pretty self-explanatory, but here's the full list of them for your reference:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/syslog/pixemsgs.htm
Of course if you're not sure what's happening post the syslog output and we'll help interpret. If you don't see any syslog messages then there's a chance your ISP isn't routing the .3-.5 IP addresses through to you, or hasn't activated them, or is filtering low port connections to them, I've seen that numerous times.
10-14-2003 03:30 PM
I have a question on this post, can anyone describe what filtering low port connections is?
I have not heard of that before.
10-11-2003 11:23 AM
Is your ISP's DNS resolving those names to IP appropriately? Does your inside traffic successfully get out to the Internet (is NAT working right (request and return traffic))?
If your servers are using private inside addressing, you should try redirecting the ports:
static (inside,outside) tcp X.X.X.4 80 [yourInsideWWWaddy] 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.X.3 25 [yourInsideSMTPaddy] 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.X.3 110 [yourInsidePOP3addy] 110 netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.X.5 3389 [yourInsideTSsrvaddy] 3389 netmask 255.255.255.255 0 0
This tells the firewall, "any traffic that hits these IPs on ports 80, 25, 110, or 3389 - translate the public IPs to the appropriate inside configured servers".
Your ACL 101 takes care of allowing in the traffic from the Internet.
For security reasons, you should not allow SMTP or POP3 because you can:
SMTP - sniff traffic and read people's email (it's a clear-text protocol).
POP3 - it is very easy to sniff passwds as people check their email and then spoof email once the passwd is gained.
I would really use a VPN for terminal services traffic (to stay away from the possibility of brute force attacks and the trust relationships that can be exploited if one is successful).
also for reference:
Good Luck
Don Garnett
Network Support Specialist
10-14-2003 12:21 PM
Thank you for helping me out. I got the pix working.
clear xlate and clear arp do wonders. Thanks again.
11-04-2003 10:31 PM
The reason clear arp helped may be because you have overlapping translations:
You have assigned a pool for outgoing traffic:
global (outside) 1 xxx.xxx.xxx.14 netmask 255.255.255.240
And you also have addresses from this pool assigned to servers:
static (inside,outside) xxx.xxx.xxx.3 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.4 192.168.1.9 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.5 192.168.1.11 netmask 255.255.255.255 0 0
To prevent problems in the future I think you better change the global line to:
global (outside) 1 interface
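The two things the replies check by hand (every ACL permit has a static behind it, and no global PAT address reuses a static's public address) can be checked mechanically. This is an added example, not code from the thread or from Cisco; the config excerpt is constructed in the thread's shape, with 203.0.113.0/24 documentation addresses standing in for xxx.xxx.xxx.N, the global deliberately set to .3 to reproduce the overlap, and the .5 static omitted.

```python
import re

# Constructed config excerpt modelled on the thread (not the poster's real
# config). 203.0.113.x replaces xxx.xxx.xxx.x; the global address is set to
# .3 on purpose to show the overlap, and the .5 static is left out.
PIX_CONFIG = """\
access-list 101 permit tcp any host 203.0.113.3 eq smtp
access-list 101 permit tcp any host 203.0.113.3 eq pop3
access-list 101 permit tcp any host 203.0.113.4 eq www
access-list 101 permit tcp any host 203.0.113.5 eq 3389
global (outside) 1 203.0.113.3 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.4 80 192.168.1.9 80 netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "http": 80}
ACL_RE = re.compile(r"^access-list (\S+) permit (?:tcp|udp) any host (\S+) eq (\S+)")
# Handles both the plain form and the port-redirect form (tcp <pub> <port> <inside> <port>).
STATIC_RE = re.compile(r"^static \(\w+,\w+\)(?: (?:tcp|udp))? (\S+)(?: (\d+))? (\S+)(?: (\d+))? netmask")
GLOBAL_RE = re.compile(r"^global \((\w+)\) \d+ (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

def audit(config):
    """Return findings: ACL permits with no static behind them, ACLs never
    applied, and global addresses that collide with a static's public IP."""
    statics, acl, globals_, applied = [], [], [], set()
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            pub, pport, inside, _ = m.groups()
            statics.append((pub, int(pport) if pport else None, inside))
        elif m := ACL_RE.match(line):
            acl.append((m[1], m[2], PORT_NAMES.get(m[3]) or int(m[3])))
        elif m := GLOBAL_RE.match(line):
            globals_.append((m[1], m[2]))
        elif m := GROUP_RE.match(line):
            applied.add((m[1], m[2]))
    findings = []
    for acl_id, host, port in acl:
        # A plain static (pport None) covers every port; a redirect covers one.
        if not any(pub == host and pport in (None, port) for pub, pport, _ in statics):
            findings.append(f"acl {acl_id} permits {host}:{port} but no static translates it")
    for acl_id in sorted({a for a, _, _ in acl}):
        if not any(a == acl_id for a, _ in applied):
            findings.append(f"acl {acl_id} is never applied with access-group")
    for iface, addr in globals_:
        for pub, _, inside in statics:
            if addr == pub:
                findings.append(f"global ({iface}) address {addr} overlaps the static for {inside}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(PIX_CONFIG)))
```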