Solved: Re: IOS commands for NAT

imanco671 · ‎08-25-2011

Hello Community,

I have been using the PDM, I want to get familiar with IOS, so I am learning right now.

My daily routines on my PIX firewall to do the following (which I want to do in command line for now on):

1. add new server's IP address (173.x.x.x.22) along with the name (server01) to my interface called (NewBlock).

2. add that server's name to the group (DemoNetworkGroup)

3. Create a new access rule allowing it to be opened for port 80 traffic.

4. Create a new Translation Rule for 173.x.x.22

See it is a little weird in my setup, I have the PIX translating WAN IP addresses to WAN IP addresses. Then these WAN IP addresses goes to another router. So if you see that I am translating WAN address to WAN address, dont think its a mistake.

My internal interface is called NewBlock.

My outside interface is called Outside

Thank for helping me learn!!!

Jon Marshall · ‎08-26-2011

John

Okay, you have most of the commands. In reference to your original post here are the commands -

1) name 173.x.x.x webserver

2) object-group network DemoNetworkGroup

network-object host 173.x.x.x

3) ** see below

4) static (NewBlock, outside) 173.x.x.x 173.x.x.x netmask 255.255.255.255

3) all depends on your existing access-list. Presumably you have an access-list applied to the outside interface ie. something like this in your config -

access-group outside_in in interface outside <-- where outside_in is the name of the access-list (obviously yours may be different).

The line you would need to add for port 80 access from any host on the internet would be -

access-list outside_in permit tcp any host 173.x.x.x eq www

you need to look at your acl and work out where to put the line. If your acl only has permits in it then it safe simply to type in the above line and it will simply add it to the end. There is an implicit "deny ip any any" at the end of every acl but if there is no actual explicit entry your line will come before it.

There could be a couple of other possibilities -

1) you have a "deny ip any any" line explicitly at the end of the acl

or

2) you have a deny somewhere in your acl that would block traffic to the web server so you need your line to go above it.

Either way you need to enter the above acl entry with a line index number. If you do a sh access-list outside_in you will see the line numbers. Note, you need to run the actual "sh access-list outside_in" command to see the line numbers. If you view the access-list in the running config with "sh run" you do not see the line numbers. If you then entered a new acl entry with a line number of 4 it will simply bump up the existing line numbers ie. line 4 becomes 5, 5 becomes 6 etc. Don't worry nothing gets overwritten of deleted.

So assuming you needed your new acl entry to be line 10 yo would modify the above to be -

access-list outside_in line 10 permit tcp any host 173.x.x.x eq www

Jon

View solution in original post

Jon Marshall · ‎08-25-2011

John

What exactly is your question ?

Jon

SunilKhanna · ‎08-26-2011

Hi John,

Here is a URL which lists few NAT documents availble on cisco.com, thought you might find it useful.

http://www.cisco.com/en/US/tech/tk648/tk361/tk438/tsd_technology_support_sub-protocol_home.html

Regards,

Sunil

Regards, Sunil Khanna

imanco671 · ‎08-26-2011

Hi Jon,

I just wanted to know the proper commands. I only ask for them b/c I am afraid I may mess something up if I research and try things myself. I rather be sure that I am inputting the proper commands from an expert like you.

Sorry, not trying to be lazy...

imanco671 · ‎08-26-2011

Hi Sunil,

Thanks for the link!!

John

Jon Marshall · ‎08-26-2011

John

No problem. I was just a bit confused that was all

Jon

imanco671 · ‎08-26-2011

Hi Jon,

Any idea on what commands I should run?

John

Jon Marshall · ‎08-26-2011

Oh sorry, i thought the docs has provided that.

Okay can you clarify before posting commands -

1) what version of software on pix - "sh ver" will tell you

2) not sure what you mean by -

add new server's IP address (173.x.x.x.22) along with the name (server01) to my interface called (NewBlock).

you don't add things to interfaces like that. Could you explain exactly what you mean here ?

Presumably you already have an access-list that you want to add this new access to ? If so does it have an explicit "deny ip any any" at the end or not ? If it does you need to enter the new acl entry by index number. If it doesn't you can just add it to the access-list and it will be added at the end.

Just to confirm you are natting the IP address to the same IP address ? Which interfaces ?

Jon

imanco671 · ‎08-26-2011

Hi Jon,

No Problem,

1. Cisco PIX Firewall Version 6.3(5)

Cisco PIX Device Manager Version 3.0(4)

Yes I am NATing the 173.x.x.x. address to interface named: NewBlock.

Here are the lines I want to show in after pulling my running-config (below is the outcome I want, which is the NATing and defining of my ip address 173.x.x.x.):

1. name 173.x.x.x webserver

2.network-object webserver 255.255.255.255

3. pdm location webserver 255.255.255.255 NewBlock

4. static (NewBlock, outside) webserver webserver netmask 255.255.255.255 0 0

I am not sure if I am missing anythig from above or not. The "pdm" statement is from using the web interface, which I am trying to stop using. I thing there should be a "access-list" line above.

John

Jon Marshall · ‎08-26-2011

John

Okay, you have most of the commands. In reference to your original post here are the commands -

1) name 173.x.x.x webserver

2) object-group network DemoNetworkGroup

network-object host 173.x.x.x

3) ** see below

4) static (NewBlock, outside) 173.x.x.x 173.x.x.x netmask 255.255.255.255

3) all depends on your existing access-list. Presumably you have an access-list applied to the outside interface ie. something like this in your config -

access-group outside_in in interface outside <-- where outside_in is the name of the access-list (obviously yours may be different).

The line you would need to add for port 80 access from any host on the internet would be -

access-list outside_in permit tcp any host 173.x.x.x eq www

you need to look at your acl and work out where to put the line. If your acl only has permits in it then it safe simply to type in the above line and it will simply add it to the end. There is an implicit "deny ip any any" at the end of every acl but if there is no actual explicit entry your line will come before it.

There could be a couple of other possibilities -

1) you have a "deny ip any any" line explicitly at the end of the acl

or

2) you have a deny somewhere in your acl that would block traffic to the web server so you need your line to go above it.

Either way you need to enter the above acl entry with a line index number. If you do a sh access-list outside_in you will see the line numbers. Note, you need to run the actual "sh access-list outside_in" command to see the line numbers. If you view the access-list in the running config with "sh run" you do not see the line numbers. If you then entered a new acl entry with a line number of 4 it will simply bump up the existing line numbers ie. line 4 becomes 5, 5 becomes 6 etc. Don't worry nothing gets overwritten of deleted.

So assuming you needed your new acl entry to be line 10 yo would modify the above to be -

access-list outside_in line 10 permit tcp any host 173.x.x.x eq www

Jon

Jon Marshall · ‎08-26-2011

John

One other point i forgot to mention. If you are adding the server to an object-group there may well be entries in the acl that reference that object-group so you may not actually need make a new entry in your acl.

Be aware that if for example you had port 25 (smtp), 80(www), 443(ssl) allowed to this object-group this allows access to those ports on all servers in that object-group. So by adding the server to the object-group you are effectively allowing access to the above ports on the new server. Whether or not those services are running is another matter but you should only allow the ports to any server that are needed.

So sometimes you don't actually want to add it to an object-group because it allows too much access.

Just something to be aware of.

Jon

imanco671 · ‎08-27-2011

Hi John,

Great replys. Some good points!

I have issued the name command successfully

I have also issued the static command successfuly (which I beleive is to define the static NAT? )

I am not on the ACL. Is this my next step? or am I missing a command to issue before this step?

I am confused with my ACL. I just want to clarify a couple things.

I have the following questionable lines in my "show run"...

conduit permit tcp host Abbott05 eq www any

access-list inside_outbound_nat0_acl permit ip host hcwin07 any

I am consused on the above. I beleive that my in_outside is called....."inside_outbound_nat0_acl" ?

Or is my outside_in called...."inside_outbound_nat0_acl" ?

When I issue the "show access-list insode_outbound_nat0_acl" I get:

access-list inside_outbound_nat0_acl line 43 permit ip host POI any (hitcnt=7494)

But I do not see any of my normal www or smtp ACLs when I issue the command.

Jon Marshall · ‎08-27-2011

John

Ah yes, i seem to remember you are allowing access using conduits. Conduits were used before acls came into use on the pix.

You had better post the config (minus any public IP info) so i can have a look. It would probably be a good idea to look to migrate all the conduit commands to access-lists. Conduits really aren't much in use anymore.

Jon

imanco671 · ‎08-27-2011

Jon,

Great idea, I would like to clean up while learning command line for inserting, defining and issueing NATs on my PIX.

Could those Conduit lines be from using the PDM gui? (which I am trying to stop using)

Let me know if you see something "screwy" in my config. I'll clean up...

Below is my running config.

Result of firewall command: "show run"

: Saved

:

PIX Version 6.3(5)

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 auto shutdown

interface ethernet3 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 RESCUE security55

nameif ethernet3 NewBlock security30

enable password hJswxxxtqi3ZUj1 encrypted

passwd 2KFQnbxxxdI.2KYOU encrypted

hostname AGNIPIX520

domain-name OurDomain.com

clock timezone EST -5

clock summer-time EDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 69.xx.xxx.178 "xxxxx"-"xxxxx"

name 69.xx.xxx.175 "xxxxx"

name 69.xx.xxx.174 "xxxxx"

name 69.xx.xxx.170 "xxxxx"

name 69.xx.xxx.167 "xxxxx"

name 69.xx.xxx.133 "xxxxx"

name 69.xx.xxx.132 "xxxxx"

name 69.xx.xxx.131 "xxxxx"

name 69.xx.xxx.161 "xxxxx"

name 69.xx.xxx.158 "xxxxx"

name 69.xx.xxx.156 "xxxxx"

name 69.xx.xxx.150 "xxxxx"

name 69.xx.xxx.128 "xxxxx"

name 164.xxx.xx.82 "xxxxx"

name 164.xx.xxx.10 "xxxxx"

name 69.xx.xxx.136 "xxxxx"

name 209.xxx.xx.129 "xxxxx"

name 69.xx.xxx.138 "xxxxx"

name 164.xxx.xx.149 "xxxxx"

name 69.xx.xxx.183 "xxxxx"

name 164. xxx.xx..98 "xxxxx"

name 76. xxx.xx..6 "xxxxx"

name 164. xxx.xx.106 "xxxxx"

name 69.xx.xxx.141 "xxxxx"

name 138. xxx.xx..139 "xxxxx"

name 138. xxx.xx..138 "xxxxx"

name 138. xxx.xx..132 "xxxxx"

name 138. xxx.xx..131 "xxxxx"

name 69.xx.xxx.139 "xxxxx"

name 78. xxx.xx..115 "xxxxx"

name 69.xx.xxx.176 "xxxxx"

name 164. xxx.xx.101 "xxxxx"

name 199. xxx.xx..116 "xxxxx"

name 38. xxx.xx..170 "xxxxx"

name 141. xxx.xx..1 "xxxxx"

name 141. xxx.xx..22 "xxxxx"

name 141. xxx.xx..21 "xxxxx"

name 141. xxx.xx..20 "xxxxx"

name 141. xxx.xx..22 "xxxxx"

name 141. xxx.xx..21 "xxxxx"

name 141. xxx.xx.20 "xxxxx"

name 141.xxx.xx.1 "xxxxx"

name 69.xx.xxx.166 "xxxxx"

name 207.xx.xx..158 "xxxxx"

name 69.xx.xxx.177 "xxxxx"

name 69.xx.xxx.137 "xxxxx"

name 69.xx.xxx.185 "xxxxx"

name 69.xx.xxx.140 "xxxxx"

name 207. xxx.xx..156 "xxxxx"

name 69.xx.xxx.173 "xxxxx"

name 69.xx.xxx.172 "xxxxx"

name 173. xxx.xx..64 newblock-pool

name 69.xx.xxx.165 "xxxxx"

name 69.xx.xxx.164 "xxxxx"

name 69.xx.xxx.163 "xxxxx"

name 69.xx.xxx.162 "xxxxx"

name 69.xx.xxx.159 "xxxxx"

name 69.xx.xxx.157 "xxxxx"

name 69.xx.xxx.155 "xxxxx"

name 69.xx.xxx.154 "xxxxx"

name 69.xx.xxx.153 "xxxxx"

name 69.xx.xxx.152 "xxxxx"

name 69.xx.xxx.151 "xxxxx"

name 69.xx.xxx.149 "xxxxx"

name 69.xx.xxx.147 "xxxxx"

name 69.xx.xxx.146 "xxxxx"

name 69.xx.xxx.145 "xxxxx"

name 69.xx.xxx.144 "xxxxx"

name 69.xx.xxx.142 "xxxxx"

name 69.xx.xxx.135 "xxxxx"

name 69.xx.xxx.189 "xxxxx"

name 69.xx.xxx.182 "xxxxx"

name 69.xx.xxx.181 "xxxxx"

name 69.xx.xxx.180 "xxxxx"

name 69.xx.xxx.179 "xxxxx"

name 69.xx.xxx.171 "xxxxx"

name 69.xx.xxx.184 "xxxxx"

name 69.xx.xxx.148 "xxxxx"

name 69.xx.xxx.187 "xxxxx"

name 69.xx.xxx.169 "xxxxx"

name 69.xx.xxx.160 "xxxxx"

name 69.xx.xxx.186 "xxxxx"

name 69.xx.xxx.168 "xxxxx"

name 69.xx.xxx.188 "xxxxx"

name 173. xxx.xx..66 john

name 173.x.xx.x johntest2

name 173.x.x.x. johntest3

name 173.x.x.x. johntest4

name 173.x.x.x. NBfirewall

object-group network DemoNetworkPublicGroup

description DemoNetworkPublicGroup

network-object "xxxxx" 255.255.255.255

network-object v"xxxxx" 255.255.255.255

network-object "xxxxx" 255.255.255.255

network-object 69.xx.xxx.190 255.255.255.255

object-group network EveryOneInsideGroup

description EveryOneInsideGroup

network-object "xxxxx" 255.255.255.255

network-object "xxxxx"xxxxx"S01 255.255.255.255

network-object "xxxxx" 255.255.255.255

network-object "xxxxx"-DomainVPN 255.255.255.255

network-object "xxxxx" 255.255.255.255

network-object 69.xx.xxx.190 255.255.255.255

network-object "xxxxx" 255.255.255.255

object-group network http_httpsGroup

description http_httpsGroup

network-object "xxxxx" 255.255.255.255

network-object "xxxxx"255.255.255.255

network-object "xxxxx" 255.255.255.255

network-object "xxxxx"-DomainVPN 255.255.255.255

network-object "xxxxx" 255.255.255.255

network-object 69.xx.xxx.190 255.255.255.255

network-object "xxxxx" 255.255.255.255

object-group network publicpool

description publicpool

network-object PublicPool 255.255.255.192

object-group network "xxxxx"

description "xxxxx"

network-object "xxxxx" 255.255.255.255

object-group service UltraVNC tcp

description UltraVNC

port-object range 5800 5801

port-object range 5900 5901

object-group service NetMeeting tcp

description NetMeeting

port-object range 1503 1503

port-object range 1721 1721

port-object range h323 h323

object-group service RDP tcp

description RDp

port-object range 3389 3389

object-group service VONAGE udp

description VONAGE

port-object range 65535 65535

port-object range ntp ntp

port-object range 5060 5061

port-object range 10000 20000

object-group service CISCO_VPN tcp-udp

description CISCO_VPN

port-object range 10000 10000

object-group network VPNboxes

description anything that uses IPSEC

network-object "xxxxx" 255.255.255.255

object-group service BizConnect tcp

port-object range 9080 9080

port-object range 8081 8081

port-object range 4080 4080

object-group service FTP-7700 tcp

description Ftp server

port-object range 5700 6500

object-group service ftp5700 tcp-udp

port-object range 5700 7700

object-group service AS2Transmission tcp

description For AS 2 Transmission 4080,7080,9080

port-object eq 4080

port-object eq 7080

port-object eq 9080

object-group network "xxxxx"

description Am servers for TLS

network-object "xxxxx".xxx.com255.255.255.255

network-object "xxxxx"xxx.com255.255.255.255

object-group service MailScannerGroup tcp-udp

description MailScanner related ports

port-object eq 6277

port-object eq 24441

port-object eq 2703

port-object eq echo

port-object eq 873

object-group network "xxxxx"

description For Accounting PayChex

network-object "xxxxx" 255.255.255.255

object-group service PAYPAL tcp

description on artur's request

port-object eq 1433

object-group service SAP tcp

port-object range 3201 3201

port-object range 50100 50100

object-group service Packet8 tcp

description Port 6252 for packet8 billing

port-object range 6252 6252

object-group service "xxxxx" tcp

description aport website

port-object range 90 90

object-group service L2TP udp

description L2TP VPN Ports

port-object range isakmp isakmp

port-object range 1701 1701

port-object range 4500 4500

port-object range 50 50

object-group service L2TP2 tcp-udp

description L2TP

port-object range 1723 1723

port-object range 500 500

port-object range 1701 1701

port-object range 4500 4500

object-group service port8005 tcp

description hosting applications for OurDomain

port-object range 8005 8005

object-group service Polycom-1720 tcp

port-object range h323 h323

object-group service Polycom-3230-3243 tcp

port-object range 3230 3243

object-group service Polycom-3230-3285 udp

port-object range 3230 3285

object-group service snmp_port tcp

port-object range 161 162

object-group service port8889 tcp

port-object range 8889 8889

port-object range 8080 8080

object-group network temp

network-object "xxxxx" 255.255.255.255

object-group network everyone

network-object ian 255.255.255.255

access-list inside_outbound_nat0_acl permit ip host "xxxxx"

access-list inside_outbound_nat0_acl permit ip host "xxxxx" any

access-list inside_outbound_nat0_acl permit ip host w"xxxxx"any

access-list inside_outbound_nat0_acl permit ip host "xxxxx"2 any

access-list inside_outbound_nat0_acl permit ip host "xxxxx" any

access-list inside_outbound_nat0_acl permit ip host "xxxxx"-"xxxxx" any

access-list inside_outbound_nat0_acl permit ip host "xxxxx" any

access-list inside_outbound_nat0_acl permit ip any any

no pager

logging on

logging timestamp

logging trap notifications

logging history informational

icmp deny host 69.xx.xx.10 outside

mtu outside 1500

mtu inside 1500

mtu RESCUE 1500

mtu NewBlock 1500

ip address outside 69.xx.xx.10 255.255.255.252

ip address inside 69.xx.xxx.129 255.255.255.192

ip address RESCUE 10.x.x.1 255.255.255.0

ip address NewBlock 173.xxx.xx.65 255.255.255.224

ip verify reverse-path interface outside

ip audit info action alarm

ip audit attack action alarm

failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address RESCUE

no failover ip address NewBlock

pdm location "xxxxx" 255.255.255.255 inside

pdm location "xxxxx"-"xxxxx" 255.255.255.255 inside

pdm location "xxxxx" 255.255.255.255 inside

pdm location "xxxxx" 255.255.255.255 outside

pdm location "xxxxx" 255.255.255.255 inside

pdm location "xxxxx" 255.255.255.255 outside

pdm location "xxxxx" 255.255.255.255 inside

pdm location "xxxxx" 255.255.255.255 outside

pdm location "xxxxx"255.255.255.255 inside

pdm location "xxxxx" 255.255.255.255 inside

pdm location "xxxxx" 255.255.255.255 outside

pdm location "xxxxx" 255.255.255.255 inside

pdm location "xxxxx" 255.255.255.255 outside

pdm location "xxxxx" 255.255.255.255 inside

pdm location "xxxxx".xxx.com255.255.255.255 outside

pdm location "xxxxx" 255.255.255.255 inside

pdm location "xxxxx" 255.255.255.255 outside

pdm location Ce"xxxxx""xxxxx" 255.255.255.255 inside

pdm location "xxxxx" 255.255.255.255 inside

pdm location "xxxxx" 255.255.255.255 outside

pdm location "xxxxx" 255.255.255.255 inside

pdm location "xxxxx" 255.255.255.255 outside

pdm location "xxxxx" 255.255.255.255 inside

pdm location "xxxxx" 255.255.255.255 outside

pdm location 192.168.200.249 255.255.255.255 inside

pdm location 69.xx.xxx.190 255.255.255.255 inside

pdm location johntest2 255.255.255.255 NewBlock

pdm location johntest2 255.255.255.255 inside

pdm location johntest3 255.255.255.255 NewBlock

pdm location NBFirewall 255.255.255.255 inside

pdm location NBFirewall 255.255.255.255 NewBlock

pdm location johntest3 255.255.255.255 inside

pdm group EveryOneInsideGroup inside

pdm group http_httpsGroup inside

pdm group publicpool inside

pdm group "xxxxx" inside

pdm group VPNboxes inside

pdm group "xxxxx" outside

pdm group temp inside

pdm group DemoNetworkPublicGroup inside

pdm group everyone NewBlock

pdm logging informational 100

pdm history enable

arp timeout 14440

global (inside) 1 69.xxx.xx.xxx-69.xx.xxx.xxx

global (NewBlock) 1 173.xx.xx.xx-173.xxx.xxx.xx

nat (inside) 0 access-list inside_outbound_nat0_acl

static (NewBlock,outside) johntest2 johntest2 netmask 255.255.255.255 0 0

static (NewBlock,outside) NBFirewall NBFirewall netmask 255.255.255.255 0 0

static (NewBlock,outside) johntest3 johntest3 netmask 255.255.255.255 0 0

static (NewBlock,outside) johntest4 johntest4 netmask 255.255.255.255 0 0

conduit permit gre host "xxxxx" any

conduit permit tcp host "xxxxx" object-group port8889 any

conduit permit gre host "xxxxx" any

conduit permit esp host "xxxxx" any

conduit permit ah host "xxxxx" any

conduit permit udp host "xxxxx" eq isakmp any

conduit permit udp host "xxxxx" eq 4500 any

conduit permit tcp host "xxxxx" eq 10000 any

conduit permit udp host "xxxxx" eq isakmp any

conduit permit udp host "xxxxx" eq 4500 any

conduit permit udp host "xxxxx" eq 10000 any

conduit permit tcp host "xxxxx" eq 10000 any

conduit permit udp object-group "xxxxx" eq domain any

conduit permit tcp object-group "xxxxx" eq domain any

conduit permit tcp host FTP eq ftp any

conduit permit tcp host FTP eq ftp-data any

conduit permit tcp host FTP object-group ftp5700 any

conduit permit tcp object-group DemoNetworkPublicGroup eq www any

conduit permit tcp object-group DemoNetworkPublicGroup eq https any

conduit permit tcp object-group http_httpsGroup eq www any

conduit permit tcp object-group http_httpsGroup eq https any

conduit permit tcp host "xxxxx" eq www any

conduit permit tcp host "xxxxx" eq 3101 any

conduit permit tcp host "xxxxx" eq www any

conduit permit tcp host "xxxxx" eq ssh any

conduit permit tcp host "xxxxx" object-group AS2Transmission any

conduit permit tcp host "xxxxx" eq smtp any

conduit permit tcp host "xxxxx" eq smtp object-group AmgenMXGroup

conduit permit tcp host "xxxxx" eq citrix-ica any

conduit permit tcp host "xxxxx" eq 7001 any

conduit permit tcp host 69.xx.xxx.190 eq 9080 any

conduit permit tcp host 69.xx.xxx.190 eq 7001 any

conduit permit tcp host "xxxxx" eq 7001 any

conduit permit tcp host "xxxxx" eq 7080 any

conduit permit tcp host "xxxxx" object-group SAP any

conduit permit tcp host "xxxxx" any

conduit permit tcp host xxxxxx eq www any

conduit permit tcp host "xxxxx" object-group agsupport any

conduit permit tcp host "xxxxx" eq www any

conduit permit gre host "xxxxx" any

conduit permit esp host "xxxxx" any

conduit permit tcp host "xxxxx" eq pptp any

conduit permit udp host "xxxxx" object-group L2TP any

conduit permit tcp host "xxxxx" eq citrix-ica any

conduit permit tcp host "xxxxx" eq www any

conduit permit tcp host "xxxxx" eq https any

conduit permit tcp host "xxxxx" eq 4080 any

conduit permit tcp host "xxxxx" eq 8001 any

conduit permit tcp host "xxxxx" eq 9080 any

conduit deny tcp any any

conduit deny udp any any

conduit deny icmp any any

conduit permit tcp host "xxxxx" eq h323 any

conduit permit tcp host "xxxxx" object-group Polycom-1720 any

conduit permit tcp host "xxxxx" object-group Polycom-3230-3243 any

conduit permit udp host "xxxxx" object-group Polycom-3230-3285 any

conduit permit tcp host "xxxxx" object-group BizConnect any

conduit permit tcp host "xxxxx" eq 8001 any

outbound 1 permit "xxxxx" 255.255.255.255 53 udp

outbound 1 permit "xxxxx" 255.255.255.255 25 tcp

outbound 1 permit "xxxxx" 255.255.255.255 1494 tcp

outbound 1 permit "xxxxx" 255.255.255.255 123 udp

outbound 1 permit "xxxxx" 255.255.255.255 3101 tcp

outbound 1 permit 0.0.0.0 0.0.0.0 80 tcp

outbound 1 permit 0.0.0.0 0.0.0.0 443 tcp

outbound 1 permit "xxxxx"-"xxxxx" 255.255.255.255 443 tcp

outbound 1 permit 0.0.0.0 0.0.0.0 500 udp

outbound 1 permit 0.0.0.0 0.0.0.0 0 ah

outbound 1 permit 0.0.0.0 0.0.0.0 0 esp

outbound 1 permit 0.0.0.0 0.0.0.0 0 gre

outbound 1 permit 0.0.0.0 0.0.0.0 53 tcp

outbound 1 permit 0.0.0.0 0.0.0.0 53 udp

outbound 1 permit 0.0.0.0 0.0.0.0 10000 tcp

outbound 1 permit 0.0.0.0 0.0.0.0 4500 udp

outbound 1 permit 0.0.0.0 0.0.0.0 10000 udp

outbound 1 permit 0.0.0.0 0.0.0.0 3302 tcp

outbound 1 permit "xxxxx" 255.255.255.255 0 gre

outbound 1 permit "xxxxx" 255.255.255.255 1723 tcp

outbound 1 permit "xxxxx" 255.255.255.255 20-21 tcp

outbound 1 permit "xxxxx" 255.255.255.255 25 tcp

outbound 1 permit "xxxxx" 255.255.255.255 9080 tcp

outbound 1 permit "xxxxx" 255.255.255.255 7080 tcp

outbound 1 permit "xxxxx" 255.255.255.255 4080 tcp

outbound 1 permit "xxxxx" 255.255.255.255 25 tcp

outbound 1 deny 0.0.0.0 0.0.0.0 0 udp

outbound 1 deny 0.0.0.0 0.0.0.0 0 tcp

outbound 1 permit "xxxxx" 255.255.255.255 5060-5061 udp

outbound 1 permit "xxxxx" 255.255.255.255 10000-20000 udp

outbound 1 permit "xxxxx" 255.255.255.255 5060-5061 tcp

outbound 1 permit "xxxxx" 255.255.255.255 5700-7700 tcp

outbound 1 permit "xxxxx" 255.255.255.255 0 udp

outbound 1 permit "xxxxx" 255.255.255.255 20-22 tcp

outbound 1 permit "xxxxx" 255.255.255.255 0 udp

outbound 1 permit "xxxxx" 255.255.255.255 0 esp

outbound 1 permit "xxxxx" 255.255.255.255 0 tcp

outbound 1 permit 0.0.0.0 0.0.0.0 8005 tcp

outbound 1 permit "xxxxx" 255.255.255.255 1720 tcp

outbound 1 permit "xxxxx" 255.255.255.255 0 tcp

outbound 1 permit "xxxxx" 255.255.255.255 8001 tcp

outbound 1 permit "xxxxx" 255.255.255.255 4080 tcp

outbound 1 permit "xxxxx" 255.255.255.255 9080 tcp

outbound 2 permit "xxxxx" 255.255.255.255 21 tcp

outbound 2 permit "xxxxx" 255.255.255.255 0 icmp

outbound 2 permit "xxxxx" 255.255.255.255 0 udp

outbound 2 permit "xxxxx" 255.255.255.255 0 tcp

outbound 2 permit "xxxxx" 255.255.255.255 500 udp

outbound 2 permit "xxxxx" 255.255.255.255 0 ah

outbound 2 permit "xxxxx" 255.255.255.255 0 esp

outbound 2 permit "xxxxx" 255.255.255.255 0 gre

outbound 2 permit "xxxxx" 255.255.255.255 0 ip

outbound 2 permit "xxxxx" 255.255.255.255 0 tcp

outbound 2 permit "xxxxx" 255.255.255.255 21 tcp

outbound 2 permit "xxxxx" 255.255.255.255 20 tcp

outbound 2 permit "xxxxx" 255.255.255.255 5601 tcp

outbound 2 permit "xxxxx" 255.255.255.255 0 tcp

apply (inside) 1 outgoing_src

apply (inside) 2 outgoing_dest

route outside 0.0.0.0 0.0.0.0 69.xx.xx.9 1

route inside NBFirewall 255.255.255.255 69.xx.xxx.143 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server RADIUS (inside) host TCS04 DomainTest timeout 5

aaa-server LOCAL protocol local

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

http server enable

http "xxxxx" 255.255.255.255 inside

snmp-server host inside 192.168.200.249

snmp-server location

snmp-server contact

snmp-server community DomainN

snmp-server enable traps

tftp-server inside ESM632 TFTP-Root

floodguard enable

sysopt noproxyarp inside

sysopt noproxyarp NewBlock

auth-prompt prompt Welcome to OurDomain Network

auth-prompt accept Access Allowed

auth-prompt reject Please verify the user account details

isakmp nat-traversal 20

telnet timeout 5

ssh "xxxxx" 255.255.255.255 inside

ssh timeout 5

console timeout 0

username root password sIdfd"xxxxx"2aHgdfgOMsI encrypted privilege 15

privilege show level 0 command version

privilege show level 0 command curpriv

privilege show level 3 command pdm

privilege show level 3 command blocks

privilege show level 3 command ssh

privilege configure level 3 command who

privilege show level 3 command isakmp

privilege show level 3 command ipsec

privilege show level 3 command vpdn

privilege show level 3 command local-host

privilege show level 3 command interface

privilege show level 3 command ip

privilege configure level 3 command ping

privilege show level 3 command uauth

privilege configure level 5 mode enable command configure

privilege show level 5 command running-config

privilege show level 5 command privilege

privilege show level 5 command clock

privilege show level 5 command ntp

privilege show level 5 mode configure command logging

privilege show level 5 command fragment

terminal width 80

Cryptochecksum:8c73f"xxxxx"a6024b8c

: end

imanco671 · ‎08-31-2011

Hi Jon,

What commands do you think I should run for my ACL's?

Also, you suggest removing the conuit statements?

John