site to site 501 VPN + tcp

rob
Level 1

Hi all,

I want to be able to use the SMTP server on the server at the other end of a site-to-site PIX 501 VPN. How do I allow traffic to flow on port 25 over the VPN? At present it doesn't, and when I add it to the access-list, I get:

WARNING: access-list has port selectors may have performance impact

and

WARNING: access-list protocol or port will not be used

any ideas?

cheers very much!

Rob

15 Replies

paddyxdoyle
Level 6

Rob,

When you get the error messages above, which access list are you trying to add the entries to?

Have you created a NAT rule for your mail server?

Is the server's network range included in your crypto map?

Can you ping your mail server from the opposite network?

Do you have access-lists on your inside PIX interfaces?

If you have non-overlapping private networks behind PIXA and PIXB, IPSEC is started when one PIX receives traffic from its private network destined to the other PIX's private network via a crypto access-list.

You then also need a NAT0 rule using the same crypto access-list to specify that traffic from PIXA's private network to PIXB's private network should not be NATed.

Remember that the crypto access-list should be mirrored on the opposite PIX.

There is a useful guide on troubleshooting established IPSEC tunnels on the PIX here:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009448c.shtml

There is also another guide on setting up a PIX to PIX VPN here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

HTH

Paddy
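A worked configuration for the setup Paddy describes, added here as an illustration and not taken from the thread or from Cisco's own examples. The subnets, peer address, ACL name and map name are assumed placeholders (PIXA inside 172.18.124.0/24, PIXB inside 192.168.50.0/24, PIXB outside 203.0.113.2):

```text
! PIXA (PIX 6.x syntax) - constructed example, not a real deployment
! The crypto ACL matches on addresses only; "permit ip" with no port selector,
! because port-level entries in this list are ignored by the crypto map and
! nat 0 (that is what the "protocol or port will not be used" warning means).
access-list vpn-traffic permit ip 172.18.124.0 255.255.255.0 192.168.50.0 255.255.255.0

! NAT exemption: tunnel traffic keeps its private source address.
nat (inside) 0 access-list vpn-traffic

! Phase 1 (ISAKMP) with a pre-shared key for the peer PIX.
isakmp enable outside
isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2

! Phase 2 (IPsec) and the crypto map tied to the same ACL.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-traffic
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside

! Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! PIXB mirrors the crypto ACL with source and destination swapped:
! access-list vpn-traffic permit ip 192.168.50.0 255.255.255.0 172.18.124.0 255.255.255.0
```

With this in place, SMTP (tcp/25) to the remote server needs no port entry in the crypto ACL; if you want to restrict it, do so on the inside interface access-list, not on the list the crypto map uses.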

Cheers Paddy, you're a star!!!

Just one other thing if you don't mind, basically I have a server sat behind the pix 501. I want to be able to ssh to that server which has both a public and private ip address.

I have created access-lists on both the inside and outside interface with the following:

access-list 102 line 3 permit tcp any any eq ssh (hitcnt=0)

access-list 102 line 4 permit ip any any (hitcnt=0)

access-list 102 line 5 permit icmp any any (hitcnt=0)

access-list inside; 3 elements

access-list inside line 1 permit icmp any any (hitcnt=0)

access-list inside line 2 permit ip any any (hitcnt=0)

access-list inside line 3 permit tcp any any eq ssh (hitcnt=0)

Any advice on how to do this? I was thinking of port redirection like you suggested for www and https, but then how would I ssh into the pix itself if I forwarded all ssh traffic to the server?

cheers very much!

Rob

Good question.

I think there are three options!

1) I have never tried this, but you can specify an interface on your PIX to be the management interface and connect to it using SSH/Telnet/PDM etc. The command to do this in your case would be "management-access inside". So I am hoping that this will allow you to SSH to the inside interface of your PIX via devices on the outside. Have a look at the following link:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#wp1137951

2) If you have another spare public address in the same range as your outside address then you could use this address on the outside interface of your PIX and keep the other for your static port redirection statements to your web server, and use the new address on the PIX for management.

3) Use telnet. You can only telnet to the outside interface of a PIX if you have a VPN connection, for security (which you do). If all the options above don't work for you then this could be your last resort. The only downside is that packets will only be encrypted between both PIXs and not on your internal network.

HTH

Paddy

That's brill paddy, thanks! Nearly there! :-)

sooo, I have the pix with an outside public ip of 84.xx.xx.1 and internal ip of 172.18.124.1

Now, I have a web server behind the pix with a public ip address of 84.xx.xx.2 and private of 172.18.124.2

So you're saying that I need to use static port forwarding for www, https and ssh to the private interface of the web server from the pix, for all www, https and ssh traffic on 84.xx.xx.2, and forward it to 172.18.124.2?

so I have:

static (inside,outside) tcp 84.xx.xx.2 ssh 172.18.124.2 ssh netmask 255.255.255.255 0 0

would that do it? or do I need to bind the public ip address of the web server to the pix somehow and scrap it on the web server all together? Bearing in mind I still need to ssh to the pix as well as the web server?

cheers again for all the help!!!

Rob

Yes that looks good.

You will also need to include

nat (inside) 1 172.18.124.2 255.255.255.255

global (outside) 1 84.xx.xx.2

So that traffic from the web server to the outside is also NATed to the public address.

Good luck!

Paddy

Hi Paddy,

I've added those rules. The web server now just has the ip 172.18.124.2 and can ping the pix 172.18.124.1 and vice versa. The pix can ping other public addresses, however the web server can't ping anything on the outside world.

My access-lists look like:

access-list 102 line 1 permit tcp any host 84.xx.xx.46 eq www (hitcnt=0)

access-list 102 line 2 permit tcp any host 84.xx.xx.46 eq https (hitcnt=0)

access-list 102 line 3 permit tcp any any eq ssh (hitcnt=0)

access-list 102 line 4 permit ip any any (hitcnt=0)

access-list 102 line 5 permit icmp any any (hitcnt=0)

access-list inside; 3 elements

access-list inside line 1 permit icmp any any (hitcnt=0)

access-list inside line 2 permit ip any any (hitcnt=0)

access-list inside line 3 permit tcp any any eq ssh (hitcnt=0)

where 102 is bound to the outside and inside is inside.

any ideas?

cheers matey!

Rob

Hi,

Did you do a "clear xlate" on the PIX after making all the changes?

What can you see in the xlate table ("show xlate") when you try and talk out from your webserver to a public address?

Rgds

Paddy

PHOENIX1(config)# show xlate

1 in use, 2 most used

PAT Global 84.xx.xx.46(1) Local 172.18.124.2 ICMP id 34050

Hi Paddy,

I'm getting there. The only problem now seems to be that when I ping from the web server to another server on the internet, the other server sees the ip address of the outside interface of the pix, not the translated ip address of the web server.

any ideas how to translate back the internal 172.18.124.2 -> 84.xx.xx.146?

cheers matey!

Rob

Rob,

What does your global statement say at the mo?

This is the address that your internal web server is NATed to, which I believe should now be

nat (inside) 1 172.18.124.2 255.255.255.255

global (outside) 1 84.xx.xx.146

When you make this change, issue "clear xlate".

Initiate a connection from your web server to the www and then have a look at the NAT entry that's been created on the PIX using "show xlate".

HTH

Paddy

that's finally got it!!! YEAH BABY!!!

the offending line was:

static (inside,outside) tcp 84.45.48.146 ssh 172.18.124.2 ssh netmask 255.255.255.255 10 0

instead of:

static (inside,outside) tcp 84.45.48.146 ssh 172.18.124.2 ssh netmask 255.255.255.255 0 0

Just on another note, I have 1 rack of kit with just a catalyst 2950 running flood control. What's a better way to prevent network flooding by DoS and the like, attacks that flood the network? I take it the 501 can't do this? Would a better PIX do it or would we need a router? I'd ideally be able to keep an eye on IP addresses on the network as opposed to just ports.

cheers again Paddy!!!

Rob

Rob that's good news...

You can set the embryonic limit on a PIX per host, which basically sets a limit on the number of half-open connections the PIX will forward to the server. If this limit is met, the PIX proxies TCP handshakes between itself and the server, thus preventing SYN packets with no valid source from getting to the server (SYN flooding type attacks).

If you wanted to use this method then you need to amend your static statements similar to:

static (inside,outside) tcp 84.45.48.146 ssh 172.18.124.2 ssh netmask 255.255.255.255 0 100

Note the 100 at the end means the PIX will allow a maximum of 100 half-open connections to the server before it intervenes; 0, which is the default, means unlimited.

I would recommend having a look at the Cisco ISP Essentials guide for securing access, it covers how to secure a perimeter router to protect your network using RPF and anti spoofing access-lists, worth a read.

ftp://ftp-eng.cisco.com/cons/isp/documents/IOSEssentialsPDF.zip

Thanks

Paddy

PS if you find any of these posts useful please give them a rating :)

Also have a look through the following which outlines some of the other security features of the PIX. They are all explained in further detail in the PIX configuration guide you can download from this site.

"The integrated in-line intrusion prevention capabilities of the Cisco PIX 501 Security Appliance can protect small office networks from many popular forms of attacks, including Denial-of-Service (DoS) attacks and malformed packet attacks. Using a wealth of advanced intrusion-prevention features, including DNSGuard, FloodGuard, FragGuard, MailGuard, IPVerify, and TCP intercept, in addition to looking for more than 55 different attack "signatures," Cisco PIX Security Appliances keep a vigilant watch for attacks, can optionally block them, and can provide real-time notification to administrators."

Rgds

Paddy

That's great, and ratings coming your way!

Just on another note, do you know what model of serial cable I'd need to attach 2 cisco 2500's?

cheers very much!

Rob