Cisco PIX 515 configuration help

I've inherited a preconfigured PIX 515 at my new job. I've been able to connect via HyperTerminal and luckily guessed the password. I'm attaching the output below of the "show config" command. I'm very new to Cisco equipment, but my needs are very small at the moment and I'm sure it's probably a handful of trivial commands to get me going.

Right now (and I'm speaking in terms of what I see company-wise, not in terms of the firewall configuration), the only Internet traffic being specifically routed to a machine is 10.6.18.179. This is our web/email server, and to my knowledge the only server accessible to the outside world. The mail server supports IMAP and POP from within our private network. The mail server is only accessible outside the office through webmail. IMAP and POP support from a mail client like Thunderbird isn't working.

The goal(s):

  1. I've set up an FTP server on 10.6.18.10 and need to have all traffic on port 21 sent to that machine (internally and externally). The DNS server is already set up to resolve the name, so that shouldn't be an issue.

  2. I'd like to get IMAP and POP support working outside the office (ports 143 and 110 I assume).

  3. Very soon our website is going to be outsourced. I assume this will mean two changes on our part: change the DNS entry to point to the third-party hosting server and remove the firewall entry that routes traffic to 10.6.18.179.

I hope I've been clear on what I need help with. I appreciate your expertise and patience.

BTW, and not to sound like a jerk, but actual specific commands for accomplishing these 3 tasks in HyperTerminal would be more beneficial to me than a vague overview of Cisco theory, broad statements, or hyperbole.

Here's my configuration:

: Saved
: Written by enable_15 at 09:13:06.454 UTC Mon Mar 19 2007
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
hostname xxxxxxxxx
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol http 80
names
access-list 101 permit ip 10.6.18.0 255.255.255.0 172.6.18.0 255.255.255.0
pager lines 24
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 68.16.146.90 255.255.255.248
ip address inside 10.6.18.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.6.18.1-172.6.18.25
pdm location 10.6.18.2 255.255.255.255 inside
pdm location 10.6.18.179 255.255.255.255 inside
pdm location 67.77.12.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 68.16.146.92-68.16.146.93 netmask 255.255.255.248
global (outside) 1 68.16.146.94 netmask 255.255.255.248
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 68.16.146.91 10.6.18.179 netmask 255.255.255.255 0 0
conduit permit tcp host 68.16.146.91 eq www any
conduit permit tcp host 68.16.146.91 eq 444 any
conduit permit tcp host 68.16.146.91 eq 81 any
conduit permit tcp host 68.16.146.91 eq https any
conduit permit tcp host 68.16.146.91 eq ssh any
conduit permit tcp host 68.16.146.91 eq telnet any
conduit permit tcp host 68.16.146.91 eq ftp any
conduit permit tcp host 68.16.146.91 eq smtp any
conduit permit tcp host 68.16.146.91 eq pop3 any
conduit permit tcp host 68.16.146.91 eq 32000 any
route outside 0.0.0.0 0.0.0.0 68.16.146.89 1
route inside 192.168.0.0 255.255.255.0 10.6.18.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http 10.6.18.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set remote esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set remote
crypto map remote 10 ipsec-isakmp dynamic dynmap
crypto map remote interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remote address-pool ippool
vpngroup remote dns-server 10.6.18.2
vpngroup remote wins-server 10.6.18.2
vpngroup remote default-domain xxxxxxxxxxxx.com
vpngroup remote idle-time 5000
vpngroup remote password ********
telnet timeout 5
ssh timeout 5
terminal width 80

Thanks, Paul

Reply to
sintral

The below statements are what you have in place

You already have POP access:

+OK mail.fergusoncopeland.com IceWarp 9.1.0 POP3 Fri, 25 Jul 2008 15:41:35 -04

and ftp

U:\>ftp
ftp> open
To 68.16.146.91
Connected to 68.16.146.91.
530 Connection refused, unknown IP address.
User (68.16.146.91:(none)):

To get IMAP add:

conduit permit tcp host 68.16.146.91 eq 143 any

No, you only want to remove the conduit entries that equal http/https

Reply to
Artie Lange

With FTP, I'm getting the same error message that you do:

ftp 68.16.146.91
Connected to 68.16.146.91.
530 Connection refused, unknown IP address.

I've added port 22 (though I think SSH was already enabled), and I get this message when trying to connect from outside the office:

ssh: connect to host 68.16.146.91 port 22: Connection refused

I haven't tried IMAP connections yet since adding the entry suggested above, but telnet (which has a conduit entry) is also giving an error:

telnet: Unable to connect to remote host: Connection refused

Thanks, Paul

Reply to
sintral

Sounds to me like you have an IP access list set up on the FTP server; you are listening on that port and it is being published through your firewall.

Can you tell me what SSH server you use and what SSH protocol is being used? Version of SSH?

Is telnet running on the server?

Reply to
Artie Lange

IMAP is working

Reply to
Artie Lange

Also, it seems like somewhere in my firewall configuration there would need to be rules saying "accept traffic on port 21 and send it to 10.6.18.10" and "accept traffic on port 143 and send it to 10.6.18.179".

Reply to
sintral

I'm using ProFTP on 10.6.18.10. To my knowledge I don't have an access restriction list in place. It is pretty much set up with default options. I know it is off topic, but do you know how to check and see if an access list is in use?

I'm using OpenSSH_4.7 on that same machine.

Reply to
sintral

You inherited a Cisco PIX 515 firewall at work and now you need to either do a lot of research or have your company contract a consultant. Learning all there is to know in order to manage your firewall yourself is what would make us all proud.

First, get rid of those conduits and replace them with access-lists. Most of what it is permitting is not mentioned in this e-mail.

no conduit permit tcp host 68.16.146.91 eq www any
no conduit permit tcp host 68.16.146.91 eq 444 any
no conduit permit tcp host 68.16.146.91 eq 81 any
no conduit permit tcp host 68.16.146.91 eq https any
no conduit permit tcp host 68.16.146.91 eq ssh any
no conduit permit tcp host 68.16.146.91 eq telnet any
no conduit permit tcp host 68.16.146.91 eq ftp any
no conduit permit tcp host 68.16.146.91 eq smtp any
no conduit permit tcp host 68.16.146.91 eq pop3 any
no conduit permit tcp host 68.16.146.91 eq 32000 any
!
access-list inbound remark *
access-list inbound remark * Outside Internet Inbound
access-list inbound remark *
access-list inbound extended permit tcp any host 68.16.146.91 eq ftp
access-list inbound extended permit tcp any host 68.16.146.91 eq ssh
access-list inbound extended permit tcp any host 68.16.146.91 eq telnet
access-list inbound extended permit tcp any host 68.16.146.91 eq smtp
access-list inbound extended permit tcp any host 68.16.146.91 eq www
access-list inbound extended permit tcp any host 68.16.146.91 eq 81
access-list inbound extended permit tcp any host 68.16.146.91 eq pop3
access-list inbound extended permit tcp any host 68.16.146.91 eq imap4
access-list inbound extended permit tcp any host 68.16.146.91 eq https
access-list inbound extended permit tcp any host 68.16.146.91 eq 444
access-list inbound extended permit tcp any host 68.16.146.91 eq 32000
!
access-list outbound remark *
access-list outbound remark * Inside LAN Outbound
access-list outbound remark *
access-list outbound extended permit ip any any
!
access-group inbound in interface outside
access-group outbound in interface inside

Each of these (except for the one being taken out) should correspond with entries in the inbound access-list.

no static (inside,outside) 68.16.146.91 10.6.18.179 netmask 255.255.255.255
static (inside,outside) tcp 68.16.146.91 21 10.6.18.10 21 netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.16.146.91 80 10.6.18.179 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.16.146.91 110 10.6.18.179 110 netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.16.146.91 143 10.6.18.179 143 netmask 255.255.255.255 0 0

Hosts inside the firewall cannot access the FTP server by the global IP address; they must use the 10.6.18.10 IP address. Hosts on one side of a firewall cannot reach the firewall's own IP address on the other side. Cisco firewalls will deny that action.

no static (inside,outside) tcp 68.16.146.91 80 10.6.18.179 80 netmask 255.255.255.255 0 0
!
no access-list inbound extended permit tcp any host 68.16.146.91 eq www
no access-list inbound extended permit tcp any host 68.16.146.91 eq https

-----
Scott Perry
Indianapolis, IN
-----

Reply to
Scott Perry

Thanks Scott, great post, I was going to explain to him that the conduits need to go, but I did not want to ruin his Friday!

Reply to
Artie Lange

Hey guys thanks a lot for the info and advice.

Scott, I get this error when I input the commands you posted:

FergCopePIX(config)# access-list inbound remark *
ERROR: missing command argument(s)
Usage: [no] access-list compiled
[no] access-list compiled
[no] access-list deny|permit |object-group

| object-group [ [] | object-group ]

| object-group [ [] | object-group ]

[no] access-list deny|permit icmp | object-group | object-group [ | object-group ]

I've tried putting and with it such as this: access-list 102 inbound remark * but it tells me I'm missing command arguments.

I may be using an older version of software that doesn't accept this syntax exactly or something. I'm sure you guys know better than me if that's possible.

Adding a number to the access-list statement for FTP gives a slightly different error:

FergCopePIX(config)# access-list 102 inbound extended permit tcp any host 68.1$
ERROR: not a valid permission
Usage: [no] access-list compiled
[no] access-list compiled
[no] access-list deny|permit |object-group

| object-group [ [] | object-group ]

| object-group [ [] | object-group ]

[no] access-list deny|permit icmp | object-group | object-group [ | object-group ]

One other question: it appears that these attempted changes aren't saved unless I enter a 'wr mem' command, correct? For example, I ran all of the 'no conduit...' commands but they still show up in 'show config'. I'll need to make sure the access-list commands are accepted before writing the changes for the conduit entries so that everyone isn't cut off.

Thanks, Scott, for the complete config settings.

Reply to
sintral

Yes, you must write memory to save the config; it is also wise to perform a 'clear xlate'.

Reply to
Artie Lange

I was using a different OS version. Although I like the remarks in access-lists, you do not need to have them. From the help dialog which you included in your post, I see that there is not an option for remarks in your version of the PIX OS.

-----
Scott Perry
Indianapolis, IN
-----


Reply to
Scott Perry
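An added example (not from the thread or from any of its posters) that does what Scott's two posts describe: it rewrites the conduit lines from Paul's config into the source-first access-list syntax that PIX 6.2 accepts (6.2 has neither the 'extended' nor the 'remark' keyword), and then checks that every port-forwarding static in Scott's post has a matching permit. The function and constant names are mine; the sample lines are copied from the thread.

```python
import re

# Added example, not from the thread. Rewrites the conduits posted above into
# PIX 6.2 access-list entries (6.2 accepts neither 'extended' nor 'remark')
# and checks that each port-forwarding static has a matching permit.
# conduit:     conduit permit tcp host <global> eq <port> <foreign>    (server first)
# access-list: access-list <id> permit tcp <src> host <dst> eq <port>  (source first)
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80,
              "pop3": 110, "imap4": 143, "https": 443}
CONDUIT_RE = re.compile(r"^conduit permit (tcp|udp) host (\S+) eq (\S+) (.+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"permit (tcp|udp) .+ host (\S+) eq (\S+)$")

def port_number(token):
    """Resolve a PIX service name such as 'www', or a numeric string, to an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def conduit_to_acl(line, acl_name="inbound"):
    """Rewrite one conduit as the equivalent PIX 6.2 access-list entry."""
    m = CONDUIT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a simple conduit line: {line!r}")
    proto, global_ip, port, foreign = m.groups()
    return f"access-list {acl_name} permit {proto} {foreign} host {global_ip} eq {port}"

def statics_without_permit(static_lines, acl_lines):
    """Return (global-ip, port) of port-forwarding statics that no access-list entry permits."""
    permitted = set()
    for acl in acl_lines:
        m = ACL_RE.search(acl)
        if m:
            permitted.add((m.group(1), m.group(2), port_number(m.group(3))))
    missing = []
    for line in static_lines:
        m = STATIC_RE.match(line.strip())
        if m and (m.group(1), m.group(2), port_number(m.group(3))) not in permitted:
            missing.append((m.group(2), port_number(m.group(3))))
    return missing

# Lines taken from the thread: Paul's original conduits and Scott's per-port statics.
CONDUITS = [f"conduit permit tcp host 68.16.146.91 eq {p} any"
            for p in ("www", "444", "81", "https", "ssh", "telnet",
                      "ftp", "smtp", "pop3", "32000")]
STATICS = [f"static (inside,outside) tcp 68.16.146.91 {p} {h} {p} netmask 255.255.255.255 0 0"
           for p, h in ((21, "10.6.18.10"), (80, "10.6.18.179"),
                        (110, "10.6.18.179"), (143, "10.6.18.179"))]

if __name__ == "__main__":
    print(statics_without_permit(STATICS, [conduit_to_acl(c) for c in CONDUITS]))
```

Run as-is it reports the one static with no permit, the IMAP forward on 143, which is exactly the entry sintral told Paul to add.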
