PAT pix 501

Hi, I can't figure out what I'm doing wrong.... Can't get the inside net to go out on the internet, please check my config. It works if I add this to the config: "access-list outside_access_in permit ip any any"

But isn't that dangerous?

my config:

Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
---"password removed"----
hostname 3531
domain-name ---removed----
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.0.0.0 Electra_net
name 192.168.244.140 Server
name 10.10.10.2 IP_VX
object-group service scc tcp
  port-object range 1723 1723
  port-object range 3389 3389
object-group service VOIP udp
  port-object range 8002 8013
  port-object range 5588 5588
  port-object range 2048 2063
  port-object range 8020 8027
  port-object range 6254 6254
access-list inside_outbound_nat0_acl permit ip 192.168.244.128 255.255.255.192 Electra_net 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.244.128 255.255.255.192 Electra_net 255.255.255.0
access-list outside_access_in permit tcp any object-group scc host Server object-group Datasmeden
access-list outside_access_in permit tcp any eq pop3 host Server eq pop3
access-list outside_access_in permit tcp any eq https host Server eq https
access-list outside_access_in permit tcp any eq imap4 host Server eq imap4
access-list outside_access_in permit udp any object-group VOIP host IP_VX object-group VOIP
access-list outside_access_in permit ip any any
access-list inside_IN permit ip any any
access-list fsv permit ip host 193.88.44.22 any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.244.129 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Server Server netmask 255.255.255.255 0 0
static (inside,outside) IP_VX IP_VX netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 195.67.82.163 255.255.255.255 outside
http 192.168.244.128 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 195.67.82.174
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 195.67.82.174 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.244.130-192.168.244.135 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:cf589a15f0a80c1633094e5a7a610184
: end
[OK]
Reply to
Fredrik

In article , Fredrik wrote:
:Can't get the inside net to go out on the internet, please check my
:config.

:It works if I add this to the config:
:"access-list outside_access_in permit ip any any"

:But isn't that dangerous?

Yes.

:PIX Version 6.2(2)

You should update that; there are known security problems in 6.2(2), and there were a bunch of bugs fixed in 6.2(3). As I recall you can get a free update to 6.2(5); search cisco's site for PIX Security Advisories for more information.

:name 192.0.0.0 Electra_net

:access-list inside_outbound_nat0_acl permit ip 192.168.244.128 255.255.255.192 Electra_net 255.255.255.0

That's your nat 0 access-list ACL, but Electra_net 255.255.255.0 is 192.0.0.* and 192.0.0.* is reserved IP address space. The PIX won't stop the IP traffic from going through, but other equipment along the line isn't necessarily going to be as friendly to that IP space.

:access-list outside_cryptomap_20 permit ip 192.168.244.128 255.255.255.192 Electra_net 255.255.255.0

:object-group service scc tcp
: port-object range 1723 1723
: port-object range 3389 3389

:access-list outside_access_in permit tcp any object-group scc host Server object-group Datasmeden

You didn't give a definition for object-group Datasmeden in what you posted. See below as well.

:access-list outside_access_in permit tcp any eq pop3 host Server eq pop3
:access-list outside_access_in permit tcp any eq https host Server eq https
:access-list outside_access_in permit tcp any eq imap4 host Server eq imap4

Those lines and the one with the scc object group are almost certainly wrong. For pop3, https, and imap4, the *source* port is supposed to be a dynamically allocated port from 1024 upward. When a client wants to connect to pop3 on a server, the only occurrence of the pop3 port number is in the destination port -- the source port is semi-random.

:access-list outside_access_in permit udp any object-group VOIP host IP_VX object-group VOIP

That line very likely has the same problem.

:access-list outside_access_in permit ip any any
:access-list inside_IN permit ip any any
:access-list fsv permit ip host 193.88.44.22 any

:interface ethernet0 10baset
:interface ethernet1 10full

*Usually* you want to set those to auto. 10full in particular is not very common -- it was only standardized a few years ago, with a lot of de facto work-arounds in the meantime. Let it float unless you have a good reason otherwise.

:name 192.168.244.140 Server
:name 10.10.10.2 IP_VX

:ip address inside 192.168.244.129 255.255.255.192

Okay, so Server is in your inside address space. But IP_VX isn't.

:global (outside) 1 interface
:nat (inside) 0 access-list inside_outbound_nat0_acl
:nat (inside) 1 0.0.0.0 0.0.0.0 0 0

:static (inside,outside) Server Server netmask 255.255.255.255 0 0

That's okay for Server, as long as the outside devices know to route or proxy arp 192.168.244.140 to the care of your PIX.

:static (inside,outside) IP_VX IP_VX netmask 255.255.255.255 0 0

But that isn't okay. Oh, the PIX will proxy arp for IP_VX no problem, but when the packets get to the PIX, the PIX will drop the packets. In order to get the packets to where they are going, you need to add a 'route' statement to tell the PIX which router to forward 10.10.10.* to in order to be delivered to IP_VX.

Reply to
Walter Roberson
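The three configuration problems Walter points out (a blanket "permit ip any any" on the inbound ACL, service ports pinned on the *source* side of the pop3/https/imap4/VOIP/scc lines, and a reference to an object-group that was never defined) can all be caught by a simple static check over the access-list lines before the config is applied. The script below is an added example written for this thread, not something either poster or Cisco supplies; it assumes only the PIX 6.2 access-list syntax visible in the posted config, and the sample lines it runs over are an excerpt copied from that config. For every source-port finding it also prints the same line with the source-port clause dropped, which is what the client/ephemeral-port argument above implies the line should look like.

```python
"""Lint PIX 6.x access-list lines for the three mistakes discussed in the thread.

Added example for this thread (not the poster's or Cisco's code). Assumes the
PIX 6.2 'access-list NAME permit|deny PROTO SRC [port] DST [port]' syntax seen
in the posted config; port clauses are 'eq P', 'gt/lt/neq P', 'range A B' or
'object-group G'. Function names and the sample excerpt are ours.
"""

# Constructed excerpt: lines copied from the posted config.
SAMPLE_CONFIG = """\
object-group service scc tcp
  port-object range 1723 1723
  port-object range 3389 3389
object-group service VOIP udp
  port-object range 8002 8013
access-list outside_access_in permit tcp any object-group scc host Server object-group Datasmeden
access-list outside_access_in permit tcp any eq pop3 host Server eq pop3
access-list outside_access_in permit tcp any eq https host Server eq https
access-list outside_access_in permit tcp any eq imap4 host Server eq imap4
access-list outside_access_in permit udp any object-group VOIP host IP_VX object-group VOIP
access-list outside_access_in permit ip any any
access-list inside_IN permit ip any any
"""


def _address(t, i):
    """Consume one address spec ('any', 'host X' or 'X MASK') starting at t[i]."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return "host " + t[i + 1], i + 2
    return t[i] + " " + t[i + 1], i + 2


def _port(t, i):
    """Consume an optional port clause at t[i]; returns (op, [args]) or None."""
    if i >= len(t):
        return None, i
    if t[i] in ("eq", "gt", "lt", "neq", "object-group"):
        return (t[i], [t[i + 1]]), i + 2
    if t[i] == "range":
        return ("range", [t[i + 1], t[i + 2]]), i + 3
    return None, i


def parse_acl(line):
    """Split one access-list line into named fields; None for non-ACL lines."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        return None
    entry = {"name": t[1], "action": t[2], "proto": t[3]}
    i = 4
    entry["src"], i = _address(t, i)
    entry["sport"], i = _port(t, i)
    entry["dst"], i = _address(t, i)
    entry["dport"], i = _port(t, i)
    return entry


def _fmt_port(spec):
    return " ".join([spec[0]] + spec[1])


def lint(config_text):
    """Return (line, problem, suggested_line_or_None) for each finding."""
    lines = [raw.strip() for raw in config_text.splitlines()]
    # First pass: which service object-groups are actually defined.
    defined = {l.split()[2] for l in lines if l.startswith("object-group service ")}
    findings = []
    for line in lines:
        e = parse_acl(line)
        if e is None:
            continue
        if e["action"] == "permit" and e["proto"] == "ip" and e["src"] == "any" and e["dst"] == "any":
            findings.append((line, "blanket 'permit ip any any' on ACL %s" % e["name"], None))
        if e["sport"] is not None:
            # Clients connect from ephemeral ports, so a pinned source port
            # silently blocks nearly all real traffic; keep only the destination clause.
            parts = ["access-list", e["name"], e["action"], e["proto"], e["src"], e["dst"]]
            if e["dport"] is not None:
                parts.append(_fmt_port(e["dport"]))
            findings.append((line, "source port restricted (%s); clients use ephemeral source ports"
                             % _fmt_port(e["sport"]), " ".join(parts)))
        for spec in (e["sport"], e["dport"]):
            if spec is not None and spec[0] == "object-group" and spec[1][0] not in defined:
                findings.append((line, "object-group %s is referenced but never defined" % spec[1][0], None))
    return findings


if __name__ == "__main__":
    for line, problem, fix in lint(SAMPLE_CONFIG):
        print("LINE:    ", line)
        print("PROBLEM: ", problem)
        if fix:
            print("SUGGEST: ", fix)
        print()
```

Run it against the full saved config and the findings for the posted excerpt are exactly the ones raised in the reply: two blanket permits, five lines with a pinned source port (each with a rewritten suggestion such as "access-list outside_access_in permit tcp any host Server eq pop3"), and the undefined Datasmeden group. For the scc line the suggestion only drops the source clause; which port set was actually intended for the destination still has to be decided by whoever wrote it.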

Thanks for a fast and good answer! But... if I use the config like it is now, why can't I get the inside net to go out to the internet? Shouldn't it be stateful? Why does it drop the incoming packets?

Regards, Fredrik

Reply to
Fredrik
