PIX 501 config question

Hi all,

I'm not sure if this is a suitable place to ask this, but here goes...

I have a PIX501 which I think should be working correctly but since my hosting provider, who tell me they have set up a private network for my use, wants $50 per 30 minutes to configure it (they have seen the config but expressed no view on whether it is broken) I think I need an independent opinion. My suspicion is that the PIX is fine and that it is the external routing that needs fixing.

Can anyone give me an opinion on whether this should let any traffic through? There is a software firewall installed on my webserver so I am happy for the PIX to be very insecure right now - I just want to get it to work at all :-)

I have changed some specifics below to protect the innocent.

Outside: Interface: 212.130.214.10 Mask: 255.255.255.252 Gateway: 212.130.214.9

Inside: Interface: 212.130.215.193 Mask: 255.255.255.192 Gateway: 212.130.215.193

Result of firewall command: "write term"

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aaaaa encrypted
passwd bbbbb encrypted
hostname ccccc
domain-name ddddd.com
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xxx.xxx.xxx.xxx XXXXX
name yyy.yyy.yyy.yyy YYYYY
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit udp any any
pager lines 24
logging on
logging history debugging
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 212.130.214.10 255.255.255.252
ip address inside 212.130.215.193 255.255.255.192
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location XXXXX 255.255.255.240 outside
pdm location YYYYY 255.255.255.240 outside
pdm location zzz.zzz.zzz.zzz 255.255.255.0 outside
pdm logging debugging 500
pdm history enable
arp timeout 14400
nat (inside) 0 212.130.215.192 255.255.255.192 0 0
static (inside,outside) 212.130.215.192 212.130.215.192 netmask 255.255.255.192 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 212.130.214.9 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authorization command LOCAL
ntp server xxx.xxx.xxx.xxx source outside prefer
http server enable
http AAAAA 255.255.255.240 outside
http BBBBB 255.255.255.240 outside
http 212.130.193.0 255.255.255.0 outside
http 212.130.215.192 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server community EEEEE
no snmp-server enable traps
floodguard enable
telnet AAAAA 255.255.255.240 outside
telnet 212.130.193.0 255.255.255.0 outside
telnet 212.130.215.192 255.255.255.192 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username iiiii password iiiii encrypted privilege 3
username jjjjj password jjjjj encrypted privilege 15
username kkkkk password kkkkk encrypted privilege 5
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:zzzzz
: end
[OK]
Dave_LondonUK

comp.dcom.sys.cisco is a better place for PIX questions. There is a non-trivial overlap between Cisco IOS and the Cisco PIX operating system -- and more PIX people just hang out there anyhow.

Your nat statement has a much lower priority than your static statement. The only thing with a higher priority than a plain static like you have there would be "nat (inside) 0 access-list ACLNAME".

Your nat 0 statement is thus redundant -- but that's okay, because at the moment, for your purpose of just letting everything through, your static statement is fine and has the dual effect of translating each IP to itself and of allowing new flows from the outside to the inside as per your access-group.

As a security feature, the PIX will not allow telnet from "outside" (unless the traffic is coming in via a VPN.) But that's not going to cause you any active problems.

Your PIX configuration looks okay. Most likely, your provider is not routing 212.130.215.192/26 via 212.130.214.10, in which case nothing would get through except that which happened to work via proxy-arp (which should not be counted on working.)

You can investigate further with "debug icmp trace" and then pinging 212.130.214.9 from the PIX itself and from inside systems. You can also use "debug packet outside" and see whether the packets are reaching you. (Once the connection is basically working, "debug packet outside" will usually produce too much information to be useful; you would then switch to using the more selective "capture" commands.)

Walter Roberson
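Walter's reply reasons through three things: which translation rule actually handles the inside hosts (static beats nat 0), whether the outside ACL admits new inbound flows, and whether the provider routes the /26 to the PIX's outside address. The script below is an added example, written for this page and not posted by either participant. It parses the relevant lines of the config above (embedded as constructed input with the post's anonymised addresses) and encodes that reasoning. The precedence it uses (nat 0 access-list, then static, then plain nat 0) is the PIX 6.x order described in the reply; the function names, the dict layout and the 198.51.100.7 test source are this example's own assumptions, not PIX commands.

```python
"""Check a PIX 6.3-style config the way the reply reasons: which translation rule
wins for an inside host, whether the outside ACL admits a new inbound flow, and
which prefix the upstream router must point at the PIX's outside address."""
import ipaddress
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Constructed input: the addressing, translation, ACL and telnet lines from the
# posted config, one command per line, using the post's anonymised addresses.
SAMPLE_CONFIG = """\
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit udp any any
ip address outside 212.130.214.10 255.255.255.252
ip address inside 212.130.215.193 255.255.255.192
nat (inside) 0 212.130.215.192 255.255.255.192 0 0
static (inside,outside) 212.130.215.192 212.130.215.192 netmask 255.255.255.192 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 212.130.214.9 1
telnet 212.130.193.0 255.255.255.0 outside
telnet 212.130.215.192 255.255.255.192 inside
"""

def _net(addr: str, mask: str) -> IPv4Network:
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _endpoint(t: list, i: int):
    """ACE endpoint at t[i]: any | host A | A MASK. Returns (network, next index)."""
    if t[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return IPv4Network(t[i + 1] + "/32"), i + 2
    return _net(t[i], t[i + 1]), i + 2

def parse(config: str) -> dict:
    """Keep only the statements the checks below need; other lines are ignored."""
    cfg = {"if_addr": {}, "acl": {}, "access_group": {}, "nat0_acl": [],
           "nat0": [], "static": [], "telnet": []}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:            # ip address IFC ADDR MASK
            cfg["if_addr"][t[2]] = IPv4Address(t[3])
        elif t[0] == "access-list":               # access-list NAME permit|deny PROTO SRC DST
            src, i = _endpoint(t, 4)
            dst, _ = _endpoint(t, i)
            cfg["acl"].setdefault(t[1], []).append((t[2], t[3], src, dst))
        elif t[0] == "access-group":              # access-group NAME in interface IFC
            cfg["access_group"][t[4]] = t[1]
        elif t[0] == "nat" and t[2] == "0":
            if t[3] == "access-list":             # nat (IFC) 0 access-list NAME
                cfg["nat0_acl"].append(t[4])
            else:                                 # nat (IFC) 0 ADDR MASK ...
                cfg["nat0"].append(_net(t[3], t[4]))
        elif t[0] == "static":                    # static (real,mapped) GLOBAL LOCAL netmask MASK
            cfg["static"].append((_net(t[3], t[5]), _net(t[2], t[5])))  # (local, mapped)
        elif t[0] == "telnet" and len(t) == 4:    # telnet ADDR MASK IFC
            cfg["telnet"].append((_net(t[1], t[2]), t[3]))
    return cfg

def translation_for(cfg: dict, inside_ip: str) -> Optional[tuple]:
    """PIX 6.x precedence: nat 0 access-list, then static, then plain nat 0.
    Returns (rule, mapped address), or None if nothing translates the host."""
    ip = IPv4Address(inside_ip)
    for name in cfg["nat0_acl"]:
        if any(a == "permit" and ip in s for a, _p, s, _d in cfg["acl"].get(name, [])):
            return ("nat 0 access-list", ip)
    for local, mapped in cfg["static"]:           # a /26 identity static maps each host 1:1
        if ip in local:
            return ("static", mapped.network_address + (int(ip) - int(local.network_address)))
    for n in cfg["nat0"]:
        if ip in n:
            return ("nat 0", ip)
    return None

def inbound_allowed(cfg: dict, proto: str, src_ip: str, dst_mapped_ip: str) -> bool:
    """New outside->inside flow: needs a rule that exposes the host (a static or
    nat 0 access-list; plain nat 0 does not) and a permit in the outside ACL."""
    src, dst = IPv4Address(src_ip), IPv4Address(dst_mapped_ip)
    exposed = any(dst in m for _l, m in cfg["static"]) or any(
        dst in s for n in cfg["nat0_acl"] for _a, _p, s, _d in cfg["acl"].get(n, []))
    name = cfg["access_group"].get("outside")
    if not exposed or name is None:               # no ACL bound: lower security cannot initiate
        return False
    for action, p, s, d in cfg["acl"].get(name, []):
        if p in (proto, "ip") and src in s and dst in d:
            return action == "permit"             # first match wins
    return False                                  # implicit deny at the end of the ACL

def upstream_route(cfg: dict) -> str:
    """What the provider must carry: each exposed prefix, routed to the PIX's
    outside address (not the inside address, which lives behind it)."""
    return ", ".join(f"{p} via {cfg['if_addr']['outside']}"
                     for p in sorted({str(m) for _l, m in cfg["static"]}))

def ineffective_telnet(cfg: dict) -> list:
    """telnet ... outside entries grant nothing: the PIX refuses cleartext telnet
    on the outside interface unless it arrives inside an IPsec tunnel."""
    return [str(n) for n, ifc in cfg["telnet"] if ifc == "outside"]

if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    print("212.130.215.200 is translated by:", translation_for(cfg, "212.130.215.200"))
    print("tcp from 198.51.100.7 allowed:", inbound_allowed(cfg, "tcp", "198.51.100.7", "212.130.215.200"))
    print("provider must route:", upstream_route(cfg))
    print("telnet lines that grant nothing:", ineffective_telnet(cfg))
```

Run against the posted config this reports that the static, not the nat 0 line, is what translates an inside host, that the outside ACL admits any inbound TCP to it, and that the one thing outside the PIX's control is a route for 212.130.215.192/26 pointing at 212.130.214.10 on the provider side, which is exactly where the reply says to look. Swap in your own config text to check a different box; statements the checks do not need are ignored.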
