Velocity Reviews - Computer Hardware Reviews

Port forward not working

 
 
paul_tomlin@hotmail.com
10-28-2006
Guys, I've set up a static statement and believe I've put in the
necessary access list to allow the required ports to be forwarded. Could
you have a look over this and see if I've missed anything obvious?

By the way, this PIX is behind a managed router, but I've been told all
ports are open.

Any help would be appreciated.

Paul

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 state security10
hostname pixfirewall
domain-name ciscopix.com
clock timezone GMT/BST 0
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.252.0 192.168.91.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.252.0 192.168.92.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.252.0 192.168.200.0 255.255.248.0
access-list inside_outbound_nat0_acl permit ip 192.100.20.0 255.255.255.0 192.168.200.0 255.255.248.0
access-list inside_outbound_nat0_acl permit ip 192.100.20.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.100.20.0 255.255.255.0 192.168.91.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.252.0 192.100.21.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.100.20.0 255.255.255.0 192.100.21.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.92.0 255.255.255.0
access-list VPN_splitTunnelAcl permit ip 192.168.100.0 255.255.252.0 any
access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.252.0 192.168.200.0 255.255.248.0
access-list outside_cryptomap_20 permit ip 192.100.20.0 255.255.255.0 192.168.200.0 255.255.248.0
access-list outside_cryptomap_40 permit ip 192.168.100.0 255.255.252.0 192.100.21.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.100.20.0 255.255.255.0 192.100.21.0 255.255.255.0
access-list out-acl permit tcp host xxx.xxx.xxx.105 any eq https
access-list out-acl permit tcp any host xxx.xxx.xxx.105 eq https
access-list out-acl permit tcp host xxx.xxx.xxx.105 any eq pptp
access-list out-acl permit tcp any host xxx.xxx.xxx.105 eq pptp
access-list out-acl permit tcp host xxx.xxx.xxx.105 any eq smtp
access-list out-acl permit tcp any host xxx.xxx.xxx.105 eq smtp
access-list out-acl permit tcp host xxx.xxx.xxx.105 any eq www
access-list out-acl permit tcp any host xxx.xxx.xxx.105 eq www
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu state 1500
ip address outside xxx.xxx.xxx.109 255.255.255.240
ip address inside 192.168.102.33 255.255.252.0
no ip address intf2
no ip address intf3
no ip address intf4
ip address state 192.168.90.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool PPTP 192.168.91.1-192.168.91.254
ip local pool IPSEC 192.168.92.1-192.168.92.254
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside xxx.xxx.xxx.108
failover ip address inside 192.168.102.32
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
failover ip address state 192.168.90.2
failover link inside
pdm location 192.168.102.12 255.255.255.255 inside
pdm location 192.168.91.0 255.255.255.0 outside
pdm location 192.168.200.0 255.255.255.0 outside
pdm location 192.100.20.0 255.255.255.0 inside
pdm location 192.100.21.0 255.255.255.0 outside
pdm location 192.168.200.0 255.255.255.255 outside
pdm location 192.168.200.0 255.255.248.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.xxx.105 192.168.101.93 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.97 1
route inside 192.100.20.0 255.255.255.0 192.168.102.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.200.0 255.255.248.0 outside
http 192.168.100.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer yyy.yyy.yyy.140
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer zzz.zzz.zzz.189
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address yyy.yyy.yyy.140 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address zzz.zzz.zzz.189 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPN address-pool IPSEC
vpngroup VPN dns-server 192.168.102.6
vpngroup VPN wins-server 192.168.102.6 192.168.102.14
vpngroup VPN split-tunnel VPN_splitTunnelAcl
vpngroup VPN idle-time 1800
vpngroup VPN password ********
telnet 192.168.200.0 255.255.248.0 outside
telnet 192.168.100.0 255.255.252.0 inside
telnet timeout 5
ssh 192.168.200.0 255.255.248.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.100.0 255.255.252.0 inside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local PPTP
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username administrator password ********
vpdn username remote password ********
vpdn enable outside
terminal width 80

 
Brian V
10-28-2006

<> wrote in message
news: oups.com...
> Guys, I've set up a static statement and believe I've put in the
> necessary access list to allow the required ports to be forwarded. Could
> you have a look over this and see if I've missed anything obvious?
>
> By the way, this PIX is behind a managed router, but I've been told all
> ports are open.
>
> Any help would be appreciated.
>
> Paul


You didn't apply your access-list. On the PIX the command is:

access-group out-acl in interface outside

Everything else looks fine.


 
Walter Roberson
10-28-2006
In article < .com>,
<> wrote:
>Guys, I've set up a static statement and believe I've put in the
>necessary access list to allow the required ports to be forwarded. Could
>you have a look over this and see if I've missed anything obvious?


>PIX Version 6.3(4)


6.3(5)112 mitigates a security attack, but you might have to open
a case to get it.

>access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.252.0 192.168.91.0 255.255.255.0
>access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.252.0 192.168.92.0 255.255.255.0
>access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.252.0 192.168.200.0 255.255.248.0


So far that implies that 192.168.100.0 255.255.252.0 is internal and
192.168.91/24, 192.168.92/24, and 192.168.200.0 255.255.248.0 are outside
(or lower security)

>access-list inside_outbound_nat0_acl permit ip 192.100.20.0 255.255.255.0 192.168.200.0 255.255.248.0
>access-list inside_outbound_nat0_acl permit ip 192.100.20.0 255.255.255.0 192.168.92.0 255.255.255.0
>access-list inside_outbound_nat0_acl permit ip 192.100.20.0 255.255.255.0 192.168.91.0 255.255.255.0


Those have the same outside destinations but suggest 192.100.20.0 is
internal. 192.100.20/24 is *public* IP space (avenet.com)

>access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.252.0 192.100.21.0 255.255.255.0


Which suggests that 192.100.21/24 (Coalition for Networked Information)
is external

>access-list inside_outbound_nat0_acl permit ip 192.100.20.0 255.255.255.0 192.100.21.0 255.255.255.0


That's consistent: 192.100.20/24 internal, 192.100.21/24 external.

>ip address inside 192.168.102.33 255.255.252.0
>route inside 192.100.20.0 255.255.255.0 192.168.102.3 1


Again consistent, 192.168.100.0 255.255.252.0 and 192.100.20/24 internal.

But it just seems unlikely -- if you are the Coalition for Networked
Information of Washington DC, then why would you have a VPN to
Avnet Inc of Chandler Arizona??


>access-list out-acl permit tcp host xxx.xxx.xxx.105 any eq https
>access-list out-acl permit tcp any host xxx.xxx.xxx.105 eq https
>access-list out-acl permit tcp host xxx.xxx.xxx.105 any eq pptp
>access-list out-acl permit tcp any host xxx.xxx.xxx.105 eq pptp
>access-list out-acl permit tcp host xxx.xxx.xxx.105 any eq smtp
>access-list out-acl permit tcp any host xxx.xxx.xxx.105 eq smtp
>access-list out-acl permit tcp host xxx.xxx.xxx.105 any eq www
>access-list out-acl permit tcp any host xxx.xxx.xxx.105 eq www


I gather that xxx.xxx.xxx.105 is one of your public IPs. If so, then
get rid of all of the lines "permit tcp host".

You appear to be missing,

access-group out-acl in interface outside

>ip address outside xxx.xxx.xxx.109 255.255.255.240
>ip address inside 192.168.102.33 255.255.252.0
>ip address state 192.168.90.1 255.255.255.0


>ip local pool PPTP 192.168.91.1-192.168.91.254
>ip local pool IPSEC 192.168.92.1-192.168.92.254
>failover ip address outside xxx.xxx.xxx.108
>failover ip address inside 192.168.102.32
>failover ip address state 192.168.90.2
>failover link inside


You do not appear to do anything with the 'state' interface other than
set up failover for it?

>global (outside) 10 interface
>nat (inside) 0 access-list inside_outbound_nat0_acl
>nat (inside) 10 0.0.0.0 0.0.0.0 0 0
>static (inside,outside) xxx.xxx.xxx.105 192.168.101.93 netmask 255.255.255.255 0 0
>route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.97 1
>route inside 192.100.20.0 255.255.255.0 192.168.102.3 1


>sysopt connection permit-ipsec
>sysopt connection permit-pptp


>crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20


>crypto map outside_map 20 match address outside_cryptomap_20


>crypto map outside_map 40 match address outside_cryptomap_40


>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map


>crypto map outside_map interface outside
>isakmp enable outside


>isakmp policy 20 authentication pre-share
>isakmp policy 20 encryption des
>isakmp policy 20 hash md5
>isakmp policy 20 group 2
>isakmp policy 20 lifetime 86400


DES MD5 is more often group 1; you might want to add another policy
with a higher policy number to support that case.

>vpngroup VPN address-pool IPSEC
>vpngroup VPN split-tunnel VPN_splitTunnelAcl


>vpdn group 1 accept dialin pptp
>vpdn group 1 client configuration address local PPTP


>vpdn enable outside



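An added checker, not code from the thread or from Cisco, that catches both points the replies raise: an access-list that is defined but never applied with access-group (or referenced by a crypto map, nat 0 or split-tunnel), and entries on the outside ACL whose source is one of the firewall's own static public addresses. It runs on a constructed cut-down of the posted config; the placeholder xxx.xxx.xxx.105 is kept from the post.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed cut-down of the PIX 6.3 config posted in the thread; the
# masked public address xxx.xxx.xxx.105 is the poster's own placeholder.
SAMPLE_CONFIG = """
access-list out-acl permit tcp host xxx.xxx.xxx.105 any eq https
access-list out-acl permit tcp any host xxx.xxx.xxx.105 eq https
access-list out-acl permit tcp host xxx.xxx.xxx.105 any eq www
access-list out-acl permit tcp any host xxx.xxx.xxx.105 eq www
access-list VPN_splitTunnelAcl permit ip 192.168.100.0 255.255.252.0 any
vpngroup VPN split-tunnel VPN_splitTunnelAcl
static (inside,outside) xxx.xxx.xxx.105 192.168.101.93 netmask 255.255.255.255 0 0
"""

# Ways a PIX 6.x ACL gets used; a name matched by none of these is dead config.
REF_PATTERNS = [
    r"^access-group\s+(\S+)\s+in\s+interface\s+\S+",  # packet filtering
    r"\bmatch address\s+(\S+)$",                       # crypto / dynamic map
    r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)",       # NAT exemption
    r"\bsplit-tunnel\s+(\S+)$",                        # vpngroup split tunnel
]

def parse(config: str) -> Tuple[Dict[str, List[str]], Set[str], Set[str]]:
    """Return (acl name -> ACEs, referenced ACL names, static public IPs)."""
    acls: Dict[str, List[str]] = {}
    referenced: Set[str] = set()
    statics: Set[str] = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^access-list\s+(\S+)\s+(.+)$", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        for pat in REF_PATTERNS:
            m = re.search(pat, line)
            if m:
                referenced.add(m.group(1))
        m = re.match(r"^static\s+\(\S+,\S+\)\s+(\S+)\s+\S+", line)
        if m:
            statics.add(m.group(1))  # global (outside) address of the static
    return acls, referenced, statics

def unapplied_acls(config: str) -> List[str]:
    """ACLs defined but never applied or referenced: the bug in this thread."""
    acls, referenced, _ = parse(config)
    return sorted(set(acls) - referenced)

def self_sourced_aces(config: str) -> List[Tuple[str, str]]:
    """ACEs whose source is one of the firewall's own static public IPs; inbound
    on outside such traffic never arrives, so the entry can never match."""
    acls, _, statics = parse(config)
    hits = []
    for name, aces in acls.items():
        for ace in aces:
            m = re.match(r"permit\s+\S+\s+host\s+(\S+)\s", ace)
            if m and m.group(1) in statics:
                hits.append((name, ace))
    return hits
```

Note that the IOS form "ip access-group" is not recognised, so an ACL applied that way still shows up as unapplied, which is the PIX behaviour as well.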
 