Velocity Reviews - Computer Hardware Reviews

PAT pix 501

 
 
Fredrik
Guest
Posts: n/a
 
      05-24-2005
Hi,
can't figure out what I'm doing wrong...
Can't get the inside net to go out on the internet, please check my
config.
It works if I add this to the config:
"access-list outside_access_in permit ip any any"

but isn't that dangerous?

my config:


Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
---"password removed"----
hostname 3531
domain-name ---removed----
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.0.0.0 Electra_net
name 192.168.244.140 Server
name 10.10.10.2 IP_VX
object-group service scc tcp
port-object range 1723 1723
port-object range 3389 3389
object-group service VOIP udp
port-object range 8002 8013
port-object range 5588 5588
port-object range 2048 2063
port-object range 8020 8027
port-object range 6254 6254
access-list inside_outbound_nat0_acl permit ip 192.168.244.128 255.255.255.192 Electra_net 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.244.128 255.255.255.192 Electra_net 255.255.255.0
access-list outside_access_in permit tcp any object-group scc host Server object-group Datasmeden
access-list outside_access_in permit tcp any eq pop3 host Server eq pop3
access-list outside_access_in permit tcp any eq https host Server eq https
access-list outside_access_in permit tcp any eq imap4 host Server eq imap4
access-list outside_access_in permit udp any object-group VOIP host IP_VX object-group VOIP
access-list outside_access_in permit ip any any
access-list inside_IN permit ip any any
access-list fsv permit ip host 193.88.44.22 any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.244.129 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Server Server netmask 255.255.255.255 0 0
static (inside,outside) IP_VX IP_VX netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 195.67.82.163 255.255.255.255 outside
http 192.168.244.128 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 195.67.82.174
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 195.67.82.174 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.244.130-192.168.244.135 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:cf589a15f0a80c1633094e5a7a610184
: end
[OK]
 
 
Walter Roberson
Guest
Posts: n/a
 
      05-24-2005
In article <(E-Mail Removed) >,
Fredrik <(E-Mail Removed)> wrote:
:Can't get the inside net to go out on the internet, please check my
:config.

:It works if I add this to the config:
:"access-list outside_access_in permit ip any any"

:but isn't that dangerous?

Yes.


:PIX Version 6.2(2)

You should update that; there are known security problems in 6.2(2),
and there were a bunch of bugs fixed in 6.2(3). As I recall you can
get a free update to 6.2(5); search cisco's site for PIX Security
Advisories for more information.


:name 192.0.0.0 Electra_net

:access-list inside_outbound_nat0_acl permit ip 192.168.244.128 255.255.255.192 Electra_net 255.255.255.0

That's your nat 0 access-list ACL, but Electra_net 255.255.255.0
is 192.0.0.* and 192.0.0.* is reserved IP address space.
The PIX won't stop the IP traffic from going through, but other
equipment along the line isn't necessarily going to be as friendly
to that IP space.

:access-list outside_cryptomap_20 permit ip 192.168.244.128 255.255.255.192 Electra_net 255.255.255.0

:object-group service scc tcp
: port-object range 1723 1723
: port-object range 3389 3389

:access-list outside_access_in permit tcp any object-group scc host Server object-group Datasmeden

You didn't give a definition for object-group Datasmeden in what you
posted. See below as well.

:access-list outside_access_in permit tcp any eq pop3 host Server eq pop3
:access-list outside_access_in permit tcp any eq https host Server eq https
:access-list outside_access_in permit tcp any eq imap4 host Server eq imap4

Those lines and the one with the scc object group are almost certainly
wrong. For pop3, https, and imap4, the *source* port is supposed
to be a dynamically allocated port from 1024 upward. When a client
wants to connect to pop3 on a server, the only occurrence of the pop3
port number is in the destination port -- the source port is semi-random.

:access-list outside_access_in permit udp any object-group VOIP host IP_VX object-group VOIP

That line very likely has the same problem.

:access-list outside_access_in permit ip any any
:access-list inside_IN permit ip any any
:access-list fsv permit ip host 193.88.44.22 any

:interface ethernet0 10baset
:interface ethernet1 10full

*Usually* you want to set those to auto. 10full in particular is
not very common -- it was only standardized a few years ago, with a
lot of de facto work-arounds in the meantime. Let it float unless
you have a good reason otherwise.

:name 192.168.244.140 Server
:name 10.10.10.2 IP_VX

:ip address inside 192.168.244.129 255.255.255.192

Okay, so Server is in your inside address space. But IP_VX isn't.

:global (outside) 1 interface
:nat (inside) 0 access-list inside_outbound_nat0_acl
:nat (inside) 1 0.0.0.0 0.0.0.0 0 0

:static (inside,outside) Server Server netmask 255.255.255.255 0 0

That's okay for Server, as long as the outside devices know
to route or proxy arp 192.168.244.140 to the care of your PIX.

:static (inside,outside) IP_VX IP_VX netmask 255.255.255.255 0 0

But that isn't okay. Oh, the PIX will proxy arp for IP_VX no problem,
but when the packets get to the PIX, the PIX will drop the packets.
In order to get the packets to where they are going, you need to
add a 'route' statement to tell the PIX which router to forward 10.10.10.*
to in order to be delivered to the IP_VX.
 
Fredrik
Guest
Posts: n/a
 
      05-25-2005
(E-Mail Removed)-cnrc.gc.ca (Walter Roberson) wrote in message news:<d703ca$em9$(E-Mail Removed)>...
> In article <(E-Mail Removed) >,
> Fredrik <(E-Mail Removed)> wrote:
> :Can't get the inside net to go out on the internet, please check my
> :config.
>
> :It works if I add this to the config:
> :"access-list outside_access_in permit ip any any"
>
> :but isn't that dangerous?
>
> Yes.
>
>
> :PIX Version 6.2(2)
>
> You should update that; there are known security problems in 6.2(2),
> and there were a bunch of bugs fixed in 6.2(3). As I recall you can
> get a free update to 6.2(5); search cisco's site for PIX Security
> Advisories for more information.
>
>
> :name 192.0.0.0 Electra_net
>
> :access-list inside_outbound_nat0_acl permit ip 192.168.244.128 255.255.255.192 Electra_net 255.255.255.0
>
> That's your nat 0 access-list ACL, but Electra_net 255.255.255.0
> is 192.0.0.* and 192.0.0.* is reserved IP address space.
> The PIX won't stop the IP traffic from going through, but other
> equipment along the line isn't necessarily going to be as friendly
> to that IP space.
>
> :access-list outside_cryptomap_20 permit ip 192.168.244.128 255.255.255.192 Electra_net 255.255.255.0
>
> :object-group service scc tcp
> : port-object range 1723 1723
> : port-object range 3389 3389
>
> :access-list outside_access_in permit tcp any object-group scc host Server object-group Datasmeden
>
> You didn't give a definition for object-group Datasmeden in what you
> posted. See below as well.
>
> :access-list outside_access_in permit tcp any eq pop3 host Server eq pop3
> :access-list outside_access_in permit tcp any eq https host Server eq https
> :access-list outside_access_in permit tcp any eq imap4 host Server eq imap4
>
> Those lines and the one with the scc object group are almost certainly
> wrong. For pop3, https, and imap4, the *source* port is supposed
> to be a dynamically allocated port from 1024 upward. When a client
> wants to connect to pop3 on a server, the only occurrence of the pop3
> port number is in the destination port -- the source port is semi-random.
>
> :access-list outside_access_in permit udp any object-group VOIP host IP_VX object-group VOIP
>
> That line very likely has the same problem.
>
> :access-list outside_access_in permit ip any any
> :access-list inside_IN permit ip any any
> :access-list fsv permit ip host 193.88.44.22 any
>
> :interface ethernet0 10baset
> :interface ethernet1 10full
>
> *Usually* you want to set those to auto. 10full in particular is
> not very common -- it was only standardized a few years ago, with a
> lot of de facto work-arounds in the meantime. Let it float unless
> you have a good reason otherwise.
>
> :name 192.168.244.140 Server
> :name 10.10.10.2 IP_VX
>
> :ip address inside 192.168.244.129 255.255.255.192
>
> Okay, so Server is in your inside address space. But IP_VX isn't.
>
> :global (outside) 1 interface
> :nat (inside) 0 access-list inside_outbound_nat0_acl
> :nat (inside) 1 0.0.0.0 0.0.0.0 0 0
>
> :static (inside,outside) Server Server netmask 255.255.255.255 0 0
>
> That's okay for Server, as long as the outside devices know
> to route or proxy arp 192.168.244.140 to the care of your PIX.
>
> :static (inside,outside) IP_VX IP_VX netmask 255.255.255.255 0 0
>
> But that isn't okay. Oh, the PIX will proxy arp for IP_VX no problem,
> but when the packets get to the PIX, the PIX will drop the packets.
> In order to get the packets to where they are going, you need to
> add a 'route' statement to tell the PIX which router to forward 10.10.10.*
> to in order to be delivered to the IP_VX.



Thanks for a fast and good answer!
But...
If I use the config like it is now, why can't I get the inside net
to go out to the internet? Shouldn't it be stateful? Why does it drop
the incoming packets?

regards
Fredrik