Velocity Reviews - Computer Hardware Reviews

Pix 515 VLAN NAT0 issues

 
 
tartar813
      03-16-2006
I am having problems with my Pix: it goes offline for a short period,
plus I get bad ftp performance with it. I have 6 interfaces outside and
5 vlan interfaces on the inside, and I have all the NATs built. Not sure
if there is something I am doing incorrectly. I have 4 more PIXes and am
probably going to upgrade to 7.0, but will have to relearn the pix in
the new commands.

Any help would be greatly appreciated

My firewall config is as follows:

dimepix1> en
Password: ******
dimepix1# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan35 physical
interface ethernet1 vlan20 logical
interface ethernet1 vlan21 logical
interface ethernet1 vlan22 logical
interface ethernet1 vlan23 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan20 priv security96
nameif vlan21 reggie security99
nameif vlan22 net3 security98
nameif vlan23 net4 security97
hostname dimepix1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 72.29.91.64 255.255.255.240 any
access-list 101 permit ip 72.29.91.80 255.255.255.240 any
access-list 101 permit ip 72.29.91.96 255.255.255.240 any
access-list 101 permit ip 72.29.91.112 255.255.255.248 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 72.29.91.125 255.255.255.248
no ip address inside
ip address priv 72.29.91.65 255.255.255.240
ip address reggie 72.29.91.81 255.255.255.240
ip address net3 72.29.91.97 255.255.255.240
ip address net4 72.29.91.113 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address priv
no failover ip address reggie
no failover ip address net3
no failover ip address net4
pdm history enable
arp timeout 14400
nat (inside) 0 72.29.91.64 255.255.255.240 0 0
nat (reggie) 0 72.29.91.80 255.255.255.240 0 0
nat (net3) 0 72.29.91.96 255.255.255.240 0 0
nat (net4) 0 72.29.91.112 255.255.255.248 0 0
static (reggie,outside) 72.29.91.84 72.29.91.84 netmask 255.255.255.255 0 0
static (reggie,outside) 72.29.91.83 72.29.91.83 netmask 255.255.255.255 0 0
static (reggie,outside) 72.29.91.82 72.29.91.82 netmask 255.255.255.255 0 0
static (reggie,outside) 72.29.91.85 72.29.91.85 netmask 255.255.255.255 0 0
static (reggie,outside) 72.29.91.86 72.29.91.86 netmask 255.255.255.255 0 0
static (reggie,outside) 72.29.91.87 72.29.91.87 netmask 255.255.255.255 0 0
static (reggie,outside) 72.29.91.88 72.29.91.88 netmask 255.255.255.255 0 0
static (reggie,outside) 72.29.91.89 72.29.91.89 netmask 255.255.255.255 0 0
static (reggie,outside) 72.29.91.94 72.29.91.94 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.98 72.29.91.98 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.99 72.29.91.99 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.100 72.29.91.100 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.101 72.29.91.101 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.102 72.29.91.102 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.103 72.29.91.103 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.104 72.29.91.104 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.105 72.29.91.105 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.106 72.29.91.106 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.107 72.29.91.107 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.108 72.29.91.108 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.109 72.29.91.109 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.110 72.29.91.110 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.66 72.29.91.66 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.67 72.29.91.67 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.68 72.29.91.68 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.69 72.29.91.69 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.70 72.29.91.70 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.71 72.29.91.71 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.72 72.29.91.72 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.73 72.29.91.73 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.74 72.29.91.74 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.75 72.29.91.75 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.76 72.29.91.76 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.77 72.29.91.77 netmask 255.255.255.255 0 0
static (priv,outside) 72.29.91.78 72.29.91.78 netmask 255.255.255.255 0 0
static (priv,net3) 72.29.91.66 72.29.91.66 netmask 255.255.255.255 0 0
static (net3,priv) 72.29.91.99 72.29.91.99 netmask 255.255.255.255 0 0
static (net3,priv) 72.29.91.98 72.29.91.98 netmask 255.255.255.255 0 0
static (net3,priv) 72.29.91.107 72.29.91.107 netmask 255.255.255.255 0 0
static (priv,reggie) 72.29.91.66 72.29.91.66 netmask 255.255.255.255 0 0
static (reggie,priv) 72.29.91.82 72.29.91.82 netmask 255.255.255.255 0 0
static (reggie,priv) 72.29.91.83 72.29.91.83 netmask 255.255.255.255 0 0
static (reggie,priv) 72.29.91.84 72.29.91.84 netmask 255.255.255.255 0 0
static (reggie,priv) 72.29.91.85 72.29.91.85 netmask 255.255.255.255 0 0
static (reggie,priv) 72.29.91.86 72.29.91.86 netmask 255.255.255.255 0 0
static (reggie,net3) 72.29.91.83 72.29.91.83 netmask 255.255.255.255 0 0
static (net4,outside) 72.29.91.114 72.29.91.114 netmask 255.255.255.255 0 0
static (net4,outside) 72.29.91.115 72.29.91.115 netmask 255.255.255.255 0 0
static (net4,outside) 72.29.91.116 72.29.91.116 netmask 255.255.255.255 0 0
static (net4,outside) 72.29.91.117 72.29.91.117 netmask 255.255.255.255 0 0
static (net4,outside) 72.29.91.118 72.29.91.118 netmask 255.255.255.255 0 0
static (net4,priv) 72.29.91.114 72.29.91.114 netmask 255.255.255.255 0 0
static (net4,reggie) 72.29.91.114 72.29.91.114 netmask 255.255.255.255 0 0
static (net4,net3) 72.29.91.114 72.29.91.114 netmask 255.255.255.255 0 0
static (net3,reggie) 72.29.91.99 72.29.91.99 netmask 255.255.255.255 0 0
static (net3,net4) 72.29.91.99 72.29.91.99 netmask 255.255.255.255 0 0
static (net3,reggie) 72.29.91.98 72.29.91.98 netmask 255.255.255.255 0 0
static (net3,net4) 72.29.91.98 72.29.91.98 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 72.29.91.84 eq www any
conduit permit tcp host 72.29.91.84 eq https any
conduit permit tcp host 72.29.91.84 eq 3389 any
conduit permit tcp host 72.29.91.84 eq ftp any
conduit permit tcp host 72.29.91.82 eq domain any
conduit permit udp host 72.29.91.82 eq domain any
conduit permit tcp host 72.29.91.82 eq ftp any
conduit permit tcp host 72.29.91.82 eq www any
conduit permit tcp host 72.29.91.82 eq https any
conduit permit tcp host 72.29.91.82 eq 3389 any
conduit permit tcp host 72.29.91.83 eq domain any
conduit permit udp host 72.29.91.83 eq domain any
conduit permit tcp host 72.29.91.83 eq pop3 any
conduit permit tcp host 72.29.91.83 eq 3389 any
conduit permit tcp host 72.29.91.83 eq ftp any
conduit permit tcp host 72.29.91.83 eq smtp any
conduit permit tcp host 72.29.91.85 eq www any
conduit permit tcp host 72.29.91.85 eq ftp any
conduit permit tcp host 72.29.91.85 eq https any
conduit permit tcp host 72.29.91.85 eq 3389 any
conduit permit tcp host 72.29.91.85 eq 7099 any
conduit permit tcp host 72.29.91.83 eq www any
conduit permit tcp host 72.29.91.83 eq imap4 any
conduit permit tcp host 72.29.91.86 eq www any
conduit permit tcp host 72.29.91.86 eq https any
conduit permit tcp host 72.29.91.87 eq https any
conduit permit tcp host 72.29.91.87 eq www any
conduit permit tcp host 72.29.91.88 eq www any
conduit permit tcp host 72.29.91.88 eq https any
conduit permit tcp host 72.29.91.89 eq https any
conduit permit tcp host 72.29.91.89 eq www any
conduit permit tcp host 72.29.91.66 eq https any
conduit permit tcp host 72.29.91.66 eq www any
conduit permit tcp host 72.29.91.66 eq pop3 any
conduit permit tcp host 72.29.91.66 eq imap4 any
conduit permit tcp host 72.29.91.66 eq 3389 any
conduit permit tcp host 72.29.91.66 eq smtp any
conduit permit tcp host 72.29.91.66 eq 81 any
conduit permit tcp host 72.29.91.67 eq www any
conduit permit tcp host 72.29.91.67 eq https any
conduit permit tcp host 72.29.91.68 eq https any
conduit permit tcp host 72.29.91.68 eq www any
conduit permit tcp host 72.29.91.69 eq www any
conduit permit tcp host 72.29.91.69 eq https any
conduit permit tcp host 72.29.91.69 eq 3389 any
conduit permit tcp host 72.29.91.69 eq ftp any
conduit permit tcp host 72.29.91.66 eq ftp any
conduit permit tcp host 72.29.91.70 eq ftp any
conduit permit tcp host 72.29.91.70 eq www any
conduit permit tcp host 72.29.91.70 eq https any
conduit permit tcp host 72.29.91.71 eq www any
conduit permit tcp host 72.29.91.73 eq www any
conduit permit tcp host 72.29.91.73 eq domain any
conduit permit udp host 72.29.91.73 eq domain any
conduit permit tcp host 72.29.91.73 eq https any
conduit permit tcp host 72.29.91.76 eq domain any
conduit permit udp host 72.29.91.76 eq domain any
conduit permit tcp host 72.29.91.76 eq smtp any
conduit permit tcp host 72.29.91.77 eq www any
conduit permit tcp host 72.29.91.77 eq https any
conduit permit tcp host 72.29.91.78 eq www any
conduit permit tcp host 72.29.91.78 eq https any
conduit permit tcp host 72.29.91.98 eq domain any
conduit permit udp host 72.29.91.98 eq domain any
conduit permit tcp host 72.29.91.98 eq www any
conduit permit tcp host 72.29.91.99 eq domain any
conduit permit udp host 72.29.91.99 eq domain any
conduit permit tcp host 72.29.91.99 eq www any
conduit permit tcp host 72.29.91.99 eq smtp any
conduit permit tcp host 72.29.91.99 eq imap4 any
conduit permit tcp host 72.29.91.99 eq pop3 any
conduit permit tcp host 72.29.91.107 eq www any
conduit permit tcp host 72.29.91.107 eq ftp any
conduit permit tcp host 72.29.91.107 eq 3389 any
conduit permit tcp host 72.29.91.108 eq 3389 any
conduit permit tcp host 72.29.91.108 eq ftp any
conduit permit tcp host 72.29.91.108 eq www any
conduit permit tcp host 72.29.91.109 eq www any
conduit permit tcp host 72.29.91.109 eq ftp any
conduit permit tcp host 72.29.91.109 eq 3389 any
conduit permit tcp host 72.29.91.74 eq www any
conduit permit tcp host 72.29.91.114 eq ssh any
conduit permit tcp host 72.29.91.114 eq smtp any
conduit permit tcp host 72.29.91.114 eq pop3 any
conduit permit tcp host 72.29.91.114 eq imap4 any
conduit permit tcp host 72.29.91.114 eq domain any
conduit permit udp host 72.29.91.114 eq domain any
conduit permit tcp host 72.29.91.114 eq www any
conduit permit tcp host 72.29.91.114 eq https any
conduit permit tcp host 72.29.91.114 eq ftp-data any
conduit permit tcp host 72.29.91.114 eq ftp any
conduit permit tcp host 72.29.91.114 eq 993 any
conduit permit tcp host 72.29.91.114 eq 995 any
conduit permit tcp host 72.29.91.115 eq ssh any
conduit permit tcp host 72.29.91.115 eq smtp any
conduit permit tcp host 72.29.91.115 eq pop3 any
conduit permit tcp host 72.29.91.115 eq imap4 any
conduit permit tcp host 72.29.91.115 eq domain any
conduit permit udp host 72.29.91.115 eq domain any
conduit permit tcp host 72.29.91.115 eq www any
conduit permit tcp host 72.29.91.115 eq https any
conduit permit tcp host 72.29.91.115 eq ftp-data any
conduit permit tcp host 72.29.91.115 eq ftp any
conduit permit tcp host 72.29.91.115 eq 993 any
conduit permit tcp host 72.29.91.115 eq 995 any
conduit permit tcp host 72.29.91.103 eq www any
conduit permit tcp host 72.29.91.104 eq www any
conduit permit tcp host 72.29.91.105 eq www any
conduit deny ip any any
outbound 1 permit 0.0.0.0 0.0.0.0 0 ip
apply (inside) 1 outgoing_src
apply (reggie) 1 outgoing_src
apply (net3) 1 outgoing_src
apply (net4) 1 outgoing_src
route outside 0.0.0.0 0.0.0.0 72.29.91.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:3d0e96df8a545fcb3aa924794e17f3a1

 
Kevin Widner
      03-16-2006
I am having problems with my Pix: it goes offline for a short period,
plus I get bad ftp performance with it. I have 6 interfaces outside and
5 vlan interfaces on the inside, and I have all the NATs built. Not sure
if there is something I am doing incorrectly.

==========

Have you taken a look at the following?

http://www.cisco.com/en/US/products/...80094317.shtml

set your logging to debug level and try your ftp, just to see if it
tells you anything interesting.

 
tartar813
      03-16-2006
Would that also cause me to not be able to ping my outside interface
and any ip addresses behind the firewall?

I have another server on the outside of the firewall on the same switch;
it never goes down.

Do you see any problems with my config? The statics going between the
different interfaces?

Thanks

 
Walter Roberson
      03-16-2006
In article <(E-Mail Removed) .com>,
tartar813 <(E-Mail Removed)> wrote:
>I am having problems with my Pix, it goes offline for a short period,
>plus get bad ftp performance with it.


I do not see anything -obviously- wrong with your configuration;
but see below.

>PIX Version 6.3(5)


>access-list 101 permit ip 72.29.91.64 255.255.255.240 any
>access-list 101 permit ip 72.29.91.80 255.255.255.240 any
>access-list 101 permit ip 72.29.91.96 255.255.255.240 any
>access-list 101 permit ip 72.29.91.112 255.255.255.248 any


You do not appear to be using that access-list.

>nat (reggie) 0 72.29.91.80 255.255.255.240 0 0
>static (reggie,outside) 72.29.91.84 72.29.91.84 netmask 255.255.255.255 0 0
>static (reggie,outside) 72.29.91.83 72.29.91.83 netmask 255.255.255.255 0 0


As a matter of style, you may wish to replace most of the
individual statics with an access list that specifies the hosts
to be static'd, and then

nat (reggie) 0 access-list REGGIE_STATIC_ACL_NAME
or
static (reggie,outside) 72.29.91.80 access-list REGGIE_STATIC_ACL_NAME

The difference between the two is that the nat 0 access-list form
does not do proxy ARP.

For the access-list REGGIE_STATIC_ACL_NAME instead of having
a bunch of "permit ip host" entries, you could create an
object-group of type network, list the hosts in there, and then
have a single ACL line:

object-group network REGGIE_STATIC_HOSTS
network-object host 72.29.91.82
network-object host 72.29.91.85
access-list REGGIE_STATIC_ACL_NAME permit ip object-group REGGIE_STATIC_HOSTS any

>conduit permit icmp any any

[many more conduit]
>outbound 1 permit 0.0.0.0 0.0.0.0 0 ip
>apply (inside) 1 outgoing_src


In any PIX version from 5.3(2) onwards, it saves time to assume
that conduit and outbound and apply are broken beyond repair.
Cisco started declining to fix conduit bugs about then,
and although they had to rewrite a bunch of the conduit code
for 6.2, bugs they created in the course of that rewrite will
usually not be fixed. There are a number of conduit bugs in
the Bug Navigator.

Cisco has been saying since early 5.2 that conduit is
deprecated; it is not present at all in 7.0.

As there are conduit bugs that will not be fixed, I do not believe
that it is productive to try to diagnose problems that might be
related to conduit, especially in interactions with any feature
introduced in 6.x.

If your policies and downtime availability permit, I would
recommend running your configuration through Cisco's conduit
conversion tool, having a careful look at the result
to ensure that it will do what you want, and then put that into place.
 
tartar813
      03-16-2006
Where is the conduit conversion tool? I've tried to find it but
cannot. I do have an extra pix here that I am trying to use some of
your suggestions.

object-group network REGGIE_STATIC_HOSTS
network-object host 72.29.91.82
network-object host 72.29.91.83
network-object host 72.29.91.84
network-object host 72.29.91.85
network-object host 72.29.91.86
network-object host 72.29.91.87
network-object host 72.29.91.88
access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
nat (reggie) 0 access-list reggie_out_acl

Let me make sure I get it: this will not NAT all of the items going out
from the REGGIE_STATIC_HOSTS network object group?
Does this automatically set up the inbound translations also?

Thank you, I really appreciate this, I feel like an idiot since I've
been using the conduits and stuff for so long.

 
tartar813
      03-16-2006
Do I need?

access-group reggie_out_acl in interface reggie ?

 
tartar813
      03-16-2006
This is basically what I have so far?

Not sure how to get things to come in? When you nat 0 an access list,
does that automatically set up the inbound statics?

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan35 physical
interface ethernet1 vlan20 logical
interface ethernet1 vlan21 logical
interface ethernet1 vlan22 logical
interface ethernet1 vlan23 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan20 priv security96
nameif vlan21 reggie security99
nameif vlan22 net3 security98
nameif vlan23 net4 security97
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname dimepix1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network REGGIE_STATIC_HOSTS
network-object host 72.29.91.82
network-object host 72.29.91.83
network-object host 72.29.91.84
network-object host 72.29.91.85
network-object host 72.29.91.86
network-object host 72.29.91.87
network-object host 72.29.91.88
network-object host 72.29.91.89
network-object host 72.29.91.90
object-group network priv_hosts
network-object host 72.29.91.66
network-object host 72.29.91.67
network-object host 72.29.91.68
network-object host 72.29.91.69
network-object host 72.29.91.70
network-object host 72.29.91.71
network-object host 72.29.91.72
network-object host 72.29.91.73
network-object host 72.29.91.74
network-object host 72.29.91.76
network-object host 72.29.91.75
network-object host 72.29.91.77
network-object host 72.29.91.78
access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
access-list priv_out_acl permit ip object-group priv_hosts any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 72.29.91.125 255.255.255.248
no ip address inside
ip address priv 72.29.91.65 255.255.255.240
ip address reggie 72.29.91.81 255.255.255.240
ip address net3 72.29.91.97 255.255.255.240
ip address net4 72.29.91.113 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address priv
no failover ip address reggie
no failover ip address net3
no failover ip address net4
pdm history enable
arp timeout 14400
nat (priv) 0 access-list priv_out_acl
nat (reggie) 0 access-list reggie_out_acl
access-group priv_out_acl in interface priv
access-group reggie_out_acl in interface reggie
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d41d8cd98f00b204e980

 
Walter Roberson
      03-16-2006
In article <(E-Mail Removed) .com>,
tartar813 <(E-Mail Removed)> wrote:
>Where is the conduit conversion tool?


http://www.cisco.com/cgi-bin/tablebuild.pl/pix
and log in to your account, then scroll down the list until you find
occ-121 about 2/3 of the way down.

>object-group network REGGIE_STATIC_HOSTS
> network-object host 72.29.91.82
> network-object host 72.29.91.83
> network-object host 72.29.91.84
> network-object host 72.29.91.85
> network-object host 72.29.91.86
> network-object host 72.29.91.87
> network-object host 72.29.91.88
>access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
>nat (reggie) 0 access-list reggie_out_acl


>Let me make sure I get it, This will not NAT all of the items going out
>from the REGGIE_STATIC_HOSTS network object group?


Right. Anything sourced "within" the reggie segment that matches
that ACL will be exempt from NAT.

>Does this automatically setup the inbound translations also?


Suppressing some unimportant semantic quibbles, yes, exactly. Any
connection heading into a lower-security interface that matches the
"reverse" of the ACL (i.e., exchange source and destination fields)
will be permitted inward, provided that the access-group on that
lower interface permits that flow. It -is- a form of "static"
for that purpose.

There is, though, the side effect that proxy arp will not be enabled
for the IPs (not unless there is a regular static for that IP),
so your WAN router will have to route those IPs to the outside IP
of the PIX. This is usually not a problem unless you happen to have
real hosts on the outside segment.


>Thank you, I really appreciate this, I feel like an idiot since I've
>been using the conduits and stuff for so long.


Even the TAC ends up scratching their head over bidirectional policy NAT.
Some stuff just isn't well documented.


Some ACL and translation fundamentals:

Each ACL should be written in terms of the IPs that would be in
the packet at the time the PIX receives the packet. e.g., an
ACL applied to an inside interface would have the internal IPs as
the source and the outside IPs *as known to the inside* as the
destinations.

Translation takes place -after- the interface controls have decided
to accept the packet, based upon the ACL applied to the interface
(or upon the default flow rules if there is no ACL.) But
that's the rule for when the translation is actually performed:
before the ACL is even looked at, the PIX checks to see that
a translation exists. Thus if a new connection attempt hits
your outside interface and is addressed to a public IP that
you do not have a "static" or "nat 0 access-list" for, then
the packet will be dropped with a log entry about
"no translation group" and only if there is a translation can
you go on to "denied by access-list". {It wasn't that way before 6.2,
and they might have modified this by now, as I griped about this.}
The modification of packet content happens after the packet has been
accepted as having a translation and satisfying the security policies.

The default rules, if you have no ACL applied to an interface,
are that traffic to lower-security is allowed and to higher security
is not allowed. If you do have an ACL, then that rule does not
apply at all, and instead the rule becomes "anything which is
not permitted by the ACL is not allowed."

An important difference you will hit is that "conduit" applies
to all interfaces, but the access-group command applies an ACL
only to one interface. So before if you had a conduit that
permitted traffic to something in your highest security zone,
then you will need an ACL for each of the lower security zones
if you want them to be able to reach that higher security zone.

Only one ACL is permitted "in" per interface. PIX 7.x adds
ACLs "out" an interface, and modifies to "one per direction".

Never try to use the same ACL for two purposes. If you have two controls
mention the same ACL name/number then you will likely have
odd problems.

Translation to lower security interfaces normally changes the source
IP, and translation to higher security interfaces normally changes
the destination IP. [PIX 6.2 and later allow changing this.]

An ACL applied to an interface should refer to the private IP of a
host on a lower security interface, but to the public IP
of a host on a higher security interface. Of course if you have
used nat 0 access-list or static'd IPs to themselves between
a pair of interfaces, then the public and private IP would be the same
for that transaction.

Only one "nat 0 access-list" is permitted per interface, and it
applies to traffic going to lower security interfaces. Indefinite
numbers of "nat 0" (without access-list) are permitted per interface,
and again apply towards all lower security interfaces.
"static" and all other "nat" commands work between pairs of interfaces,
so the IP of an inside host as known to dmz1 could be different than
the IP of the same host as known to dmz2.


Access-lists mentioned in crypto map (VPN) "match address" clauses
should be written from the perspective of packets going out
the interface that the crypto map is applied to. But unlike the
other cases, the "match address" ACLs must be written in
terms of what would be in the packet *after* translation
(towards the outside). For incoming VPN packets, the
"match address" ACL will automatically be read "in reverse"
[like for the nat 0 access-list case], and the addresses used
to check will be the ones after decapsulation but before any
translation.

An incoming VPN packet will be decapsulated, and the inner packet first
checked against the {implicitly reversed} appropriate "match address"
ACL. After that, the inner packet will be checked against the ACL (or
default policy) for the interface it was received on, -unless- "sysopt
connection permit-ipsec" or similar has been turned on: If you use
those commands, then all VPN packets that manage to make it to you will
be permitted to go to any destination (except on the -same- interface)
without any checking of access policies.

Similarly, an outgoing VPN packet will be checked first against the
security policy of the interface it was received on, *unless* "sysopt
connection permit-" is in effect and the packet would go out over the
VPN -- those packets will go through even if the security policy says
to block them. After the outgoing VPN packet is accepted by the
interface, it undergoes translation, and the -translated- packet will
be compared against the "match address" ACLs for dispatching.
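The decision order laid out above (translation lookup before the interface ACL, a nat 0 access-list read in reverse for connections arriving from the lower-security side, and the security-level default when no ACL is applied), modelled as an added Python example that is not code from the thread or from Cisco. It parses only the commands present in its constructed sample (nameif, network object-groups, access-list, nat 0 access-list, static, access-group), which reuses the poster's interface names and addresses; the client address 198.51.100.7 in the usage note is constructed.

```python
"""PIX 6.3 decision order for a new connection: a translation must exist first,
then the receiving interface's ACL (or the security-level default) applies.
Added example, not from the thread or Cisco; ACLs are first-match, implicit deny."""
import ipaddress
from collections import defaultdict

PORTS = {"www": 80, "https": 443, "ftp": 21, "domain": 53, "smtp": 25}

# Constructed sample using the poster's own commands: reggie's nat 0
# access-list, one static for priv, and an inbound ACL applied on outside.
CONFIG = """
nameif ethernet0 outside security0
nameif vlan20 priv security96
nameif vlan21 reggie security99
object-group network REGGIE_STATIC_HOSTS
 network-object host 72.29.91.82
 network-object host 72.29.91.84
access-list 101 permit ip 72.29.91.64 255.255.255.240 any
access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
access-list web_in permit tcp any host 72.29.91.84 eq www
nat (reggie) 0 access-list reggie_out_acl
static (priv,outside) 72.29.91.66 72.29.91.66 netmask 255.255.255.255 0 0
access-group web_in in interface outside
"""


class PixModel:
    def __init__(self, config):
        self.security, self.nat0, self.access_groups = {}, {}, {}
        self.groups, self.acls = defaultdict(list), defaultdict(list)
        self.statics, self.referenced = [], set()  # statics: (high, low, global, local)
        group = None
        for t in (ln.split() for ln in config.splitlines() if ln.strip()):
            if t[0] == "nameif":
                self.security[t[2]] = int(t[3].replace("security", ""))
            elif t[0] == "object-group":
                group = t[2]
            elif t[0] == "network-object":
                self.groups[group].extend(self._spec(t, 1)[0])
            elif t[0] == "access-list":
                self.acls[t[1]].append(self._ace(t[2:]))
            elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
                self.nat0[t[1].strip("()")] = t[4]          # one per interface
                self.referenced.add(t[4])
            elif t[0] == "static":          # static (high,low) global local ...
                high, low = t[1].strip("()").split(",")
                self.statics.append((high, low, *map(ipaddress.ip_address, t[2:4])))
            elif t[0] == "access-group":    # access-group ACL in interface IF
                self.access_groups[t[4]] = t[1]             # one "in" per interface
                self.referenced.add(t[1])

    def _spec(self, t, i):
        """Consume one address spec at t[i]; return ([networks], next index)."""
        if t[i] == "any":
            return [ipaddress.ip_network("0.0.0.0/0")], i + 1
        if t[i] == "host":
            return [ipaddress.ip_network(t[i + 1])], i + 2
        if t[i] == "object-group":
            return self.groups[t[i + 1]], i + 2
        return [ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)], i + 2

    def _ace(self, t):
        src, i = self._spec(t, 2)
        dst, i = self._spec(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = int(t[i + 1]) if t[i + 1].isdigit() else PORTS[t[i + 1]]
        return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "port": port}

    def acl_permits(self, name, proto, src, dst, port):
        """First matching ACE decides; no match is the implicit deny."""
        for a in self.acls[name]:
            if a["proto"] in ("ip", proto) and a["port"] in (None, port) and \
               any(src in n for n in a["src"]) and any(dst in n for n in a["dst"]):
                return a["action"] == "permit"
        return False

    def has_translation(self, in_if, out_if, proto, src, dst, port):
        """Step 1: the nat 0 ACL of the higher interface (read in reverse for
        connections arriving on the lower one) or a static between the pair."""
        high, low = sorted((in_if, out_if), key=self.security.get, reverse=True)
        acl, inbound = self.nat0.get(high), in_if == low
        if acl and self.acl_permits(acl, proto, *((dst, src) if inbound else (src, dst)), port):
            return True
        return any((h, l) == (high, low) and (dst == glob if inbound else src == loc)
                   for h, l, glob, loc in self.statics)

    def decide(self, in_if, out_if, proto, src, dst, port=None):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not self.has_translation(in_if, out_if, proto, src, dst, port):
            return "dropped: no translation group"
        acl = self.access_groups.get(in_if)    # step 2: interface ACL, else default
        if acl:
            return "permitted" if self.acl_permits(acl, proto, src, dst, port) else "denied by access-list"
        return "permitted" if self.security[out_if] < self.security[in_if] else "denied by default policy"

    def unused_acls(self):
        """ACLs defined but referenced nowhere, like the poster's '101'."""
        return sorted(set(self.acls) - self.referenced)
```

`PixModel(CONFIG).decide("outside", "reggie", "tcp", "198.51.100.7", "72.29.91.83", 80)` returns the "no translation group" drop because 72.29.91.83 is in neither the nat 0 ACL nor a static, while the same connection to 72.29.91.84 is permitted by web_in on outside. A connection from priv host 72.29.91.66 to reggie host 72.29.91.82 finds its translation through the reversed ACL but is denied by the default policy, since priv has no access-group and reggie is the higher-security interface.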
 
tartar813
      03-16-2006
Current configuration; I am trying to use ACLs with access-lists,
object-groups and access-groups. Not sure if I am doing this right?

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan35 physical
interface ethernet1 vlan20 logical
interface ethernet1 vlan21 logical
interface ethernet1 vlan22 logical
interface ethernet1 vlan23 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan20 priv security96
nameif vlan21 reggie security99
nameif vlan22 net3 security98
nameif vlan23 net4 security97
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname dimepix1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network REGGIE_STATIC_HOSTS
network-object host 72.29.91.82
network-object host 72.29.91.83
network-object host 72.29.91.84
network-object host 72.29.91.85
network-object host 72.29.91.86
network-object host 72.29.91.87
network-object host 72.29.91.88
network-object host 72.29.91.89
network-object host 72.29.91.90
object-group network priv_hosts
network-object host 72.29.91.66
network-object host 72.29.91.67
network-object host 72.29.91.68
network-object host 72.29.91.69
network-object host 72.29.91.70
network-object host 72.29.91.71
network-object host 72.29.91.72
network-object host 72.29.91.73
network-object host 72.29.91.74
network-object host 72.29.91.76
network-object host 72.29.91.75
network-object host 72.29.91.77
network-object host 72.29.91.78
object-group network net3_hosts
network-object host 72.29.91.98
network-object host 72.29.91.99
network-object host 72.29.91.100
network-object host 72.29.91.101
network-object host 72.29.91.102
network-object host 72.29.91.103
network-object host 72.29.91.104
network-object host 72.29.91.105
network-object host 72.29.91.106
network-object host 72.29.91.107
network-object host 72.29.91.108
network-object host 72.29.91.109
network-object host 72.29.91.110
object-group network net4_hosts
network-object host 72.29.91.114
network-object host 72.29.91.115
network-object host 72.29.91.116
network-object host 72.29.91.117
network-object host 72.29.91.118
object-group protocol webservices
protocol-object tcp
object-group service web_service tcp
port-object eq ftp
port-object eq www
port-object eq https
object-group service mail_service tcp
description Allows mail services inbound
port-object eq smtp
port-object eq imap4
port-object eq pop3
object-group network webhosts
network-object host 72.29.91.84
network-object host 72.29.91.82
network-object host 72.29.91.85
network-object host 72.29.91.83
network-object host 72.29.91.86
network-object host 72.29.91.87
network-object host 72.29.91.88
network-object host 72.29.91.89
network-object host 72.29.91.66
network-object host 72.29.91.67
network-object host 72.29.91.68
network-object host 72.29.91.69
network-object host 72.29.91.70
network-object host 72.29.91.71
network-object host 72.29.91.72
network-object host 72.29.91.73
network-object host 72.29.91.77
network-object host 72.29.91.78
network-object host 72.29.91.98
network-object host 72.29.91.99
network-object host 72.29.91.100
network-object host 72.29.91.101
network-object host 72.29.91.102
network-object host 72.29.91.103
network-object host 72.29.91.104
network-object host 72.29.91.105
network-object host 72.29.91.106
network-object host 72.29.91.107
network-object host 72.29.91.108
network-object host 72.29.91.109
network-object host 72.29.91.74
access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
access-list priv_out_acl permit ip object-group priv_hosts any
access-list net3_out_acl permit ip object-group net3_hosts any
access-list net4_out_acl permit ip object-group net4_hosts any
access-list web_in permit tcp object-group webhosts any object-group web_service
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 72.29.91.125 255.255.255.248
no ip address inside
ip address priv 72.29.91.65 255.255.255.240
ip address reggie 72.29.91.81 255.255.255.240
ip address net3 72.29.91.97 255.255.255.240
ip address net4 72.29.91.113 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address priv
no failover ip address reggie
no failover ip address net3
no failover ip address net4
pdm history enable
arp timeout 14400
nat (priv) 0 access-list priv_out_acl
nat (reggie) 0 access-list reggie_out_acl
nat (net3) 0 access-list net3_out_acl
nat (net4) 0 access-list net4_out_acl
access-group web_in in interface priv
access-group web_in in interface reggie
access-group web_in in interface net3
access-group web_in in interface net4
timeout xlate 3:00:00

 
tartar813
      03-16-2006
access-list web_in permit tcp object-group webhosts any object-group web_service

With this, do I need to apply it to an interface? Or is it implied
since I said any?

 