Need help with a PIX 520 and VPN traffic

Discussion in 'Cisco' started by docpatelsf@gmail.com, Jun 27, 2007.

  1. Guest

    I need some help configuring a firewall that was pretty much thrown at
    me to manage. I'm unable to get out of the firewall for an
    application that requires the following ports be open (this is from
    the application vendor):

    Firewall ports (outbound) that need to be enabled:

    TCP/264
    IPSEC and IKE (UDP/500)
    IPSEC ESP (IP type 50)
    IPSEC AH (IP type 51)
    TCP/500
    UDP/2746
    UDP/259
    TCP/18231

    Here's the current firewall config; the IOS has not been updated in a
    seriously long time; I would really appreciate some help as to why I
    am not able to get out of the firewall for this application.
    Syslogging shows that acl_inside group is disallowing the connection.

    The application vendor's IPs are 192.131.69.200 and 192.131.65.200

    I am not familiar with CISCO firewalls, but I believe there might also
    be an issue with NAT-T (correct me if I am wrong).

    Thanks in advance for any/all help.

    firewall config (condensed, minus some ACLs):

    PIX Version 5.2(6)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 public security10
    enable password 0NVe7N9xFeDnrRfe encrypted
    passwd tflge61LqXv/Dm/V encrypted
    hostname internetfw
    domain-name masked.out
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol ftp 2120
    no fixup protocol smtp 25
    no names
    access-list acl_inside deny ip any host 152.163.0.0
    access-list acl_inside permit tcp any any eq ftp-data
    access-list acl_inside permit tcp any any eq ftp
    access-list acl_inside permit tcp any any eq domain
    access-list acl_inside permit udp any any eq domain
    access-list acl_inside permit tcp any any eq 443
    access-list acl_inside permit tcp any any eq 554
    access-list acl_inside permit tcp any any eq 1080
    access-list acl_inside permit tcp any any eq 1755
    access-list acl_inside permit tcp any any eq 1863
    access-list acl_inside permit tcp any any eq 3101
    access-list acl_inside permit tcp any any eq 3520
    access-list acl_inside permit tcp any any eq 5050
    access-list acl_inside permit tcp any any eq 5190
    access-list acl_inside permit tcp any any eq 8000
    access-list acl_inside permit tcp any any eq 8010
    access-list acl_inside permit tcp any any eq 8080
    access-list acl_inside permit icmp host 151.209.194.228 any echo
    access-list acl_inside permit icmp host 151.209.194.119 any echo
    access-list acl_inside permit icmp any any echo
    access-list acl_inside permit tcp any any eq www
    access-list acl_inside deny tcp any any eq smtp
    access-list acl_inside deny tcp any any
    access-list acl_inside deny udp any any
    access-list acl_inside deny ip any any
    access-list acl_inside deny udp any any eq tftp
    access-list acl_inside deny tcp any any eq 81
    access-list acl_inside deny tcp any any eq 135
    access-list acl_inside deny udp any any eq 135
    access-list acl_inside deny tcp any any eq 136
    access-list acl_inside deny udp any any eq 136
    access-list acl_inside deny tcp any any eq 137
    access-list acl_inside deny udp any any eq netbios-ns
    access-list acl_inside deny tcp any any eq 138
    access-list acl_inside deny udp any any eq netbios-dgm
    access-list acl_inside deny tcp any any eq 139
    access-list acl_inside deny udp any any eq 139
    access-list acl_inside deny tcp any any eq 445
    access-list acl_inside deny udp any any eq 445
    access-list acl_inside deny tcp any any eq 4444
    access-list acl_inside permit tcp any host 192.131.69.200 eq 264
    access-list acl_inside permit udp any host 192.131.69.200 eq isakmp
    access-list acl_inside permit udp any host 192.131.69.200 eq 2746
    access-list acl_inside permit udp any host 192.131.69.200 eq 259
    access-list acl_inside permit tcp any host 192.131.69.200 eq 18231
    access-list acl_inside permit udp any host 192.131.69.200 eq 4500
    access-list acl_inside permit tcp any host 192.131.65.200 eq 264
    access-list acl_inside permit udp any host 192.131.65.200 eq isakmp
    access-list acl_inside permit udp any host 192.131.65.200 eq 2746
    access-list acl_inside permit udp any host 192.131.65.200 eq 259
    access-list acl_inside permit tcp any host 192.131.65.200 eq 18231
    access-list acl_inside permit udp any host 192.131.65.200 eq 4500
    access-list acl_inside permit tcp any host 192.131.69.200 eq 500
    access-list acl_inside permit tcp any host 192.131.65.200 eq 500
    access-list acl_outside deny tcp any any eq 135
    access-list acl_outside deny tcp any any eq 136
    access-list acl_outside deny tcp any any eq 137
    access-list acl_outside deny tcp any any eq 138
    access-list acl_outside deny tcp any any eq 139
    access-list acl_outside permit tcp any host 63.205.237.14 eq www
    access-list acl_outside permit tcp any host 192.131.69.200 eq 264
    access-list acl_outside permit udp any host 192.131.69.200 eq isakmp
    access-list acl_outside permit udp any host 192.131.69.200 eq 2746
    access-list acl_outside permit udp any host 192.131.69.200 eq 259
    access-list acl_outside permit tcp any host 192.131.69.200 eq 18231
    access-list acl_outside permit udp any host 192.131.69.200 eq 4500
    access-list acl_outside permit tcp any host 192.131.65.200 eq 264
    access-list acl_outside permit udp any host 192.131.65.200 eq isakmp
    access-list acl_outside permit udp any host 192.131.65.200 eq 2746
    access-list acl_outside permit udp any host 192.131.65.200 eq 259
    access-list acl_outside permit tcp any host 192.131.65.200 eq 18231
    access-list acl_outside permit udp any host 192.131.65.200 eq 4500
    access-list acl_outside permit tcp any host 192.131.69.200 eq 500
    access-list acl_outside permit tcp any host 192.131.65.200 eq 500
    pager lines 20
    logging on
    no logging timestamp
    no logging standby
    no logging console
    no logging monitor
    logging buffered warnings
    logging trap warnings
    no logging history
    logging facility 20
    logging queue 2048
    logging host inside 151.209.194.228
    no logging message 106011
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    mtu outside 1500
    mtu inside 1500
    mtu public 1500
    ip address outside masked 255.255.255.240
    ip address inside 151.209.194.125 255.255.255.0
    ip address public 10.101.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside masked
    failover ip address inside 151.209.194.222
    failover ip address public 10.101.1.2
    arp timeout 14400
    global (outside) 1 masked
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) masked 151.209.194.228 netmask 255.255.255.255 0 0
    static (public,outside) masked 10.101.1.197 netmask 255.255.255.255 0 0
    static (inside,outside) masked 151.209.194.121 netmask 255.255.255.255 0 0
    static (inside,outside) masked 151.209.194.133 netmask 255.255.255.255 0 0
    static (inside,outside) masked 151.209.194.252 netmask 255.255.255.255 0 0
    access-group acl_outside in interface outside
    access-group acl_inside in interface inside
    route outside 0.0.0.0 0.0.0.0 masked 1
    route inside 151.209.0.0 255.255.0.0 151.209.194.121 1
    route outside 151.209.24.0 255.255.255.0 masked 1
    route outside 151.209.112.0 255.255.255.0 masked 1
    route outside 151.209.113.0 255.255.255.0 masked 1
    timeout xlate 1:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server vpn protocol tacacs+
    snmp-server host inside 151.209.194.119
    no snmp-server location
    no snmp-server contact
    snmp-server community !Now!3v3r
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    isakmp enable outside
    isakmp identity hostname
    telnet timeout 5
    ssh timeout 60
    terminal width 80
     
    , Jun 27, 2007
    #1

  2. Chad Mahoney Guest

    wrote:
    > I need some help configuring a firewall that was pretty much thrown at
    > me to manage. I'm unable to get out of the firewall for an
    > application that requires the following ports be open (this is from
    > the application vendor):
    >
    > Firewall ports (outbound) that need to be enabled:
    >
    > TCP/264
    > IPSEC and IKE (UDP/500)
    > IPSEC ESP (IP type 50)
    > IPSEC AH (IP type 51)
    > TCP/500
    > UDP/2746
    > UDP/259
    > TCP/18231
    >
    > Here's the current firewall config; the IOS has not been updated in a
    > seriously long time; I would really appreciate some help as to why I
    > am not able to get out of the firewall for this application.
    > Syslogging shows that acl_inside group is disallowing the connection.
    >
    > The application vendor's IPs are 192.131.69.200 and 192.131.65.200
    >
    > I am not familiar with CISCO firewalls, but I believe there might also
    > be an issue with NAT-T (correct me if I am wrong).
    >
    > Thanks in advance for any/all help.
    >
    > firewall config (condensed, minus some ACLs):
    >
    > PIX Version 5.2(6)
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > nameif ethernet2 public security10
    > enable password 0NVe7N9xFeDnrRfe encrypted
    > passwd tflge61LqXv/Dm/V encrypted
    > hostname internetfw
    > domain-name masked.out
    > fixup protocol ftp 21
    > fixup protocol http 80
    > fixup protocol h323 1720
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol sqlnet 1521
    > fixup protocol sip 5060
    > fixup protocol ftp 2120
    > no fixup protocol smtp 25
    > no names
    > access-list acl_inside deny ip any host 152.163.0.0
    > access-list acl_inside permit tcp any any eq ftp-data
    > access-list acl_inside permit tcp any any eq ftp
    > access-list acl_inside permit tcp any any eq domain
    > access-list acl_inside permit udp any any eq domain
    > access-list acl_inside permit tcp any any eq 443
    > access-list acl_inside permit tcp any any eq 554
    > access-list acl_inside permit tcp any any eq 1080
    > access-list acl_inside permit tcp any any eq 1755
    > access-list acl_inside permit tcp any any eq 1863
    > access-list acl_inside permit tcp any any eq 3101
    > access-list acl_inside permit tcp any any eq 3520
    > access-list acl_inside permit tcp any any eq 5050
    > access-list acl_inside permit tcp any any eq 5190
    > access-list acl_inside permit tcp any any eq 8000
    > access-list acl_inside permit tcp any any eq 8010
    > access-list acl_inside permit tcp any any eq 8080
    > access-list acl_inside permit icmp host 151.209.194.228 any echo
    > access-list acl_inside permit icmp host 151.209.194.119 any echo
    > access-list acl_inside permit icmp any any echo
    > access-list acl_inside permit tcp any any eq www
    > access-list acl_inside deny tcp any any eq smtp
    > access-list acl_inside deny tcp any any
    > access-list acl_inside deny udp any any
    > access-list acl_inside deny ip any any
    > access-list acl_inside deny udp any any eq tftp
    > access-list acl_inside deny tcp any any eq 81
    > access-list acl_inside deny tcp any any eq 135
    > access-list acl_inside deny udp any any eq 135
    > access-list acl_inside deny tcp any any eq 136
    > access-list acl_inside deny udp any any eq 136
    > access-list acl_inside deny tcp any any eq 137
    > access-list acl_inside deny udp any any eq netbios-ns
    > access-list acl_inside deny tcp any any eq 138
    > access-list acl_inside deny udp any any eq netbios-dgm
    > access-list acl_inside deny tcp any any eq 139
    > access-list acl_inside deny udp any any eq 139
    > access-list acl_inside deny tcp any any eq 445
    > access-list acl_inside deny udp any any eq 445
    > access-list acl_inside deny tcp any any eq 4444
    > access-list acl_inside permit tcp any host 192.131.69.200 eq 264
    > access-list acl_inside permit udp any host 192.131.69.200 eq isakmp
    > access-list acl_inside permit udp any host 192.131.69.200 eq 2746
    > access-list acl_inside permit udp any host 192.131.69.200 eq 259
    > access-list acl_inside permit tcp any host 192.131.69.200 eq 18231
    > access-list acl_inside permit udp any host 192.131.69.200 eq 4500
    > access-list acl_inside permit tcp any host 192.131.65.200 eq 264
    > access-list acl_inside permit udp any host 192.131.65.200 eq isakmp
    > access-list acl_inside permit udp any host 192.131.65.200 eq 2746
    > access-list acl_inside permit udp any host 192.131.65.200 eq 259
    > access-list acl_inside permit tcp any host 192.131.65.200 eq 18231
    > access-list acl_inside permit udp any host 192.131.65.200 eq 4500
    > access-list acl_inside permit tcp any host 192.131.69.200 eq 500
    > access-list acl_inside permit tcp any host 192.131.65.200 eq 500



    The ACLs are read from top to bottom; you have an explicit deny ACL

    > access-list acl_inside deny ip any any


    That ACL is being read by the firewall before

    > access-list acl_inside permit tcp any host 192.131.69.200 eq 264
    > access-list acl_inside permit udp any host 192.131.69.200 eq isakmp
    > access-list acl_inside permit udp any host 192.131.69.200 eq 2746
    > access-list acl_inside permit udp any host 192.131.69.200 eq 259
    > access-list acl_inside permit tcp any host 192.131.69.200 eq 18231
    > access-list acl_inside permit udp any host 192.131.69.200 eq 4500
    > access-list acl_inside permit tcp any host 192.131.65.200 eq 264
    > access-list acl_inside permit udp any host 192.131.65.200 eq isakmp
    > access-list acl_inside permit udp any host 192.131.65.200 eq 2746
    > access-list acl_inside permit udp any host 192.131.65.200 eq 259
    > access-list acl_inside permit tcp any host 192.131.65.200 eq 18231
    > access-list acl_inside permit udp any host 192.131.65.200 eq 4500
    > access-list acl_inside permit tcp any host 192.131.69.200 eq 500
    > access-list acl_inside permit tcp any host 192.131.65.200 eq 500



    You need to move the above lines above all the deny statements you have
    defined.
     
    Chad Mahoney, Jun 27, 2007
    #2
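Added example (not from either post): a small Python walk of the posted acl_inside that applies the first-match rule the reply describes. It parses an abridged excerpt of the ACL exactly as posted (one vendor host, the broad denies, the vendor permits sitting below them), reports which entry a constructed inside-to-vendor flow hits, and then re-evaluates after the vendor permits are moved above every deny. Two things here go beyond the reply and are assumptions: the inside host 151.209.194.50 and the HTTP destination 203.0.113.10 are made up for the sample flows, and the reordered list adds permits for IP protocols 50 and 51 (ESP and AH), because the vendor's list requires them and the posted acl_inside has no entry for either. Two caveats a practitioner would also want: ESP and AH carry no port numbers, so the `nat (inside) 1 0.0.0.0 0.0.0.0` / `global (outside) 1` PAT pair has nothing to rewrite for them, and only the hosts with a one-to-one `static` translation can carry raw IPsec once the ACL is fixed; and acl_outside deserves the same look, since its vendor entries permit traffic arriving from the Internet destined to the vendor's own addresses, which never arrives on that interface.

```python
# Added example (not from the original thread): first-match evaluation of the
# posted acl_inside, before and after moving the vendor permits above the denies.
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# PIX accepts protocol keywords or numbers; ESP is IP protocol 50, AH is 51.
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}
# Port keywords that appear in the posted ACL (PIX's own names for these ports).
PORT_NAME = {"ftp-data": 20, "ftp": 21, "domain": 53, "www": 80, "smtp": 25,
             "isakmp": 500, "tftp": 69, "netbios-ns": 137, "netbios-dgm": 138}

class Flow(NamedTuple):
    proto: int             # IP protocol number of the packet
    src: str
    dst: str
    dport: Optional[int]   # None for protocols without ports (ESP, AH, ICMP)

class Ace(NamedTuple):
    action: str
    proto: Optional[int]   # None means "ip", i.e. any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str

def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A' | 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT] [echo]'."""
    t = line.split()
    assert t[0] == "access-list", line
    action, proto = t[2], t[3]
    pnum = PROTO_NUM[proto] if proto in PROTO_NUM else int(proto)
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAME.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, pnum, src, dst, dport, line)

def first_match(acl: List[Ace], flow: Flow) -> Tuple[str, str]:
    """Walk the ACL top to bottom and return (action, text) of the first hit.
    A PIX access-list ends in an implicit deny, so no match means deny."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in acl:
        if ace.proto is not None and ace.proto != flow.proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny at end of access-list"

# Abridged excerpt of acl_inside in the order it was posted (one vendor host kept).
CURRENT_LINES = """\
access-list acl_inside deny ip any host 152.163.0.0
access-list acl_inside permit tcp any any eq domain
access-list acl_inside permit udp any any eq domain
access-list acl_inside permit tcp any any eq 443
access-list acl_inside permit icmp any any echo
access-list acl_inside permit tcp any any eq www
access-list acl_inside deny tcp any any eq smtp
access-list acl_inside deny tcp any any
access-list acl_inside deny udp any any
access-list acl_inside deny ip any any
access-list acl_inside deny tcp any any eq 135
access-list acl_inside permit tcp any host 192.131.69.200 eq 264
access-list acl_inside permit udp any host 192.131.69.200 eq isakmp
access-list acl_inside permit udp any host 192.131.69.200 eq 2746
access-list acl_inside permit udp any host 192.131.69.200 eq 259
access-list acl_inside permit tcp any host 192.131.69.200 eq 18231
access-list acl_inside permit udp any host 192.131.69.200 eq 4500
access-list acl_inside permit tcp any host 192.131.69.200 eq 500
"""
VENDOR_HOSTS = {"192.131.69.200", "192.131.65.200"}

# Assumed additions (not in the post): the vendor requires ESP and AH, but the
# posted acl_inside has no permit for either.  Numeric protocols are used.
EXTRA_LINES = [
    "access-list acl_inside permit 50 any host 192.131.69.200",
    "access-list acl_inside permit 51 any host 192.131.69.200",
]

def is_vendor_permit(ace: Ace) -> bool:
    return (ace.action == "permit" and ace.dst.prefixlen == 32
            and str(ace.dst.network_address) in VENDOR_HOSTS)

def reorder(acl: List[Ace]) -> List[Ace]:
    """Copy of the ACL with the vendor permits (plus the ESP/AH additions)
    placed ahead of every deny, which is what the reply recommends."""
    vendor = [a for a in acl if is_vendor_permit(a)] + [parse_ace(l) for l in EXTRA_LINES]
    return vendor + [a for a in acl if not is_vendor_permit(a)]

CURRENT_ACL = [parse_ace(l) for l in CURRENT_LINES.splitlines()]
FIXED_ACL = reorder(CURRENT_ACL)

# Constructed sample flows; the inside host and the web server are made up.
SAMPLE_FLOWS = {
    "ike udp/500": Flow(17, "151.209.194.50", "192.131.69.200", 500),
    "tcp/264":     Flow(6, "151.209.194.50", "192.131.69.200", 264),
    "esp":         Flow(50, "151.209.194.50", "192.131.69.200", None),
    "http":        Flow(6, "151.209.194.50", "203.0.113.10", 80),
}

def compare(flows=SAMPLE_FLOWS):
    """Map each flow name to (verdict on posted ACL, verdict on reordered ACL)."""
    return {n: (first_match(CURRENT_ACL, f)[0], first_match(FIXED_ACL, f)[0])
            for n, f in flows.items()}

if __name__ == "__main__":
    for name, f in SAMPLE_FLOWS.items():
        for label, acl in (("posted", CURRENT_ACL), ("reordered", FIXED_ACL)):
            action, hit = first_match(acl, f)
            print(f"{name:12} {label:9} {action:6} <- {hit}")
```

Running it shows the IKE and TCP/264 flows stopping at `deny udp any any` and `deny tcp any any`, and ESP stopping at `deny ip any any`, exactly the entries the reply points at; after reordering, every vendor flow permits while ordinary HTTP still hits `permit tcp any any eq www` as before. The same walk can be pointed at acl_outside by swapping in its lines.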
