PAT pix 501

Discussion in 'Cisco' started by Fredrik, May 24, 2005.

  1. Fredrik

    Fredrik Guest

    Hi
    Can't figure out what I'm doing wrong ....
    Can't get the inside net to go out on the internet, please check my
    config.
    It works if I add this to the config:
    "access-list outside_access_in permit ip any any"

    but isn't that dangerous?

    my config:


    Building configuration...
    : Saved
    :
    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    ---"password removed"----
    hostname 3531
    domain-name ---removed----
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    name 192.0.0.0 Electra_net
    name 192.168.244.140 Server
    name 10.10.10.2 IP_VX
    object-group service scc tcp
    port-object range 1723 1723
    port-object range 3389 3389
    object-group service VOIP udp
    port-object range 8002 8013
    port-object range 5588 5588
    port-object range 2048 2063
    port-object range 8020 8027
    port-object range 6254 6254
    access-list inside_outbound_nat0_acl permit ip 192.168.244.128 255.255.255.192 Electra_net 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.244.128 255.255.255.192 Electra_net 255.255.255.0
    access-list outside_access_in permit tcp any object-group scc host Server object-group Datasmeden
    access-list outside_access_in permit tcp any eq pop3 host Server eq pop3
    access-list outside_access_in permit tcp any eq https host Server eq https
    access-list outside_access_in permit tcp any eq imap4 host Server eq imap4
    access-list outside_access_in permit udp any object-group VOIP host IP_VX object-group VOIP
    access-list outside_access_in permit ip any any
    access-list inside_IN permit ip any any
    access-list fsv permit ip host 193.88.44.22 any
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute retry 4
    ip address inside 192.168.244.129 255.255.255.192
    ip audit info action alarm
    ip audit attack action alarm
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) Server Server netmask 255.255.255.255 0 0
    static (inside,outside) IP_VX IP_VX netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 195.67.82.163 255.255.255.255 outside
    http 192.168.244.128 255.255.255.192 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    no floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 195.67.82.174
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 195.67.82.174 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp keepalive 10 10
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    dhcpd address 192.168.244.130-192.168.244.135 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:cf589a15f0a80c1633094e5a7a610184
    : end
    [OK]
     
    Fredrik, May 24, 2005
    #1

  2. In article <>,
    Fredrik <> wrote:
    :Cant get the inside net to go out on the internet please check my
    :config.

    :it works if I add this to the config.
    :"access-list outside_access_in permit ip any any"

    :but isnt that dangerus ?

    Yes.


    :PIX Version 6.2(2)

    You should update that; there are known security problems in 6.2(2),
    and there were a bunch of bugs fixed in 6.2(3). As I recall you can
    get a free update to 6.2(5); search cisco's site for PIX Security
    Advisories for more information.


    :name 192.0.0.0 Electra_net

    :access-list inside_outbound_nat0_acl permit ip 192.168.244.128 255.255.255.192 Electra_net 255.255.255.0

    That's your nat 0 access-list ACL, but Electra_net 255.255.255.0
    is 192.0.0.* and 192.0.0.* is reserved IP address space.
    The PIX won't stop the IP traffic from going through, but other
    equipment along the line isn't necessarily going to be as friendly
    to that IP space.

    :access-list outside_cryptomap_20 permit ip 192.168.244.128 255.255.255.192 Electra_net 255.255.255.0

    :object-group service scc tcp
    : port-object range 1723 1723
    : port-object range 3389 3389

    :access-list outside_access_in permit tcp any object-group scc host Server object-group Datasmeden

    You didn't give a definition for object-group Datasmeden in what you
    posted. See below as well.

    :access-list outside_access_in permit tcp any eq pop3 host Server eq pop3
    :access-list outside_access_in permit tcp any eq https host Server eq https
    :access-list outside_access_in permit tcp any eq imap4 host Server eq imap4

    Those lines and the one with the scc object group are almost certainly
    wrong. For pop3, https, and imap4, the *source* port is supposed
    to be a dynamically allocated port from 1024 upward. When a client
    wants to connect to pop3 on a server, the only occurrence of the pop3
    port number is in the destination port -- the source port is semi-random.

    :access-list outside_access_in permit udp any object-group VOIP host IP_VX object-group VOIP

    That line very likely has the same problem.

    :access-list outside_access_in permit ip any any
    :access-list inside_IN permit ip any any
    :access-list fsv permit ip host 193.88.44.22 any

    :interface ethernet0 10baset
    :interface ethernet1 10full

    *Usually* you want to set those to auto. 10full in particular is
    not very common -- it was only standardized a few years ago, with a
    lot of de facto work-arounds in the meantime. Let it float unless
    you have a good reason otherwise.

    :name 192.168.244.140 Server
    :name 10.10.10.2 IP_VX

    :ip address inside 192.168.244.129 255.255.255.192

    Okay, so Server is in your inside address space. But IP_VX isn't.

    :global (outside) 1 interface
    :nat (inside) 0 access-list inside_outbound_nat0_acl
    :nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    :static (inside,outside) Server Server netmask 255.255.255.255 0 0

    That's okay for Server, as long as the outside devices know
    to route or proxy arp 192.168.244.140 to the care of your PIX.

    :static (inside,outside) IP_VX IP_VX netmask 255.255.255.255 0 0

    But that isn't okay. Oh, the PIX will proxy arp for IP_VX no problem,
    but when the packets get to the PIX, the PIX will drop the packets.
    In order to get the packets to where they are going, you need to
    add a 'route' statement to tell the PIX which router to forward 10.10.10.*
    to in order to be delivered to the IP_VX .
     
    Walter Roberson, May 24, 2005
    #2
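Added example, not part of the thread and not Cisco tooling: a small Python linter that applies the two checks Walter made by hand to the posted lines. The sample config is a constructed copy of the posted `outside_access_in` ACEs and `static` statements with the extraction line-wraps rejoined; the NAMES table and INSIDE_NET come from the posted `name` and `ip address inside` statements. It flags the `permit ip any any` hole, flags every ACE that pins a *source* port (an `eq`, `range` or `object-group` spec between the source address and the destination address, which will never match a real client using an ephemeral port) and prints the ACE with that source-port spec removed, and flags a `static` whose real address is not on the inside subnet, which is the IP_VX case that needs a `route`. It does not resolve object-group contents, so the undefined `Datasmeden` group is not detected here.

```python
"""Lint the inbound ACL and static NAT lines of a PIX 6.x config.

Added example, not from the thread: reproduces two manual checks from
the reply (source-port-pinned ACEs; a static whose real address lies
outside the inside subnet) and emits the ACE with the source port removed.
"""
import ipaddress
import re

# Resolved from the post's `name` statements (constructed lookup table).
NAMES = {"Server": "192.168.244.140", "IP_VX": "10.10.10.2", "Electra_net": "192.0.0.0"}
# From `ip address inside 192.168.244.129 255.255.255.192` in the post.
INSIDE_NET = ipaddress.ip_network("192.168.244.128/26")

# Constructed sample: the posted lines, with extraction line-wraps rejoined.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any object-group scc host Server object-group Datasmeden
access-list outside_access_in permit tcp any eq pop3 host Server eq pop3
access-list outside_access_in permit tcp any eq https host Server eq https
access-list outside_access_in permit tcp any eq imap4 host Server eq imap4
access-list outside_access_in permit udp any object-group VOIP host IP_VX object-group VOIP
access-list outside_access_in permit ip any any
static (inside,outside) Server Server netmask 255.255.255.255 0 0
static (inside,outside) IP_VX IP_VX netmask 255.255.255.255 0 0
"""

PORT_OPS = {"eq", "neq", "gt", "lt", "range", "object-group"}
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")


def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]: any | host X | object-group G | addr mask."""
    if tokens[i] == "any":
        return "any", i + 1
    # host X, object-group G, and "addr mask" all occupy two tokens
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _take_port(tokens, i):
    """Consume an optional port spec at tokens[i]: eq/neq/gt/lt X, range A B, object-group G."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return None, i
    width = 3 if tokens[i] == "range" else 2
    return " ".join(tokens[i:i + width]), i + width


def parse_ace(line):
    """Split `access-list NAME permit PROTO SRC [SPORT] DST [DPORT]` into its fields."""
    t = line.split()
    src, i = _take_addr(t, 4)
    sport, i = _take_port(t, i)
    dst, i = _take_addr(t, i)
    dport, _ = _take_port(t, i)
    return {"name": t[1], "action": t[2], "proto": t[3],
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def lint_ace(ace):
    """Return (findings, corrected_line_or_None) for one parsed ACE."""
    findings = []
    if ace["action"] == "permit" and ace["proto"] == "ip" and ace["src"] == "any" and ace["dst"] == "any":
        findings.append("permit ip any any exposes every statically mapped host to all "
                        "unsolicited inbound traffic; remove it")
        return findings, None
    fixed = None
    if ace["sport"] and ace["proto"] in ("tcp", "udp"):
        findings.append(f"source port '{ace['sport']}' will not match real clients, "
                        "which use ephemeral source ports; constrain the destination port only")
        parts = ["access-list", ace["name"], ace["action"], ace["proto"], ace["src"], ace["dst"]]
        if ace["dport"]:
            parts.append(ace["dport"])
        fixed = " ".join(parts)
    return findings, fixed


def lint_static(line):
    """Flag a static whose real (inside-side) address is not on the inside subnet."""
    m = STATIC_RE.match(line)
    # static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...
    real = ipaddress.ip_address(NAMES.get(m.group(4), m.group(4)))
    if real in INSIDE_NET:
        return []
    return [f"real address {real} is not in {INSIDE_NET}: the PIX has no route to it and will "
            f"drop the traffic; add `route {m.group(1)} ...` via the router that reaches it"]


def lint_config(text):
    """Lint every ACE and static in `text`; returns [(line, findings, fixed_line)]."""
    results = []
    for line in text.splitlines():
        if line.startswith("access-list "):
            findings, fixed = lint_ace(parse_ace(line))
        elif line.startswith("static "):
            findings, fixed = lint_static(line), None
        else:
            continue
        results.append((line, findings, fixed))
    return results


if __name__ == "__main__":
    for line, findings, fixed in lint_config(SAMPLE_CONFIG):
        for f in findings:
            print(f"{line}\n  !! {f}")
        if fixed:
            print(f"  -> {fixed}")
```

Run against the sample it reports seven findings: five source-port-pinned ACEs (the scc, pop3, https, imap4 and VOIP lines) each with a corrected form such as `access-list outside_access_in permit tcp any host Server eq pop3`, the `permit ip any any` line, and the IP_VX static. The Server static passes. The corrected ACEs are what the `outside_access_in` list should contain instead of the blanket permit; the return half of outbound connections is handled by the PIX's connection table and needs no inbound ACE at all.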

  3. Fredrik

    Fredrik Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<d703ca$em9$>...
    > In article <>,
    > Fredrik <> wrote:
    > :Cant get the inside net to go out on the internet please check my
    > :config.
    >
    > :it works if I add this to the config.
    > :"access-list outside_access_in permit ip any any"
    >
    > :but isnt that dangerus ?
    >
    > Yes.
    >
    >
    > :PIX Version 6.2(2)
    >
    > You should update that; there are known security problems in 6.2(2),
    > and there were a bunch of bugs fixed in 6.2(3). As I recall you can
    > get a free update to 6.2(5); search cisco's site for PIX Security
    > Advisories for more information.
    >
    >
    > :name 192.0.0.0 Electra_net
    >
    > :access-list inside_outbound_nat0_acl permit ip 192.168.244.128 255.255.255.192 Electra_net 255.255.255.0
    >
    > That's your nat 0 access-list ACL, but Electra_net 255.255.255.0
    > is 192.0.0.* and 192.0.0.* is reserved IP address space.
    > The PIX won't stop the IP traffic from going through, but other
    > equipment along the line isn't necessarily going to be as friendly
    > to that IP space.
    >
    > :access-list outside_cryptomap_20 permit ip 192.168.244.128 255.255.255.192 Electra_net 255.255.255.0
    >
    > :object-group service scc tcp
    > : port-object range 1723 1723
    > : port-object range 3389 3389
    >
    > :access-list outside_access_in permit tcp any object-group scc host Server object-group Datasmeden
    >
    > You didn't give a definition for object-group Datasmeden in what you
    > posted. See below as well.
    >
    > :access-list outside_access_in permit tcp any eq pop3 host Server eq pop3
    > :access-list outside_access_in permit tcp any eq https host Server eq https
    > :access-list outside_access_in permit tcp any eq imap4 host Server eq imap4
    >
    > Those lines and the one with the scc object group are almost certainly
    > wrong. For pop3, https, and imap4, the *source* port is supposed
    > to be a dynamically allocated port from 1024 upward. When a client
    > wants to connect to pop3 on a server, the only occurrence of the pop3
    > port number is in the destination port -- the source port is semi-random.
    >
    > :access-list outside_access_in permit udp any object-group VOIP host IP_VX object-group VOIP
    >
    > That line very likely has the same problem.
    >
    > :access-list outside_access_in permit ip any any
    > :access-list inside_IN permit ip any any
    > :access-list fsv permit ip host 193.88.44.22 any
    >
    > :interface ethernet0 10baset
    > :interface ethernet1 10full
    >
    > *Usually* you want to set those to auto. 10full in particular is
    > not very common -- it was only standardized a few years ago, with a
    > lot of de facto work-arounds in the meantime. Let it float unless
    > you have a good reason otherwise.
    >
    > :name 192.168.244.140 Server
    > :name 10.10.10.2 IP_VX
    >
    > :ip address inside 192.168.244.129 255.255.255.192
    >
    > Okay, so Server is in your inside address space. But IP_VX isn't.
    >
    > :global (outside) 1 interface
    > :nat (inside) 0 access-list inside_outbound_nat0_acl
    > :nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    >
    > :static (inside,outside) Server Server netmask 255.255.255.255 0 0
    >
    > That's okay for Server, as long as the outside devices know
    > to route or proxy arp 192.168.244.140 to the care of your PIX.
    >
    > :static (inside,outside) IP_VX IP_VX netmask 255.255.255.255 0 0
    >
    > But that isn't okay. Oh, the PIX will proxy arp for IP_VX no problem,
    > but when the packets get to the PIX, the PIX will drop the packets.
    > In order to get the packets to where they are going, you need to
    > add a 'route' statement to tell the PIX which router to forward 10.10.10.*
    > to in order to be delivered to the IP_VX .



    Thanks for a fast and good answer!
    But ..
    If I use the config like it is now .... why can't I get the inside net
    to go out to the internet? Shouldn't it be stateful? Why does it drop
    the incoming packets?

    regards
    Fredrik
     
    Fredrik, May 25, 2005
    #3
