Pix 515 and inbound services

Discussion in 'Cisco' started by tartar813, Mar 18, 2006.

  1. tartar813

    tartar813 Guest

    I'm trying to get away from the static/conduit way of doing things,
    just about have it. I can get out, but no clients outside could access
    the services inside. Any help would be greatly appreciated.

    The following is my configuration

    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet1 vlan35 physical
    interface ethernet1 vlan20 logical
    interface ethernet1 vlan21 logical
    interface ethernet1 vlan22 logical
    interface ethernet1 vlan23 logical
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif vlan20 priv security96
    nameif vlan21 reggie security99
    nameif vlan22 net3 security98
    nameif vlan23 net4 security97
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname dimepix1
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group network REGGIE_STATIC_HOSTS
    network-object host 72.29.91.82
    network-object host 72.29.91.83
    network-object host 72.29.91.84
    network-object host 72.29.91.85
    network-object host 72.29.91.86
    network-object host 72.29.91.87
    network-object host 72.29.91.88
    network-object host 72.29.91.89
    network-object host 72.29.91.90
    object-group network priv_hosts
    network-object host 72.29.91.66
    network-object host 72.29.91.67
    network-object host 72.29.91.68
    network-object host 72.29.91.69
    network-object host 72.29.91.70
    network-object host 72.29.91.71
    network-object host 72.29.91.72
    network-object host 72.29.91.73
    network-object host 72.29.91.74
    network-object host 72.29.91.76
    network-object host 72.29.91.75
    network-object host 72.29.91.77
    network-object host 72.29.91.78
    object-group network net3_hosts
    network-object host 72.29.91.98
    network-object host 72.29.91.99
    network-object host 72.29.91.100
    network-object host 72.29.91.101
    network-object host 72.29.91.102
    network-object host 72.29.91.103
    network-object host 72.29.91.104
    network-object host 72.29.91.105
    network-object host 72.29.91.106
    network-object host 72.29.91.107
    network-object host 72.29.91.108
    network-object host 72.29.91.109
    network-object host 72.29.91.110
    object-group network net4_hosts
    network-object host 72.29.91.114
    network-object host 72.29.91.115
    network-object host 72.29.91.116
    network-object host 72.29.91.117
    network-object host 72.29.91.118
    object-group protocol webservices
    protocol-object tcp
    object-group service web_service tcp
    port-object eq ftp
    port-object eq www
    port-object eq https
    object-group service mail_service tcp
    description Allows mail services inbound
    port-object eq smtp
    port-object eq imap4
    port-object eq pop3
    object-group network webhosts
    network-object host 72.29.91.84
    network-object host 72.29.91.82
    network-object host 72.29.91.85
    network-object host 72.29.91.83
    network-object host 72.29.91.86
    network-object host 72.29.91.87
    network-object host 72.29.91.88
    network-object host 72.29.91.89
    network-object host 72.29.91.66
    network-object host 72.29.91.67
    network-object host 72.29.91.68
    network-object host 72.29.91.69
    network-object host 72.29.91.70
    network-object host 72.29.91.71
    network-object host 72.29.91.72
    network-object host 72.29.91.73
    network-object host 72.29.91.77
    network-object host 72.29.91.78
    network-object host 72.29.91.98
    network-object host 72.29.91.99
    network-object host 72.29.91.100
    network-object host 72.29.91.101
    network-object host 72.29.91.102
    network-object host 72.29.91.103
    network-object host 72.29.91.104
    network-object host 72.29.91.105
    network-object host 72.29.91.106
    network-object host 72.29.91.107
    network-object host 72.29.91.108
    network-object host 72.29.91.109
    network-object host 72.29.91.74
    object-group network mailhosts
    network-object host 72.29.91.83
    network-object host 72.29.91.66
    network-object host 72.29.91.99
    network-object host 72.29.91.114
    network-object host 72.29.91.115
    object-group network rdp_hosts
    network-object host 72.29.91.84
    network-object host 72.29.91.82
    network-object host 72.29.91.83
    network-object host 72.29.91.85
    network-object host 72.29.91.66
    network-object host 72.29.91.69
    network-object host 72.29.91.107
    network-object host 72.29.91.108
    network-object host 72.29.91.109
    object-group network dnshosts
    network-object host 72.29.91.82
    network-object host 72.29.91.83
    network-object host 72.29.91.73
    network-object host 72.29.91.76
    network-object host 72.29.91.98
    network-object host 72.29.91.99
    network-object host 72.29.91.114
    network-object host 72.29.91.115
    access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
    access-list priv_out_acl permit ip object-group priv_hosts any
    access-list net3_out_acl permit ip object-group net3_hosts any
    access-list net4_out_acl permit ip object-group net4_hosts any
    access-list acl_in permit tcp object-group webhosts any object-group web_service
    access-list acl_in permit tcp object-group mailhosts any object-group mail_service
    access-list acl_in permit tcp object-group rdp_hosts any eq 3389
    access-list acl_in permit tcp object-group dnshosts any eq domain
    access-list acl_in permit udp object-group dnshosts any eq domain
    access-list acl_in permit tcp host 72.29.91.83 any eq 7099
    access-list acl_in permit tcp host 72.29.91.82 any eq 8888
    access-list acl_in permit icmp any any
    access-list acl_in permit tcp host 72.29.91.66 any eq 81
    access-list acl_in permit tcp host 72.29.91.66 any range 7000 7500
    access-list acl_in permit tcp host 72.29.91.107 any range 7000 7500
    access-list acl_in permit tcp host 72.29.91.114 any eq ssh
    access-list acl_in permit tcp host 72.29.91.114 any eq 993
    access-list acl_in permit tcp host 72.29.91.114 any eq 995
    access-list acl_in permit tcp host 72.29.91.76 any eq 9080
    access-list acl_in permit tcp host 72.29.91.76 host 64.3.246.250 eq 1090
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 72.29.91.125 255.255.255.248
    no ip address inside
    ip address priv 72.29.91.65 255.255.255.240
    ip address reggie 72.29.91.81 255.255.255.240
    ip address net3 72.29.91.97 255.255.255.240
    ip address net4 72.29.91.113 255.255.255.248
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address priv
    no failover ip address reggie
    no failover ip address net3
    no failover ip address net4
    pdm history enable
    arp timeout 14400
    nat (priv) 0 access-list priv_out_acl
    nat (reggie) 0 access-list reggie_out_acl
    nat (net3) 0 access-list net3_out_acl
    nat (net4) 0 access-list net4_out_acl
    access-group acl_in in interface outside
    access-group priv_out_acl in interface priv
    access-group reggie_out_acl in interface reggie
    access-group net3_out_acl in interface net3
    access-group net4_out_acl in interface net4
    route outside 0.0.0.0 0.0.0.0 72.29.91.126 1
     
    tartar813, Mar 18, 2006
    #1

  2. In article <>,
    tartar813 <> wrote:
    >I'm trying to get away from the static/conduit way of doing things,
    >just about have it. I can get out, but no clients outside could access
    >the services inside.


    >PIX Version 6.3(5)


    >access-list acl_in permit tcp object-group webhosts any object-group web_service


    >access-group acl_in in interface outside


    You have source and destination reversed in acl_in .
     
    Walter Roberson, Mar 18, 2006
    #2
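A small checker for the mistake Walter points out, added here as an example and not code from the thread or from Cisco: it parses the shape of config posted above and flags entries on the ACL bound to the outside interface whose source lies behind a non-outside interface while the destination does not. The sample config is constructed to mirror the first post with the host lists abbreviated, and the parser assumes only the PIX 6.x ACL grammar used in this thread (any, host, object-group, address/mask, eq/range and service object-group port qualifiers).

```python
import ipaddress

CONFIG = """\
object-group network webhosts
network-object host 72.29.91.84
network-object host 72.29.91.82
access-list acl_in permit tcp object-group webhosts any object-group web_service
access-list acl_in permit tcp host 72.29.91.83 any eq 7099
access-list acl_in permit tcp host 72.29.91.76 host 64.3.246.250 eq 1090
access-list acl_in permit tcp host 24.73.161.202 any eq ssh
ip address outside 72.29.91.125 255.255.255.248
ip address priv 72.29.91.65 255.255.255.240
ip address reggie 72.29.91.81 255.255.255.240
access-group acl_in in interface outside
""".splitlines()  # constructed sample in the shape of the first config posted above

def parse_config(lines):
    """Collect network object-groups, subnets behind non-outside interfaces, ACL entries and bindings."""
    groups, protected, acls, bindings, current = {}, [], {}, {}, None
    for line in filter(str.strip, lines):
        tok = line.split()
        if tok[:2] == ["object-group", "network"]:
            current = groups[tok[2]] = set()     # members collected until the next group
        elif tok[:2] == ["network-object", "host"]:
            current.add(tok[2])
        elif tok[:2] == ["ip", "address"] and tok[2] != "outside":
            protected.append(ipaddress.IPv4Network(f"{tok[3]}/{tok[4]}", strict=False))
        elif tok[0] == "access-list":
            acls.setdefault(tok[1], []).append(line)
        elif tok[0] == "access-group":          # access-group NAME in interface IFACE
            bindings[tok[4]] = tok[1]
    return groups, protected, acls, bindings

def take_endpoint(tok):  # one ACL endpoint: any | host A | object-group G | A MASK
    if tok[0] == "any":
        return ("any", None), tok[1:]
    if tok[0] in ("host", "object-group"):
        return (tok[0], tok[1]), tok[2:]
    return ("net", f"{tok[0]}/{tok[1]}"), tok[2:]

def skip_port(tok, groups):  # drop an optional port qualifier that follows an endpoint
    if tok and tok[0] in {"eq", "neq", "lt", "gt", "range"}:
        return tok[3:] if tok[0] == "range" else tok[2:]
    if tok[:1] == ["object-group"] and tok[1] not in groups:
        return tok[2:]                          # a service object-group, not a network one
    return tok

def is_protected(kind, value, groups, protected):  # does the endpoint lie wholly behind the PIX?
    if kind == "any":
        return False
    if kind == "object-group":
        members = groups.get(value, ())
        return bool(members) and all(is_protected("host", m, groups, protected) for m in members)
    net = ipaddress.IPv4Network(value, strict=False)   # a bare host address parses as a /32
    return any(net.subnet_of(p) for p in protected)

def find_reversed(lines):
    """Entries on the ACL bound to 'outside' whose source is internal but whose destination is not."""
    groups, protected, acls, bindings = parse_config(lines)
    def looks_reversed(line):
        src, rest = take_endpoint(line.split()[4:])        # after 'access-list NAME permit PROTO'
        dst, _ = take_endpoint(skip_port(rest, groups))
        return is_protected(*src, groups, protected) and not is_protected(*dst, groups, protected)
    return [line for line in acls.get(bindings.get("outside"), []) if looks_reversed(line)]
```

Running `find_reversed(CONFIG)` returns the three entries written inside-out; the entry sourced from 24.73.161.202 is a genuine external source and is left alone.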

  3. tartar813

    tartar813 Guest

    thanks, makes perfect sense now.
     
    tartar813, Mar 18, 2006
    #3
  4. tartar813

    tartar813 Guest

    Went to the dc to replace, still cannot access any of the internal
    services. Outgoing works no problem, just cannot bring up any of the
    websites. Here is the latest:

    It was my understanding that when you nat 0 an access list that
    automatically sets up all of the statics for the incoming traffic ie
    web sites, dns etc...

    Outbound ICMP wasn't working, any help with this would be greatly
    appreciated.

    Thanks


    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet1 vlan35 physical
    interface ethernet1 vlan20 logical
    interface ethernet1 vlan21 logical
    interface ethernet1 vlan22 logical
    interface ethernet1 vlan23 logical
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security4
    nameif vlan20 priv security96
    nameif vlan21 reggie security99
    nameif vlan22 net3 security98
    nameif vlan23 net4 security97
    hostname dimepix1
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group network REGGIE_STATIC_HOSTS
    network-object host 72.29.91.82
    network-object host 72.29.91.83
    network-object host 72.29.91.84
    network-object host 72.29.91.85
    network-object host 72.29.91.86
    network-object host 72.29.91.87
    network-object host 72.29.91.88
    network-object host 72.29.91.89
    network-object host 72.29.91.90
    object-group network priv_hosts
    network-object host 72.29.91.66
    network-object host 72.29.91.67
    network-object host 72.29.91.68
    network-object host 72.29.91.69
    network-object host 72.29.91.70
    network-object host 72.29.91.71
    network-object host 72.29.91.72
    network-object host 72.29.91.73
    network-object host 72.29.91.74
    network-object host 72.29.91.76
    network-object host 72.29.91.75
    network-object host 72.29.91.77
    network-object host 72.29.91.78
    object-group network net3_hosts
    network-object host 72.29.91.98
    network-object host 72.29.91.99
    network-object host 72.29.91.100
    network-object host 72.29.91.101
    network-object host 72.29.91.102
    network-object host 72.29.91.103
    network-object host 72.29.91.104
    network-object host 72.29.91.105
    network-object host 72.29.91.106
    network-object host 72.29.91.107
    network-object host 72.29.91.108
    network-object host 72.29.91.109
    network-object host 72.29.91.110
    object-group network net4_hosts
    network-object host 72.29.91.114
    network-object host 72.29.91.115
    network-object host 72.29.91.116
    network-object host 72.29.91.117
    network-object host 72.29.91.118
    object-group protocol webservices
    protocol-object tcp
    object-group service web_service tcp
    port-object eq ftp
    port-object eq www
    port-object eq https
    object-group service mail_service tcp
    description Allows mail services inbound
    port-object eq smtp
    port-object eq imap4
    port-object eq pop3
    object-group network webhosts
    network-object host 72.29.91.84
    network-object host 72.29.91.82
    network-object host 72.29.91.85
    network-object host 72.29.91.83
    network-object host 72.29.91.86
    network-object host 72.29.91.87
    network-object host 72.29.91.88
    network-object host 72.29.91.89
    network-object host 72.29.91.66
    network-object host 72.29.91.67
    network-object host 72.29.91.68
    network-object host 72.29.91.69
    network-object host 72.29.91.70
    network-object host 72.29.91.71
    network-object host 72.29.91.72
    network-object host 72.29.91.73
    network-object host 72.29.91.77
    network-object host 72.29.91.78
    network-object host 72.29.91.98
    network-object host 72.29.91.99
    network-object host 72.29.91.100
    network-object host 72.29.91.101
    network-object host 72.29.91.102
    network-object host 72.29.91.103
    network-object host 72.29.91.104
    network-object host 72.29.91.105
    network-object host 72.29.91.106
    network-object host 72.29.91.107
    network-object host 72.29.91.108
    network-object host 72.29.91.109
    network-object host 72.29.91.74
    object-group network mailhosts
    network-object host 72.29.91.83
    network-object host 72.29.91.66
    network-object host 72.29.91.99
    network-object host 72.29.91.114
    network-object host 72.29.91.115
    object-group network rdp_hosts
    network-object host 72.29.91.84
    network-object host 72.29.91.82
    network-object host 72.29.91.83
    network-object host 72.29.91.85
    network-object host 72.29.91.66
    network-object host 72.29.91.69
    network-object host 72.29.91.107
    network-object host 72.29.91.108
    network-object host 72.29.91.109
    object-group network dnshosts
    network-object host 72.29.91.82
    network-object host 72.29.91.83
    network-object host 72.29.91.73
    network-object host 72.29.91.76
    network-object host 72.29.91.98
    network-object host 72.29.91.99
    network-object host 72.29.91.114
    network-object host 72.29.91.115
    access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
    access-list priv_out_acl permit ip object-group priv_hosts any
    access-list net3_out_acl permit ip object-group net3_hosts any
    access-list net4_out_acl permit ip object-group net4_hosts any
    access-list acl_in permit tcp any object-group webhosts object-group web_service
    access-list acl_in permit tcp any object-group mailhosts object-group mail_service
    access-list acl_in permit tcp any object-group rdp_hosts eq 3389
    access-list acl_in permit tcp any object-group dnshosts eq domain
    access-list acl_in permit udp any object-group dnshosts eq domain
    access-list acl_in permit tcp any host 72.29.91.83 eq 7099
    access-list acl_in permit tcp any host 72.29.91.82 eq 8888
    access-list acl_in permit icmp any any
    access-list acl_in permit tcp any host 72.29.91.66 eq 81
    access-list acl_in permit tcp any host 72.29.91.66 range 7000 7500
    access-list acl_in permit tcp any host 72.29.91.107 range 7000 7500
    access-list acl_in permit tcp any host 72.29.91.114 eq ssh
    access-list acl_in permit tcp any host 72.29.91.114 eq 993
    access-list acl_in permit tcp any host 72.29.91.114 eq 995
    access-list acl_in permit tcp any host 72.29.91.76 eq 9080
    access-list acl_in permit tcp host 64.3.246.250 host 72.29.91.76 eq 1090
    access-list acl_in permit tcp host 24.73.161.202 any eq ssh
    access-list acl_in permit tcp host 24.73.161.202 any eq 3389
    access-list acl_in permit tcp host 24.73.161.202 any eq 9999
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside 72.29.91.125 255.255.255.248
    no ip address inside
    ip address intf2 10.5.250.1 255.255.0.0
    ip address priv 72.29.91.65 255.255.255.240
    ip address reggie 72.29.91.81 255.255.255.240
    ip address net3 72.29.91.97 255.255.255.240
    ip address net4 72.29.91.113 255.255.255.248
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address intf2
    no failover ip address priv
    no failover ip address reggie
    no failover ip address net3
    no failover ip address net4
    pdm history enable
    arp timeout 14400
    nat (priv) 0 access-list priv_out_acl
    nat (reggie) 0 access-list reggie_out_acl
    nat (net3) 0 access-list net3_out_acl
    nat (net4) 0 access-list net4_out_acl
    access-group priv_out_acl in interface priv
    access-group reggie_out_acl in interface reggie
    access-group net3_out_acl in interface net3
    access-group net4_out_acl in interface net4
    route outside 0.0.0.0 0.0.0.0 72.29.91.126 1
     
    tartar813, Mar 19, 2006
    #4
  5. tartar813

    tartar813 Guest

    I really don't want to do statics if I don't have to? Trying to get
    away from conduits, apply outbound etc....

    I figured out the icmp outbound issue, but the incoming services?

    Do I need the following:

    static (priv,outside) 72.29.91.64 72.29.91.64 netmask 255.255.255.240 0 0
    static (priv,reggie) 72.29.91.64 72.29.91.64 netmask 255.255.255.240 0 0

    etc... for all interfaces? I'm kind of new to the vlan interfaces but
    I really like them.

    Thanks in advance.
     
    tartar813, Mar 19, 2006
    #5
  6. tartar813

    tartar813 Guest

    I narrowed it down to a minimal config with allowing everything into
    one of the hosts that I have setup. I can ping the inside host
    from the firewall and the firewall from my workstation on the outside,
    I know the 10.x network is the public side.

    I cannot get this to work? Outbound, no problems, inbound, cannot get
    anything to connect.

    PIX Version 6.3(5)
    interface ethernet0 auto shutdown
    interface ethernet1 100full
    interface ethernet1 vlan35 physical
    interface ethernet1 vlan20 logical
    interface ethernet1 vlan21 logical
    interface ethernet1 vlan22 logical
    interface ethernet1 vlan23 logical
    interface ethernet2 100full
    nameif ethernet0 goo security1
    nameif ethernet1 inside security100
    nameif ethernet2 outside security0
    nameif vlan20 priv security96
    nameif vlan21 reggie security99
    nameif vlan22 net3 security98
    nameif vlan23 net4 security97
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname dimepix1
    domain-name host2max.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 109 permit ip 72.29.91.80 255.255.255.240 any
    access-list 109 permit icmp any any
    access-list 110 permit ip 72.29.91.64 255.255.255.240 any
    access-list 111 permit ip 72.29.91.96 255.255.255.240 any
    access-list 112 permit ip 72.29.91.112 255.255.255.248 any
    access-list 115 permit icmp any any
    access-list 115 permit ip any host 72.29.91.84
    access-list 115 permit tcp any host 72.29.91.84
    access-list 115 permit udp any host 72.29.91.84
    pager lines 24
    mtu goo 1500
    mtu inside 1500
    mtu outside 1500
    no ip address goo
    no ip address inside
    ip address outside 10.5.251.251 255.255.0.0
    ip address priv 72.29.91.65 255.255.255.240
    ip address reggie 72.29.91.81 255.255.255.240
    ip address net3 72.29.91.97 255.255.255.240
    ip address net4 72.29.91.113 255.255.255.248
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address goo
    no failover ip address inside
    no failover ip address outside
    no failover ip address priv
    no failover ip address reggie
    no failover ip address net3
    no failover ip address net4
    pdm history enable
    arp timeout 14400
    nat (priv) 0 access-list 110
    nat (reggie) 0 access-list 109
    nat (net3) 0 access-list 111
    nat (net4) 0 access-list 112
    access-group 115 in interface outside
    access-group 110 in interface priv
    access-group 109 in interface reggie
    access-group 111 in interface net3
    access-group 112 in interface net4
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
     
    tartar813, Mar 19, 2006
    #6
