Pix 515 VLAN NAT0 issues

Discussion in 'Cisco' started by tartar813, Mar 16, 2006.

  1. tartar813

    tartar813 Guest

    I am having problems with my Pix, it goes offline for a short period,
    plus get bad ftp performance with it. I have 6 interfaces outside, and
    5 vlan interfaces on the inside, I have all the NATs built. Not sure
    if there is something I am doing incorrectly. I have 4 more PIXes and am
    probably going to upgrade to 7.0 but will have to relearn the pix in
    the new commands.

    Any help would be greatly appreciated

    My firewall config is as follows:

    dimepix1> en
    Password: ******
    dimepix1# show run
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet1 vlan35 physical
    interface ethernet1 vlan20 logical
    interface ethernet1 vlan21 logical
    interface ethernet1 vlan22 logical
    interface ethernet1 vlan23 logical
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif vlan20 priv security96
    nameif vlan21 reggie security99
    nameif vlan22 net3 security98
    nameif vlan23 net4 security97
    hostname dimepix1
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 101 permit ip 72.29.91.64 255.255.255.240 any
    access-list 101 permit ip 72.29.91.80 255.255.255.240 any
    access-list 101 permit ip 72.29.91.96 255.255.255.240 any
    access-list 101 permit ip 72.29.91.112 255.255.255.248 any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 72.29.91.125 255.255.255.248
    no ip address inside
    ip address priv 72.29.91.65 255.255.255.240
    ip address reggie 72.29.91.81 255.255.255.240
    ip address net3 72.29.91.97 255.255.255.240
    ip address net4 72.29.91.113 255.255.255.248
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address priv
    no failover ip address reggie
    no failover ip address net3
    no failover ip address net4
    pdm history enable
    arp timeout 14400
    nat (inside) 0 72.29.91.64 255.255.255.240 0 0
    nat (reggie) 0 72.29.91.80 255.255.255.240 0 0
    nat (net3) 0 72.29.91.96 255.255.255.240 0 0
    nat (net4) 0 72.29.91.112 255.255.255.248 0 0
    static (reggie,outside) 72.29.91.84 72.29.91.84 netmask 255.255.255.255 0 0
    static (reggie,outside) 72.29.91.83 72.29.91.83 netmask 255.255.255.255 0 0
    static (reggie,outside) 72.29.91.82 72.29.91.82 netmask 255.255.255.255 0 0
    static (reggie,outside) 72.29.91.85 72.29.91.85 netmask 255.255.255.255 0 0
    static (reggie,outside) 72.29.91.86 72.29.91.86 netmask 255.255.255.255 0 0
    static (reggie,outside) 72.29.91.87 72.29.91.87 netmask 255.255.255.255 0 0
    static (reggie,outside) 72.29.91.88 72.29.91.88 netmask 255.255.255.255 0 0
    static (reggie,outside) 72.29.91.89 72.29.91.89 netmask 255.255.255.255 0 0
    static (reggie,outside) 72.29.91.94 72.29.91.94 netmask 255.255.255.255 0 0
    static (net3,outside) 72.29.91.98 72.29.91.98 netmask 255.255.255.255 0 0
    static (net3,outside) 72.29.91.99 72.29.91.99 netmask 255.255.255.255 0 0
    static (net3,outside) 72.29.91.100 72.29.91.100 netmask 255.255.255.255 0 0
    static (net3,outside) 72.29.91.101 72.29.91.101 netmask 255.255.255.255 0 0
    static (net3,outside) 72.29.91.102 72.29.91.102 netmask 255.255.255.255 0 0
    static (net3,outside) 72.29.91.103 72.29.91.103 netmask 255.255.255.255 0 0
    static (net3,outside) 72.29.91.104 72.29.91.104 netmask 255.255.255.255 0 0
    static (net3,outside) 72.29.91.105 72.29.91.105 netmask 255.255.255.255 0 0
    static (net3,outside) 72.29.91.106 72.29.91.106 netmask 255.255.255.255 0 0
    static (net3,outside) 72.29.91.107 72.29.91.107 netmask 255.255.255.255 0 0
    static (net3,outside) 72.29.91.108 72.29.91.108 netmask 255.255.255.255 0 0
    static (net3,outside) 72.29.91.109 72.29.91.109 netmask 255.255.255.255 0 0
    static (net3,outside) 72.29.91.110 72.29.91.110 netmask 255.255.255.255 0 0
    static (priv,outside) 72.29.91.66 72.29.91.66 netmask 255.255.255.255 0 0
    static (priv,outside) 72.29.91.67 72.29.91.67 netmask 255.255.255.255 0 0
    static (priv,outside) 72.29.91.68 72.29.91.68 netmask 255.255.255.255 0 0
    static (priv,outside) 72.29.91.69 72.29.91.69 netmask 255.255.255.255 0 0
    static (priv,outside) 72.29.91.70 72.29.91.70 netmask 255.255.255.255 0 0
    static (priv,outside) 72.29.91.71 72.29.91.71 netmask 255.255.255.255 0 0
    static (priv,outside) 72.29.91.72 72.29.91.72 netmask 255.255.255.255 0 0
    static (priv,outside) 72.29.91.73 72.29.91.73 netmask 255.255.255.255 0 0
    static (priv,outside) 72.29.91.74 72.29.91.74 netmask 255.255.255.255 0 0
    static (priv,outside) 72.29.91.75 72.29.91.75 netmask 255.255.255.255 0 0
    static (priv,outside) 72.29.91.76 72.29.91.76 netmask 255.255.255.255 0 0
    static (priv,outside) 72.29.91.77 72.29.91.77 netmask 255.255.255.255 0 0
    static (priv,outside) 72.29.91.78 72.29.91.78 netmask 255.255.255.255 0 0
    static (priv,net3) 72.29.91.66 72.29.91.66 netmask 255.255.255.255 0 0
    static (net3,priv) 72.29.91.99 72.29.91.99 netmask 255.255.255.255 0 0
    static (net3,priv) 72.29.91.98 72.29.91.98 netmask 255.255.255.255 0 0
    static (net3,priv) 72.29.91.107 72.29.91.107 netmask 255.255.255.255 0 0
    static (priv,reggie) 72.29.91.66 72.29.91.66 netmask 255.255.255.255 0 0
    static (reggie,priv) 72.29.91.82 72.29.91.82 netmask 255.255.255.255 0 0
    static (reggie,priv) 72.29.91.83 72.29.91.83 netmask 255.255.255.255 0 0
    static (reggie,priv) 72.29.91.84 72.29.91.84 netmask 255.255.255.255 0 0
    static (reggie,priv) 72.29.91.85 72.29.91.85 netmask 255.255.255.255 0 0
    static (reggie,priv) 72.29.91.86 72.29.91.86 netmask 255.255.255.255 0 0
    static (reggie,net3) 72.29.91.83 72.29.91.83 netmask 255.255.255.255 0 0
    static (net4,outside) 72.29.91.114 72.29.91.114 netmask 255.255.255.255 0 0
    static (net4,outside) 72.29.91.115 72.29.91.115 netmask 255.255.255.255 0 0
    static (net4,outside) 72.29.91.116 72.29.91.116 netmask 255.255.255.255 0 0
    static (net4,outside) 72.29.91.117 72.29.91.117 netmask 255.255.255.255 0 0
    static (net4,outside) 72.29.91.118 72.29.91.118 netmask 255.255.255.255 0 0
    static (net4,priv) 72.29.91.114 72.29.91.114 netmask 255.255.255.255 0 0
    static (net4,reggie) 72.29.91.114 72.29.91.114 netmask 255.255.255.255 0 0
    static (net4,net3) 72.29.91.114 72.29.91.114 netmask 255.255.255.255 0 0
    static (net3,reggie) 72.29.91.99 72.29.91.99 netmask 255.255.255.255 0 0
    static (net3,net4) 72.29.91.99 72.29.91.99 netmask 255.255.255.255 0 0
    static (net3,reggie) 72.29.91.98 72.29.91.98 netmask 255.255.255.255 0 0
    static (net3,net4) 72.29.91.98 72.29.91.98 netmask 255.255.255.255 0 0
    conduit permit icmp any any
    conduit permit tcp host 72.29.91.84 eq www any
    conduit permit tcp host 72.29.91.84 eq https any
    conduit permit tcp host 72.29.91.84 eq 3389 any
    conduit permit tcp host 72.29.91.84 eq ftp any
    conduit permit tcp host 72.29.91.82 eq domain any
    conduit permit udp host 72.29.91.82 eq domain any
    conduit permit tcp host 72.29.91.82 eq ftp any
    conduit permit tcp host 72.29.91.82 eq www any
    conduit permit tcp host 72.29.91.82 eq https any
    conduit permit tcp host 72.29.91.82 eq 3389 any
    conduit permit tcp host 72.29.91.83 eq domain any
    conduit permit udp host 72.29.91.83 eq domain any
    conduit permit tcp host 72.29.91.83 eq pop3 any
    conduit permit tcp host 72.29.91.83 eq 3389 any
    conduit permit tcp host 72.29.91.83 eq ftp any
    conduit permit tcp host 72.29.91.83 eq smtp any
    conduit permit tcp host 72.29.91.85 eq www any
    conduit permit tcp host 72.29.91.85 eq ftp any
    conduit permit tcp host 72.29.91.85 eq https any
    conduit permit tcp host 72.29.91.85 eq 3389 any
    conduit permit tcp host 72.29.91.85 eq 7099 any
    conduit permit tcp host 72.29.91.83 eq www any
    conduit permit tcp host 72.29.91.83 eq imap4 any
    conduit permit tcp host 72.29.91.86 eq www any
    conduit permit tcp host 72.29.91.86 eq https any
    conduit permit tcp host 72.29.91.87 eq https any
    conduit permit tcp host 72.29.91.87 eq www any
    conduit permit tcp host 72.29.91.88 eq www any
    conduit permit tcp host 72.29.91.88 eq https any
    conduit permit tcp host 72.29.91.89 eq https any
    conduit permit tcp host 72.29.91.89 eq www any
    conduit permit tcp host 72.29.91.66 eq https any
    conduit permit tcp host 72.29.91.66 eq www any
    conduit permit tcp host 72.29.91.66 eq pop3 any
    conduit permit tcp host 72.29.91.66 eq imap4 any
    conduit permit tcp host 72.29.91.66 eq 3389 any
    conduit permit tcp host 72.29.91.66 eq smtp any
    conduit permit tcp host 72.29.91.66 eq 81 any
    conduit permit tcp host 72.29.91.67 eq www any
    conduit permit tcp host 72.29.91.67 eq https any
    conduit permit tcp host 72.29.91.68 eq https any
    conduit permit tcp host 72.29.91.68 eq www any
    conduit permit tcp host 72.29.91.69 eq www any
    conduit permit tcp host 72.29.91.69 eq https any
    conduit permit tcp host 72.29.91.69 eq 3389 any
    conduit permit tcp host 72.29.91.69 eq ftp any
    conduit permit tcp host 72.29.91.66 eq ftp any
    conduit permit tcp host 72.29.91.70 eq ftp any
    conduit permit tcp host 72.29.91.70 eq www any
    conduit permit tcp host 72.29.91.70 eq https any
    conduit permit tcp host 72.29.91.71 eq www any
    conduit permit tcp host 72.29.91.73 eq www any
    conduit permit tcp host 72.29.91.73 eq domain any
    conduit permit udp host 72.29.91.73 eq domain any
    conduit permit tcp host 72.29.91.73 eq https any
    conduit permit tcp host 72.29.91.76 eq domain any
    conduit permit udp host 72.29.91.76 eq domain any
    conduit permit tcp host 72.29.91.76 eq smtp any
    conduit permit tcp host 72.29.91.77 eq www any
    conduit permit tcp host 72.29.91.77 eq https any
    conduit permit tcp host 72.29.91.78 eq www any
    conduit permit tcp host 72.29.91.78 eq https any
    conduit permit tcp host 72.29.91.98 eq domain any
    conduit permit udp host 72.29.91.98 eq domain any
    conduit permit tcp host 72.29.91.98 eq www any
    conduit permit tcp host 72.29.91.99 eq domain any
    conduit permit udp host 72.29.91.99 eq domain any
    conduit permit tcp host 72.29.91.99 eq www any
    conduit permit tcp host 72.29.91.99 eq smtp any
    conduit permit tcp host 72.29.91.99 eq imap4 any
    conduit permit tcp host 72.29.91.99 eq pop3 any
    conduit permit tcp host 72.29.91.107 eq www any
    conduit permit tcp host 72.29.91.107 eq ftp any
    conduit permit tcp host 72.29.91.107 eq 3389 any
    conduit permit tcp host 72.29.91.108 eq 3389 any
    conduit permit tcp host 72.29.91.108 eq ftp any
    conduit permit tcp host 72.29.91.108 eq www any
    conduit permit tcp host 72.29.91.109 eq www any
    conduit permit tcp host 72.29.91.109 eq ftp any
    conduit permit tcp host 72.29.91.109 eq 3389 any
    conduit permit tcp host 72.29.91.74 eq www any
    conduit permit tcp host 72.29.91.114 eq ssh any
    conduit permit tcp host 72.29.91.114 eq smtp any
    conduit permit tcp host 72.29.91.114 eq pop3 any
    conduit permit tcp host 72.29.91.114 eq imap4 any
    conduit permit tcp host 72.29.91.114 eq domain any
    conduit permit udp host 72.29.91.114 eq domain any
    conduit permit tcp host 72.29.91.114 eq www any
    conduit permit tcp host 72.29.91.114 eq https any
    conduit permit tcp host 72.29.91.114 eq ftp-data any
    conduit permit tcp host 72.29.91.114 eq ftp any
    conduit permit tcp host 72.29.91.114 eq 993 any
    conduit permit tcp host 72.29.91.114 eq 995 any
    conduit permit tcp host 72.29.91.115 eq ssh any
    conduit permit tcp host 72.29.91.115 eq smtp any
    conduit permit tcp host 72.29.91.115 eq pop3 any
    conduit permit tcp host 72.29.91.115 eq imap4 any
    conduit permit tcp host 72.29.91.115 eq domain any
    conduit permit udp host 72.29.91.115 eq domain any
    conduit permit tcp host 72.29.91.115 eq www any
    conduit permit tcp host 72.29.91.115 eq https any
    conduit permit tcp host 72.29.91.115 eq ftp-data any
    conduit permit tcp host 72.29.91.115 eq ftp any
    conduit permit tcp host 72.29.91.115 eq 993 any
    conduit permit tcp host 72.29.91.115 eq 995 any
    conduit permit tcp host 72.29.91.103 eq www any
    conduit permit tcp host 72.29.91.104 eq www any
    conduit permit tcp host 72.29.91.105 eq www any
    conduit deny ip any any
    outbound 1 permit 0.0.0.0 0.0.0.0 0 ip
    apply (inside) 1 outgoing_src
    apply (reggie) 1 outgoing_src
    apply (net3) 1 outgoing_src
    apply (net4) 1 outgoing_src
    route outside 0.0.0.0 0.0.0.0 72.29.91.126 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:3d0e96df8a545fcb3aa924794e17f3a1
     
    tartar813, Mar 16, 2006
    #1

  2. Kevin Widner

    Kevin Widner Guest

    I am having problems with my Pix, it goes offline for a short period,
    plus get bad ftp performance with it. I have 6 interfaces outside, and
    5 vlan interfaces on the inside, I have all the NATs built. Not sure
    if there is something I am doing incorrectly.

    ==========

    Have you taken a look at the following?

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094317.shtml

    set your logging to debug level and try your ftp, just to see if it
    tells you anything interesting.
     
    Kevin Widner, Mar 16, 2006
    #2

  3. tartar813

    tartar813 Guest

    Would that also cause me to not be able to ping my outside interface
    and any ip addresses behind the firewall?

    I have another server on the outside of the firewall on the same switch; it
    never goes down.

    Do you see any problems with my config? The statics going between the
    different interfaces?

    Thanks
     
    tartar813, Mar 16, 2006
    #3
  4. In article <>,
    tartar813 <> wrote:
    >I am having problems with my Pix, it goes offline for a short perior,
    >plus get bad ftp performance with it.


    I do not see anything -obviously- wrong with your configuration;
    but see below.

    >PIX Version 6.3(5)


    >access-list 101 permit ip 72.29.91.64 255.255.255.240 any
    >access-list 101 permit ip 72.29.91.80 255.255.255.240 any
    >access-list 101 permit ip 72.29.91.96 255.255.255.240 any
    >access-list 101 permit ip 72.29.91.112 255.255.255.248 any


    You do not appear to be using that access-list.

    >nat (reggie) 0 72.29.91.80 255.255.255.240 0 0
    >static (reggie,outside) 72.29.91.84 72.29.91.84 netmask 255.255.255.255 0 0
    >static (reggie,outside) 72.29.91.83 72.29.91.83 netmask 255.255.255.255 0 0


    As a matter of style, you may wish to replace most of the
    individual static's with an access list that specifies the hosts
    to be static'd, and then

    nat (reggie) 0 access-list REGGIE_STATIC_ACL_NAME
    or
    static (reggie,outside) 72.29.91.80 access-list REGGIE_STATIC_ACL_NAME

    The difference between the two is that the nat 0 access-list form
    does not do proxy ARP.

    For the access-list REGGIE_STATIC_ACL_NAME instead of having
    a bunch of "permit ip host" entries, you could create an
    object-group of type network, list the hosts in there, and then
    have a single ACL line:

    object-group network REGGIE_STATIC_HOSTS
    network-object host 72.29.91.82
    network-object host 72.29.91.85
    access-list REGGIE_STATIC_ACL_NAME permit ip object-group REGGIE_STATIC_HOSTS any

    >conduit permit icmp any any

    [many more conduit]
    >outbound 1 permit 0.0.0.0 0.0.0.0 0 ip
    >apply (inside) 1 outgoing_src


    In any PIX version from 5.3(2) onwards, it saves time to assume
    that conduit and outbound and apply are broken beyond repair.
    Cisco started declining to fix conduit bugs about then,
    and although they had to rewrite a bunch of the conduit code
    for 6.2, bugs they created in the course of that rewrite will
    usually not be fixed. There are a number of conduit bugs in
    the Bug Navigator.

    Cisco has been saying since early 5.2 that conduit is
    deprecated; it is not present at all in 7.0.

    As there are conduit bugs that will not be fixed, I do not believe
    that it is productive to try to diagnose problems that might be
    related to conduit, especially in interactions with any feature
    introduced in 6.x.

    If your policies and downtime availability permit, I would
    recommend running your configuration through Cisco's conduit
    conversion tool, having a careful look at the result
    to ensure that it will do what you want, and then put that into place.
     
    Walter Roberson, Mar 16, 2006
    #4
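As an added illustration of the rewrite suggested in this reply (this is example code written for this page, not anything from the thread or from Cisco), the script below reads `static` lines in the form the original poster uses, keeps only the /32 identity statics toward the outside, groups them by real interface, and emits one network object-group, one ACL and one `nat 0 access-list` per interface. The object-group naming follows the reply; the `_nat0_acl` suffix and the sample lines are this example's own assumptions. Anything else (the DMZ-to-DMZ statics, or a static whose mapped and real addresses differ) is reported rather than rewritten, because the proxy-ARP difference noted above means such entries deserve a manual look.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of the poster's PIX 6.3 config: identity
# statics (mapped and real address are the same host), one static between two
# DMZ interfaces, and one non-identity static that must stay as it is.
SAMPLE_STATICS = """\
static (reggie,outside) 72.29.91.84 72.29.91.84 netmask 255.255.255.255 0 0
static (reggie,outside) 72.29.91.83 72.29.91.83 netmask 255.255.255.255 0 0
static (net3,outside) 72.29.91.98 72.29.91.98 netmask 255.255.255.255 0 0
static (priv,net3) 72.29.91.66 72.29.91.66 netmask 255.255.255.255 0 0
static (reggie,outside) 72.29.91.85 10.0.0.85 netmask 255.255.255.255 0 0
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [max_conns [em_limit]]
STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\)\s+"
    r"(?P<mapped_ip>\d+(?:\.\d+){3})\s+(?P<real_ip>\d+(?:\.\d+){3})\s+"
    r"netmask (?P<mask>\d+(?:\.\d+){3})"
)


def collect_identity_statics(config: str, mapped_ifc: str = "outside"
                             ) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group host identity statics toward `mapped_ifc` by their real interface.

    Returns (groups, skipped): groups maps a real interface name to its hosts
    in config order (deduplicated); skipped holds every static line that is
    not a /32 identity static toward mapped_ifc and therefore needs a manual
    look rather than a mechanical rewrite."""
    groups: Dict[str, List[str]] = {}
    skipped: List[str] = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        identity = (m["mapped_ip"] == m["real_ip"]
                    and m["mask"] == "255.255.255.255"
                    and m["mapped"] == mapped_ifc)
        if not identity:
            skipped.append(line)
            continue
        hosts = groups.setdefault(m["real"], [])
        if m["mapped_ip"] not in hosts:
            hosts.append(m["mapped_ip"])
    return groups, skipped


def render_nat0(groups: Dict[str, List[str]]) -> str:
    """Emit one object-group, one ACL and one 'nat 0 access-list' per interface.

    Names follow the pattern used in the thread; the '_nat0_acl' suffix is this
    example's own choice. Only one 'nat 0 access-list' is allowed per interface,
    which is why all hosts of an interface land in a single ACL."""
    out: List[str] = []
    for ifc, hosts in groups.items():
        group = f"{ifc.upper()}_STATIC_HOSTS"
        acl = f"{ifc}_nat0_acl"
        out.append(f"object-group network {group}")
        out.extend(f"  network-object host {h}" for h in hosts)
        out.append(f"access-list {acl} permit ip object-group {group} any")
        out.append(f"nat ({ifc}) 0 access-list {acl}")
    return "\n".join(out) + ("\n" if out else "")


if __name__ == "__main__":
    groups, skipped = collect_identity_statics(SAMPLE_STATICS)
    print(render_nat0(groups))
    for line in skipped:
        print("! review manually:", line)
```

Run it against a saved `show run` instead of the embedded sample to get a first draft; the lines it reports as "review manually" are the ones where the `static` form (with its proxy ARP) may still be needed.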
  5. tartar813

    tartar813 Guest

    Where is the conduit conversion tool? I've tried to find it but
    cannot. I do have an extra pix here that I am trying to use some of
    your suggestions.

    object-group network REGGIE_STATIC_HOSTS
    network-object host 72.29.91.82
    network-object host 72.29.91.83
    network-object host 72.29.91.84
    network-object host 72.29.91.85
    network-object host 72.29.91.86
    network-object host 72.29.91.87
    network-object host 72.29.91.88
    access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
    nat (reggie) 0 access-list reggie_out_acl

    Let me make sure I get it: this will not NAT all of the items going out
    from the REGGIE_STATIC_HOSTS network object group?
    Does this automatically set up the inbound translations also?

    Thank you, I really appreciate this, I feel like an idiot since I've
    been using the conduits and stuff for so long.
     
    tartar813, Mar 16, 2006
    #5
  6. tartar813

    tartar813 Guest

    Do I need?

    access-group reggie_out_acl in interface reggie ?
     
    tartar813, Mar 16, 2006
    #6
  7. tartar813

    tartar813 Guest

    This is basically what I have so far?

    Not sure how to get things to come in? When you nat 0 an access list,
    does that automatically set up the inbound statics?

    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet1 vlan35 physical
    interface ethernet1 vlan20 logical
    interface ethernet1 vlan21 logical
    interface ethernet1 vlan22 logical
    interface ethernet1 vlan23 logical
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif vlan20 priv security96
    nameif vlan21 reggie security99
    nameif vlan22 net3 security98
    nameif vlan23 net4 security97
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname dimepix1
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group network REGGIE_STATIC_HOSTS
    network-object host 72.29.91.82
    network-object host 72.29.91.83
    network-object host 72.29.91.84
    network-object host 72.29.91.85
    network-object host 72.29.91.86
    network-object host 72.29.91.87
    network-object host 72.29.91.88
    network-object host 72.29.91.89
    network-object host 72.29.91.90
    object-group network priv_hosts
    network-object host 72.29.91.66
    network-object host 72.29.91.67
    network-object host 72.29.91.68
    network-object host 72.29.91.69
    network-object host 72.29.91.70
    network-object host 72.29.91.71
    network-object host 72.29.91.72
    network-object host 72.29.91.73
    network-object host 72.29.91.74
    network-object host 72.29.91.76
    network-object host 72.29.91.75
    network-object host 72.29.91.77
    network-object host 72.29.91.78
    access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
    access-list priv_out_acl permit ip object-group priv_hosts any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 72.29.91.125 255.255.255.248
    no ip address inside
    ip address priv 72.29.91.65 255.255.255.240
    ip address reggie 72.29.91.81 255.255.255.240
    ip address net3 72.29.91.97 255.255.255.240
    ip address net4 72.29.91.113 255.255.255.248
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address priv
    no failover ip address reggie
    no failover ip address net3
    no failover ip address net4
    pdm history enable
    arp timeout 14400
    nat (priv) 0 access-list priv_out_acl
    nat (reggie) 0 access-list reggie_out_acl
    access-group priv_out_acl in interface priv
    access-group reggie_out_acl in interface reggie
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:d41d8cd98f00b204e980
     
    tartar813, Mar 16, 2006
    #7
  8. In article <>,
    tartar813 <> wrote:
    >Where is the conduit conversion tool?


    http://www.cisco.com/cgi-bin/tablebuild.pl/pix
    and log in to your account, then scroll down the list until you find
    occ-121 about 2/3 of the way down.

    >object-group network REGGIE_STATIC_HOSTS
    > network-object host 72.29.91.82
    > network-object host 72.29.91.83
    > network-object host 72.29.91.84
    > network-object host 72.29.91.85
    > network-object host 72.29.91.86
    > network-object host 72.29.91.87
    > network-object host 72.29.91.88
    >access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
    >nat (reggie) 0 access-list reggie_out_acl


    >Let me make sure I get it, This will not NAT all of the items going out
    >from the REGGIE_STATIC_HOSTS network object group?


    Right. Anything sourced "within" the reggie segment that matches
    that ACL will be exempt from NAT.

    >Does this automatically setup the inbound translations also?


    Suppressing some unimportant semantic quibbles, Yes, exactly. Any
    connection heading into a lower-security interface that matches the
    "reverse" of the ACL (i.e., exchange source and destination fields)
    will be permitted inward, provided that the access-group on that
    lower interface permits that flow. It -is- a form of "static"
    for that purpose.

    There is, though, the side effect that proxy arp will not be enabled
    for the IPs (not unless there is a regular static for that IP),
    so your WAN router will have to route those IPs to the outside IP
    of the PIX. This is usually not a problem unless you happen to have
    real hosts on the outside segment.


    >Thank you, I really appreciate this, I feel like an idiot since I've
    >been using the conduits and stuff for so long.


    Even the TAC ends up scratching their head over bidirectional policy NAT.
    Some stuff just isn't well documented.


    Some ACL and translation fundamentals:

    Each ACL should be written in terms of the IPs that would be in
    the packet at the time the PIX receives the packet. e.g., an
    ACL applied to an inside interface would have the internal IPs as
    the source and the outside IPs *as known to the inside* as the
    destinations.

    Translation takes place -after- the interface controls have decided
    to accept the packet, based upon the ACL applied to the interface
    (or upon the default flow rules if there is no ACL.) But
    that's the rule for when the translation is actually performed:
    before the ACL is even looked at, the PIX checks to see that
    that a translation exists. Thus if a new connection attempt hits
    your outside interface and is addressed to a public IP that
    you do not have a "static" or "nat 0 access-list" for, then
    the packet will be dropped with a log entry about
    "no translation group" and only if there is a translation can
    you go on to "denied by access-list". {It wasn't that way before 6.2,
    and they might have modified this by now, as I griped about this.}
    The modification of packet content happens after the packet has been
    accepted as having a translation and satisfying the security policies.

    The default rules, if you have no ACL applied to an interface,
    are that traffic to lower-security is allowed and to higher security
    is not allowed. If you do have an ACL, then that rule does not
    apply at all, and instead the rule becomes "anything which is
    not permitted by the ACL is not allowed."

    An important difference you will hit is that "conduit" applies
    to all interfaces, but the access-group command applies an ACL
    only to one interface. So before if you had a conduit that
    permitted traffic to something in your highest security zone,
    then you will need an ACL for each of the lower security zones
    if you want them to be able to reach that higher security zone.

    Only one ACL is permitted "in" per interface. PIX 7.x adds
    ACLs "out" an interface, and modifies to "one per direction".

    Never try to use the same ACL for two purposes. If you have two controls
    mention the same ACL name/number then you will likely have
    odd problems.

    Translation to lower security interfaces normally changes the source
    IP, and translation to higher security interfaces normally changes
    the destination IP. [PIX 6.2 and later allow changing this.]

    An ACL applied to an interface should refer to the private IP of a
    host on a lower security interface, but to the public IP
    of a host on a higher security interface. Of course if you have
    used nat 0 access-list or static'd IPs to themselves between
    a pair of interfaces, then the public and private IP would be the same
    for that transaction.

    Only one "nat 0 access-list" is permitted per interface, and it
    applies to traffic going to lower security interfaces. Indefinite
    numbers of "nat 0" (without access-list) are permitted per interface,
    and again apply towards all lower security interfaces.
    "static" and all other "nat" commands work between pairs of interfaces,
    so the IP of an inside host as known to dmz1 could be different than
    the IP of the same host as known to dmz2.


    Access-lists mentioned in crypto map (VPN) "match address" clauses
    should be written from the perspective of packets going out
    the interface that the crypto map is applied to. But unlike the
    other cases, the "match address" ACLs must be written in
    terms of what would be in the packet *after* translation
    (towards the outside). For incoming VPN packets, the
    "match address" ACL will automatically be read "in reverse"
    [like for the nat 0 access-list case], and the addresses used
    to check will be the ones after decapsulation but before any
    translation.

    An incoming VPN packet will be decapsulated, and the inner packet first
    checked against the {implicitly reversed} appropriate "match address"
    ACL. After that, the inner packet will be checked against the ACL (or
    default policy) for the interface it was received on, -unless- "sysopt
    connection permit-ipsec" or similar has been turned on: If you use
    those commands, then all VPN packets that manage to make it to you will
    be permitted to go to any destination (except on the -same- interface)
    without any checking of access policies.

    Similarly, an outgoing VPN packet will be checked first against the
    security policy of the interface it was received on, *unless* "sysopt
    connection permit-" is in effect and the packet would go out over the
    VPN -- those packets will go through even if the security policy says
    to block them. After the outgoing VPN packet is accepted by the
    interface, it undergoes translation, and the -translated- packet will
    be compared against the "match address" ACLs for dispatching.
     
    Walter Roberson, Mar 16, 2006
    #8
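The ordering described in the reply above (translation lookup before the interface policy, the `nat 0 access-list` read "in reverse" to admit inbound connections, default flow rules only when no ACL is applied) is easy to misread, so here is a small runnable model of it. This is an added example written for this page, not Cisco code and not anything posted in the thread; the interface names, security levels and addresses are a constructed cut-down of the poster's layout, and the model assumes identity translations only, ignores proxy ARP, fixups, established-connection state and the VPN cases.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

ANY = (ip_network("0.0.0.0/0"),)


@dataclass(frozen=True)
class Ace:
    """One access-list entry. src/dst are tuples of networks (an object-group
    expands to several); dport None means any port."""
    permit: bool
    proto: str                          # "ip", "tcp", "udp" or "icmp"
    src: Tuple[IPv4Network, ...]
    dst: Tuple[IPv4Network, ...]
    dport: Optional[int] = None

    def matches(self, src, dst, proto, dport, reverse=False):
        if reverse:                     # read the ACL "in reverse": swap fields
            src, dst = dst, src
        return (self.proto in ("ip", proto)
                and any(src in n for n in self.src)
                and any(dst in n for n in self.dst)
                and (self.dport is None or self.dport == dport))


@dataclass
class Pix:
    security: Dict[str, int]                    # nameif security levels
    routes: Dict[str, List[IPv4Network]]        # networks reachable via each interface
    nat0: Dict[str, List[Ace]]                  # the one 'nat 0 access-list' per interface
    statics: Set[Tuple[str, str, IPv4Address]]  # identity statics (real_ifc, mapped_ifc, ip)
    access_group: Dict[str, List[Ace]]          # the one ACL applied "in" per interface

    def egress(self, dst: IPv4Address) -> str:
        best = None
        for ifc, nets in self.routes.items():
            for n in nets:
                if dst in n and (best is None or n.prefixlen > best[1].prefixlen):
                    best = (ifc, n)
        if best is None:
            raise ValueError(f"no route to {dst}")
        return best[0]

    def has_translation(self, in_ifc, out_ifc, src, dst, proto, dport) -> bool:
        if self.security[out_ifc] < self.security[in_ifc]:
            # towards lower security: the *source* needs a translation on the ingress side
            return ((in_ifc, out_ifc, src) in self.statics
                    or any(a.permit and a.matches(src, dst, proto, dport)
                           for a in self.nat0.get(in_ifc, [])))
        # towards higher security: the *destination* needs one, either a static
        # or the reverse of the higher interface's nat 0 access-list
        return ((out_ifc, in_ifc, dst) in self.statics
                or any(a.permit and a.matches(src, dst, proto, dport, reverse=True)
                       for a in self.nat0.get(out_ifc, [])))

    def decide(self, in_ifc: str, src: str, dst: str, proto: str = "tcp",
               dport: Optional[int] = None) -> str:
        """Verdict for a new connection arriving on in_ifc, in the order the
        reply describes: translation lookup first, interface policy second."""
        s, d = ip_address(src), ip_address(dst)
        out_ifc = self.egress(d)
        if not self.has_translation(in_ifc, out_ifc, s, d, proto, dport):
            return "no translation group"
        acl = self.access_group.get(in_ifc)
        if acl is None:                 # default flow rules, no ACL on this interface
            lower = self.security[out_ifc] < self.security[in_ifc]
            return "permit" if lower else "denied by default policy"
        for a in acl:                   # with an ACL, only what it permits is allowed
            if a.matches(s, d, proto, dport):
                return "permit" if a.permit else "denied by access-list"
        return "denied by access-list"


def build_sample_pix() -> Pix:
    """Constructed cut-down of the thread's layout: outside (0), reggie (99)
    and priv (96); reggie uses nat 0 access-list, priv keeps one identity
    static, and the outside ACL opens two services."""
    reggie_hosts = tuple(ip_network(f"72.29.91.{h}/32") for h in (82, 83, 84))
    return Pix(
        security={"outside": 0, "reggie": 99, "priv": 96},
        routes={"outside": [ip_network("0.0.0.0/0")],
                "reggie": [ip_network("72.29.91.80/28")],
                "priv": [ip_network("72.29.91.64/28")]},
        nat0={"reggie": [Ace(True, "ip", reggie_hosts, ANY)]},
        statics={("priv", "outside", ip_address("72.29.91.66"))},
        access_group={"outside": [
            Ace(True, "tcp", ANY, (ip_network("72.29.91.84/32"),), 80),
            Ace(True, "tcp", ANY, (ip_network("72.29.91.66/32"),), 443),
        ]},
    )


if __name__ == "__main__":
    pix = build_sample_pix()
    for flow in [("outside", "198.51.100.7", "72.29.91.84", "tcp", 80),
                 ("outside", "198.51.100.7", "72.29.91.90", "tcp", 80),
                 ("priv", "72.29.91.66", "72.29.91.84", "tcp", 80)]:
        print(flow, "->", pix.decide(*flow))
```

The third flow in the demo is the case worth noticing: `priv` to `reggie` finds a translation through the reverse of reggie's `nat 0 access-list`, and is then dropped only because `priv` has no ACL and the default rule forbids going to higher security; a connection to a `reggie` host outside that ACL never gets that far and is logged as "no translation group" instead.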
  9. tartar813

    tartar813 Guest

    Current configuration; I am trying to use ACLs with access-lists,
    object-groups and access-groups. Not sure if I am doing this right?

    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet1 vlan35 physical
    interface ethernet1 vlan20 logical
    interface ethernet1 vlan21 logical
    interface ethernet1 vlan22 logical
    interface ethernet1 vlan23 logical
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif vlan20 priv security96
    nameif vlan21 reggie security99
    nameif vlan22 net3 security98
    nameif vlan23 net4 security97
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname dimepix1
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group network REGGIE_STATIC_HOSTS
    network-object host 72.29.91.82
    network-object host 72.29.91.83
    network-object host 72.29.91.84
    network-object host 72.29.91.85
    network-object host 72.29.91.86
    network-object host 72.29.91.87
    network-object host 72.29.91.88
    network-object host 72.29.91.89
    network-object host 72.29.91.90
    object-group network priv_hosts
    network-object host 72.29.91.66
    network-object host 72.29.91.67
    network-object host 72.29.91.68
    network-object host 72.29.91.69
    network-object host 72.29.91.70
    network-object host 72.29.91.71
    network-object host 72.29.91.72
    network-object host 72.29.91.73
    network-object host 72.29.91.74
    network-object host 72.29.91.76
    network-object host 72.29.91.75
    network-object host 72.29.91.77
    network-object host 72.29.91.78
    object-group network net3_hosts
    network-object host 72.29.91.98
    network-object host 72.29.91.99
    network-object host 72.29.91.100
    network-object host 72.29.91.101
    network-object host 72.29.91.102
    network-object host 72.29.91.103
    network-object host 72.29.91.104
    network-object host 72.29.91.105
    network-object host 72.29.91.106
    network-object host 72.29.91.107
    network-object host 72.29.91.108
    network-object host 72.29.91.109
    network-object host 72.29.91.110
    object-group network net4_hosts
    network-object host 72.29.91.114
    network-object host 72.29.91.115
    network-object host 72.29.91.116
    network-object host 72.29.91.117
    network-object host 72.29.91.118
    object-group protocol webservices
    protocol-object tcp
    object-group service web_service tcp
    port-object eq ftp
    port-object eq www
    port-object eq https
    object-group service mail_service tcp
    description Allows mail services inbound
    port-object eq smtp
    port-object eq imap4
    port-object eq pop3
    object-group network webhosts
    network-object host 72.29.91.84
    network-object host 72.29.91.82
    network-object host 72.29.91.85
    network-object host 72.29.91.83
    network-object host 72.29.91.86
    network-object host 72.29.91.87
    network-object host 72.29.91.88
    network-object host 72.29.91.89
    network-object host 72.29.91.66
    network-object host 72.29.91.67
    network-object host 72.29.91.68
    network-object host 72.29.91.69
    network-object host 72.29.91.70
    network-object host 72.29.91.71
    network-object host 72.29.91.72
    network-object host 72.29.91.73
    network-object host 72.29.91.77
    network-object host 72.29.91.78
    network-object host 72.29.91.98
    network-object host 72.29.91.99
    network-object host 72.29.91.100
    network-object host 72.29.91.101
    network-object host 72.29.91.102
    network-object host 72.29.91.103
    network-object host 72.29.91.104
    network-object host 72.29.91.105
    network-object host 72.29.91.106
    network-object host 72.29.91.107
    network-object host 72.29.91.108
    network-object host 72.29.91.109
    network-object host 72.29.91.74
    access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
    access-list priv_out_acl permit ip object-group priv_hosts any
    access-list net3_out_acl permit ip object-group net3_hosts any
    access-list net4_out_acl permit ip object-group net4_hosts any
    access-list web_in permit tcp object-group webhosts any object-group web_service
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 72.29.91.125 255.255.255.248
    no ip address inside
    ip address priv 72.29.91.65 255.255.255.240
    ip address reggie 72.29.91.81 255.255.255.240
    ip address net3 72.29.91.97 255.255.255.240
    ip address net4 72.29.91.113 255.255.255.248
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address priv
    no failover ip address reggie
    no failover ip address net3
    no failover ip address net4
    pdm history enable
    arp timeout 14400
    nat (priv) 0 access-list priv_out_acl
    nat (reggie) 0 access-list reggie_out_acl
    nat (net3) 0 access-list net3_out_acl
    nat (net4) 0 access-list net4_out_acl
    access-group web_in in interface priv
    access-group web_in in interface reggie
    access-group web_in in interface net3
    access-group web_in in interface net4
    timeout xlate 3:00:00
     
    tartar813, Mar 16, 2006
    #9
  10. tartar813

    tartar813 Guest

    access-list web_in permit tcp object-group webhosts any object-group web_service

    With this, do I need to apply it to an interface? Or is it implied
    since I said any?
     
    tartar813, Mar 16, 2006
    #10
  11. tartar813

    tartar813 Guest

    Think I got it: only one access-group per interface, so this is what I
    came up with.

    Any analysis would be greatly appreciated.

    Thanks

    :
    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet1 vlan35 physical
    interface ethernet1 vlan20 logical
    interface ethernet1 vlan21 logical
    interface ethernet1 vlan22 logical
    interface ethernet1 vlan23 logical
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif vlan20 priv security96
    nameif vlan21 reggie security99
    nameif vlan22 net3 security98
    nameif vlan23 net4 security97
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname dimepix1
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group network REGGIE_STATIC_HOSTS
    network-object host 72.29.91.82
    network-object host 72.29.91.83
    network-object host 72.29.91.84
    network-object host 72.29.91.85
    network-object host 72.29.91.86
    network-object host 72.29.91.87
    network-object host 72.29.91.88
    network-object host 72.29.91.89
    network-object host 72.29.91.90
    object-group network priv_hosts
    network-object host 72.29.91.66
    network-object host 72.29.91.67
    network-object host 72.29.91.68
    network-object host 72.29.91.69
    network-object host 72.29.91.70
    network-object host 72.29.91.71
    network-object host 72.29.91.72
    network-object host 72.29.91.73
    network-object host 72.29.91.74
    network-object host 72.29.91.76
    network-object host 72.29.91.75
    network-object host 72.29.91.77
    network-object host 72.29.91.78
    object-group network net3_hosts
    network-object host 72.29.91.98
    network-object host 72.29.91.99
    network-object host 72.29.91.100
    network-object host 72.29.91.101
    network-object host 72.29.91.102
    network-object host 72.29.91.103
    network-object host 72.29.91.104
    network-object host 72.29.91.105
    network-object host 72.29.91.106
    network-object host 72.29.91.107
    network-object host 72.29.91.108
    network-object host 72.29.91.109
    network-object host 72.29.91.110
    object-group network net4_hosts
    network-object host 72.29.91.114
    network-object host 72.29.91.115
    network-object host 72.29.91.116
    network-object host 72.29.91.117
    network-object host 72.29.91.118
    object-group protocol webservices
    protocol-object tcp
    object-group service web_service tcp
    port-object eq ftp
    port-object eq www
    port-object eq https
    object-group service mail_service tcp
    description Allows mail services inbound
    port-object eq smtp
    port-object eq imap4
    port-object eq pop3
    object-group network webhosts
    network-object host 72.29.91.84
    network-object host 72.29.91.82
    network-object host 72.29.91.85
    network-object host 72.29.91.83
    network-object host 72.29.91.86
    network-object host 72.29.91.87
    network-object host 72.29.91.88
    network-object host 72.29.91.89
    network-object host 72.29.91.66
    network-object host 72.29.91.67
    network-object host 72.29.91.68
    network-object host 72.29.91.69
    network-object host 72.29.91.70
    network-object host 72.29.91.71
    network-object host 72.29.91.72
    network-object host 72.29.91.73
    network-object host 72.29.91.77
    network-object host 72.29.91.78
    network-object host 72.29.91.98
    network-object host 72.29.91.99
    network-object host 72.29.91.100
    network-object host 72.29.91.101
    network-object host 72.29.91.102
    network-object host 72.29.91.103
    network-object host 72.29.91.104
    network-object host 72.29.91.105
    network-object host 72.29.91.106
    network-object host 72.29.91.107
    network-object host 72.29.91.108
    network-object host 72.29.91.109
    network-object host 72.29.91.74
    object-group network mailhosts
    network-object host 72.29.91.83
    network-object host 72.29.91.66
    network-object host 72.29.91.99
    network-object host 72.29.91.114
    network-object host 72.29.91.115
    object-group network rdp_hosts
    network-object host 72.29.91.84
    network-object host 72.29.91.82
    network-object host 72.29.91.83
    network-object host 72.29.91.85
    network-object host 72.29.91.66
    network-object host 72.29.91.69
    network-object host 72.29.91.107
    network-object host 72.29.91.108
    network-object host 72.29.91.109
    object-group network dnshosts
    network-object host 72.29.91.82
    network-object host 72.29.91.83
    network-object host 72.29.91.73
    network-object host 72.29.91.76
    network-object host 72.29.91.98
    network-object host 72.29.91.99
    network-object host 72.29.91.114
    network-object host 72.29.91.115
    access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
    access-list priv_out_acl permit ip object-group priv_hosts any
    access-list net3_out_acl permit ip object-group net3_hosts any
    access-list net4_out_acl permit ip object-group net4_hosts any
    access-list acl_in permit tcp object-group webhosts any object-group web_service
    access-list acl_in permit tcp object-group mailhosts any object-group mail_service
    access-list acl_in permit tcp object-group rdp_hosts any eq 3389
    access-list acl_in permit tcp object-group dnshosts any eq domain
    access-list acl_in permit udp object-group dnshosts any eq domain
    access-list acl_in permit tcp host 72.29.91.83 any eq 7099
    access-list acl_in permit tcp host 72.29.91.82 any eq 8888
    access-list acl_in permit icmp any any
    access-list acl_in permit tcp host 72.29.91.66 any eq 81
    access-list acl_in permit tcp host 72.29.91.66 any range 7000 7500
    access-list acl_in permit tcp host 72.29.91.107 any range 7000 7500
    access-list acl_in permit tcp host 72.29.91.114 any eq ssh
    access-list acl_in permit tcp host 72.29.91.114 any eq 993
    access-list acl_in permit tcp host 72.29.91.114 any eq 995
    access-list acl_in permit tcp host 72.29.91.76 any eq 9080
    access-list acl_in permit tcp host 72.29.91.76 host 64.3.246.250 eq 1090
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 72.29.91.125 255.255.255.248
    no ip address inside
    ip address priv 72.29.91.65 255.255.255.240
    ip address reggie 72.29.91.81 255.255.255.240
    ip address net3 72.29.91.97 255.255.255.240
    ip address net4 72.29.91.113 255.255.255.248
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address priv
    no failover ip address reggie
    no failover ip address net3
    no failover ip address net4
    pdm history enable
    arp timeout 14400
    nat (priv) 0 access-list priv_out_acl
    nat (reggie) 0 access-list reggie_out_acl
    nat (net3) 0 access-list net3_out_acl
    nat (net4) 0 access-list net4_out_acl
    access-group acl_in in interface outside
    access-group priv_out_acl in interface priv
    access-group reggie_out_acl in interface reggie
    access-group net3_out_acl in interface net3
    access-group net4_out_acl in interface net4
    route outside 0.0.0.0 0.0.0.0 72.29.91.126 1
     
    tartar813, Mar 16, 2006
    #11
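Posts #9 to #11 turn on three PIX 6.3 rules that are easy to get wrong when a config has grown to this many object-groups: `access-group` binds exactly one ACL per interface (inbound only on 6.3, a second binding replaces the first); `access-list NAME permit PROTO SOURCE DEST` lists the source before the destination, so a line meant to admit Internet clients to a server must put the server in the destination field; and a packet arriving on the outside interface for an inside host needs a translation, here the `nat (if) 0 access-list` exemption whose source set must include that host. The linter below is an added example, not the poster's code or anything from Cisco: it parses the subset of syntax used in the thread (`nameif`, `ip address`, network object-groups, `access-list`, `access-group`, `nat ... 0 access-list`) and reports violations of those three rules plus ACL names that are bound but never defined. The embedded config is a constructed excerpt modelled on the thread's, with deliberate mistakes planted so that each check fires; the function and key names are my own.

```python
"""Lint PIX 6.3-style ACL / NAT-exemption consistency (added example, not from the thread)."""
import ipaddress
from collections import defaultdict

# Constructed excerpt modelled on the thread's config, with mistakes planted to trip each check.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif vlan20 priv security96
nameif vlan21 reggie security99
ip address outside 72.29.91.125 255.255.255.248
ip address priv 72.29.91.65 255.255.255.240
ip address reggie 72.29.91.81 255.255.255.240
object-group network REGGIE_STATIC_HOSTS
 network-object host 72.29.91.82
 network-object host 72.29.91.83
object-group network priv_hosts
 network-object host 72.29.91.66
object-group network webhosts
 network-object host 72.29.91.82
 network-object host 72.29.91.66
 network-object host 72.29.91.70
access-list reggie_out_acl permit ip object-group REGGIE_STATIC_HOSTS any
access-list priv_out_acl permit ip object-group priv_hosts any
access-list acl_in permit tcp any object-group webhosts eq www
access-list acl_in permit tcp object-group webhosts any eq www
access-list acl_in permit tcp any host 72.29.91.83 eq 7099
nat (priv) 0 access-list priv_out_acl
nat (reggie) 0 access-list reggie_out_acl
access-group acl_in in interface outside
access-group priv_out_acl in interface priv
access-group reggie_out_acl in interface reggie
access-group web_in in interface reggie
"""


def _addr(t, i):
    """Consume one address specifier at t[i]: any | host A | object-group G | A MASK."""
    if t[i] == "any":
        return ("any", None), i + 1
    if t[i] in ("host", "object-group"):
        return (t[i], t[i + 1]), i + 2
    return ("net", ipaddress.ip_interface(f"{t[i]}/{t[i + 1]}").network), i + 2


def parse(text):
    """Collect interfaces, network object-groups, ACLs, access-groups and nat 0 bindings."""
    cfg = {"seclevel": {}, "ifaddr": {}, "groups": defaultdict(set),
           "acls": defaultdict(list), "bound": defaultdict(list), "nat0": {}}
    group = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":
            cfg["seclevel"][t[2]] = int(t[3][len("security"):])
        elif t[:2] == ["ip", "address"]:
            cfg["ifaddr"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}").network
        elif t[0] == "object-group":
            group = t[2] if t[1] == "network" else None  # service/protocol groups are ignored
        elif t[:2] == ["network-object", "host"] and group:
            cfg["groups"][group].add(t[2])
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            cfg["acls"][t[1]].append((t[2], t[3], src, dst))  # (action, proto, src, dst)
        elif t[0] == "access-group":  # access-group ACL in interface IF
            cfg["bound"][t[4]].append(t[1])
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"][t[1].strip("()")] = t[4]
    return cfg


def hosts_of(cfg, spec):
    """Explicit host addresses a specifier names; None means 'everything'."""
    kind, val = spec
    if kind == "any" or (kind == "net" and val.prefixlen < 16):
        return None
    if kind == "host":
        return {ipaddress.ip_address(val)}
    if kind == "object-group":
        return {ipaddress.ip_address(h) for h in cfg["groups"].get(val, ())}
    return set(val.hosts())


def outside_if(cfg):
    """The lowest-security interface is where Internet traffic enters."""
    return min(cfg["seclevel"], key=cfg["seclevel"].get)


def inside_if_for(cfg, addr):
    """Inside interface whose connected subnet contains addr, else None."""
    out = outside_if(cfg)
    return next((i for i, n in cfg["ifaddr"].items() if i != out and addr in n), None)


def duplicate_access_groups(cfg):
    """Interfaces given more than one access-group: the PIX keeps only one per interface."""
    return {i: a for i, a in cfg["bound"].items() if len(a) > 1}


def undefined_acls(cfg):
    """ACL names referenced by access-group or nat 0 but never defined."""
    used = {a for acls in cfg["bound"].values() for a in acls} | set(cfg["nat0"].values())
    return sorted(used - set(cfg["acls"]))


def _inbound_permits(cfg):
    for acl in cfg["bound"].get(outside_if(cfg), []):
        for action, proto, src, dst in cfg["acls"].get(acl, []):
            if action == "permit":
                yield acl, proto, src, dst


def inbound_lines_with_inside_source(cfg):
    """Inbound permits whose SOURCE field is an inside host (syntax is 'permit PROTO SRC DST')."""
    return sorted({(acl, proto, str(h)) for acl, proto, src, _ in _inbound_permits(cfg)
                   for h in hosts_of(cfg, src) or () if inside_if_for(cfg, h)})


def inbound_dests_without_nat_exemption(cfg):
    """Inbound destination hosts not covered by 'nat (if) 0 access-list' on their interface."""
    missing = set()
    for _, _, _, dst in _inbound_permits(cfg):
        for h in hosts_of(cfg, dst) or ():
            ifname = inside_if_for(cfg, h)
            if ifname is None:
                continue  # not on a connected inside subnet; out of scope here
            exempt = set()
            for _a, _p, s, _d in cfg["acls"].get(cfg["nat0"].get(ifname), []):
                hs = hosts_of(cfg, s)
                exempt = None if hs is None or exempt is None else exempt | hs
            if exempt is not None and h not in exempt:
                missing.add((ifname, str(h)))
    return sorted(missing)


def lint(text):
    cfg = parse(text)
    return {"duplicate_access_groups": duplicate_access_groups(cfg),
            "undefined_acls": undefined_acls(cfg),
            "inside_source_inbound": inbound_lines_with_inside_source(cfg),
            "no_nat_exemption": inbound_dests_without_nat_exemption(cfg)}


if __name__ == "__main__":
    for check, result in lint(SAMPLE_CONFIG).items():
        print(f"{check}: {result}")
```

Run it against a `show run` capture instead of `SAMPLE_CONFIG` to get the same four findings for a real box. The NAT-exemption check treats a `nat 0` ACL with an `any` source as exempting every host, and it ignores destinations that are not on a directly connected inside subnet, since those would be served by `static` entries this linter does not parse.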