PIX 520 - Static issue

Discussion in 'Cisco' started by Stan, Oct 27, 2005.

  1. Stan

    Configuration is posted below. The problem that I am having is that it
    seems that with my static entries those hosts are available to be
    scanned completely from the outside world. I am pretty sure it has to
    do with these few lines.

    access-list hosting_in permit icmp any any
    access-list hosting_in permit icmp any any echo
    access-list hosting_in permit icmp any any echo-reply
    access-list hosting_in permit tcp any any
    access-list hosting_in permit udp any any

But the only way I could allow the inside hosts to go out was by using
them.

    : Written by enable_15 at 00:18:23.714 UTC Thu Oct 27 2005
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 100basetx
    interface ethernet3 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 hosting security50
    nameif ethernet3 intf3 security6
    passwd 2KFQnbNIdI.2KYOU encrypted
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list hosting_in permit tcp any host 38.XXX.XX.11 eq domain
    access-list hosting_in permit udp any host 38.XXX.XX.11 eq domain
    access-list hosting_in permit udp any host 38.XXX.XX.12 eq domain
    access-list hosting_in permit tcp any host 38.XXX.XX.12 eq domain
    access-list hosting_in permit tcp any host 38.XXX.XX.14 eq https
    access-list hosting_in permit icmp any any
    access-list hosting_in permit icmp any any echo
    access-list hosting_in permit icmp any any echo-reply
    access-list hosting_in permit tcp any any
    access-list hosting_in permit udp any any
    access-list hosting_in permit tcp any host 38.XXX.XX.14 eq smtp
    access-list hosting_in permit tcp any host 38.XXX.XX.14 eq pop3
    access-list hosting_in permit tcp any host 38.XXX.XX.14 eq 3101
    access-list hosting_in permit udp any host 38.XXX.XX.14 eq 3101
    access-list hosting_in permit tcp any host 38.XXX.XX.37 eq smtp
    access-list hosting_in permit tcp any host 38.XXX.XX.37 eq pop3
    access-list hosting_in permit tcp any host 38.XXX.XX.37 eq imap4
    access-list hosting_in permit tcp any host 38.XXX.XX.37 eq 366
    access-list hosting_in permit tcp any host 38.XXX.XX.36 eq www
    access-list hosting_in deny tcp any any range 135 netbios-ssn
    access-list hosting_in deny udp any any range 135 139
    access-list inside_out permit tcp any any
    access-list inside_out permit icmp any any
    access-list inside_out permit udp any any
    access-list inside_in permit tcp any host 38.XXX.XX.13 eq smtp
    access-list inside_in permit tcp any host 38.XXX.XX.13 eq 3101
    access-list inside_in permit tcp any host 38.XXX.XX.13 eq pop3
    access-list inside_in permit tcp any host 38.XXX.XX.13 eq 3389
    access-list inside_in permit tcp any host 38.XXX.XX.13 eq www
    access-list inside_in permit tcp any any
    access-list inside_in permit icmp any any
    access-list inside_in permit udp any any
    access-list inside_in permit tcp any host 38.XXX.XX.33 eq 5900
    access-list inside_in permit tcp any host 38.XXX.XX.13 eq 8000
    access-list inside_in permit tcp any host 38.XXX.XX.13 eq 8010
    access-list inside_in permit tcp any host 38.XXX.XX.13 eq 8443
    pager lines 24
    logging on
    logging trap debugging
    logging history debugging
    mtu outside 1500
    mtu inside 1500
    mtu hosting 1500
    mtu intf3 1500
    ip address outside 38.XXX.XX.10 255.0.0.0
    ip address inside 192.168.0.1 255.255.255.0
    ip address hosting 192.168.1.1 255.255.255.0
    no ip address intf3
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address hosting
    no failover ip address intf3
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (hosting) 1 interface
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (hosting) 1 192.168.1.0 255.255.255.0 0 0
    nat (hosting) 1 0.0.0.0 0.0.0.0 0 0
    nat (intf3) 1 0.0.0.0 0.0.0.0 0 0
    alias (hosting) 192.168.1.20 38.XXX.XX.14 255.255.255.255
    static (hosting,outside) 38.XXX.XX.11 192.168.1.11 netmask 255.255.255.255 0 0
    static (hosting,outside) 38.XXX.XX.12 192.168.1.12 netmask 255.255.255.255 0 0
    static (hosting,outside) 38.XXX.XX.14 192.168.1.20 netmask 255.255.255.255 0 0
    static (inside,outside) 38.XXX.XX.13 192.168.0.10 netmask 255.255.255.255 0 0
    static (inside,outside) 38.XXX.XX.33 192.168.0.101 netmask 255.255.255.255 0 0
    static (hosting,outside) 38.XXX.XX.36 192.168.1.36 netmask 255.255.255.255 0 0
    static (hosting,outside) 38.XXX.XX.37 192.168.1.37 netmask 255.255.255.255 0 0
    access-group inside_out in interface outside
    access-group inside_in in interface inside
    access-group hosting_in in interface hosting
    route outside 0.0.0.0 0.0.0.0 38.XXX.XX.9 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    Stan, Oct 27, 2005
    #1

  2. In article <>,
    Stan <> wrote:
    :Configuration is posted below. The problem that I am having is that it
    :seems that with my static entries those hosts are available to be
    :scanned completely from the outside world. I am pretty sure it has to
    :do with these few lines.

    :access-list hosting_in permit icmp any any

    No, the problem is that your other two access lists are applied to the wrong
    interfaces.
    --
    Chocolate is "more than a food but less than a drug" -- RJ Huxtable
    Walter Roberson, Oct 27, 2005
    #2
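To see what Walter's reply is pointing at, here is an added audit script (not part of the thread, and not a Cisco tool) that parses a constructed excerpt of the posted PIX 6.3 config and reports two things: an access-list bound inbound on the outside interface that contains `permit <proto> any any` (which opens every static-mapped host to the Internet, the symptom Stan describes), and deny entries that can never match because an earlier `permit ... any any` in the same first-match list already covers them. The interface names, the IP masking and the line formats are taken from the config as posted.

```python
import re

# Constructed excerpt of the config posted in the thread (addresses masked as posted).
PIX_CONFIG = """\
access-list hosting_in permit tcp any host 38.XXX.XX.11 eq domain
access-list hosting_in permit tcp any any
access-list hosting_in permit udp any any
access-list hosting_in deny tcp any any range 135 netbios-ssn
access-list inside_out permit tcp any any
access-list inside_out permit icmp any any
access-list inside_out permit udp any any
static (hosting,outside) 38.XXX.XX.11 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 38.XXX.XX.13 192.168.0.10 netmask 255.255.255.255 0 0
access-group inside_out in interface outside
access-group hosting_in in interface hosting
"""

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask")

def parse(config):
    """Collect ACL entries (in order), access-group bindings and static NATs."""
    acls, groups, statics = {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := GROUP_RE.match(line):
            groups[m[2]] = m[1]          # interface -> ACL applied inbound on it
        elif m := STATIC_RE.match(line):
            statics.append((m[1], m[2], m[3], m[4]))  # (real_if, mapped_if, global, local)
    return acls, groups, statics

def audit(config):
    """Return human-readable findings; an empty list means nothing flagged."""
    acls, groups, statics = parse(config)
    findings = []
    exposed = [glob for _, mapped_if, glob, _ in statics if mapped_if == "outside"]
    for iface, name in groups.items():
        wide_open = [p for a, p, rest in acls.get(name, []) if a == "permit" and rest == "any any"]
        if iface == "outside" and wide_open:   # untrusted side: any-any inbound is the bug
            findings.append(f"{name} on outside permits {'/'.join(wide_open)} any any: "
                            f"exposes {', '.join(exposed)}")
    for name, rules in acls.items():           # PIX ACLs are first-match: check shadowing
        seen = set()
        for a, p, rest in rules:
            if a == "deny" and p in seen:
                findings.append(f"{name}: 'deny {p} {rest}' is shadowed by earlier 'permit {p} any any'")
            if a == "permit" and rest == "any any":
                seen.add(p)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(PIX_CONFIG)))
```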
