PIX NIX : A simple static and access-list (below) seems to have prevented ANY access through the PIX

Discussion in 'Cisco' started by J Bard, Jan 10, 2004.

  1. J Bard

    J Bard Guest

    A simple static and access-list (below) seems to have prevented ANY access
    through the PIX to the web.



    access-list out2in permit icmp any any echo-reply
    access-list out2in permit tcp any any eq www

    static (DMZ,outside) 1xx.21x.99.142 192.168.2.33 netmask 255.255.255.255 0 0



    I was playing with these to get a web server visible from the outside; this
    always failed; logs showed connections made, but timeouts occurring prior to
    the web page being served.

    Much more troubling is that ,twice, we lost connection to the internet via
    the PIX. Rebooting to a prior clean flash worked once; the other time I
    saved my work to flash , and had to , simply, delete these settings and
    reboot to get back on the web.

    Typical failures were:

    305006: portmap translation creation failed for udp src inside:192.168.0.41/1569 dst outside:198.6.1.122/53





    HELP!!!

    The current settings are:



    sh run
    : Saved
    :
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet1 vlan2 logical
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif vlan2 DMZ security50
    enable password RKu3p1CF3TrlG1v9 encrypted
    passwd FRou7zzj.tp5/Po3 encrypted
    hostname atcentralfw
    domain-name atcentral
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list out2in permit icmp any any echo-reply
    access-list out2in permit tcp any any eq www
    access-list inside_outbound_nat0_acl permit ip any 192.168.0.192 255.255.255.192
    pager lines 24
    logging on
    logging timestamp
    logging console informational
    logging buffered informational
    logging host inside 192.168.0.33
    mtu outside 1500
    mtu inside 1500
    ip address outside 111.111.111.11 255.255.255.252
    ip address inside 192.168.0.2 255.255.255.0
    ip address DMZ 192.168.2.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool b11111p1ort 192.168.0.200-192.168.0.230
    pdm location 192.168.0.31 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 1xx.21x.9x.141 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication include http DMZ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
    http server enable
    http 192.168.0.31 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-pptp
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 33
    ssh timeout 5
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication chap
    vpdn group PPTP-VPDN-GROUP client configuration address local boxxxxxport
    vpdn group PPTP-VPDN-GROUP client configuration dns xxx.17.6x.2 2x6.4x.101.15
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username xlxxx password *********
    vpdn enable outside
    username art1 password F/IZF.kOBNKpyTM1 encrypted privilege 2
    username robert password wqEpZlHyXB1vk/uT encrypted privilege 2
    terminal width 80
     
    J Bard, Jan 10, 2004
    #1

  2. Have you tried applying your out2in ACL to your outside interface? This
    should permit users to access your DMZ; not sure about why your LAN does not
    have Internet access.

    Claude

    "J Bard" <> wrote in message
    news:...
    >
    >
    >
    > A simple static and access-list (below) seems to have prevented ANY access
    > through the PIX to the web.
    >
    >
    >
    > access-list out2in permit icmp any any echo-reply
    >
    > access-list out2in permit tcp any any eq www
    >
    >
    >
    > static (DMZ,outside) 1xx.21x.99.142 192.168.2.33 netmask 255.255.255.255 0 0
    >
    >
    >
    > I was playing with these to get a web server visible from the outside; this
    > always failed; logs showed connections made, but timeouts occurring prior to
    > the web page being served.
    >
    > Much more troubling is that ,twice, we lost connection to the internet via
    > the PIX. Rebooting to a prior clean flash worked once; the other time I
    > saved my work to flash , and had to , simply, delete these settings and
    > reboot to get back on the web.
    >
    > Typical failures were :
    >
    > 305006: portmap translation creation failed for udp src inside:192.168.0.41/1569 dst outside:198.6.1.122/53
    >
    >
    >
    >
    >
    > HELP!!!
    >
    > The current settings are:
    >
    >
    >
    > sh run
    >
    > : Saved
    >
    > :
    >
    > PIX Version 6.3(1)
    >
    > interface ethernet0 auto
    >
    > interface ethernet1 auto
    >
    > interface ethernet1 vlan2 logical
    >
    > nameif ethernet0 outside security0
    >
    > nameif ethernet1 inside security100
    >
    > nameif vlan2 DMZ security50
    >
    > enable password RKu3p1CF3TrlG1v9 encrypted
    >
    > passwd FRou7zzj.tp5/Po3 encrypted
    >
    > hostname atcentralfw
    >
    > domain-name atcentral
    >
    > fixup protocol ftp 21
    >
    > fixup protocol h323 h225 1720
    >
    > fixup protocol h323 ras 1718-1719
    >
    > fixup protocol http 80
    >
    > fixup protocol ils 389
    >
    > fixup protocol rsh 514
    >
    > fixup protocol rtsp 554
    >
    > fixup protocol sip 5060
    >
    > fixup protocol sip udp 5060
    >
    > fixup protocol skinny 2000
    >
    > fixup protocol smtp 25
    >
    > fixup protocol sqlnet 1521
    >
    > names
    >
    > access-list out2in permit icmp any any echo-reply
    >
    > access-list out2in permit tcp any any eq www
    >
    > access-list inside_outbound_nat0_acl permit ip any 192.168.0.192
    > 255.255.255.192
    >
    >
    >
    > pager lines 24
    >
    > logging on
    >
    > logging timestamp
    >
    > logging console informational
    >
    > logging buffered informational
    >
    > logging host inside 192.168.0.33
    >
    > mtu outside 1500
    >
    > mtu inside 1500
    >
    > ip address outside 111.111.111.11 255.255.255.252
    >
    > ip address inside 192.168.0.2 255.255.255.0
    >
    > ip address DMZ 192.168.2.1 255.255.255.0
    >
    > ip audit info action alarm
    >
    > ip audit attack action alarm
    >
    > ip local pool b11111p1ort 192.168.0.200-192.168.0.230
    >
    > pdm location 192.168.0.31 255.255.255.255 inside
    >
    > pdm history enable
    >
    > arp timeout 14400
    >
    > global (outside) 1 interface
    >
    > nat (inside) 0 access-list inside_outbound_nat0_acl
    >
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    >
    > route outside 0.0.0.0 0.0.0.0 1xx.21x.9x.141 1
    >
    > timeout xlate 3:00:00
    >
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    > 1:00:00
    >
    > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    >
    > timeout uauth 0:05:00 absolute
    >
    > aaa-server TACACS+ protocol tacacs+
    >
    > aaa-server RADIUS protocol radius
    >
    > aaa-server LOCAL protocol local
    >
    > aaa authentication include http DMZ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
    >
    > http server enable
    >
    > http 192.168.0.31 255.255.255.255 inside
    >
    > no snmp-server location
    >
    > no snmp-server contact
    >
    > snmp-server community public
    >
    > no snmp-server enable traps
    >
    > floodguard enable
    >
    > sysopt connection permit-pptp
    >
    > telnet 0.0.0.0 0.0.0.0 inside
    >
    > telnet timeout 33
    >
    > ssh timeout 5
    >
    > console timeout 0
    >
    > vpdn group PPTP-VPDN-GROUP accept dialin pptp
    >
    > vpdn group PPTP-VPDN-GROUP ppp authentication chap
    >
    > vpdn group PPTP-VPDN-GROUP client configuration address local boxxxxxport
    >
    > vpdn group PPTP-VPDN-GROUP client configuration dns xxx.17.6x.2
    > 2x6.4x.101.15
    >
    > vpdn group PPTP-VPDN-GROUP pptp echo 60
    >
    > vpdn group PPTP-VPDN-GROUP client authentication local
    >
    > vpdn username xlxxx password *********
    >
    > vpdn enable outside
    >
    > username art1 password F/IZF.kOBNKpyTM1 encrypted privilege 2
    >
    > username robert password wqEpZlHyXB1vk/uT encrypted privilege 2
    >
    > terminal width 80
    >
     
    Claude LeFort, Jan 10, 2004
    #2
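An added example, not part of this thread or of any poster's reply: a small Python lint for the two points the thread turns on. The posted "sh run" contains no access-group line, so the out2in ACL is never bound to the outside interface (Claude's question above), and the 305006 messages record PAT translations failing for an inside host's DNS query, which is exactly what losing "ANY access through the PIX to the web" looks like in the log. The post obfuscates the outside address, but with the outside interface on a /30 and the default route via .141, the static's mapped address .142 is very likely the PIX's own outside address, i.e. the one address that `global (outside) 1 interface` needs for PAT; a one-to-one static claiming that address leaves nothing for outbound PAT, which fits both the DMZ server never answering and the LAN losing the Internet. The script parses a constructed config modelled on the post (outside address replaced by a documentation-range placeholder), flags both problems, and parses constructed 305006 log lines in the PIX 6.x format. All function names are the example's own.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample config (example's own, modelled on the 'sh run' in this thread).
# The outside address is a documentation-range placeholder because the post obfuscates it;
# what matters is that the static's mapped address equals the outside interface address.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 DMZ security50
access-list out2in permit icmp any any echo-reply
access-list out2in permit tcp any any eq www
access-list inside_outbound_nat0_acl permit ip any 192.168.0.192 255.255.255.192
ip address outside 198.51.100.142 255.255.255.252
ip address inside 192.168.0.2 255.255.255.0
ip address DMZ 192.168.2.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) 198.51.100.142 192.168.2.33 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 198.51.100.141 1
"""

# Constructed syslog lines in PIX 6.x format; the first is the 305006 message from the post.
SAMPLE_LOG = [
    "%PIX-3-305006: portmap translation creation failed for udp src inside:192.168.0.41/1569 dst outside:198.6.1.122/53",
    "%PIX-3-305006: portmap translation creation failed for tcp src inside:192.168.0.41/3201 dst outside:203.0.113.10/80",
    "%PIX-6-302013: Built inbound TCP connection 12 for outside:203.0.113.7/4433 (203.0.113.7/4433) to DMZ:192.168.2.33/80 (198.51.100.142/80)",
]


def parse_config(text):
    """Extract only the statements the lint needs from a PIX 6.x running config."""
    cfg = {"interfaces": {}, "globals": [], "statics": [], "acls": set(),
           "access_groups": set(), "nat_acls": set()}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[:2] == ["ip", "address"] and len(p) >= 4:
            cfg["interfaces"][p[2]] = IPv4Address(p[3])
        elif p[0] == "global":                      # global (outside) 1 interface|A.B.C.D
            cfg["globals"].append((p[1].strip("()"), p[2], p[3]))
        elif p[0] == "static":
            real_if, mapped_if = p[1].strip("()").split(",")
            if p[2] in ("tcp", "udp"):              # port redirection shares the address with PAT
                continue
            cfg["statics"].append((real_if, mapped_if, p[2], p[3]))
        elif p[0] == "access-list":
            cfg["acls"].add(p[1])
        elif p[0] == "access-group":
            cfg["access_groups"].add(p[1])
        elif p[0] == "nat" and "access-list" in p:  # nat (inside) 0 access-list NAME
            cfg["nat_acls"].add(p[p.index("access-list") + 1])
    return cfg


def lint_config(cfg):
    """Return human-readable findings for the two problems discussed in the thread."""
    findings = []
    # 1. A one-to-one static that claims the address interface PAT depends on.
    for gif, gid, gaddr in cfg["globals"]:
        pat_addr = cfg["interfaces"].get(gif) if gaddr == "interface" else IPv4Address(gaddr)
        for real_if, mapped_if, mapped, real in cfg["statics"]:
            mapped_ip = cfg["interfaces"].get(mapped_if) if mapped == "interface" else IPv4Address(mapped)
            if mapped_if == gif and mapped_ip == pat_addr:
                findings.append(
                    f"static ({real_if},{mapped_if}) {mapped} {real} claims the address used for "
                    f"PAT by 'global ({gif}) {gid}'; outbound PAT for nat id {gid} will fail (305006)")
    # 2. ACLs that are defined but neither bound with access-group nor used by nat 0.
    for name in sorted(cfg["acls"] - cfg["access_groups"] - cfg["nat_acls"]):
        findings.append(f"access-list {name} is defined but never bound; add "
                        f"'access-group {name} in interface <ifname>'")
    return findings


LOG_305006 = re.compile(
    r"%PIX-\d-305006: portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")


def parse_305006(line):
    """Return the fields of a 305006 portmap failure, or None for any other message."""
    m = LOG_305006.search(line)
    return m.groupdict() if m else None


def pat_failure_summary(lines):
    """Count PAT failures per (src_if, dst_if, proto, dst_port); port 53 hits mean the LAN cannot even resolve names."""
    counts = Counter()
    for line in lines:
        ev = parse_305006(line)
        if ev:
            counts[(ev["src_if"], ev["dst_if"], ev["proto"], int(ev["dst_port"]))] += 1
    return counts


if __name__ == "__main__":
    for finding in lint_config(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
    for key, n in pat_failure_summary(SAMPLE_LOG).items():
        print("PAT failures", key, n)
```

The lint deliberately skips `static ... tcp|udp ...` entries: on PIX 6.2/6.3 the supported way to publish a single DMZ port on the outside interface's own address is port redirection of that form (for example `static (DMZ,outside) tcp interface www 192.168.2.33 www netmask 255.255.255.255`), which coexists with interface PAT, and the ACL still has to be bound with `access-group out2in in interface outside` before any of its permit lines take effect.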

  3. J Bard

    J Bard Guest

    Claude:

    Sorry I wasn't more clear; (was very tired and got in late from the
    client) those settings were applied on the outside interface when we
    couldn't reach the web; the config below is what we were running but for the
    access list and the static command. From what I went through, twice, with
    those commands (and two variations of each) the pix would simply not
    connect to the web. This is my first PIX and it has me worried ... am I
    missing something obvious or is this PIX a problem? How often does one get
    a lemon?



    "Claude LeFort" <> wrote in message
    news:BPSLb.56173$...
    > Have you tried applying your out2in ACL to your outside interface? this
    > should permit users to access your DMZ, not sure about why your LAN does not
    > have Internet access.
    >
    > Claude
    >
    > "J Bard" <> wrote in message
    > news:...
    > >
    > >
    > >
    > > A simple static and access-list (below) seems to have prevented ANY access
    > > through the PIX to the web.
    > >
    > >
    > >
    > > access-list out2in permit icmp any any echo-reply
    > >
    > > access-list out2in permit tcp any any eq www
    > >
    > >
    > >
    > > static (DMZ,outside) 1xx.21x.99.142 192.168.2.33 netmask 255.255.255.255 0 0
    > >
    > >
    > >
    > > I was playing with these to get a web server visible from the outside; this
    > > always failed; logs showed connections made, but timeouts occurring prior to
    > > the web page being served.
    > >
    > > Much more troubling is that ,twice, we lost connection to the internet via
    > > the PIX. Rebooting to a prior clean flash worked once; the other time I
    > > saved my work to flash , and had to , simply, delete these settings and
    > > reboot to get back on the web.
    > >
    > > Typical failures were :
    > >
    > > 305006: portmap translation creation failed for udp src inside:192.168.0.41/1569 dst outside:198.6.1.122/53
    > >
    > >
    > >
    > >
    > >
    > > HELP!!!
    > >
    > > The current settings are:
    > >
    > >
    > >
    > > sh run
    > >
    > > : Saved
    > >
    > > :
    > >
    > > PIX Version 6.3(1)
    > >
    > > interface ethernet0 auto
    > >
    > > interface ethernet1 auto
    > >
    > > interface ethernet1 vlan2 logical
    > >
    > > nameif ethernet0 outside security0
    > >
    > > nameif ethernet1 inside security100
    > >
    > > nameif vlan2 DMZ security50
    > >
    > > enable password RKu3p1CF3TrlG1v9 encrypted
    > >
    > > passwd FRou7zzj.tp5/Po3 encrypted
    > >
    > > hostname atcentralfw
    > >
    > > domain-name atcentral
    > >
    > > fixup protocol ftp 21
    > >
    > > fixup protocol h323 h225 1720
    > >
    > > fixup protocol h323 ras 1718-1719
    > >
    > > fixup protocol http 80
    > >
    > > fixup protocol ils 389
    > >
    > > fixup protocol rsh 514
    > >
    > > fixup protocol rtsp 554
    > >
    > > fixup protocol sip 5060
    > >
    > > fixup protocol sip udp 5060
    > >
    > > fixup protocol skinny 2000
    > >
    > > fixup protocol smtp 25
    > >
    > > fixup protocol sqlnet 1521
    > >
    > > names
    > >
    > > access-list out2in permit icmp any any echo-reply
    > >
    > > access-list out2in permit tcp any any eq www
    > >
    > > access-list inside_outbound_nat0_acl permit ip any 192.168.0.192
    > > 255.255.255.192
    > >
    > >
    > >
    > > pager lines 24
    > >
    > > logging on
    > >
    > > logging timestamp
    > >
    > > logging console informational
    > >
    > > logging buffered informational
    > >
    > > logging host inside 192.168.0.33
    > >
    > > mtu outside 1500
    > >
    > > mtu inside 1500
    > >
    > > ip address outside 111.111.111.11 255.255.255.252
    > >
    > > ip address inside 192.168.0.2 255.255.255.0
    > >
    > > ip address DMZ 192.168.2.1 255.255.255.0
    > >
    > > ip audit info action alarm
    > >
    > > ip audit attack action alarm
    > >
    > > ip local pool b11111p1ort 192.168.0.200-192.168.0.230
    > >
    > > pdm location 192.168.0.31 255.255.255.255 inside
    > >
    > > pdm history enable
    > >
    > > arp timeout 14400
    > >
    > > global (outside) 1 interface
    > >
    > > nat (inside) 0 access-list inside_outbound_nat0_acl
    > >
    > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > >
    > > route outside 0.0.0.0 0.0.0.0 1xx.21x.9x.141 1
    > >
    > > timeout xlate 3:00:00
    > >
    > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    > > 1:00:00
    > >
    > > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > >
    > > timeout uauth 0:05:00 absolute
    > >
    > > aaa-server TACACS+ protocol tacacs+
    > >
    > > aaa-server RADIUS protocol radius
    > >
    > > aaa-server LOCAL protocol local
    > >
    > > aaa authentication include http DMZ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
    > >
    > > http server enable
    > >
    > > http 192.168.0.31 255.255.255.255 inside
    > >
    > > no snmp-server location
    > >
    > > no snmp-server contact
    > >
    > > snmp-server community public
    > >
    > > no snmp-server enable traps
    > >
    > > floodguard enable
    > >
    > > sysopt connection permit-pptp
    > >
    > > telnet 0.0.0.0 0.0.0.0 inside
    > >
    > > telnet timeout 33
    > >
    > > ssh timeout 5
    > >
    > > console timeout 0
    > >
    > > vpdn group PPTP-VPDN-GROUP accept dialin pptp
    > >
    > > vpdn group PPTP-VPDN-GROUP ppp authentication chap
    > >
    > > vpdn group PPTP-VPDN-GROUP client configuration address local boxxxxxport
    > >
    > > vpdn group PPTP-VPDN-GROUP client configuration dns xxx.17.6x.2
    > > 2x6.4x.101.15
    > >
    > > vpdn group PPTP-VPDN-GROUP pptp echo 60
    > >
    > > vpdn group PPTP-VPDN-GROUP client authentication local
    > >
    > > vpdn username xlxxx password *********
    > >
    > > vpdn enable outside
    > >
    > > username art1 password F/IZF.kOBNKpyTM1 encrypted privilege 2
    > >
    > > username robert password wqEpZlHyXB1vk/uT encrypted privilege 2
    > >
    > > terminal width 80
    > >
     
    J Bard, Jan 10, 2004
    #3
