Need help with a PIX 520 and VPN traffic

Discussion in 'Cisco' started by docpatelsf, Jun 27, 2007.


    docpatelsf Guest

    I need some help configuring a firewall that was pretty much thrown at
    me to manage. I'm unable to get out of the firewall for an
    application that requires the following ports be open (this is from
    the application vendor):

    Firewall ports (outbound) that need to be enabled:

    TCP/264
    IPSEC and IKE (UDP/500)
    IPSEC ESP (IP type 50)
    IPSEC AH (IP type 51)
    TCP/500
    UDP/2746
    UDP/259
    TCP/18231

    Here's the current firewall config; the IOS has not been updated in a
    seriously long time; I would really appreciate some help as to why I
    am not able to get out of the firewall for this application.
    Syslogging shows that acl_inside group is disallowing the connection.

    The application vendor's IPs are 192.131.69.200 and 192.131.65.200

    I am not familiar with CISCO firewalls, but I believe there might also
    be an issue with NAT-T (correct me if I am wrong).

    Thanks in advance for any/all help.

    firewall config (condensed, minus some ACLs):

    PIX Version 5.2(6)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 public security10
    enable password 0NVe7N9xFeDnrRfe encrypted
    passwd tflge61LqXv/Dm/V encrypted
    hostname internetfw
    domain-name masked.out
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol ftp 2120
    no fixup protocol smtp 25
    no names
    access-list acl_inside deny ip any host 152.163.0.0
    access-list acl_inside permit tcp any any eq ftp-data
    access-list acl_inside permit tcp any any eq ftp
    access-list acl_inside permit tcp any any eq domain
    access-list acl_inside permit udp any any eq domain
    access-list acl_inside permit tcp any any eq 443
    access-list acl_inside permit tcp any any eq 554
    access-list acl_inside permit tcp any any eq 1080
    access-list acl_inside permit tcp any any eq 1755
    access-list acl_inside permit tcp any any eq 1863
    access-list acl_inside permit tcp any any eq 3101
    access-list acl_inside permit tcp any any eq 3520
    access-list acl_inside permit tcp any any eq 5050
    access-list acl_inside permit tcp any any eq 5190
    access-list acl_inside permit tcp any any eq 8000
    access-list acl_inside permit tcp any any eq 8010
    access-list acl_inside permit tcp any any eq 8080
    access-list acl_inside permit icmp host 151.209.194.228 any echo
    access-list acl_inside permit icmp host 151.209.194.119 any echo
    access-list acl_inside permit icmp any any echo
    access-list acl_inside permit tcp any any eq www
    access-list acl_inside deny tcp any any eq smtp
    access-list acl_inside deny tcp any any
    access-list acl_inside deny udp any any
    access-list acl_inside deny ip any any
    access-list acl_inside deny udp any any eq tftp
    access-list acl_inside deny tcp any any eq 81
    access-list acl_inside deny tcp any any eq 135
    access-list acl_inside deny udp any any eq 135
    access-list acl_inside deny tcp any any eq 136
    access-list acl_inside deny udp any any eq 136
    access-list acl_inside deny tcp any any eq 137
    access-list acl_inside deny udp any any eq netbios-ns
    access-list acl_inside deny tcp any any eq 138
    access-list acl_inside deny udp any any eq netbios-dgm
    access-list acl_inside deny tcp any any eq 139
    access-list acl_inside deny udp any any eq 139
    access-list acl_inside deny tcp any any eq 445
    access-list acl_inside deny udp any any eq 445
    access-list acl_inside deny tcp any any eq 4444
    access-list acl_inside permit tcp any host 192.131.69.200 eq 264
    access-list acl_inside permit udp any host 192.131.69.200 eq isakmp
    access-list acl_inside permit udp any host 192.131.69.200 eq 2746
    access-list acl_inside permit udp any host 192.131.69.200 eq 259
    access-list acl_inside permit tcp any host 192.131.69.200 eq 18231
    access-list acl_inside permit udp any host 192.131.69.200 eq 4500
    access-list acl_inside permit tcp any host 192.131.65.200 eq 264
    access-list acl_inside permit udp any host 192.131.65.200 eq isakmp
    access-list acl_inside permit udp any host 192.131.65.200 eq 2746
    access-list acl_inside permit udp any host 192.131.65.200 eq 259
    access-list acl_inside permit tcp any host 192.131.65.200 eq 18231
    access-list acl_inside permit udp any host 192.131.65.200 eq 4500
    access-list acl_inside permit tcp any host 192.131.69.200 eq 500
    access-list acl_inside permit tcp any host 192.131.65.200 eq 500
    access-list acl_outside deny tcp any any eq 135
    access-list acl_outside deny tcp any any eq 136
    access-list acl_outside deny tcp any any eq 137
    access-list acl_outside deny tcp any any eq 138
    access-list acl_outside deny tcp any any eq 139
    access-list acl_outside permit tcp any host 63.205.237.14 eq www
    access-list acl_outside permit tcp any host 192.131.69.200 eq 264
    access-list acl_outside permit udp any host 192.131.69.200 eq isakmp
    access-list acl_outside permit udp any host 192.131.69.200 eq 2746
    access-list acl_outside permit udp any host 192.131.69.200 eq 259
    access-list acl_outside permit tcp any host 192.131.69.200 eq 18231
    access-list acl_outside permit udp any host 192.131.69.200 eq 4500
    access-list acl_outside permit tcp any host 192.131.65.200 eq 264
    access-list acl_outside permit udp any host 192.131.65.200 eq isakmp
    access-list acl_outside permit udp any host 192.131.65.200 eq 2746
    access-list acl_outside permit udp any host 192.131.65.200 eq 259
    access-list acl_outside permit tcp any host 192.131.65.200 eq 18231
    access-list acl_outside permit udp any host 192.131.65.200 eq 4500
    access-list acl_outside permit tcp any host 192.131.69.200 eq 500
    access-list acl_outside permit tcp any host 192.131.65.200 eq 500
    pager lines 20
    logging on
    no logging timestamp
    no logging standby
    no logging console
    no logging monitor
    logging buffered warnings
    logging trap warnings
    no logging history
    logging facility 20
    logging queue 2048
    logging host inside 151.209.194.228
    no logging message 106011
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    mtu outside 1500
    mtu inside 1500
    mtu public 1500
    ip address outside masked 255.255.255.240
    ip address inside 151.209.194.125 255.255.255.0
    ip address public 10.101.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside masked
    failover ip address inside 151.209.194.222
    failover ip address public 10.101.1.2
    arp timeout 14400
    global (outside) 1 masked
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) masked 151.209.194.228 netmask 255.255.255.255 0 0
    static (public,outside) masked 10.101.1.197 netmask 255.255.255.255 0 0
    static (inside,outside) masked 151.209.194.121 netmask 255.255.255.255 0 0
    static (inside,outside) masked 151.209.194.133 netmask 255.255.255.255 0 0
    static (inside,outside) masked 151.209.194.252 netmask 255.255.255.255 0 0
    access-group acl_outside in interface outside
    access-group acl_inside in interface inside
    route outside 0.0.0.0 0.0.0.0 masked 1
    route inside 151.209.0.0 255.255.0.0 151.209.194.121 1
    route outside 151.209.24.0 255.255.255.0 masked 1
    route outside 151.209.112.0 255.255.255.0 masked 1
    route outside 151.209.113.0 255.255.255.0 masked 1
    timeout xlate 1:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server vpn protocol tacacs+
    snmp-server host inside 151.209.194.119
    no snmp-server location
    no snmp-server contact
    snmp-server community !Now!3v3r
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    isakmp enable outside
    isakmp identity hostname
    telnet timeout 5
    ssh timeout 60
    terminal width 80
     
    docpatelsf, Jun 27, 2007
    #1


    Chad Mahoney Guest


    The ACLs are read from top to bottom; you have an explicit deny ACL.
    That ACL is being read by the firewall before

    You need to move the above lines above all the deny statements you have
    defined.
     
    Chad Mahoney, Jun 27, 2007
    #2
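To make the ordering point concrete, here is a small first-match evaluator for the PIX access-list syntax quoted in the question. It is an added example, not code from the thread or from Cisco; the ACL excerpt is constructed from the posted acl_inside in its posted order, the source address 151.209.194.10 is a made-up inside host, PORT_NAMES covers only the keywords the excerpt needs, and only the `any` and `host` address forms are parsed.

```python
# Added example (not from the thread): first-match evaluation of the PIX
# access-list lines quoted above, built to show why the vendor permit
# entries never match below "deny ip any any". Excerpt is constructed.
PORT_NAMES = {"isakmp": 500, "domain": 53, "www": 80, "ftp": 21,
              "ftp-data": 20, "smtp": 25}  # PIX port keywords (subset)
# Constructed excerpt of acl_inside, in the order it was posted.
ACL_INSIDE = """\
access-list acl_inside permit udp any any eq domain
access-list acl_inside permit tcp any any eq www
access-list acl_inside deny tcp any any
access-list acl_inside deny udp any any
access-list acl_inside deny ip any any
access-list acl_inside permit udp any host 192.131.69.200 eq isakmp
access-list acl_inside permit tcp any host 192.131.69.200 eq 18231
"""
def _addr(tok, i):
    """Parse 'any' or 'host X'; None means any address."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError("only 'any' and 'host' address forms are handled")

def parse_ace(line):
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    port = None
    if i + 1 < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return tok[2], tok[3], src, dst, port  # action, proto, src, dst, port

def evaluate(acl_text, proto, src, dst, port=None):
    """First match wins; returns (action, line). line=None is the implicit deny."""
    for line in acl_text.strip().splitlines():
        action, aproto, asrc, adst, aport = parse_ace(line)
        if aproto not in ("ip", proto):        # 'ip' matches every protocol
            continue
        if asrc not in (None, src) or adst not in (None, dst):
            continue
        if aport is not None and aport != port:
            continue
        return action, line
    return "deny", None

def hoist(acl_text, needle):
    """Move entries containing needle to the top, keeping their relative order."""
    lines = acl_text.strip().splitlines()
    return "\n".join([l for l in lines if needle in l] + [l for l in lines if needle not in l])
```

Running `evaluate` on the posted order reports the UDP/500 flow to 192.131.69.200 as denied by `deny udp any any`, and permitted once `hoist` moves the vendor entries above the deny lines; note that even then ESP and AH (IP protocols 50 and 51), which the vendor lists, have no entry in the posted ACL and still fall to `deny ip any any`.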
