Newbie needs the most basic of help with a PIX 515

Discussion in 'Cisco' started by tad, Sep 1, 2005.

  1. tad

    tad Guest

    Hello,

    I have been tasked with configuring a PIX 515, but my Cisco skills
    aren't up to the challenge. I have set up and maintained some networks
    using Linux gateways with iptables, so I do know the basic concepts
    involved. In order to learn how to make things happen on the PIX, I've
    set up a test environment consisting of three machines, each on one
    interface on the PIX. My initial goal is to be able to ping across to
    the network to each machine. Once I have connectivity, I can start
    writing my access-list rules.

    Unfortunately, I am unable to ping across the PIX to any of the other
    networks. My configuration is:

    PIX Version 7.0(1)
    names
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address 10.0.100.190 255.255.255.0
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    !
    interface Ethernet2
    nameif dmz
    security-level 20
    ip address 10.0.5.1 255.255.255.0
    !
    interface Ethernet3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet4
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet5
    shutdown
    no nameif
    no security-level
    no ip address
    !
    enable password v3eNd/VU2QcDQYO6 encrypted
    passwd 1eLX4kzXqzXs6wsU encrypted
    hostname pixfirewall
    ftp mode passive
    no pager
    mtu inside 1500
    mtu outside 1500
    no failover
    monitor-interface inside
    monitor-interface outside
    asdm image flash:/asdm
    no asdm history enable
    arp timeout 14400
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 10.0.5.0 255.255.255.0 0
    static (dmz,outside) 10.0.100.10 10.0.5.5 netmask 255.255.255.255 0 0

    access-list ping_acl permit icmp any any

    access-group ping_acl in interface inside
    access-group ping_acl in interface dmz
    access-group ping_acl in interface outside

    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp
    telnet 10.0.0.200 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    : end

    Which obviously is missing something. The first thing I'd like to
    accomplish is to be able to ping 10.0.100.190 from machine 10.0.5.5 on
    the DMZ interface. Second would be to be able to ping 10.0.100.10 and
    have that hit 10.0.5.5. Once that is working, I don't think it would be
    too hard to allow ssh logins to 10.0.100.10 (10.0.5.5).

    Thanks for any help!

    Tad
     
    tad, Sep 1, 2005
    #1

  2. :PIX Version 7.0(1)

    :access-list ping_acl permit icmp any any

    :access-group ping_acl in interface inside
    :access-group ping_acl in interface dmz
    :access-group ping_acl in interface outside

    I haven't looked at the details of your configuration, but the above
    popped out at me.

    Effectively you cannot reuse access-lists on the PIX: the PIX
    manipulates them internally for purposes related to the Adaptive
    Security Algorithm. And some other cases that you wouldn't think
    could cause a conflict have had bug reports against problems with
    shared ACLs.

    So, on the PIX, if you need the same ACL functionality in more
    than one context, you should duplicate the ACL contents. If the
    ACL is non-trivial, using object-group can help reduce the clutter
    a fair bit.
     
    Walter Roberson, Sep 1, 2005
    #2

  3. Kashifc

    Kashifc Guest

    you need the global command that would tell the pix what the internal
    addresses should be translated into. It would be something like this:

    global (outside) 1 209.64.3.129-209.64.3.253 netmask 255.255.255.128

    where the ip addresses in the line above are the range of public
    addresses available to you.

    If you don't have enough public addresses, use PAT by defining only one
    global address, such as

    global (outside) 1 209.64.3.129

    Good Luck.
     
    Kashifc, Sep 1, 2005
    #3
  4. tad

    tad Guest

    I've incorporated both of these changes, and now I have something like
    this in the relevant parts of the configuration:

    global (outside) 1 10.0.100.1-10.0.100.255 netmask 255.255.255.0

    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 10.0.5.0 255.255.255.0 0
    static (dmz,outside) 10.0.100.10 10.0.5.5 netmask 255.255.255.255 0 0

    access-list ping_inside_acl permit icmp any any
    access-list ping_dmz_acl permit icmp any any
    access-list ping_outside_acl permit icmp any any
    access-list ssh_dmz_acl permit tcp any host 10.0.100.10 eq 22

    access-group ping_inside_acl in interface inside
    access-group ping_dmz_acl in interface dmz
    access-group ping_outside_acl in interface outside
    access-group ssh_dmz_acl in interface outside

    I still cannot get data across the interfaces into a different zone. I
    can ping 10.0.100.10 from a machine on the outside of the PIX, but the
    ttl is 64 so I'm feeling like the traffic isn't actually getting to the
    machine that is supposed to be NATed to 10.0.100.10 (10.0.5.5).

    Any other suggestions?

    Thanks,
    Tad
     
    tad, Sep 2, 2005
    #4
  5. tad

    tad Guest

    I'm not sure that my changes are progress. I now get the following
    errors loading the configuration file:

    !Error: 10.0.100.1-10.0.100.255 overlaps with outside interface address
    Duplicate NAT entry
    Duplicate NAT entry
    ERROR: mapped-address conflict with existing static
    dmz:10.0.5.5 to outside:10.0.100.10 netmask 255.255.255.255
    Config Error -- static (dmz,outside) 10.0.100.10 10.0.5.5 netmask
    255.255.255.255 0 0
    WARNING: <ping_inside_acl> found duplicate element
    WARNING: <ping_dmz_acl> found duplicate element
    WARNING: <ping_outside_acl> found duplicate element
    ERROR: entry for address/mask = 10.0.0.200/255.255.255.255 exists

    The first error is just me needing to change the range of the global
    statement. I don't understand the "Duplicate NAT entry" messages, and
    the "found duplicate element" errors on the access-lists seem to be
    contrary to the first suggestion above.

    Tad
     
    tad, Sep 2, 2005
    #5
  6. :access-group ping_outside_acl in interface outside
    :access-group ssh_dmz_acl in interface outside

    This doesn't address your original problem, but: you can only
    have one access-group per interface (per direction in 7.0).
     
    Walter Roberson, Sep 2, 2005
    #6
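    A consolidated configuration fragment, added here as an illustration and not posted by anyone in the thread, that applies the three points raised in the replies: one access-list per interface instead of a shared one, exactly one access-group per interface and direction, and a global pool that overlaps neither the outside interface address nor the mapped address of the static (both of which produced the errors in post #5). The pool range 10.0.100.20-10.0.100.100 is an assumed choice; the other addresses are the poster's lab addresses.

```cisco
! Added example (not from the thread): NAT and access-list layout that
! follows the advice given in the replies above. Pool boundaries assumed.
!
! Global pool used by inside and dmz hosts leaving via the outside interface.
! It must exclude the outside interface address (10.0.100.190) and the
! static's mapped address (10.0.100.10), otherwise the PIX reports the
! "overlaps with outside interface address" and "mapped-address conflict"
! errors seen in post #5.
global (outside) 1 10.0.100.20-10.0.100.100 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.0.5.0 255.255.255.0
! 10.0.5.5 on the dmz is reachable from outside as 10.0.100.10
static (dmz,outside) 10.0.100.10 10.0.5.5 netmask 255.255.255.255
!
! One access-list per interface (reply #2: do not share an ACL between
! interfaces). The ssh rule is folded into the outside list rather than
! applied as a second access-group (reply #6: one access-group per
! interface per direction). On the outside interface the rule names the
! mapped address, not the real dmz address.
access-list inside_in permit icmp any any
access-list dmz_in permit icmp any any
access-list outside_in permit icmp any any
access-list outside_in permit tcp any host 10.0.100.10 eq 22
!
access-group inside_in in interface inside
access-group dmz_in in interface dmz
access-group outside_in in interface outside
```

    Permitting icmp any any on every interface is only sensible for the lab described in the thread; once connectivity is verified the lists can be narrowed to the specific hosts and echo/echo-reply types needed.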
