Startup Config has me stumped

Discussion in 'Cisco' started by james.a.bailey, Oct 31, 2005.

  1. Can anyone see any reason why the below configuration won't work
    correctly? I thought it was the configuration I used fine for a week
    but when I came in one morning all the ports were in stealth mode
    instead of open. I can't seem to figure out the problem.

    I changed the outside IP Addresses for the sake of security.

    Thanks!!

    Infotech

    Building configuration...
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password etqreMPNyt0AvaUj encrypted
    passwd etqreMPNyt0AvaUj encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group service sbs tcp
    port-object eq www
    port-object range domain domain
    port-object eq https
    port-object eq smtp
    port-object range 3389 3389
    port-object eq pop3
    port-object eq pptp
    object-group service airtimeserv tcp
    port-object range 3389 3389
    access-list outside_in permit icmp any any
    access-list inside_outbound_nat0_acl permit ip any 192.168.16.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.0.2 255.255.255.248
    ip address inside 192.168.16.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.16.0 255.255.255.0 inside
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm location 192.168.16.2 255.255.255.255 inside
    pdm location 192.168.0.0 255.255.0.0 inside
    pdm location 192.168.16.3 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 192.168.0.3 192.168.16.2 netmask 255.255.255.255 0 0
    static (inside,outside) 192.168.0.4 192.168.16.3 netmask 255.255.255.255 0 0
    conduit permit tcp host 192.168.0.5 object-group sbs any
    conduit permit tcp host 192.168.0.6 object-group airtimeserv any
    route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
    route inside 192.168.0.0 255.255.0.0 69.15.203.154 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.16.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 192.168.16.38 \tftp-root
    floodguard enable
    telnet 192.168.16.0 255.255.255.0 inside
    telnet timeout 10
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:08022323919c5c99cfdf0aa54b2275df

    [OK]
     
    james.a.bailey, Oct 31, 2005
    #1

  2. :Can anyone see any reason why the below configuration won't work
    :correctly? I thought it was the configuration I used fine for a week
    :but when I came in one morning all the ports were in stealth mode
    :instead of open.

    :PIX Version 6.3(5)

    :access-list outside_in permit icmp any any

    :conduit permit tcp host 192.168.0.5 object-group sbs any
    :conduit permit tcp host 192.168.0.6 object-group airtimeserv any

    Never mix conduit and access-lists. Better yet, don't use
    conduit at all: it is gone completely in PIX 7.0. Cisco stopped
    trying for conduit compatibility back around the 5.3 timeframe.
     
    Walter Roberson, Oct 31, 2005
    #2

  3. How do I successfully change from using conduit to access lists?

    Thanks!
     
    james.a.bailey, Oct 31, 2005
    #3
  4. :How do I successfully change from using conduit to access lists?

    As you have 6.3(5), you likely have access to CCO. Cisco provides
    a tool in the PIX software download area that will do conversions.

    Sometimes it's mostly a matter of reversing the conduit arguments into
    access-list form. However, 'conduit' has a couple of strange interactions
    with other commands that I have never understood (it appears to
    do two different things depending on what else you have configured),
    so I make it a policy not to try to rewrite conduits for other people:
    only they know which of the two meanings of conduit they intended.
     
    Walter Roberson, Oct 31, 2005
    #4
  5. james.a.bailey

    Thanks for the response.

    I wasn't really asking for a conversion but an example of what an
    access list is like. I think I have the idea though. I think it's to
    start with this command:

    access-list 100 permit tcp any host 192.168.0.3 eq www

    Then after static NAT is defined, set the access group to the outside
    interface with this command:

    access-group 100 in interface outside

    Thanks again.
     
    Infotech, Oct 31, 2005
    #5
  6. :I wasn't really asking for a conversion but an example of what an
    :access list is like. I think I have the idea though. I think it's to
    :start with this command:

    :access-list 100 permit tcp any host 192.168.0.3 eq www

    :Then after static NAT is defined, set the access group to the outside
    :interface with this command:

    :access-group 100 in interface outside

    Pretty much, but for something that is being applied to the outside
    interface, the right-hand side should contain the public IP of
    the host to be accessed, not the private IP. If you are doing
    port forwarding for the IP of the outside interface, then instead
    of using an IP address, use the phrase interface outside.

    access-list 100 permit tcp any host 123.45.67.89 eq www
    access-list 100 permit tcp any interface outside eq smtp
    static (inside,outside) 123.45.67.89 192.168.0.3 netmask 255.255.255.255
    static (inside,outside) tcp interface smtp 192.168.0.5 smtp netmask 255.255.255.255
    access-group 100 in interface outside
     
    Walter Roberson, Oct 31, 2005
    #6
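Added example, not part of the thread: a small Python checker for the two points Walter makes above (post #2: never mix conduit with access-list statements; post #6: an access-list applied on the outside interface must name the mapped address from the static, not the inside host). It assumes the PIX 6.x line formats shown in this thread and runs over a constructed snippet built from the addresses in the original post.

```python
import re
from typing import Dict, List

# Constructed sample: the OP's static and one conduit, plus an access-list
# that names the inside host instead of the address the static maps it to.
SAMPLE_CONFIG = """
static (inside,outside) 192.168.0.3 192.168.16.2 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.0.5 object-group sbs any
access-list 100 permit tcp any host 192.168.16.2 eq www
access-group 100 in interface outside
"""

# Constructed corrected form: conduit dropped, ACL names the mapped address.
FIXED_CONFIG = """
static (inside,outside) 192.168.0.3 192.168.16.2 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host 192.168.0.3 eq www
access-group 100 in interface outside
"""

def parse_config(text: str) -> Dict[str, object]:
    """Collect only the statements the two checks need."""
    cfg = {"static": {}, "acl": [], "conduit": 0, "applied": {}}
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"static \(inside,outside\) (\S+) (\S+) netmask", line)
        if m and m.group(1) != "tcp":          # skip port statics (tcp interface ...)
            cfg["static"][m.group(2)] = m.group(1)   # inside host -> mapped address
            continue
        m = re.match(r"access-list (\S+) permit \S+ any host (\S+)", line)
        if m:
            cfg["acl"].append((m.group(1), m.group(2)))
            continue
        if line.startswith("conduit "):
            cfg["conduit"] += 1
            continue
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m:
            cfg["applied"][m.group(1)] = m.group(2)
    return cfg

def check_config(text: str) -> List[str]:
    """Return findings; an empty list means neither pitfall was detected."""
    cfg = parse_config(text)
    findings = []
    if cfg["conduit"] and cfg["acl"]:
        findings.append("conduit and access-list statements are mixed")
    for name, host in cfg["acl"]:
        if cfg["applied"].get(name) == "outside" and host in cfg["static"]:
            findings.append(f"access-list {name} on outside names inside host {host}; "
                            f"use mapped address {cfg['static'][host]}")
    return findings
```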
