We have a Cisco PIX 515 with a Restricted license. We are trying to open up https to allow OWA traffic through, as well as RDP on port 3389 to a specific server. The RDP requirement is for a very specific short-term need and will be removed soon, so that is less important than https, but I will include it here because the issue we're having seems to be the same with either protocol.
I have created NAT translations for the two internal hosts (along with an interface PAT for outbound traffic coming from the rest of the internal network) and created access rules to allow https and tcp/3389 traffic to pass through to the two internal hosts that I've configured. For testing, I've also allowed ICMP through to one of the hosts. The results are as follows:
- I CAN ping to the internal hosts from the internet
- I CANNOT connect to OWA via https from the internet (the SSL cert is working and the site is up, as I can access it internally)
- I CANNOT connect via RDP to my internal server from the internet (I can connect internally)
- If I change the access rules from https and tcp/3389 to "any" tcp protocol I CAN connect to each server from the internet
The rules appear to be fine and it seems the NAT translation is set up correctly, since ICMP gets through fine and I can connect if I open the rule up to allow any tcp protocol through. When I look at my syslog server I see the following. The first entry is the OWA connection, the second RDP:
172.30.100.1 Apr 06 2008 08:24:23: %PIX-2-106001: Inbound TCP connection denied from 74.95.64.130/2471 to 75.200.139.140/443 flags SYN on interface outside
172.30.100.1 Apr 06 2008 08:35:11: %PIX-2-106001: Inbound TCP connection denied from 74.95.64.130/2531 to 75.200.139.140/3389 flags SYN on interface outside
Now, this looks really weird to me because it appears that the incoming ports that these connections are using are totally wrong. Port 2471 and 2531? Shouldn't it be incoming on 443 and 3389 respectively? If I change the rule for OWA incoming port to "any" I CAN connect and the syslog entry shows this:
172.30.100.1 Apr 06 2008 08:54:18: %PIX-6-302013: Built inbound TCP connection 187368 for outside:74.95.64.130/2623 (74.95.64.130/2623) to inside:172.30.100.103/443 (75.200.139.140/443)
Now it's coming in on port 2623? The only thing I can think of is that perhaps the Verizon T1 router (an Adtran) is doing some weird port translation of the traffic before it gets to the public interface on the PIX. Since I don't have control of the router, I can't log on to see how it's set up. I plan on upgrading to v7.x at some point in the next couple of days as well, but it must be done in monitor mode and I can't get onsite yet.
Any ideas here? I've included the PIX config below, sanitized of course.
MPE-PIX# show running-config
: Saved
:
PIX Version 6.2(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password XXXXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
hostname MPE-PIX
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sip udp 5060
names
name 172.30.100.1 pix
name 172.30.100.101 mpe_dc01_int
name 75.200.139.140 Public_for_OWA
name 172.30.100.103 email
name 75.200.139.136 Pub_VerizonT1
pager lines 24
logging on
logging timestamp
logging buffered informational
logging trap informational
logging facility 16
logging host inside 172.30.100.207
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 75.200.139.138 255.255.255.248
ip address inside pix 255.255.254.0
ip address dmz 10.100.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.10.64 255.255.255.192 dmz
pdm location 10.10.10.2 255.255.255.255 dmz
pdm location 10.10.10.0 255.255.255.0 dmz
pdm location 192.168.99.0 255.255.255.0 dmz
pdm location mpe_dc01_int 255.255.255.255 inside
pdm location Public_for_OWA 255.255.255.255 outside
pdm location email 255.255.255.255 inside
pdm location 172.30.100.207 255.255.255.255 inside
pdm logging informational 500
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 75.200.139.141
nat (inside) 1 172.30.100.0 255.255.254.0 0 0
static (outside,inside) email Public_for_OWA netmask 255.255.255.255 0 0
static (inside,outside) Public_for_OWA email netmask 255.255.255.255 0 0
static (inside,outside) 75.200.139.141 mpe_dc01_int netmask 255.255.255.255 0 0
conduit permit tcp host Public_for_OWA eq https any eq https
conduit permit icmp host Public_for_OWA any
conduit permit tcp host 75.200.139.141 eq 3389 any eq 3389
outbound 1 deny 0.0.0.0 0.0.0.0 2525 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 1328 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 1433 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 135 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 2967 tcp
apply (inside) 1 outgoing_src
route outside 0.0.0.0 0.0.0.0 75.200.139.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
ntp server 18.145.0.30 source outside prefer
http server enable
http 172.30.100.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server community candida
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 172.30.100.0 255.255.254.0 inside
telnet timeout 5
ssh timeout 5
username XXXXXX password XXXXXXXX encrypted privilege 15
username XXXXXX password XXXXXXXX encrypted privilege 15
username XXXXXX password XXXXXXXX encrypted privilege 15
terminal width 80
Cryptochecksum:5713add7baf12a633eccd219ccedaa1c
: end
MPE-PIX#
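As an added illustration (not part of the original post): a small Python parser for the two syslog message types quoted above, with a model of how a PIX 6.x conduit matches a connection. It shows that 2471, 2531 and 2623 are the clients' ephemeral source ports (the destination ports are the expected 443 and 3389), and that a trailing `any eq https` or `any eq 3389` on a conduit constrains that client source port, which is consistent with the rule only matching once the port clause is replaced with "any". The sample log text is constructed from the three lines in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the three syslog lines quoted in the post above.
SAMPLE_LOG = """\
172.30.100.1 Apr 06 2008 08:24:23: %PIX-2-106001: Inbound TCP connection denied from 74.95.64.130/2471 to 75.200.139.140/443 flags SYN on interface outside
172.30.100.1 Apr 06 2008 08:35:11: %PIX-2-106001: Inbound TCP connection denied from 74.95.64.130/2531 to 75.200.139.140/3389 flags SYN on interface outside
172.30.100.1 Apr 06 2008 08:54:18: %PIX-6-302013: Built inbound TCP connection 187368 for outside:74.95.64.130/2623 (74.95.64.130/2623) to inside:172.30.100.103/443 (75.200.139.140/443)
"""

# 106001: "denied from SRC/SPORT to DST/DPORT"; 302013: real addr/port followed by the
# NAT-mapped public addr/port in parentheses (we keep the public one as the destination).
DENY_RE = re.compile(r"106001: Inbound TCP connection denied from (\S+)/(\d+) to (\S+)/(\d+)")
BUILT_RE = re.compile(r"302013: Built inbound TCP connection \d+ for \w+:(\S+)/(\d+) \(\S+\) to \w+:\S+/\d+ \((\S+)/(\d+)\)")

@dataclass
class Flow:
    action: str     # "denied" or "built"
    src_ip: str
    src_port: int   # chosen by the client OS, normally an ephemeral port >= 1024
    dst_ip: str     # public (pre-NAT) address the client connected to
    dst_port: int   # the service port a permit rule is meant to match

def parse_pix_line(line):
    """Return a Flow for a 106001 or 302013 message, None for anything else."""
    if m := DENY_RE.search(line):
        return Flow("denied", m[1], int(m[2]), m[3], int(m[4]))
    if m := BUILT_RE.search(line):
        return Flow("built", m[1], int(m[2]), m[3], int(m[4]))
    return None

def conduit_permits(flow, global_port, foreign_port=None):
    """Model of PIX 6.x matching for
    'conduit permit tcp host GLOBAL eq GLOBAL_PORT any [eq FOREIGN_PORT]':
    the trailing operator constrains the foreign (client source) port, so
    'any eq https' also requires the client to connect *from* port 443."""
    if flow.dst_port != global_port:
        return False
    return foreign_port is None or flow.src_port == foreign_port

def review(log_text):
    """Per flow: (action, dst_port, src_port_is_ephemeral,
    permitted_with_source_port_clause, permitted_without_it)."""
    out = []
    for f in filter(None, map(parse_pix_line, log_text.splitlines())):
        out.append((f.action, f.dst_port, f.src_port >= 1024,
                    conduit_permits(f, f.dst_port, foreign_port=f.dst_port),
                    conduit_permits(f, f.dst_port)))
    return out
```

Running `review(SAMPLE_LOG)` yields one tuple per line; each shows an ephemeral source port, a rule with the source-port clause that does not match, and the same rule without it that does.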