Solved

PIX-515e - Port Translation

Posted on 2004-03-31
612 Views
Last Modified: 2010-04-08
I'm certainly not an expert on Cisco kit, which is why I'm asking this question here.
Basically, on a PIX-515, I have this config (various parts snipped for brevity, and IP numbers changed
to protect the innocent).

nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
name 192.168.0.1 Fw-PIX-Outside
name 10.0.0.1 Fw-PIX-Inside
name 10.0.0.2 Protected-1a
name 10.0.0.3 Protected-1b
ip address outside Fw-PIX-Outside 255.255.255.0
ip address inside Fw-PIX-Inside 255.255.255.0
static (inside,outside) Protected-1a Protected-1a netmask 255.255.255.255 0 0
static (inside,outside) Protected-1b Protected-1b netmask 255.255.255.255 0 0
access-list ACL-IN permit tcp any host Protected-1a eq https
access-list ACL-IN permit tcp any host Protected-1b eq 5223
access-list ACL-IN permit tcp any host Protected-1b eq https
access-list ACL-IN permit tcp any host Protected-1b eq 22

Hopefully, the snips are obvious.
All IP addresses used on this router are publicly routable.

Now, what I want to do is basically rewrite connections coming into the firewall, for Protected-1a, on port
443, to port 5223.

I *think* that what I need to do is this:
no static (inside,outside) Protected-1a Protected-1a netmask 255.255.255.255 0 0
no static (inside,outside) Protected-1b Protected-1b netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-1a 443 Protected-1a 5223 netmask 255.255.255.255
static (inside,outside) Protected-1a Protected-1a netmask 255.255.255.255 0 0
static (inside,outside) Protected-1b Protected-1b netmask 255.255.255.255 0 0

I think I need to start with the 'no static' lines to prevent overlapping, but I'm not 100% sure
of that (this just needs to work first time).

Since this is a live system, I'm reluctant to just try the above, without some other opinions from some more
'clued-up on Cisco' people.

So, what do I have to do to get the port forwarding to work? I'm especially wondering if I need to
add another access-list line of the form:
access-list ACL-IN permit tcp any host Protected-1a eq 5223

Thanks in advance,

James
Question by:j_dyer
16 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10723721
You're on the right track, but I'd have to throw in the question as to why you want to redirect port 443 to 5223 ?  There's absolutely ZERO security advantage in doing this ?
LVL 4

Expert Comment

by:hawgpig
ID: 10732760
FAIR WARNING!!!
If you are running code 6.3.1..... it has a static bug in it.
The pix will continue to process the deleted statics even though they are not in the config anymore.
The work around for this bug is to reboot the pix and all will be well
until you delete another static
If you are on 6.3.1....... upgrade to 6.3.3 ASAP....
Good Luck
LVL 2

Author Comment

by:j_dyer
ID: 10732773
Thanks for that. Does 'the right track' mean that it should work???

As far as why...it's got nothing to do with security.
Basically, we're running Jabber on the server, and currently have two jabber processes running, one as root on 443,
and one as a non-privileged user on 5223.
If we redirect the 443 traffic to 5223, we can kill the process running on 443, which should resolve some problems
we've seen with running two of these processes together. As well as which, I guess it does increase security after all,
in that the process running as root is basically going away (but that is definitely a secondary factor, and not an influence
on our decision at all).
LVL 23

Expert Comment

by:Tim Holman
ID: 10736535
Straight from the horse's mouth, so to speak:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic9

Although you don't really need:

static (inside,outside) Protected-1a Protected-1a netmask 255.255.255.255 0 0
static (inside,outside) Protected-1b Protected-1b netmask 255.255.255.255 0 0

You will need to add access lists to permit https to the public addresses, as the access lists will be applied first, then the NAT.
LVL 23

Expert Comment

by:Tim Holman
ID: 10736551
PS - would need to see the WHOLE configuration in order to make doubly sure !!
LVL 2

Author Comment

by:j_dyer
ID: 10773925
tim_holman:

OK, I'm paranoid, so I'm going to attach the whole config to this message.
The things I've posted so far have just been summaries of what we want to do.
What we actually want is to turn the attached config into one which (as well as keeping the existing access lists),
- Connections to Protected-3 on port 443 are rewritten to port 5223 on Protected-3
- Connections to Protected-1a on port 443 are rewritten to port 443 on Protected-3
- Connections to Protected-1a on port 80 are rewritten to port 80 on Protected-3
- All other connections (subject to access-lists) to Protected-1a continue to go to Protected-1a

Note, IP addresses, as ever, changed to protect the innocent.
Where you see a 10.0.0 address, think 'somewhere out on the big, scary, internet', and where you see a 192.168.0
address, think 'somewhere in our nice, safe, rack, in a hosting centre somewhere in the UK, behind our PIX firewall'.

hawgpig: Thanks for the heads-up about the IOS version; our hosting company assures me they'll upgrade the IOS
shortly... :)

Hoping you can help,

J

==*==

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxx/ encrypted
passwd xxxxxxxxx/ encrypted
hostname fw-pix
domain-name xxxxxxxxx.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
name 192.168.0.1 Fw-PIX-Inside
name 192.168.0.5 Protected-1a
name 192.168.0.6 Protected-1b
name 192.168.0.7 Protected-2
name 192.168.0.8 Protected-3
name 10.0.0.1 Trusted-1
name 10.0.0.2 Gnarly
name 10.0.0.3 Bang
name 10.0.0.4 Notts
name 10.0.0.5 Sponge
access-list ACL-IN permit tcp any host Protected-1a eq www
access-list ACL-IN permit tcp any host Protected-1b eq www
access-list ACL-IN permit tcp any host Protected-2 eq www
access-list ACL-IN permit tcp any host Protected-3 eq www
access-list ACL-IN permit tcp any host Protected-1b eq https
access-list ACL-IN permit tcp any host Protected-2 eq https
access-list ACL-IN permit tcp any host Protected-3 eq https
access-list ACL-IN permit tcp any host Protected-1b eq 8443
access-list ACL-IN permit tcp any host Protected-3 eq 8443
access-list ACL-IN permit tcp any host Protected-3 eq 5222
access-list ACL-IN permit tcp any host Protected-3 eq 5223
access-list ACL-IN permit tcp any host Protected-3 eq 9007
access-list ACL-IN permit tcp any host Protected-3 eq ftp
access-list ACL-IN permit tcp any host Protected-3 eq ftp-data
access-list ACL-IN permit tcp any host Protected-3 range 10022 10029
access-list ACL-IN permit tcp any host Protected-3 range 50000 51000
access-list ACL-IN permit tcp host Protected-2 host Protected-1b eq 5432
access-list ACL-IN permit tcp host Protected-3 host Protected-1b eq 5432
access-list ACL-IN permit tcp host Trusted-1 host Protected-1b eq 5432
access-list ACL-IN permit tcp host Trusted-2 host Protected-1b eq 5432
access-list ACL-IN permit tcp host Trusted-1 any eq ssh
access-list ACL-IN permit tcp host Trusted-2 any eq ssh
access-list ACL-IN permit tcp host Bang any eq ssh
access-list ACL-IN permit tcp host Sponge any eq ssh
access-list ACL-IN permit tcp host Gnarly any eq ssh
access-list ACL-IN permit icmp any any
access-list ACL-IN permit ip host Trusted-1 any
access-list ACL-IN permit ip host Trusted-2 any
access-list ACL-IN permit ip host Bang any
access-list ACL-IN permit ip host Notts any
access-list ACL-IN permit ip host Sponge any
access-list ACL-IN permit ip host Gnarly any
access-list ACL-IN permit udp host 217.199.171.4 any eq domain
access-list ACL-IN permit udp host 217.199.171.5 any eq domain
access-list ACL-IN permit tcp host 217.199.171.4 any eq domain
access-list ACL-IN permit tcp host 217.199.171.5 any eq domain
access-list ACL-IN remark --- Monitoring from Panix
access-list ACL-IN permit tcp host 166.84.1.2 any eq echo
access-list ACL-OUT permit tcp any any eq domain
access-list ACL-OUT permit udp any any eq domain
access-list ACL-OUT permit tcp host Protected-2 any eq www
access-list ACL-OUT permit tcp host Protected-2 any eq https
access-list ACL-OUT permit tcp host Protected-2 any eq 5505
access-list ACL-OUT permit tcp host Protected-2 any eq 5506
access-list ACL-OUT permit tcp host Protected-2 any eq 6505
access-list ACL-OUT permit tcp host Protected-2 any eq 6506
access-list ACL-OUT permit tcp host Protected-1a any eq smtp
access-list ACL-OUT permit tcp host Protected-1b any eq smtp
access-list ACL-OUT permit tcp host Protected-2 any eq smtp
access-list ACL-OUT permit tcp host Protected-3 any eq smtp
access-list ACL-OUT permit tcp host Protected-1b any eq 123
access-list ACL-OUT permit udp host Protected-1b any eq ntp
access-list ACL-OUT permit icmp any any
access-list ACL-OUT permit tcp any any eq www
access-list ACL-OUT permit tcp any any eq ftp
access-list ACL-OUT deny ip any any log
pager lines 24
logging on
logging host inside Protected-1b
no logging message 304001
icmp deny host Fw-PIX-Inside outside
icmp permit any echo-reply outside
icmp permit any echo outside
icmp deny any time-exceeded outside
icmp deny any unreachable outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside Fw-PIX-Outside 255.255.255.0
ip address inside Fw-PIX-Inside 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
static (inside,outside) Protected-1b Protected-1b netmask 255.255.255.255 0 0
static (inside,outside) Protected-2 Protected-2 netmask 255.255.255.255 0 0
static (inside,outside) Protected-1a Protected-1a netmask 255.255.255.255 0 0
static (inside,outside) Protected-3 Protected-3 netmask 255.255.255.255 0 0
access-group ACL-IN in interface outside
access-group ACL-OUT in interface inside
route outside 0.0.0.0 0.0.0.0 Gnarly 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh Bang 255.255.255.255 outside
ssh Notts 255.255.255.255 outside
ssh Trusted-1 255.255.255.255 outside
ssh Trusted-2 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
console timeout 0
terminal width 80


LVL 2

Author Comment

by:j_dyer
ID: 10773928
Apologies for pasting the config twice...not sure how that happened!
LVL 23

Expert Comment

by:Tim Holman
ID: 10775891
To do this, you will need to remove current translations to protected-1a and protected-3:

no static (inside,outside) Protected-1a Protected-1a netmask 255.255.255.255 0 0
no static (inside,outside) Protected-3 Protected-3 netmask 255.255.255.255 0 0

- Connections to Protected-3 on port 443 are rewritten to port 5223 on Protected-3

static (inside,outside) tcp Protected-3 443 Protected-3 5223 netmask 255.255.255.255 0 0

- Connections to Protected-1a on port 443 are rewritten to port 443 on Protected-3

static (inside,outside) tcp Protected-1a 443 Protected-3 443 netmask 255.255.255.255 0 0

- Connections to Protected-1a on port 80 are rewritten to port 80 on Protected-3

static (inside,outside) tcp Protected-1a 80 Protected-3 80 netmask 255.255.255.255 0 0

- All other connections (subject to access-lists) to Protected-1a continue to go to Protected-1a

All other connections will need to be explicitly defined, as when you start splitting up the ports there is no longer any 'catch all' rule that will direct the rest to your original destination.
Do you need any more services on protected-1a ?  I can only see www from your access lists anyway ??

After each change, you must do a reload to remove the old statics (or upgrade to 6.3(3)).


LVL 2

Author Comment

by:j_dyer
ID: 10776073
At the moment, we're just using http on 1a, but part of the changes we're making will need it to support https as well.

I assume when you say that all other connections will need to be explicitly defined, you mean all the other ones
for 1a and 3? I guess that since 1b and 2 are not going to have any statics over them, I can just leave them alone?

Also, just to be sure, once I've put a static in place for each of the entries in the access list, there'll be no need to
add these lines back in?
static (inside,outside) Protected-1a Protected-1a netmask 255.255.255.255 0 0
static (inside,outside) Protected-3 Protected-3 netmask 255.255.255.255 0 0

And finally...'After each change, you must do a reload to remove the old statics'; I hope you don't mean that, after
each static line, I need to reboot...I hope you mean that, once I've entered all of the statics we need, I then need to
reboot. Please clarify (and hopefully save my sanity).

Thanks for all of your help on this; I'm planning to implement these changes tonight, if I get a chance, so fingers crossed and
all that :)
LVL 2

Author Comment

by:j_dyer
ID: 10776336
OK, if I'm understanding all of this correctly, I basically need to do the following to get this running:

no static (inside,outside) Protected-1a Protected-1a netmask 255.255.255.255 0 0
no static (inside,outside) Protected-3 Protected-3 netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-3 443 Protected-3 5223 netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-1a 443 Protected-3 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-1a 80 Protected-3 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-3 80 Protected-3 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-3 8443 Protected-3 8443 netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-3 5222 Protected-3 5222 netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-3 5223 Protected-3 5223 netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-3 9007 Protected-3 9007 netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-3 ftp Protected-3 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-3 ftp-data Protected-3 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-3 range 10022 10029 Protected-3 range 10022 10029 netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-3 range 50000 51000 Protected-3 range 50000 51000 netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-3 ssh Protected-3 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-3 echo Protected-3 echo netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-3 domain Protected-3 domain netmask 255.255.255.255 0 0

I'm a little concerned about the ranges in there - are they going to cause any problems at all (they just look wrong in
some way).

The reason 1a is not mentioned very much, is that it's actually just a virtual ip number, which drifts around our
servers, depending on what we want to do with it at any one time.

BTW, I've increased the points on this to 500, as I really feel you've gone above and beyond the call of duty on this!

Thanks
LVL 23

Expert Comment

by:Tim Holman
ID: 10796526
That's right.  You've got the hang of it, but I'm not sure the 'range' command will work.  I've never tried it.. ?
Now...  do you need all these ports open ?  Most people just open up ports 80 and 443 for a web server and leave things like that.  
You DO need 6.3(3) though, otherwise you will need to reload to implement these changes.
LVL 2

Author Comment

by:j_dyer
ID: 10811625
Yes, unfortunately we do need all of those ports open, for passive ftp connections...I could have one line per port but...that's
gonna make for a really hideous configuration!

I'm working on 6.3.3 - I'm gonna chase our provider again today, since they've been really quiet about this recently...
LVL 23

Expert Comment

by:Tim Holman
ID: 10816118
Let me know if you need any more help !  
LVL 2

Author Comment

by:j_dyer
ID: 10959773
OK, I've finally had a chance to look at this again...
Our hosting company have finally given us 6.3(3), and the static mappings are now working on inbound connections.

One problem has now emerged though. The current configuration looks like this (irrelevant parts snipped):

access-list ACL-IN remark #  Incoming protocols and ports permitted to enter inside network
access-list ACL-IN permit tcp any any eq www
access-list ACL-IN permit tcp any any eq https
access-list ACL-IN permit tcp any host Protected-Ns2 eq 8443
access-list ACL-IN permit tcp any host Protected-Prod2 eq 8443
access-list ACL-IN permit tcp any host Protected-Prod2 eq 5222
access-list ACL-IN permit tcp any host Protected-Prod2 eq 5223
access-list ACL-IN permit tcp any host Protected-Prod2 eq ftp
access-list ACL-IN permit tcp any host Protected-Prod2 eq ftp-data
access-list ACL-IN permit tcp any host Protected-Prod2 eq 9007
access-list ACL-IN permit tcp any host Protected-Prod2 range 10022 10029
access-list ACL-IN permit tcp any host Protected-Prod2 range 50000 51000
access-list ACL-IN remark # Host Europe Infrastructure
access-list ACL-IN permit ip host Bang any
access-list ACL-IN permit ip host Notts any
access-list ACL-IN permit ip host Sponge any
access-list ACL-IN remark # ICMP could be tightened later
access-list ACL-IN deny icmp any any unreachable
access-list ACL-IN deny icmp any any time-exceeded
access-list ACL-IN permit icmp any any
access-list ACL-IN remark # Monitoring from Panix
access-list ACL-IN permit udp host Monitor-Panix any eq echo
access-list ACL-IN permit tcp host Monitor-Panix any eq echo
access-list ACL-IN remark # `Trusted' access
access-list ACL-IN permit ip host Trusted-1 any
access-list ACL-IN permit ip host Trusted-2 any
access-list ACL-IN permit tcp any host Protected-Prod6 eq 6000
access-list ACL-IN permit tcp any host Protected-Prod6 eq 5000
access-list ACL-IN deny ip any any
access-list ACL-OUT remark #  What services are protected hosts allowed to use from outside
access-list ACL-OUT permit tcp any any eq domain
access-list ACL-OUT permit udp any any eq domain
access-list ACL-OUT permit tcp any any eq smtp
access-list ACL-OUT permit tcp any any eq www
access-list ACL-OUT permit tcp any any eq ftp
access-list ACL-OUT permit tcp any any eq https
access-list ACL-OUT permit icmp any any
access-list ACL-OUT permit ip any host Sponge
access-list ACL-OUT permit udp any any eq ntp
access-list ACL-OUT permit tcp host Protected-Prod1 any eq 5505
access-list ACL-OUT permit tcp host Protected-Prod1 any eq 5506
access-list ACL-OUT permit tcp host Protected-Prod1 any eq 6505
access-list ACL-OUT permit tcp host Protected-Prod1 any eq 6506
access-list ACL-OUT deny ip any any log
static (inside,outside) tcp Protected-Prod6 5000 Protected-Prod5 5000 netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-Prod6 6000 Protected-Prod6 6000 netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-Prod6 ssh Protected-Prod6 ssh netmask 255.255.255.255 0 0
static (inside,outside) Protected-Prod1 Protected-Prod1 netmask 255.255.255.255 0 0
static (inside,outside) Protected-Prod2 Protected-Prod2 netmask 255.255.255.255 0 0
static (inside,outside) Protected-Prod3 Protected-Prod3 netmask 255.255.255.255 0 0
static (inside,outside) Protected-Prod4 Protected-Prod4 netmask 255.255.255.255 0 0
static (inside,outside) Protected-Prod5 Protected-Prod5 netmask 255.255.255.255 0 0
static (inside,outside) Protected-Prod7 Protected-Prod7 netmask 255.255.255.255 0 0
static (inside,outside) Protected-Ns Protected-Ns netmask 255.255.255.255 0 0
static (inside,outside) Protected-Ns2 Protected-Ns2 netmask 255.255.255.255 0 0
access-group ACL-IN in interface outside
access-group ACL-OUT in interface inside

I noticed when trying to ssh into Protected-Prod6, that it was taking a long time to login. Further investigation
revealed that DNS lookups are failing, because the machine can't establish any outgoing connections. This is
obviously a bad thing...

Things like this are now appearing in the syslog:
Apr 30 15:00:12 177-if.gnarly.core.hosteurope.net Apr 30 2004 15:00:12: %PIX-3-305005: No translation group found for tcp src inside:Protected-Prod6/32828 dst outside:Trusted-1/25

So, what are the magical runes needed to allow outgoing connections?
LVL 23

Accepted Solution

by:Tim Holman (earned 500 total points)
ID: 10966813
Protected-Prod needs PAT setup to access the outside world, so:

global (outside) 1 interface
nat (inside) 1 Protected-Prod6 255.255.255.255

Static NAT only allows 'the Internet' to connect to your host.
PAT (global statements) allows your host to talk to the Internet.
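As an added example (my own script, not the poster's configuration and not a Cisco tool), the following Python encodes the two rules that came up in this thread: Tim Holman's earlier point that the access list is evaluated first but, once the whole-host static is gone, every published host/port still needs its own static, and the accepted answer that a static alone gives a host no outbound path without a global/nat pair. It parses the PIX 6.3 syntax used above (whole-host statics, per-port tcp/udp statics, nat/global and ACL permits) from a constructed sample config whose host names follow the thread; the `range` static form the thread is unsure about is skipped rather than guessed at.

```python
"""Audit a PIX 6.3-style config for the two translation gaps raised in this thread:
an inbound ACL permit with no static behind it (the ACL is checked first, but the
PIX still needs a translation), and an inside host whose only statics are per-port,
so it cannot originate connections ("%PIX-3-305005: No translation group found").
Added example, not the poster's config or a Cisco tool; the sample config is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Service names that appear in the thread's config, mapped to port numbers.
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "ftp": 21, "ftp-data": 20,
              "domain": 53, "echo": 7, "smtp": 25, "ntp": 123}


def port_num(tok: str) -> int:
    """Service name from the table above, or a numeric port."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


@dataclass(frozen=True)
class Static:
    gaddr: str            # address published on the outside
    laddr: str            # real inside address it maps to
    proto: Optional[str]  # None = whole-host static, else "tcp"/"udp"
    gport: Optional[int]

    def covers_inbound(self, host: str, proto: str, port: Optional[int]) -> bool:
        if self.gaddr != host:
            return False
        return self.proto is None or (proto == self.proto and port == self.gport)


def _endpoint(t: List[str], i: int) -> Tuple[str, int]:
    """Parse 'any' | 'host X' | 'X mask' at t[i]; return (host spec, next index)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return t[i], i + 2


def parse_config(text: str) -> Dict:
    cfg = {"statics": [], "nat": {}, "globals": set(), "acl": {}, "inbound_acl": "ACL-IN"}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        # per-port static; the 'range' form is skipped since the thread never confirms it works
        if t[0] == "static" and t[2] in ("tcp", "udp") and t[4] != "range":
            cfg["statics"].append(Static(t[3], t[5], t[2], port_num(t[4])))
        elif t[0] == "static" and t[2] not in ("tcp", "udp"):   # whole-host static
            cfg["statics"].append(Static(t[2], t[3], None, None))
        elif t[0] == "nat" and t[2] != "0":
            cfg["nat"].setdefault(t[2], set()).add("any" if t[3] in ("0", "0.0.0.0") else t[3])
        elif t[0] == "global":
            cfg["globals"].add(t[2])
        elif t[0] == "access-group" and t[-2:] == ["interface", "outside"]:
            cfg["inbound_acl"] = t[1]
        elif t[0] == "access-list" and t[2] == "permit":
            _, i = _endpoint(t, 4)            # source does not affect translation
            dst, i = _endpoint(t, i)
            ports = None
            if i < len(t) and t[i] == "eq":
                ports = (port_num(t[i + 1]), port_num(t[i + 1]))
            elif i < len(t) and t[i] == "range":
                ports = (port_num(t[i + 1]), port_num(t[i + 2]))
            if dst != "any":
                cfg["acl"].setdefault(t[1], []).append((t[3], dst, ports))
    return cfg


def inbound_gaps(cfg: Dict) -> List[Tuple[str, str, Optional[int]]]:
    """Outside-interface permits whose destination host/port has no static: dead rules."""
    gaps = []
    for proto, host, ports in cfg["acl"].get(cfg["inbound_acl"], []):
        for port in ([None] if ports is None else range(ports[0], ports[1] + 1)):
            if not any(s.covers_inbound(host, proto, port) for s in cfg["statics"]):
                gaps.append((host, proto, port))
    return gaps


def outbound_gaps(cfg: Dict) -> List[str]:
    """Inside hosts with only per-port statics and no nat/global pair: no outbound path."""
    inside = {s.laddr for s in cfg["statics"]}
    whole = {s.laddr for s in cfg["statics"] if s.proto is None}
    pat = set().union(*(h for i, h in cfg["nat"].items() if i in cfg["globals"]))
    return sorted(h for h in inside if h not in whole and h not in pat and "any" not in pat)


# Constructed sample modelled on the thread's final config (host names from the thread).
SAMPLE_CONFIG = """\
access-list ACL-IN permit tcp any host Protected-Prod2 eq ftp
access-list ACL-IN permit tcp any host Protected-Prod2 range 10022 10029
access-list ACL-IN permit tcp any host Protected-Prod6 eq 6000
access-list ACL-IN permit tcp any host Protected-Prod6 eq 5000
access-list ACL-IN permit tcp any host Protected-Prod6 eq 7000
access-list ACL-IN permit ip host Trusted-1 any
access-list ACL-IN deny ip any any
static (inside,outside) tcp Protected-Prod6 5000 Protected-Prod5 5000 netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-Prod6 6000 Protected-Prod6 6000 netmask 255.255.255.255 0 0
static (inside,outside) Protected-Prod2 Protected-Prod2 netmask 255.255.255.255 0 0
static (inside,outside) Protected-Prod5 Protected-Prod5 netmask 255.255.255.255 0 0
access-group ACL-IN in interface outside
"""
# The accepted answer's fix: a PAT pool on the outside interface plus a nat entry for the host.
PAT_FIX = "global (outside) 1 interface\nnat (inside) 1 Protected-Prod6 255.255.255.255\n"

if __name__ == "__main__":
    before, after = parse_config(SAMPLE_CONFIG), parse_config(SAMPLE_CONFIG + PAT_FIX)
    print("dead inbound permits:", inbound_gaps(before))   # [('Protected-Prod6', 'tcp', 7000)]
    print("no outbound path    :", outbound_gaps(before))  # ['Protected-Prod6']
    print("after PAT fix       :", outbound_gaps(after))   # []
```

On the sample it reports one dead inbound permit (tcp/7000 to Protected-Prod6, which has no static behind it) and flags Protected-Prod6 as having no outbound translation; appending the accepted answer's two lines clears the second finding while the first remains, since PAT does nothing for inbound. Run against a saved `write terminal` dump, it is a quick pre-change check for exactly the "no translation group found" condition before touching a live box.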
LVL 2

Author Comment

by:j_dyer
ID: 10984664
Thanks for that - it was the final piece of the puzzle.
All now appears to be working as we wanted - thanks.