Solved

Cisco PIX 501 - adding static group

Posted on 2004-04-27
15
570 Views
Last Modified: 2013-11-16
Hi all,

I am fairly new to Cisco PIX and purchased one for home just so I could learn.

Because the PIX is running as a PAT device, where the external IP is dynamic I am having difficulty enabling inbound access easily.

For example if I want to open my internal webserver to the out side I have successfully achieved this with the folling commands.

static (inside,outside) tcp interface www 192.168.10.220 www netmask 255.255.255.255 0 0

access-list inbound permit tcp any interface outside eq www

However I want to create a new rule for bittorrent (I know I know)

I created an object group (see below)

object-group service bittorrent tcp-udp
port-object range 6881 6999

But when I try adding this
static (inside,outside) tcp interface bittorrent 192.168.10.250 bittorrent netmask 255.255.255.255 0 0

It does not recognise the bittorrent group.

Help me, I have IOS 6.3(3)

Thanks,

A
0
Comment
Question by:chinster
  • 4
  • 3
  • 2
  • +3
15 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10929584
You can't use object-group names in static NAT rules.
However, you can use ACLs instead, so:

access-list bittorrent permit tcp any interface eq range 6881-6999
static (inside,outside) tcp interface 192.168.10.250 netmask 255.255.255.255 0 0 access-list bittorent

..not sure the syntax is right as don't have a PIX to play with, but you get the jist ??  ;)


0
 

Author Comment

by:chinster
ID: 10930012
access-list bittorrent permit tcp any interface outside eq range 6881-6999

gives me:

ERROR: invalid port range
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]

Am I being thick?
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10932436
I've looked up the correct syntax... sorry for the confusion !

access-list bittorrent permit tcp any interface outside range 6881 6999
0
 

Author Comment

by:chinster
ID: 10933591
Sorry dude, almost there!

access-list bittorrent permit tcp any interface outside range 6881 6999

worked, however when adding the second command

static (inside,outside) tcp interface 192.168.10.250 netmask 255.255.255.255 0 0 access-list bittorent

I get

invalid global port 192.168.10.250
Usage:  [no] static [(real_ifc, mapped_ifc)]
                {<mapped_ip>|interface}
                {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                [dns] [norandomseq] [<max_conns> [<emb_lim>]]
        [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                {<mapped_ip>|interface} <mapped_port>
                {<real_ip> <real_port> [netmask <mask>]} |
                {access-list <acl_name>}
                [dns] [norandomseq] [<max_conns> [<emb_lim>]]
0
 
LVL 13

Accepted Solution

by:
td_miles earned 63 total points
ID: 10934161
What you're wanting to do won't work. As you can see from the syntax, if you use a TCP static, you HAVE to specify the global_port (ie. the port on the outside interface). The access-list option is used for what is know as "policy NAT", where you can use an ACL to specify the local_ip/local_port as a source/destination pair rather than just the single ip/port.

rather than try to explain it all myself, have a look at the command reference:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801cd841.html

===============
static access-list (Policy NAT)
When you use an access list with the static command, then you enable policy NAT.

Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses (or ports) in an access list. Regular NAT uses source addresses/ports only, whereas policy NAT uses both source and destination addresses/ports.

With policy NAT, you can create multiple static statements that identify the same local address as long as the source/port and destination/port combination is unique for each statement. You can then match different global addresses to each source/port and destination/port pair.

While static PAT already allowed you to identify the local and global ports, policy NAT enhances this feature (as well as static NAT) by allowing you to identify the destination address for the local traffic.

Policy NAT Examples
The following example shows a Policy NAT configuration. In this example, traffic destined for the 172.16.1.0/24 from host 10.1.1.10 is translated as 192.150.49.10, and traffic destined for the 172.16.2.0/24 from host 10.1.1.10 is translated as 192.150.49.20:

access-list network-1 permit ip host 10.1.1.10 172.16.1.0 255.255.255.0
access-list network-2 permit ip host 10.1.1.10 172.16.2.0 255.255.255.0
static (inside,outside) 192.150.49.10 access-list network-1
static (inside,outside) 192.150.49.20 access-list network-2

===================

The only solution to your problem is to specify a LOT of singular port translations, or to do a one-to-one static NAT to a single internal IP address. I'm not sure that you can do a one-to-one NAT using the outside interface as the real IP, which doesn't leave you with too many options.

Sorry to be the bearer of bad news (just don't shoot the messenger !).
0
 
LVL 4

Expert Comment

by:hawgpig
ID: 10934442
It sounds like what you need is this
static (inside,outside) tcp interface 192.168.10.220 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 192.168.10.220 netmask 255.255.255.255 0 0
Plus
access-list inbound permit tcp any interface outside range 6881 6999
access-list inbound permit udp any interface outside range 6881 6999
access-list inbound permit tcp any interface outside eq www
access-group inbound in interface outside


This will allow all tcp and udp traffic to go to 192.168.10.220 via ports 6881-6999 and port 80
You can do this via an object-group buit it's kindof overkill
Good Luck
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 4

Expert Comment

by:hawgpig
ID: 10934455
oops just noticed you are running 6.3.3.....
DONT FORGET TO REBOOT AFTER ADDING THE STATICS...
6.3.3 has a static bug and a reboot is a work around...
also remember to do a
write mem
before you reboot or all will be lost...
Good Luck
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 62 total points
ID: 10935244
hawgpig,
If all tcp and udp are both static'd from interface to inside host, that will hose up all other connections, no?

Unless you can get another public IP and do a 1-1 static nat, you may have no choice except to use 100+ static lines:
static (inside,outside) tcp interface 6881 192.168.10.250 6881 netmask 255.255.255.255
static (inside,outside) tcp interface 6882 192.168.10.250 6882 netmask 255.255.255.255
static (inside,outside) tcp interface 6883 192.168.10.250 6883 netmask 255.255.255.255
static (inside,outside) tcp interface 6884 192.168.10.250 6884 netmask 255.255.255.255
static (inside,outside) tcp interface 6885 192.168.10.250 6885 netmask 255.255.255.255
<etc>
0
 
LVL 13

Expert Comment

by:td_miles
ID: 10935301
If you do decide to go the route of doing that, here is a tip that I use when I'm doing something like this.

Create a spreadsheet (eg. Excel) and create the columns like this:

column 1, row 1 = "static (inside,outside) tcp interface "
column 2, row 1 = "6881"
column 3, row 1 = " 192.168.10.250 "
column 4, row 1 = "6881"
column 5, row 1 = " netmask 255.255.255.255"

So that if you read across the first row, you have a single full ACL line spread out through the columns.

Next, you setup an incrementing sequence in the two columns that your port number is in (columns 2 & 4 in my example above) and make them increment up to the desired number. This is easy to do in Excel and the OpenOffice spreadsheet program simply by dragging the lower right hand corner of the cell downwards and it increments it as you go. Copy the other three columns downwards as you go.

Once you have it as you want it, export it as a "space delimited" file, which you can then import into your PIX config. Don't worry about any excess spaces, the PIX simply ignores them as whitespace.
0
 

Author Comment

by:chinster
ID: 10936759
Well I guess then the only answer is to add a static for each port, I was worried that was the answer!

Do any of you guys know whether this would slow the pix down having this many rules?

Again thanks for all your help!
0
 
LVL 4

Expert Comment

by:hawgpig
ID: 10938895
ooppps you are right.....
I missed that.....it looks like he is going to two different servers on the inside with a single IP ADDRESS
That can't be done....
WRITE the 100+ statics is the only way....
Sorry....
My comments will only work if all traffic is going to the same server....
0
 
LVL 4

Expert Comment

by:hawgpig
ID: 10938905
he does still need to do a reboot after all static changes.....
Good Luck...
0
 
LVL 19

Expert Comment

by:nodisco
ID: 16027572
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split: td_mile & lrmoore

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

nodisco
EE Cleanup Volunteer
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now