Solved

PIX501 ACL problems

Posted on 2004-09-02
Last Modified: 2006-11-17
Hi, I have set up a home network behind a PIX-501.
I am able to connect out and run the email server properly, and FTP in from outside; however,
I cannot connect using NetOp port 6502, RDP 3389 or the WWW server. (An oddball line, route outside 0.0.0.0 0.0.0.0 0.0.0.1 205, has also shown up, and all fails without it.)

How can I get the www/6502/and 3389 through?

TIA for any tips
MM

My conf file:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password HsssGTqhzkLZBb5WRJc encrypted
passwd .5ZW/fDGvy.sssH4CpJ encrypted
hostname pix
domain-name blah.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any host 200.200.xx.xx6 eq smtp
access-list inbound permit tcp any host 200.200.xx.xx6 eq www
access-list inbound permit tcp any host 200.200.xx.xx6 eq ftp
access-list inbound permit tcp any host 200.200.xx.xx6 eq 30000
access-list inbound permit tcp any host 200.200.xx.xx6 eq 30001
access-list inbound permit tcp any any eq 6502
pager lines 24
logging history warnings
icmp deny any echo outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe
ip address inside 192.168.123.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.1.240-192.168.1.250
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.199 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.123.200 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 192.168.123.100 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9090 192.168.123.100 9090 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8383 192.168.123.200 8383 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.123.100 ftp netmask 255.255.255.255 0 0
static (inside,outside) udp interface 6502 192.168.123.100 6502 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 30000 192.168.123.200 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 30001 192.168.123.100 3389 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 205.200.72.156 1
route outside 0.0.0.0 0.0.0.0 0.0.0.1 205
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.123.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
sysopt noproxyarp inside
telnet timeout 60
ssh 123.123.123.123 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 10
console timeout 60
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname joeblah@blahbla.net
vpdn group pppoe_group ppp authentication pap
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 192.168.123.100
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username joeblah@blahbla.net password *********
terminal width 80
banner login blah
banner motd Attention:
Question by:mothman999

4 Comments
Expert Comment

by:grblades
Hi mothman999,
You are using PPPoE for your Internet connection. Do you have a fixed IP address or does it vary?

Your inbound access-list does not correspond with your 'static' lines so that is why NetOp is not working. www should work though but your ISP may be blocking it.

Let me know if you have a fixed IP address and also give a list of all the ports you want to permit inbound and I will give you a list of commands to type.

Author Comment

by:mothman999
Hi, I have a fixed static IP and all worked fine prior to the PIX.
I am interested in ports, 25, 110, 3389, 9090, and 80.

Thanks
Accepted Solution

by:grblades (earned 125 total points)
You need to recreate the inbound access list to permit these tcp ports in :-

no access-list inbound
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq smtp
access-list inbound permit tcp any any eq pop3
access-list inbound permit tcp any any eq 3389
access-list inbound permit tcp any any eq 9090
access-group inbound in interface outside

Then you need to ensure that you have 'static' commands to route the ports to the particular internal machines. You seem to have entries for all these ports apart from 110 (pop3). Assuming you want it directed to the same machine that smtp is directed to, then add the following :-

static (inside,outside) tcp interface pop3 192.168.123.200 pop3 netmask 255.255.255.255 0 0
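As an added example (not part of the thread or of any Cisco tool), here is a small Python check of the rule grblades applies above: every port-forwarding 'static' needs an inbound permit for the same protocol and outside port, and every permit needs a 'static' behind it. It runs on a constructed config in the shape of the one posted, and it also flags a 'static' whose inside address is not on the inside interface's subnet, which the posted www static (192.168.1.199 behind 192.168.123.0/24) would trip; 203.0.113.6 is a made-up outside address.

```python
import ipaddress
# Service keywords PIX 6.3 accepts in place of port numbers (subset used here).
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "pop3": 110}
port = lambda s: PORT_NAMES.get(s) or int(s)  # keyword or numeric port -> int

# Constructed sample in the shape of the thread's config (203.0.113.6 is a made-up outside IP).
SAMPLE_CONFIG = """ip address inside 192.168.123.254 255.255.255.0
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any host 203.0.113.6 eq smtp
access-list inbound permit tcp any any eq 6502
static (inside,outside) tcp interface www 192.168.1.199 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.123.200 smtp netmask 255.255.255.255 0 0
static (inside,outside) udp interface 6502 192.168.123.100 6502 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 30001 192.168.123.100 3389 netmask 255.255.255.255 0 0"""

def parse_acl(line):
    """(proto, port) from 'access-list NAME permit PROTO SRC DST eq PORT', else None."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "permit" or t[3] not in ("tcp", "udp"):
        return None
    i = 4
    for _ in range(2):  # source, then destination: 'any', 'host IP' or 'IP MASK'
        i += 1 if t[i] == "any" else 2
    return (t[3], port(t[i + 1])) if i + 1 < len(t) and t[i] == "eq" else None

def parse_static(line):
    """(proto, outside_port, inside_ip) from a port-forwarding 'static ... interface' line."""
    t = line.split()
    if len(t) < 7 or t[0] != "static" or t[2] not in ("tcp", "udp") or t[3] != "interface":
        return None
    return t[2], port(t[4]), t[5]

def audit(config):
    """Pair inbound permits with statics by (proto, outside port). The ACL destination
    host is not compared: the statics bind to the PPPoE-assigned interface address."""
    acl, statics, inside_net = set(), {}, None
    for line in config.splitlines():
        if line.startswith("ip address inside "):
            ip, mask = line.split()[3:5]
            inside_net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif entry := parse_acl(line):
            acl.add(entry)
        elif entry := parse_static(line):
            statics[entry[:2]] = entry[2]
    return {
        "static_without_permit": sorted(k for k in statics if k not in acl),
        "permit_without_static": sorted(k for k in acl if k not in statics),
        "inside_ip_off_subnet": sorted((k, ip) for k, ip in statics.items()
                                       if inside_net and ipaddress.ip_address(ip) not in inside_net),
    }
```

On the sample it reports the udp 6502 static without a tcp-or-udp-matching permit, the tcp 6502 permit with no static, the 30001 forward with no permit, and the www static pointing off the inside subnet.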

Author Comment

by:mothman999
Thanks, this worked the magic. I don't know where I picked up the wacky lines I was trying; must cut back on the meds while at the console, I guess. Thanks again, MM