Solved

Config for PIX

Posted on 2004-09-10
Last Modified: 2013-11-29
I have a PIX 501 and I want to set up the following:

Head office (10.1.0.0 /16) <--> Router<--> Remote Office (10.17.0.0 /16) <--> PIX <--> Wireless network (10.193.0.0 /16)

The head office has a server (10.1.0.101) that the devices inside the wireless network must be able to telnet to.
The remote office has a server (10.17.0.111) that the devices inside the wireless network must be able to telnet to.
The remote office and head office must be able to ping the inside devices.

It seems pretty straightforward, but so far I've had no luck.

So far I have this:

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Quebecfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list wireless_out permit tcp telnet

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.193.0.1 255.255.0.0
ip address inside 10.17.0.2 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 10.193.0.99-10.193.0.105
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.17.0.111 10.193.0.99 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.0.101 10.193.0.100 netmask 255.255.255.255 0 0
access-group wireless_out interface outside
route inside 0.0.0.0 0.0.0.0 10.17.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.17.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Can someone help me figure out what I'm doing wrong here?

Thanks...
Question by: Robing66066

Expert Comment by frieked (ID: 12027078)
Ok, first off... never and I mean NEVER post your passwords on a forum even if they are encrypted; replace them with ********.  Most Cisco passwords are easily cracked.

Next, do you have a dedicated line between these 2 offices?  I don't see a public IP address anywhere in your config so I'm going to assume the answer is yes.

Please explain what the connection is between the router at the head office and the pix at the remote office. (internet, dedicated line...)

Author Comment by Robing66066 (ID: 12027197)
I usually do replace the passwords with *, but in this case I haven't set one, so it doesn't matter.  If you came across this firewall, you'd have an easy time guessing 'no password'.  :)  But thanks...

It is a dedicated line.  

Accepted Solution by epylko (earned 300 total points, ID: 12027923)
Your statics are backwards... You need to switch the order of the IP addresses.

Also, do you really want to NAT your traffic going to the wireless side of things? If this is all your own network you might not have to do that. Change your "nat (inside) 1" to a "nat (inside) 0"

Finally, you'll probably need an access-list on there to allow traffic from the lower security interface to the higher security interface.

Make sure you do a "clear xlate" after making any changes so the PIX will reset its translation tables.

-Eric

Author Comment by Robing66066 (ID: 12028108)
I don't need NAT running, but I will probably want to be able to ping the devices inside the wireless network.  What changes should I make?

(God I hate configuring these little buggers...)

Expert Comment by epylko (ID: 12028261)
To change the nat, you would do:

config t
no nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 0.0.0.0 0.0.0.0
exit
clear xlate

Change your statics by having the outside address first such as:
config t
no static (inside,outside) 10.17.0.111 10.193.0.99 netmask 255.255.255.255 0 0
no static (inside,outside) 10.1.0.101 10.193.0.100 netmask 255.255.255.255 0 0
static (inside,outside) 10.193.0.99 10.17.0.111 netmask 255.255.255.255 0 0
static (inside,outside) 10.193.0.100 10.1.0.101 netmask 255.255.255.255 0 0
exit
clear xlate

then check to see how things work.

-Eric

Author Comment by Robing66066 (ID: 12028822)
OK.  Things have gone from not working at all to working too well!  :)

I've decided to keep the nat for now -- hard to say what I'll want to access.

Here's what I have now...

hostname Quebecfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list wireless_out permit tcp any any eq telnet
access-list wireless_out deny ip any any
access-list wireless_in permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.193.0.1 255.255.0.0
ip address inside 10.17.0.2 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.193.0.100 10.1.0.101 netmask 255.255.255.255 0 0
static (inside,outside) 10.193.0.99 10.17.0.111 netmask 255.255.255.255 0 0
access-group wireless_out in interface outside
access-group wireless_in in interface inside
route inside 0.0.0.0 0.0.0.0 10.17.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.17.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

At this point, I can telnet to my server and I can do anything I want to the devices in the wireless area, but they can also pass any traffic they want to the server!  I want to ensure that they can only telnet to that device and do nothing else to any other device on the inside.

Assisted Solution by lrmoore (earned 150 total points, ID: 12029054)
easy with an access-list...

access-list outside_in permit tcp 10.1.0.0 255.255.0.0 host 10.193.0.99 eq 23
access-list outside_in permit tcp 10.1.0.0 255.255.0.0 host 10.193.0.101 eq 23
access-list outside_in permit icmp 10.1.0.0 255.255.0.0 host 10.193.0.99 echo
access-list outside_in permit icmp 10.1.0.0 255.255.0.0 host 10.193.0.101 echo

access-group outside_in in interface outside

Author Comment by Robing66066 (ID: 12029563)
I tried it, but it's still the same -- I can access everything on the inside from the outside.

I'm really not getting this at all.  Maybe you can help me understand how these things work.

If I understand it right, you can apply an access list in four different ways.  Inside in, inside out, outside in, outside out.

Inside in = traffic coming from somewhere, destined for a device connected to the inside port
Inside out = traffic coming from a device connected to the inside port, destined for somewhere else
Outside in = traffic coming from somewhere, destined for a device connected to the outside port
Outside out = traffic coming from a device connected to the outside port, destined for somewhere else

If that's the case, then it seems that I need to apply only one access-list.

Inside in ==> Permit Telnet to the server, deny all other traffic that didn't come from the NAT connection.  

Everything else should be a permit all.

Is that right?  I'm really starting to get lost here...  I know NAT makes some funky things happen, but I'm really not getting it at all right now...

Expert Comment by lrmoore (ID: 12030026)
>If I understand it right, you can apply an access list in four different ways.
Not on a PIX. You can only apply an acl "in" on any interface

I erroneously used .101 in my example access-list instead of .100....

Default behavior of a PIX:

ALL inbound traffic to any inside host is blocked unless it is traffic that is in response to an outbound request, i.e. a web server returning traffic to a URL request from an inside client, and an xlate already exists. Only traffic that is explicitly permitted with an access-list rule, or conduit (deprecated), is permitted in. The exception to that is ICMP traffic. You must specifically permit icmp echo-replies in your inbound acl. Your posted acl should be only permitting outside hosts to establish telnet sessions and nothing else, but you just don't specify the exact inside hosts or outside subnets, which is OK.
  >access-list wireless_out permit tcp any any eq telnet
  >access-list wireless_out deny ip any any
  >access-group wireless_out in interface outside

>I can access everything on the inside from the outside
This absolutely should not be happening since you are explicitly permitting ONLY telnet, and ONLY to the two hosts that have static entries. You are not allowing ICMP either, so you should not be able to ping anything on the inside, nor even ping anything on the outside from an inside host.

I would expect that if it was the other way around, that the INside hosts can access everything on the OUTside, that would be a true statement, as it is permitted by your access-list:

ALL outbound traffic from any host inside is permitted to any host outside unless and until an access-list is applied to the inside interface to restrict it.
In your case:
  >access-list wireless_in permit ip any any
  >access-group wireless_in in interface inside
These entries are identical to the default behavior and are redundant. You can remove them both

>it seems that I need to apply only one access-list.
Correct. Only one acl applied to the outside interface "in"

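To make the rules lrmoore describes concrete (first match wins, the implicit deny at the end of every access-list, and the outside ACL being checked against the static's global address before translation), here is a small simulator. It is example code added here, not the thread's own commands or anything from Cisco; it takes the wireless_out ACL and the corrected statics posted above, and the wireless client address 10.193.0.50 used below is a constructed sample.

```python
import ipaddress
# Constructed sample: the wireless_out ACL posted in this thread (applied "in" on
# the outside interface) and the two corrected statics. Example code added here,
# not PIX code or the thread's own; it models PIX 6.x first-match evaluation.
ACL_TEXT = """
access-list wireless_out permit tcp any any eq telnet
access-list wireless_out deny ip any any
"""
# static (inside,outside) <global> <local>: outside-visible address -> inside host
STATICS = {"10.193.0.99": "10.17.0.111", "10.193.0.100": "10.1.0.101"}

def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D NETMASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """'access-list NAME permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]' -> tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, rest = parse_addr(t[4:])
        dst, rest = parse_addr(rest)
        qual = None
        if rest[:1] == ["eq"]:      # tcp/udp destination port, by name or number
            qual = {"telnet": 23}.get(rest[1]) or int(rest[1])
        elif rest:                  # icmp type, e.g. 'echo'
            qual = rest[0]
        rules.append((action, proto, src, dst, qual))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, qual=None):
    """First matching rule wins; falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, rsrc, rdst, rqual in rules:
        if rproto in (proto, "ip") and s in rsrc and d in rdst \
                and (rqual is None or rqual == qual):
            return action
    return "deny"

def inbound(rules, proto, src_ip, dst_ip, qual=None):
    """Outside -> inside: the outside ACL sees the mapped (global) address, then a
    static maps it to the real inside host. None means denied or no static."""
    if evaluate(rules, proto, src_ip, dst_ip, qual) != "permit":
        return None
    return STATICS.get(dst_ip)
```

Running the two-line ACL with and without its explicit "deny ip any any" gives the same answers, which is why that line is redundant; only telnet to the two static addresses reaches an inside host, and ICMP echo is dropped unless a rule permits it.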
Expert Comment by lrmoore (ID: 12030105)
I take back one comment. Because you have no global (outside) command, no connections initiated from the inside should be working. Add the following:

global (outside) 1 interface

The "1" matches your nat (inside) 1

Assisted Solution by boozydaboozer (earned 50 total points, ID: 12030891)
Note.

Traffic from 'inside' can by default always go to 'outside' unless you explicitly deny it by attaching an access-list to the inside interface.

0
 
LVL 7

Author Comment

by:Robing66066
ID: 12030909
Got it.

I had the config working for a long time and didn't know it.  What I was using to test whether a connection could be made from outside to inside was nbtstat.  Unfortunately, I tested it both ways, from in to out and then back again.  What I didn't know was that by doing the test first from in to out, I made it possible for the untrusted machine to get the nbtstat information.  Learn something new every day...

Thanks for your help.