• Status: Solved

PIX 515e replacing Linksys DSL Router

The customer has a static DSL circuit with a Linksys router, currently configured as follows:

WAN IP  64.174.111.89
WAN SUBNET 255.255.255.248
WAN GATEWAY 64.174.111.94
DNS 206.13.29.12
DNS 206.13.30.12

The current internal IP scheme is 10.10.10.xxx, subnet 255.255.255.0.
I have a DHCP server running internally, and some workstations have static addresses.

The Linksys router IP is 10.10.10.252.
It has UPnP port forwarding for external port 990 (TCP) to internal port 990 at IP address 10.10.10.198
(this is for a secure FTP static route to an HL7 interface PC I need).
It also has port range forwarding for:
port 3389-3389 TCP to 10.10.10.2 for Terminal Server access
port 2000-2010 TCP/UDP to 10.10.10.198 for Serv-U FTP software access


I need to know how to program the PIX exactly the same way as the Linksys, with
everything else blocked.

Let me know the best way to proceed
Asked: streamline1

1 Solution

lrmoore commented:
Do you have any experience at all with Cisco command line, PIX in particular? Do you know how to get to the command line via console cable?
I just need to know where to start. I can post a complete config that you can pretty much cut/paste if you want...

lrmoore commented:
When you first boot up the PIX with the console cable connected and HyperTerminal open (9600, 8, n, 1, no flow control), you will be presented with questions for the initial setup. Answer the questions. They include what hostname you want to use, what the domain name is, whether or not you want to use the PDM (GUI), what IP address you want on the interfaces, etc.:

Pre-configure PIX Firewall now through interactive prompts [yes]

Enable password [<use current password>]: <password>
Clock (UTC):
  Year [2004]:
  Month [Sep]:
  Day [29]:
  Time [08:13:43]:
Inside IP address []:10.10.10.252
Inside network mask []:255.255.255.0
Host name [Pixfirewall]:MYPIX
Domain name [cisco.com]: mydomain.com

IP address of host running PIX Device Manager: <enter>

The following configuration will be used:
Enable password: <current password>
Clock (UTC): 08:13:43 Sep 29 2004
Inside IP address: 10.10.10.252
Inside network mask: 255.255.255.0
Host name: MYPIX
Domain name: mydomain.com

Use this configuration and write to flash? YES
PIX will reboot, come up to MYPIX>
MYPIX>enable
Password:
MYPIX#config term
MYPIX(config)#

Now you can enter these commands exactly as they are, or cut/paste-to-host into hyperterm:

interface ethernet0 auto
interface ethernet1 auto

ip address outside 64.174.111.89 255.255.255.248
ip address inside 10.10.10.252 255.255.255.0
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 64.174.111.94

static (inside,outside) tcp interface 990 10.10.10.198 990
static (inside,outside) tcp interface 3389 10.10.10.2 3389
static (inside,outside) tcp interface 2000 10.10.10.198 2000
static (inside,outside) tcp interface 2000 10.10.10.198 2001
static (inside,outside) tcp interface 2000 10.10.10.198 2002
static (inside,outside) tcp interface 2000 10.10.10.198 2003
static (inside,outside) tcp interface 2000 10.10.10.198 2004
static (inside,outside) tcp interface 2000 10.10.10.198 2005
static (inside,outside) tcp interface 2000 10.10.10.198 2006
static (inside,outside) tcp interface 2000 10.10.10.198 2007
static (inside,outside) tcp interface 2000 10.10.10.198 2008
static (inside,outside) tcp interface 2000 10.10.10.198 2009
static (inside,outside) tcp interface 2000 10.10.10.198 2010


access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq 990
access-list outside_in permit tcp any interface outside range 2000 2010

access-group outside_in in interface outside

MYPIX(config)#exit

MYPIX#write mem     <=== SAVE YOUR WORK
streamline1 (Author) commented:
lrmoore,
thank you for the feedback, that's exactly what I was looking for. I'm onsite right now and will cut and paste this config in and test it.

Question on access lists for VPN connectivity. This PIX will be used for VPN connections and I don't know whether to have the access list on the PIX or on the domain; do you have any input on this? I'm very new to Cisco and VPN but completely understand your post on the config.

Also, this is supposed to have a GUI interface. I have connected my laptop directly to a hub, then the hub to E1 (which I think should be 10.10.10.252). I cannot ping 10.10.10.252 or open it with a browser; am I missing something?

One last item: since I just signed up with Experts Exchange with the premium $99 per year subscription, how do the points work? I have answered some other posts that were worth 50 points last night...

Thanks
Butch
streamline1 (Author) commented:
One more: the customer's domain name is 3tinc.com, and the PIX does not like the number. Is there any way around this?
lrmoore commented:
Let me answer some of your questions. How about we get the PIX up and running first, then you can post a new question to get the VPN going?

If you have E1 plugged into a hub, and your laptop also plugged into the hub, and you get green lights on both ports, then you should be able to ping 10.10.10.252 (assuming you went through the setup routine). If you can't ping it, then the port may not be enabled. To enable a port, issue this command:

>interface ethernet1 auto

To get to the web gui, use https://<ip address>
                                           ^^
Just say yes to any Security alerts..

There are two different types of points. Question points (which you pay for and should get unlimited), and Expert points. Whenever you post a question worth xx points, and you are satisfied that you have solved the issue, you have to use the "accept" button next to the comment that helped you most. You will then be asked to assign a grade A, B or C. The expert will be awarded the question points, multiplied by the grade. For example, this Q has a value of 500 points. If you accept one of my comments and assign an A, I will receive 2000 (4x value) expert points. Accumulation of Expert points puts us up the ladder in the point standings within specific topic areas, and in the overall "hall of fame". That is all we receive for our efforts. A grade of "B" gives us 3x value, and most experts feel that a "C" is a "failing" grade and might complain, even though they will still get 2x the point value. We are all volunteers and work for points only.

The PIX domain name is virtually irrelevant. You can put in threetinc.com in that space if you want. The only reason it needs it is to generate an RSA key which you then import into your browser to keep from seeing the security alerts whenever you open the GUI... it serves no other purpose.
streamline1 (Author) commented:
RESULTS AND ERROR OF CUT AND PASTE

Use this configuration and write to flash? yes
Building configuration...
Cryptochecksum: a65562ce 67c6a228 18876ffc 3d0cb727
[OK]
MYPIX(config)# interface ethernet0 auto
MYPIX(config)# interface ethernet1 auto
MYPIX(config)#
MYPIX(config)# ip address outside 64.174.111.89 255.255.255.248
MYPIX(config)# ip address inside 10.10.10.252 255.255.255.0
MYPIX(config)# global (outside) 1 interface
global for this range already exists
MYPIX(config)# nat (inside) 1 10.10.10.0 255.255.255.0
MYPIX(config)#
MYPIX(config)# route outside 0.0.0.0 0.0.0.0 64.174.111.94
MYPIX(config)#
MYPIX(config)# static (inside,outside) tcp interface 990 10.10.10.198 990
MYPIX(config)# static (inside,outside) tcp interface 3389 10.10.10.2 3389
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2001
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
Usage:  [no] static [(internal_if_name, external_if_name)]
                {<global_ip>|interface} <local_ip> [dns] [netmask <mask>]
                [<max_conns> [<emb_limit> [<norandomseq>]]]
        [no] static [(internal_if_name, external_if_name)] {tcp|udp}
                {<global_ip>|interface} <global_port>
                <local_ip> <local_port> [dns] [netmask <mask>]
                [<max_conns> [<emb_limit> [<norandomseq>]]]
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2002
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2003
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2004
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2005
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2006
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2007
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2008
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2009
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2010
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)#
MYPIX(config)#
MYPIX(config)# access-list outside_in permit tcp any interface outside eq 3389
MYPIX(config)# access-list outside_in permit tcp any interface outside eq 990
MYPIX(config)# access-list outside_in permit tcp any interface outside range 2$
MYPIX(config)#
MYPIX(config)# access-group outside_in in interface outside
MYPIX(config)#
lrmoore commented:
D'OH! My bad...

Paste this in:

static (inside,outside) tcp interface 2001 10.10.10.198 2001
static (inside,outside) tcp interface 2002 10.10.10.198 2002
static (inside,outside) tcp interface 2003 10.10.10.198 2003
static (inside,outside) tcp interface 2004 10.10.10.198 2004
static (inside,outside) tcp interface 2005 10.10.10.198 2005
static (inside,outside) tcp interface 2006 10.10.10.198 2006
static (inside,outside) tcp interface 2007 10.10.10.198 2007
static (inside,outside) tcp interface 2008 10.10.10.198 2008
static (inside,outside) tcp interface 2009 10.10.10.198 2009
static (inside,outside) tcp interface 2010 10.10.10.198 2010

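An added example, not from the thread or from Cisco: a small offline checker in Python that parses the `static` and `access-list outside_in` lines from lrmoore's two batches, flags a global port claimed twice (the cause of the "static overlaps" errors above), cross-checks that every permitted port has a translation and vice versa, and compares the result with the Linksys forwarding rules from the question. It goes one step beyond the thread by showing that the corrected PIX config still forwards only TCP 2000-2010, while the Linksys also forwarded UDP on that range. The regexes, the rule table and both config samples are constructed here for the example.

```python
import re

# Constructed input: lrmoore's first batch of statics, which reuse global port 2000
# (the PIX rejected all but the first with "static overlaps with ... /2000").
BUGGY_CFG = """
static (inside,outside) tcp interface 990 10.10.10.198 990
static (inside,outside) tcp interface 3389 10.10.10.2 3389
static (inside,outside) tcp interface 2000 10.10.10.198 2000
static (inside,outside) tcp interface 2000 10.10.10.198 2001
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq 990
access-list outside_in permit tcp any interface outside range 2000 2010
"""
# Constructed input: the corrected batch, one global port per static, same ACL.
FIXED_CFG = "\n".join(
    ["static (inside,outside) tcp interface 990 10.10.10.198 990",
     "static (inside,outside) tcp interface 3389 10.10.10.2 3389"]
    + [f"static (inside,outside) tcp interface {p} 10.10.10.198 {p}" for p in range(2000, 2011)]
    + BUGGY_CFG.strip().splitlines()[-3:]
)
# The Linksys forwards from the question; note 2000-2010 was TCP *and* UDP there.
LINKSYS_RULES = {("tcp", 990): ("10.10.10.198", 990), ("tcp", 3389): ("10.10.10.2", 3389)}
for p in range(2000, 2011):
    LINKSYS_RULES[("tcp", p)] = ("10.10.10.198", p)
    LINKSYS_RULES[("udp", p)] = ("10.10.10.198", p)

STATIC_RE = re.compile(r"^static \(\w+,\w+\) (tcp|udp) \S+ (\d+) (\S+) (\d+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any interface \w+ "
                    r"(?:eq (\d+)|range (\d+) (\d+))$")

def parse_statics(cfg):
    """Map (proto, global_port) -> (local_ip, local_port). A second static for the
    same global port is recorded as a duplicate, which is what the PIX refuses."""
    mapping, duplicates = {}, []
    for line in cfg.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        key = (m.group(1), int(m.group(2)))
        if key in mapping:
            duplicates.append(key)
        else:
            mapping[key] = (m.group(3), int(m.group(4)))
    return mapping, duplicates

def parse_acl(cfg, name):
    """Set of (proto, port) the named access-list permits inbound on the interface."""
    ports = set()
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        lo, hi = (m.group(3), m.group(3)) if m.group(3) else (m.group(4), m.group(5))
        ports.update((m.group(2), p) for p in range(int(lo), int(hi) + 1))
    return ports

def audit(cfg, acl_name, expected):
    """Findings: statics the PIX would reject, ACL/static mismatches (a permit with no
    translation is dead, a translation with no permit is unreachable), and Linksys
    forwards that this PIX config does not implement identically."""
    statics, dups = parse_statics(cfg)
    keys, permitted = set(statics), parse_acl(cfg, acl_name)
    return {
        "duplicate_static": sorted(set(dups)),
        "permitted_without_static": sorted(permitted - keys),
        "static_without_permit": sorted(keys - permitted),
        "missing_vs_linksys": sorted(k for k, v in expected.items() if statics.get(k) != v),
    }
```

Running `audit(FIXED_CFG, "outside_in", LINKSYS_RULES)` reports no duplicates and no ACL/static mismatch, but lists the eleven UDP ports the Linksys forwarded and the PIX config does not.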
streamline1 (Author) commented:
Okay, pasted that in with no errors.
Do I need to rerun the previous config you sent?
How can I check to make sure all is well in the PIX configuration?
I did write mem and got [OK].
lrmoore commented:
No need to re-run anything.
Use "show config" to make sure everything is in place, and "show interface" to make sure you get the interface "up"

If you can connect your pc and the PIX to the hub (make sure nothing else is plugged into the hub), and assign your PC an IP address in the same 10.10.10.x range, can you now ping the PIX IP 10.10.10.252? If yes, then you should be golden.
It'll be tricky to test out as long as the Linksys router is in place. You'll just have
lrmoore commented:
Oops.. didn't finish my thoughts here:

You'll just have to wait until you can shut off the Linksys and put the PIX in its place to test any further.
Note: don't try to use PING as a test. We have not allowed the ping responses to come back in. You should be able to open up a browser and go to any web page, or do anything else on the net.

Then you can test inbound traffic for the rules.
Note: you cannot test from inside the network using the public IP like you can with the Linksys. You must be on the outside of the network to test.
streamline1 (Author) commented:
How can I wipe the PIX config clean and re-paste your configs?
There are some leftover PPPoE settings that show up when I do a show config.

Configured my laptop to 10.10.10.251 and I can ping 252, but still cannot browse https://10.10.10.252?
Not a big deal, just wondering why I cannot get the GUI to work.

lrmoore commented:
You can wipe the existing config:

MYPIX#write erase
then reboot.

You need to add:
  http server enable
  http 10.10.10.251 255.255.255.255 inside

Then you should be able to use the browser..

 
streamline1 (Author) commented:
Making progress and just about ready to plug the PIX in.
>you are sure that I'm not allowing any unauthorized access right :)

I did not wipe the config clean, but I did get the browser up and running and made sure PPPoE was not enabled on the outside interface.
How can I delete http 10.10.10.251 255.255.255.255 inside and add http 10.10.10.203 255.255.255.255 inside?
I get an error when I simply try to add 203, that it exists.
lrmoore commented:
you can delete just about any line with "no" in front:

  no http 10.10.10.251 255.255.255.255 inside
  ^

>you are sure that im not allowing any unauthorized access right :)
That depends on the existing config since this was not a new out-of-the-box PIX.
However, the default behavior of the PIX is to block ALL unsolicited incoming traffic unless and until it is explicitly permitted by an access-list. Only those ports defined in the access-list will be permitted in, with the exception, of course, of any responses back to inside hosts, i.e. go to www.experts-exchange.com and the returning traffic from that site will be let in automagically...
streamline1 (Author) commented:
Would you suggest that I do a write erase and paste your configs to make sure all is blocked?
By default, is the DHCP server enabled after a write erase?
How do I give you 10000 points? You have been a huge help with this.
lrmoore commented:
Yes, I personally would start from a clean slate.
The 515 does not enable the DHCP server by default.

500 is the max points for any one question, but you are welcome to ask as many questions as you want...
streamline1 (Author) commented:
So I got a clean config. Do I simply add the second config statements you sent me to the first and run them all?
Will I get the same errors as before? Is there anything I should correct in the 1st config before I run it again to resolve the errors?
streamline1 (Author) commented:
One more: how can I see what IP is configured for http inside browser access?
streamline1 (Author) commented:
lrmoore, I'm connected through the PIX sending you this message.
Working good so far, much faster than the Linksys.
Still cannot get the browser to work with the new IP, but going to connect the console cable to check.
streamline1 (Author) commented:
More to update:
Internet is up.
Secure FTP on port 900 is not working.
Also found that I have an internal PC, 10.10.10.249, that uses an extranet VPN client to connect to the outside (63.136.96.3), and it fails.
Can I telnet into the PIX from an inside workstation?
telnet 10.10.10.252 prompts me for a password, but I did not think I had a password.
streamline1 (Author) commented:
Browser is working now, still no go on the extranet VPN client and secure FTP.
Are there logs I can check to see what is trying to access outside so I can build a rule?
For now I'm going to plug the Linksys back in to get the customer back up.
Thanks
lrmoore commented:
Good job!

Sorry about that, I had to leave for a while..
>extranet vpn client and secure ftp
Try adding the command (same as IPSEC passthrough on the Linksys):
MYPIX(config)#   isakmp nat-traversal 30

>are there logs I can check to see what is trying to access outside so I can build a rule
First, you have to enable logging to buffer:
MYPIX(config)# logging on
MYPIX(config)# logging buffered informational

Then you can use "show log" to see if anything in particular is being denied...

>How can I see what IP is configured for http inside browser access
 just add the following:
MYPIX(config)# http server enable
MYPIX(config)# http 10.10.10.0 255.255.255.0 inside   <== any system on the inside can http to it.

When you get prompted for username/password, leave the username blank and use the enable password. Didn't set an enable password? Just hit enter..

>prompts me for password but I did not think I had a password
You have to set a telnet password:
MYPIX(config)# passwd <password>
streamline1 (Author) commented:
OK, I had to hook the Linksys back up and will try to return to this client tomorrow to add the changes to the config.
How do I give you points? (Click on accept in your answers?)
If I end up going onsite Sunday night, will you be available for help to get this going?
Are you on PST?
Thanks again
lrmoore commented:
Yes, you can simply click on "accept" on any one comment.
Yes, I should be available Sunday p.m. I'm on CST..

Glad I could be of assistance!
streamline1 (Author) commented:
lrmoore, I will be onsite at the customer's this Sunday about 6pm PST. I will add the statements to the config and see if VPN and FTP work. I will let you know.
Thanks
streamline1 (Author) commented:
lrmoore, it's Sunday night, 6:45pm PST. I'm onsite; are you available?
lrmoore commented:
So sorry I missed your post... how'd it go?
lrmoore commented:
Using the PDM?  File | show running config in new window
Cut/paste into EE, edit, then submit..

Question has a verified solution.
