Solved

PIX 515e replacing Linksys DSL Router

Posted on 2004-09-28
28
565 Views
Last Modified: 2013-11-16
Customer has a static DSL circuit with a Linksys router currently configured
as follows:

WAN IP  64.174.111.89
WAN SUBNET 255.255.255.248
WAN GATEWAY 64.174.111.94
DNS 206.13.29.12
DNS 206.13.30.12

Current Internal IP scheme is 10.10.10.xxx subnet 255.255.255.0
I have a DHCP server running internally and also have some workstations
static.

Linksys Router IP is 10.10.10.252
it has UPNP port forwarding for External Port 990 (TCP Protocol) to Internal
Port 990 to IP address 10.10.10.198
--this is for a secure FTP static route to a HL7 interface PC I need
Also it has port range forwarding for:
port 3389-3389 TCP to 10.10.10.2 for Terminal Server Access
port 2000-2010 TCP/UDP to 10.10.10.198 for Servu-FTP software access


I need to know how to program the PIX exactly the same way as the Linksys, with
everything else blocked.

Let me know the best way to proceed
0
Comment
Question by:streamline1
28 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12178846
Do you have any experience at all with Cisco command line, PIX in particular? Do you know how to get to the command line via console cable?
I just need to know where to start. I can post a complete config that you can pretty much cut/paste if you want...

0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12179439
When you first boot up the PIX with console cable connected, Hyperterm open (9600, 8,n,1, no flow control) you will be presented with questions for the initial setup. Answer the questions. Questions include what hostname you want to use, what the domain name is, whether or not you want to use the PDM (GUI), what IP address you want on the interfaces, etc:

Pre-configure PIX Firewall now through interactive prompts [yes]

Enable password [<use current password>]: <password>
Clock (UTC):
  Year [2004]:
  Month [Sep]:
  Day [29]:
  Time [08:13:43]:
Inside IP address []:10.10.10.252
Inside network mask []:255.255.255.0
Host name [Pixfirewall]:MYPIX
Domain name [cisco.com]: mydomain.com

IP address of host running PIX Device Manager: <enter>

The following configuration will be used:
Enable password: <current password>
Clock (UTC): 08:13:43 Sep 29 2004
Inside IP address: 10.10.10.252
Inside network mask: 255.255.255.0
Host name: MYPIX
Domain name: mydomain.com

Use this configuration and write to flash? YES
PIX will reboot, come up to MYPIX>
MYPIX>enable
Password:
MYPIX#config term
MYPIX(config)#

Now you can enter these commands exactly as they are, or cut/paste-to-host into hyperterm:

interface ethernet0 auto
interface ethernet1 auto

ip address outside 64.174.111.89 255.255.255.248
ip address inside 10.10.10.252 255.255.255.0
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 64.174.111.94

static (inside,outside) tcp interface 990 10.10.10.198 990
static (inside,outside) tcp interface 3389 10.10.10.2 3389
static (inside,outside) tcp interface 2000 10.10.10.198 2000
static (inside,outside) tcp interface 2000 10.10.10.198 2001
static (inside,outside) tcp interface 2000 10.10.10.198 2002
static (inside,outside) tcp interface 2000 10.10.10.198 2003
static (inside,outside) tcp interface 2000 10.10.10.198 2004
static (inside,outside) tcp interface 2000 10.10.10.198 2005
static (inside,outside) tcp interface 2000 10.10.10.198 2006
static (inside,outside) tcp interface 2000 10.10.10.198 2007
static (inside,outside) tcp interface 2000 10.10.10.198 2008
static (inside,outside) tcp interface 2000 10.10.10.198 2009
static (inside,outside) tcp interface 2000 10.10.10.198 2010


access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq 990
access-list outside_in permit tcp any interface outside range 2000 2010

access-group outside_in in interface outside

MYPIX(config)#exit

MYPIX#write mem     <=== SAVE YOUR WORK
0
 

Author Comment

by:streamline1
ID: 12183248
lrmoore,
thank you for the feedback, that's exactly what I was looking for. I'm onsite right now and will cut and paste this config in and test it.

Question on access lists for VPN connectivity. This PIX will be used for VPN connections and I don't know whether to have the access list on the PIX or on the domain; do you have any input on this? I'm very new to Cisco & VPN but completely understand your post on the config.

Also this is supposed to have a GUI interface. I have connected my laptop directly to a hub, then hub to E1 (which I think should be 10.10.10.252). I cannot ping 10.10.10.252 or open it with a browser; am I missing something?

One last item: since I just signed up with Experts Exchange with the premium $99 per year subscription, how do the points work? I have answered some other posts that were worth 50 points last night...

Thanks
Butch
0
 

Author Comment

by:streamline1
ID: 12183268
One more: the customer's domain name is 3tinc.com, and the PIX does not like the number. Is there any way around this?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12183371
Let me answer some of your questions. How about we get the PIX up and running first, then you can post a new question to get the VPN going?

If you have E1 plugged into a hub, and your laptop also plugged into the hub, and you get green lights on both ports, then you should be able to ping 10.10.10.252 (assuming you went through the setup routine). If you can't ping it, then the port may not be enabled. To enable a port, issue this command:

>interface ethernet1 auto

To get to the web gui, use https://<ip address>
                                           ^^
Just say yes to any Security alerts..

There are two different types of points. Question points (which you pay for and should get unlimited), and Expert points. Whenever you post a question worth xx points, and you are satisfied that you have solved the issue, you have to use the "accept" button next to the comment that helped you most. You will then be asked to assign a grade A, B or C. The expert will be awarded the question points, multiplied by the grade. For example, this Q has a value of 500 points. If you accept one of my comments and assign an A, I will receive 2000 (4x value) expert points. Accumulation of Expert points puts us up the ladder in the point standings within specific topic areas, and in the overall "hall of fame". That is all we receive for our efforts. A grade of "B" gives us 3x value, and most experts feel that a "C" is a "failing" grade and might complain, even though they will still get 2x the point value. We are all volunteers and work for points only.

The PIX domain name is virtually irrelevant. You can put in threetinc.com in that space if you want. The only reason it needs it is to generate an RSA key which you then import into your browser to keep from seeing the security alerts whenever you open the GUI... it serves no other purpose.
0
 

Author Comment

by:streamline1
ID: 12183608
RESULTS AND ERROR OF CUT AND PASTE

Use this configuration and write to flash? yes
Building configuration...
Cryptochecksum: a65562ce 67c6a228 18876ffc 3d0cb727
[OK]
MYPIX(config)# interface ethernet0 auto
MYPIX(config)# interface ethernet1 auto
MYPIX(config)#
MYPIX(config)# ip address outside 64.174.111.89 255.255.255.248
MYPIX(config)# ip address inside 10.10.10.252 255.255.255.0
MYPIX(config)# global (outside) 1 interface
global for this range already exists
MYPIX(config)# nat (inside) 1 10.10.10.0 255.255.255.0
MYPIX(config)#
MYPIX(config)# route outside 0.0.0.0 0.0.0.0 64.174.111.94
MYPIX(config)#
MYPIX(config)# static (inside,outside) tcp interface 990 10.10.10.198 990
MYPIX(config)# static (inside,outside) tcp interface 3389 10.10.10.2 3389
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2001
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
Usage:  [no] static [(internal_if_name, external_if_name)]
                {<global_ip>|interface} <local_ip> [dns] [netmask <mask>]
                [<max_conns> [<emb_limit> [<norandomseq>]]]
        [no] static [(internal_if_name, external_if_name)] {tcp|udp}
                {<global_ip>|interface} <global_port>
                <local_ip> <local_port> [dns] [netmask <mask>]
                [<max_conns> [<emb_limit> [<norandomseq>]]]
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2002
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2003
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2004
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2005
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2006
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2007
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2008
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2009
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
MYPIX(config)# static (inside,outside) tcp interface 2000 10.10.10.198 2010
ERROR: static overlaps with 64.174.111.89/2000 to 10.10.10.198/2000
(the same Usage text shown above followed each of these errors; omitted here)
MYPIX(config)#
MYPIX(config)#
MYPIX(config)# access-list outside_in permit tcp any interface outside eq 3389
MYPIX(config)# access-list outside_in permit tcp any interface outside eq 990
MYPIX(config)# access-list outside_in permit tcp any interface outside range 2$
MYPIX(config)#
MYPIX(config)# access-group outside_in in interface outside
MYPIX(config)#
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12183859
D'OH! My bad...

Paste this in:

static (inside,outside) tcp interface 2001 10.10.10.198 2001
static (inside,outside) tcp interface 2002 10.10.10.198 2002
static (inside,outside) tcp interface 2003 10.10.10.198 2003
static (inside,outside) tcp interface 2004 10.10.10.198 2004
static (inside,outside) tcp interface 2005 10.10.10.198 2005
static (inside,outside) tcp interface 2006 10.10.10.198 2006
static (inside,outside) tcp interface 2007 10.10.10.198 2007
static (inside,outside) tcp interface 2008 10.10.10.198 2008
static (inside,outside) tcp interface 2009 10.10.10.198 2009
static (inside,outside) tcp interface 2010 10.10.10.198 2010

0
 

Author Comment

by:streamline1
ID: 12184051
Okay, pasted that in with no errors.
Do I need to rerun the previous config you sent?
How can I check to make sure all is well in the PIX configuration?
I did write mem and [OK]
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12184113
No need to re-run anything.
Use "show config" to make sure everything is in place, and "show interface" to make sure you get the interface "up"

If you can connect your pc and the PIX to the hub (make sure nothing else is plugged into the hub), and assign your PC an IP address in the same 10.10.10.x range, can you now ping the PIX IP 10.10.10.252? If yes, then you should be golden.
It'll be tricky to test out as long as the Linksys router is in place. You'll just have
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12184137
Oops.. didn't finish my thoughts here:

You'll just have to wait until you can shut off the Linksys and put the PIX in its place to test any further.
Note: don't try to use PING as a test. We have not allowed the ping responses to come back in. You should be able to open up a browser and go to any web page, or do anything else on the net.

Then you can test inbound traffic for the rules.
Note: you cannot test from inside the network using the public IP like you can with the Linksys. You must be on the outside of the network to test.
0
 

Author Comment

by:streamline1
ID: 12184408
How can I wipe the PIX config clean and re-paste your configs?
There are some leftover PPPoE settings that show up when I do a show config.

Configured my laptop to 10.10.10.251 and can ping 252, but still cannot browse https://10.10.10.252?
-not a big deal, just wondering why I cannot get the GUI to work

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12184465
You can wipe the existing config:

MYPIX#write erase
then reboot.

You need to add:
  http server enable
  http 10.10.10.251 255.255.255.255 inside

Then you should be able to use the browser..

 
0
 

Author Comment

by:streamline1
ID: 12184603
Making progress and just about ready to plug the PIX in.
>you are sure that I'm not allowing any unauthorized access right :)

I did not wipe the config clean, but I did get the browser up and running and made sure PPPoE was not enabled on the outside int.
How can I delete http 10.10.10.251 255.255.255.255 inside and add http 10.10.10.203 255.255.255.255 inside?
I get an error when I simply try to add 203 that it exists.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12184655
you can delete just about any line with "no" in front:

  no http 10.10.10.251 255.255.255.255 inside
  ^

>you are sure that I'm not allowing any unauthorized access right :)
That depends on the existing config since this was not a new out-of-the-box PIX.
However, default behavior of PIX is to block ALL unsolicited incoming traffic unless and until it is explicitly permitted by an access-list.  Only those ports defined in the access-list will be permitted in, of course, with the exception of any responses back to inside hosts, i.e. go to www.experts-exchange.com and the returning traffic from that site will be let in automagically...
0
 

Author Comment

by:streamline1
ID: 12184679
Would you suggest that I do a write erase and paste your configs to make sure all is blocked?
By default, is the DHCP server enabled after a write erase?
How do I give you 10000 points? You have been a huge help with this.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12184712
Yes, I personally would start from a clean slate.
The 515 does not enable the DHCP server by default

500 is the max points for any one question, but you are welcome to ask as many questions as you want...
0
 

Author Comment

by:streamline1
ID: 12184742
So I got a clean config; do I simply just add the second config statements you sent me to the first and run them all?
Will I get the same errors as before? Is there anything I should correct in the 1st config before I run it again to resolve the errors?
0
 

Author Comment

by:streamline1
ID: 12185054
One more: how can I see what IP is configured for http inside browser access?
0
 

Author Comment

by:streamline1
ID: 12185375
lrmoore, I'm connected through the PIX sending you this message.
Working good so far, much faster than the Linksys.
Still cannot get the browser to work with the new IP, but going to connect the console cable to check.
0
 

Author Comment

by:streamline1
ID: 12185448
More to update:
Internet is up.
Secure FTP on port 900 is not working.
Also found that I have an internal PC 10.10.10.249 that uses an extranet VPN client to connect to the outside (63.136.96.3) and it fails.
Can I telnet into the PIX from an inside workstation?
telnet 10.10.10.252 prompts me for a password but I did not think I had a password.
0
 

Author Comment

by:streamline1
ID: 12185529
Browser is working now; still no go on the extranet VPN client and secure FTP.
Are there logs I can check to see what is trying to access outside so I can build a rule?
For now I'm going to plug the Linksys back in to get the customer back up.
Thanks
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12185935
Good job!

Sorry about that, I had to leave for a while..
>extranet vpn client and secure ftp
Try adding the command (same as IPSEC passthrough on the Linksys):
MYPIX(config)#   isakmp nat-traversal 30

>are there logs I can check to see what is trying to access outside so I can build a rule
First, you have to enable logging to buffer:
MYPIX(config)# logging on
MYPIX(config)# logging buffered informational

Then you can use "show log" to see if anything in particular is being denied...

>How can I see what IP is configured for http inside browser access
 just add the following:
MYPIX(config)# http server enable
MYPIX(config)# http 10.10.10.0 255.255.255.0 inside   <== any system on the inside can http to it.

When you get prompted for username/password, leave the username blank and use the enable password. Didn't set an enable password? Just hit enter..

>prompts me for password but I did not think I had a password
You have to set a telnet password:
MYPIX(config)# passwd <password>
0
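An added example, not part of lrmoore's post: a Python parser for the buffered log that turns `show log` deny messages into a short list of candidate rules, which is the "so I can build a rule" step the question above asks about. The sample log is constructed for this example; the message shapes follow PIX 6.x syslog IDs 106001, 106006, 106023 and 302013, 63.136.96.3 is the extranet VPN endpoint from the thread, and the 198.51.100.0/24 hosts are invented. The `trusted_peers` argument carries the caveat a practitioner would want here: a deny in the log is evidence that something tried, not a reason to open the port, so only denies from a peer you already expect become candidate, source-restricted `access-list` entries (same `interface outside` syntax as the thread's ACL) and everything else is counted as noise. A permit alone is still not enough on the PIX: inbound traffic to the outside address also needs a `static`, as in the accepted answer.

```python
"""Mine PIX 6.x 'show log' output for denies and draft candidate rules."""
import re
from collections import Counter
from typing import List, Set, Tuple

# Constructed sample of buffered log lines. Message shapes follow PIX 6.x
# syslog IDs 106001, 106006, 106023 and 302013; addresses and counts are
# invented for this example (63.136.96.3 is the VPN peer from the thread).
SAMPLE_LOG = """\
%PIX-2-106001: Inbound TCP connection denied from 63.136.96.3/4500 to 64.174.111.89/4500 flags SYN on interface outside
%PIX-2-106006: Deny inbound UDP from 63.136.96.3/500 to 64.174.111.89/500 on interface outside
%PIX-2-106006: Deny inbound UDP from 63.136.96.3/500 to 64.174.111.89/500 on interface outside
%PIX-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:10.10.10.198/22 by access-group "outside_in"
%PIX-6-302013: Built outbound TCP connection 12 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:10.10.10.249/1055 (64.174.111.89/1055)
%PIX-4-106023: Deny tcp src outside:198.51.100.7/51235 dst inside:10.10.10.198/22 by access-group "outside_in"
"""

Deny = Tuple[str, str, str, int]   # (proto, src_ip, dst_ip, dst_port)

# One pattern per deny message ID; lines matching none of them are ignored.
DENY_PATTERNS = [
    re.compile(r"%PIX-\d-106001: Inbound (?P<proto>TCP|UDP) connection denied from "
               r"(?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/(?P<dport>\d+)"),
    re.compile(r"%PIX-\d-106006: Deny inbound (?P<proto>TCP|UDP) from "
               r"(?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/(?P<dport>\d+)"),
    re.compile(r"%PIX-\d-106023: Deny (?P<proto>tcp|udp) src \w+:(?P<src>[\d.]+)/\d+ "
               r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"),
]


def parse_denies(log_text: str) -> List[Deny]:
    """Extract (proto, src, dst, dport) from each deny line, in log order."""
    found: List[Deny] = []
    for line in log_text.splitlines():
        for pat in DENY_PATTERNS:
            m = pat.search(line)
            if m:
                found.append((m["proto"].lower(), m["src"], m["dst"], int(m["dport"])))
                break
    return found


def suggest_rules(denies: List[Deny], trusted_peers: Set[str],
                  acl: str = "outside_in") -> Tuple[List[str], Counter]:
    """Draft source-restricted permits only for peers you already expect to
    reach you (here, the VPN endpoint). Every other deny is counted as
    noise: a deny in the log is evidence of a probe, not a reason to open
    the port."""
    rules: List[str] = []
    noise: Counter = Counter()
    for proto, src, _dst, dport in denies:
        if src in trusted_peers:
            line = f"access-list {acl} permit {proto} host {src} interface outside eq {dport}"
            if line not in rules:
                rules.append(line)
        else:
            noise[(proto, dport, src)] += 1
    return rules, noise


if __name__ == "__main__":
    denies = parse_denies(SAMPLE_LOG)
    rules, noise = suggest_rules(denies, trusted_peers={"63.136.96.3"})
    print("\n".join(rules))
    for (proto, dport, src), n in noise.most_common():
        print(f"! ignored: {n}x {proto}/{dport} from {src}")
```

With the sample above, the two denies from the VPN peer produce two candidate lines (tcp/4500 and udp/500, each limited to `host 63.136.96.3`), while the SSH probes against the FTP host are reported and never turned into a permit. Review the candidates before pasting them; the parser only tells you what was dropped, not whether it should have been.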
 

Author Comment

by:streamline1
ID: 12186302
OK, I had to hook the Linksys back up and will try to return to this client tomorrow to add the changes in the config.
How do I give you points? (Click on accept in your answers?)
If I end up going onsite Sunday night, will you be available for help to get this going?
Are you on PST?
Thanks again
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12186312
Yes, you can simply click on "accept" on any one comment.
Yes, I should be available Sunday p.m. I'm on CST..

Glad I could be of assistance!
0
 

Author Comment

by:streamline1
ID: 12197595
lrmoore, I will be onsite @ the customer's this Sunday about 6pm PST. I will add the statements to the config and see if VPN and FTP work; I will let you know.
Thanks
0
 

Author Comment

by:streamline1
ID: 12214150
lrmoore, it's Sunday night 6:45pm PST and I'm onsite. Are you available?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12216190
So sorry I missed your post... how'd it go?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12240808
Using the PDM?  File | show running config in new window
Cut/paste into EE, edit, then submit..

0
