Solved

Continued question for lrmoore: PIX515e replacing Linksys router

Posted on 2004-10-03
Last Modified: 2010-08-05
lrmoore, after adding the config lines below I still cannot get the Extranet VPN client or the Secure FTP connection to work. If I plug the Linksys back in they work fine. I enabled logging on the PIX, so maybe you can look at the logs and tell me what is going on. Sorry I closed the last question (I did not know that when you hit Accept to give points it closes the question).

________________
Good job!

Sorry about that, I had to leave for a while..
>extranet vpn client and secure ftp
Try adding the command (same as IPSEC passthrough on the Linksys):
MYPIX(config)#   isakmp nat-traversal 30

>are there logs I can check to see what is trying to access outside so I can build a rule
First, you have to enable logging to buffer:
MYPIX(config)# logging on
MYPIX(config)# logging buffered informational

Then you can use "show log" to see if anything in particular is being denied...

>How can I see what IP is configured for http inside browser access
Just add the following:
MYPIX(config)# http server enable
MYPIX(config)# http 10.10.10.0 255.255.255.0 inside   <== any system on the inside can http to it.

When you get prompted for username/password, leave the username blank and use the enable password. Didn't set an enable password? Just hit enter..

>prompts me for password but I did not think I had a password
You have to set a telnet password:
MYPIX(config)# passwd <password>
Question by: streamline1
39 Comments

Author Comment by:streamline1
ID: 12214295
Irmoore
I get a Cisco PDM "did not understand this command" error for:
>access-list aclout permit icmp any any
Let me know what you think.
 

Expert Comment by:lrmoore (LVL 79)
ID: 12216267
If you can post the logs next time you try this we might be able to find something.
Secure FTP is your server, or is it a client?

What VPN client are you using?


Author Comment by:streamline1
ID: 12216953
What is my easiest way to post the log?
>show log and cut and paste?

The VPN is an Extranet VPN client.
It is a PC on the inside trying to establish a VPN connection to a hospital.
The inside PC IP is 10.10.10.249; when you launch Extranet it says connecting to 63.136.96.3, then after about 1 minute it will say unable to connect (when I hook the Linksys back up it will connect in about 2 seconds).

The secure FTP is the host; I have the Serv-U FTP application running on 10.10.10.198.
It is waiting for an FTP connection and should receive one every 3 minutes from an outside PC; once the PIX is in place I see no connections in the activity log.

I will be back onsite this Wednesday early AM and then all day to get this up and running. Also, Wednesday I'm going to post a new question and work on VPN connections through the PIX.

Thanks for your help

Author Comment by:streamline1
ID: 12240001
lrmoore, hello, I'm onsite and praying you are available.
I would like to see if you can telnet in from the outside if I give you a password, but I don't want to post it, or I can just cut and paste logs, whatever is best for you.
Thanks

Expert Comment by:lrmoore (LVL 79)
ID: 12240309
How about we start with posting the logs...


Author Comment by:streamline1
ID: 12240340
Thanks for responding ;)
I'm going to disconnect the Linksys, hook up the PIX, try Extranet and then send you the logs.
Do I just do a show log and then cut and paste, or is there another way?

Expert Comment by:lrmoore (LVL 79)
ID: 12240417
That's probably the best way... my email is in my profile...

I've only got about an hour before I have to go into a long meeting...


Author Comment by:streamline1
ID: 12240521
Just sent you an email; I just tried to connect Extranet, so the logs should show it.
Thanks

Author Comment by:streamline1
ID: 12240622
111007: Begin configuration: 10.10.10.203 reading from terminal
111008: User 'enable_15' executed the 'configure t' command.
305012: Teardown dynamic TCP translation from inside:10.10.10.203/1280 to outside:64.174.111.89/1225 duration 0:00:31
305012: Teardown dynamic TCP translation from inside:10.10.10.203/1281 to outside:64.174.111.89/1226 duration 0:00:31
305012: Teardown dynamic TCP translation from inside:10.10.10.203/1283 to outside:64.174.111.89/1228 duration 0:00:31
305011: Built dynamic TCP translation from inside:10.10.10.211/4108 to outside:64.174.111.89/1237
302013: Built outbound TCP connection 244 for outside:66.151.158.177/8200 (66.151.158.177/8200) to inside:10.10.10.211/4108 (64.174.111.89/1237)
305011: Built dynamic TCP translation from inside:10.10.10.211/4109 to outside:64.174.111.89/1238
302013: Built outbound TCP connection 245 for outside:66.151.150.190/8200 (66.151.150.190/8200) to inside:10.10.10.211/4109 (64.174.111.89/1238)
302014: Teardown TCP connection 244 for outside:66.151.158.177/8200 to inside:10.10.10.211/4108 duration 0:00:01 bytes 88 TCP FINs
302014: Teardown TCP connection 245 for outside:66.151.150.190/8200 to inside:10.10.10.211/4109 duration 0:00:01 bytes 428 TCP FINs
305012: Teardown dynamic TCP translation from inside:10.10.10.211/4104 to outside:64.174.111.89/1230 duration 0:00:32
305012: Teardown dynamic TCP translation from inside:10.10.10.211/4105 to outside:64.174.111.89/1231 duration 0:00:31
MYPIX(config)#

Expert Comment by:lrmoore (LVL 79)
ID: 12240654
That doesn't really tell me anything except that you're trying to connect to a PacBell client through NAT, and you should be bypassing NAT altogether with the clients..
Go ahead and post the complete config (minus passwords and real IP).


Author Comment by:streamline1
ID: 12240669
Okay, how do I do that, post the complete config?
PacBell is the DSL provider here.

Author Comment by:streamline1
ID: 12240915
Great news: my email server is having issues.
I added the new aaa config statements you sent.
I tried the VPN again; it hangs at "getting configuration" and then errors with a timeout.

Expert Comment by:lrmoore (LVL 79)
ID: 12240959
Add this again....

ssh 0.0.0.0 0.0.0.0 outside

Once you add that, save the config, and reboot the PIX.

I've got to run and give a presentation, I'll be back as soon as possible..

To post the complete config just use "write term" and cut/paste..

Author Comment by:streamline1
ID: 12241004
MYPIX(config)# ssh 0.0.0.0 0.0.0.0 outside
ERROR: entry for address/mask = 0.0.0.0/0.0.0.0 exists

I'm going to hook the Linksys back up so the customer can work.
Post back when you are back.
Thanks!

Expert Comment by:lrmoore (LVL 79)
ID: 12241537
I'm baaaaakkkk....

Author Comment by:streamline1
ID: 12241594
Okay, let me hook the PIX back up and get back with you.
I might run across the street and pick up a sandwich; I'm starving.
I thought you were going to be a bit longer.

Author Comment by:streamline1
ID: 12241894
The customer needs me to wait another 15-20 minutes before I take the Linksys out and hook up the PIX. How long are you available this afternoon?

Expert Comment by:lrmoore (LVL 79)
ID: 12241942
No problem, I'll be around the rest of the afternoon...

Author Comment by:streamline1
ID: 12242657
Okay, the PIX is back in.

Author Comment by:streamline1
ID: 12242669
How can I see if SSH is enabled?

Author Comment by:streamline1
ID: 12242701
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password removed
passwd removed
hostname MYPIX
domain-name threetinc.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list aclout permit icmp any any
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq 990
access-list outside_in permit tcp any interface outside range 2000 2010
pager lines 24
logging on
logging buffered informational
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 64.174.111.89 255.255.255.248
ip address inside 10.10.10.252 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.10.2 255.255.255.255 inside
pdm location 10.10.10.198 255.255.255.255 inside
pdm logging informational 512
pdm history enable
arp timeout 14400
global (outside) 1 interface
<--- More --->
.255 0 0
static (inside,outside) tcp interface 2004 10.10.10.198 2004 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2005 10.10.10.198 2005 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2006 10.10.10.198 2006 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2007 10.10.10.198 2007 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2008 10.10.10.198 2008 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2009 10.10.10.198 2009 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2010 10.10.10.198 2010 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.174.111.94 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp nat-traversal 30
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname vicken3t@sbcglobal.net
vpdn group pppoex ppp authentication pap
vpdn username vicken3t@sbcglobal.net password *********
terminal width 80
Cryptochecksum:3a37a232c15eab77b85c65434e024472
: end
[OK]
MYPIX(config)#

Expert Comment by:lrmoore (LVL 79)
ID: 12242745
MYPIX#write term

Look for
ssh 0.0.0.0 0.0.0.0 outside

Try adding:

aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0.0 outside


Expert Comment by:lrmoore (LVL 79)
ID: 12242823
Looks like the other changes didn't get saved before you shut it down...


Author Comment by:streamline1
ID: 12242846
MYPIX(config)# aaa authentication http console LOCAL
Warning:local database is empty! Use 'username' command to define local users.
MYPIX(config)# http server enable
MYPIX(config)# http 0.0.0.0 0.0.0.0.0 outside
Invalid netmask: 0.0.0.0.0
Usage:  [no] http <local_ip> [<mask>] [<if_name>]
        [no] http server enable

Author Comment by:streamline1
ID: 12242863
I don't think I did a write mem... D'OH!

Expert Comment by:lrmoore (LVL 79)
ID: 12242869
It appears we're also missing:

nat (inside) 1 10.10.10.0 255.255.255.0


Author Comment by:streamline1
ID: 12242894
Duplicate NAT entry
MYPIX(config)#

Expert Comment by:lrmoore (LVL 79)
ID: 12242916
>MYPIX(config)# http 0.0.0.0 0.0.0.0.0 outside
>Invalid netmask: 0.0.0.0.0

one too many zeros...

MYPIX(config)# http 0.0.0.0 0.0.0.0 outside

Author Comment by:streamline1
ID: 12242930
ERROR: entry for address/mask = 0.0.0.0/0.0.0.0 exists

Author Comment by:streamline1
ID: 12243069
When I try to connect via https://10.10.10.252 it now prompts for a password?
Any ideas?

Accepted Solution by:lrmoore (LVL 79), earned 500 total points
ID: 12243090
Version 6.3(1) will have to be upgraded to 6.3(4) for the nat-traversal to work properly.

Added:

object-group service Servu-FTP tcp-udp
  port-object range 2000 2010
access-list outside_in permit tcp any interface outside object-group Servu-FTP

Added this in case your VPN client is using PPTP:
  fixup protocol pptp 1723
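As an added example (not part of the thread, and not Cisco's or lrmoore's code): a short Python checker that reads a PIX 6.x config in the form pasted above, expands the object-group the accepted answer introduced, and reports outside permits with no matching static, statics nothing permits, and permits whose source is any. The sample config is constructed from lines in the thread; the 10.10.10.2 host for 3389 and the port-2011 static are invented to exercise each case.

```python
"""Cross-check inbound permits on 'outside' against static port forwards in a
PIX 6.x config. Added example for this thread (not Cisco's or lrmoore's code);
the sample is built from posted lines, with the 3389 host and 2011 static invented."""
import re

SAMPLE_CONFIG = """\
object-group service Servu-FTP tcp-udp
  port-object range 2000 2010
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq 990
access-list outside_in permit tcp any interface outside object-group Servu-FTP
static (inside,outside) tcp interface 3389 10.10.10.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2004 10.10.10.198 2004 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2011 10.10.10.198 2011 netmask 255.255.255.255 0 0
"""

def parse_ports(spec, groups):
    """'eq 3389' / 'range 2000 2010' / 'object-group NAME' -> set of ports."""
    tok = spec.split()
    if tok[0] == "eq":
        return {int(tok[1])}
    if tok[0] == "range":
        return set(range(int(tok[1]), int(tok[2]) + 1))
    if tok[0] == "object-group":               # PIX writes groups before the ACLs that use them
        return set(groups.get(tok[1], ()))
    return set()

def check_config(text):
    """Return (permits with no static, statics with no permit, permits from 'any')."""
    groups, permits, statics, from_any, current = {}, {}, {}, [], None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"object-group service (\S+)", line):
            current = groups.setdefault(m.group(1), set())   # port-object lines follow
        elif (m := re.match(r"port-object (.+)", line)) and current is not None:
            current |= parse_ports(m.group(1), groups)
        elif m := re.match(r"access-list \S+ permit (\S+) (\S+) interface outside (.+)", line):
            proto, src, spec = m.groups()
            for port in parse_ports(spec, groups):
                permits[(proto, port)] = line
            if src == "any":
                from_any.append(line)
        elif m := re.match(r"static \(inside,outside\) (\S+) interface (\d+) (\S+) (\d+)", line):
            proto, port, host, inside_port = m.groups()
            statics[(proto, int(port))] = f"{host}:{inside_port}"
    unmatched = sorted(k for k in permits if k not in statics)   # permitted, forwarded nowhere
    dead = sorted(k for k in statics if k not in permits)        # forwarded, never permitted
    return unmatched, dead, from_any
```

The script assumes the ACL is bound inbound on outside (the access-group line is not checked) and treats every permit from any as worth reviewing; on this config the Serv-U range is only ever contacted by the single peer visible in the Serv-U log, so its source could be narrowed to that host.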

Expert Comment by:lrmoore (LVL 79)
ID: 12243121
Seeing hitcounts on the ServU FTP acl now. Does that mean this part is working?

access-list outside_in line 2 permit tcp any interface outside eq 990 (hitcnt=4)
access-list outside_in line 3 permit tcp any interface outside object-group Servu-FTP
access-list outside_in line 3 permit tcp any interface outside range 2000 2010 (hitcnt=4)

Expert Comment by:lrmoore (LVL 79)
ID: 12243134
>it now prompts for password?

Yes, the username/password that we put in earlier..

Author Comment by:streamline1
ID: 12243193
From the FTP log:

[5] Wed 06Oct04 13:57:44 - (000167) Connected to 208.179.136.100 (Local address 10.10.10.198)
[5] Wed 06Oct04 13:57:44 - (000167) User TRANSMED logged in
[4] Wed 06Oct04 13:57:45 - (000167) Receiving file c:\transmed\upload\hl7adt.1097095980
[4] Wed 06Oct04 13:57:46 - (000167) Received file c:\transmed\upload\hl7adt.1097095980 successfully (151 kB/sec - 156938 Bytes)
[3] Wed 06Oct04 13:57:46 - (000167) Sending file c:\transmed\download\reports.1097095980.zip
[3] Wed 06Oct04 13:57:47 - (000167) Sent file c:\transmed\download\reports.1097095980.zip successfully (60.0 kB/sec - 65707 Bytes)
[5] Wed 06Oct04 13:57:47 - (000167) Closing connection for user TRANSMED (00:00:03 connected)
[5] Wed 06Oct04 14:57:46 - (000168) Connected to 208.179.136.100 (Local address 10.10.10.198)
[5] Wed 06Oct04 14:57:46 - (000168) User TRANSMED logged in
[4] Wed 06Oct04 14:57:46 - (000168) Receiving file c:\transmed\upload\hl7adt.1097099580
[4] Wed 06Oct04 14:57:47 - (000168) Received file c:\transmed\upload\hl7adt.1097099580 successfully (166 kB/sec - 191631 Bytes)
[5] Wed 06Oct04 14:57:47 - (000168) Closing connection for user TRANSMED (00:00:01 connected)
[5] Wed 06Oct04 15:00:31 - (000169) Connected to 65.208.22.35 (Local address 10.10.10.198)
[5] Wed 06Oct04 15:00:39 - Unable to establish SSL connection ((null))
[5] Wed 06Oct04 15:00:40 - (000169) Closing connection

Expert Comment by:lrmoore (LVL 79)
ID: 12243299
Looks good now, huh?

I've gotta run for now, be back on line in about an hour...



Author Comment by:streamline1
ID: 12243315
Not yet, still no FTP and VPN.

Author Comment by:streamline1
ID: 12243424
HTTPS from the inside is working with your username and password.
FTP still down.
VPN still down.
Talk to you in a little bit.

Author Comment by:streamline1
ID: 12243690
I see you're connected via PDM.

Author Comment by:streamline1
ID: 12258913
Got it, lrmoore, thanks for all your help! Could not have done it without you!