
Solved

testing Pix configuration inbound traffic

Posted on 2004-11-06
10
Medium Priority
300 Views
Last Modified: 2010-08-05
All, once again I'm back. Now I am trying to test my configuration; below is my PIX config for your perusal. I can ping outbound to the internet from all my inside host PCs; what I can't do is ping from the outside to the inside. What is the proper test to verify that end users can access my servers?

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any echo-reply
access-list outside_in permit tcp any host 207.xxxxx.3 eq www
access-list outside_in permit tcp any host 207.xxxxx4 eq www
access-list outside_in permit tcp any host 207.xxxxx.5 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 207.xxxxxx.2 255.255.255.0
ip address inside 192.xxxxx1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.xxxxx.10 255.255.255.255 inside
pdm location 192.xxxxx.11 255.255.255.255 inside
pdm location 192.xxxxx.25 255.255.255.255 inside
pdm location 192.xxxxx254 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 207.xxxxx15-207.xxxxxx.253
global (outside) 1 207.xxxxxx.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 207.xxxxxxxx3 192.xxxxx.25 netmask 255.255.255.255 0 0
static (inside,outside) 207.xxxxxxxx.4 192.xxxxx.10 netmask 255.255.255.255 0 0
static (inside,outside) 207.xxxxxxxx.5 192.xxxxx.11 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 207.xxxxxx.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.xxxxxxx.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.xxxxxxx.254 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:0d5d38dea3a8eccbb53b947038f26596
: end
[OK]
Question by:ramosen
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12514025
>what I can't do is ping from the outside to the inside.
With your access-list permits and your static nat xlates, you should be able to ping those three IP's that have static statements, but no others, if you add another line to acl 100
   access-list 100 permit icmp any any echo


>whats is the proper test to verify that end users can access my servers?
Have someone try it, then use 'show access-list' to see the hit counts on each acl line

They can't access them the way you have your acl. Apply access-list outside_in rather than acl 100:
   access-group outside_in in interface outside
0
 

Author Comment

by:ramosen
ID: 12514879
Sorry lrmoore, tried your fix but no help; still can't ping from the outside in.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12514893
Did you re-apply the access-list to the interface?

   access-group 100 in interface outside

You are trying this from a host that is actually outside the PIX, right? Not just trying to ping the public IP's from inside the LAN?
0
 

Author Comment

by:ramosen
ID: 12515098
I removed the access-list 100 and reapplied the access-list outside_in and also the access-group outside_in.

and had a friend try to ping me from outside my network, from his home.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12515154
Did you add the icmp to outside_in?

access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any echo
access-list outside_in permit tcp any host 207.xxxxx.3 eq www
access-list outside_in permit tcp any host 207.xxxxx4 eq www
access-list outside_in permit tcp any host 207.xxxxx.5 eq www
0
 

Author Comment

by:ramosen
ID: 12515472
Yes, and still the same problem. Here is a relook at the config after changes:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx encrypted
passwd xxxxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any host 207.xxxxxxxx.3 eq www
access-list outside_in permit tcp any host 207.xxxxxxxx.4 eq www
access-list outside_in permit tcp any host 207.xxxxxxxx.5 eq www
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 207.xxxxxxx.2 255.255.255.0
ip address inside 192.xxxxxxx.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.xxxxxxx.10 255.255.255.255 inside
pdm location 192.xxxxxxx.11 255.255.255.255 inside
pdm location 192.xxxxxxx.25 255.255.255.255 inside
pdm location 192.xxxxxxx.254 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 207.xxxxxx.15-207.xxxxxxxxx.253
global (outside) 1 207.xxxxxxx.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 207.xxxxx.3 192.xxxxxxxxx.25 netmask 255.255.255.255 0 0
static (inside,outside) 207.xxxxxxxx.4 192.xxxxxx.10 netmask 255.255.255.255 0 0
static (inside,outside) 207.xxxxxxxx.5 192.xxxxxx.11 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 207.xxxxxxx.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.xxxxxxxxx.254 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:667d3ed9fa2b64f11d141bdd7b912809
: end
[OK]
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12515523
You still need to add this:
   access-list outside_in permit icmp any any echo
0
 
LVL 3

Expert Comment

by:cnewgaard
ID: 12517933
You have access-group 100 applied to the outside interface. To allow both pings and access to the web sites (denoted by the access lists and static NATs) you will need to take out the access-group 100 in interface outside and instead put in access-group outside_in in interface outside. That will allow you to do both of the things you are trying to accomplish.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 12517973
good catch, cnewgaard..

Going by the asker's previous post, I didn't even look to see which one was still being applied:
>>I removed the access-list 100 and reapplied the access-list outside_in and also the access-group outside_in.

Let me break this down for you, ramosen. You must do this - exactly - if you want it to work:
We have merged acl 100 which you defined just for icmp, with the acl "outside_in" which defines your inbound www traffic. I assume that you want both to work:

   access-list outside_in permit tcp any host 207.xxxxxxxx.3 eq www
   access-list outside_in permit tcp any host 207.xxxxxxxx.4 eq www
   access-list outside_in permit tcp any host 207.xxxxxxxx.5 eq www
   access-list outside_in permit icmp any any unreachable
   access-list outside_in permit icmp any any echo-reply
   access-list outside_in permit icmp any any time-exceeded
/-- plus, we have to permit "echo", else nobody on the outside can ping you, which is what you are now saying does not work. It will never work until you add this line:
   access-list outside_in permit icmp any any echo

/-- now, remove all references to acl 100:
    no access-list 100
    no access-group 100 in interface outside

/-- now, re-apply the fully merged outside_in acl to the outside interface:
    access-group outside_in in interface outside


0
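As an added illustration of the point made in lrmoore's first comment and in the accepted solution above (a PIX binds one inbound ACL per interface, so the ICMP-only acl 100 shadowed every www line in outside_in, and nothing in either list permitted icmp echo), the following Python script is an example written for this page; it is not code from the thread or from Cisco. It parses access-list / access-group lines in the style posted, evaluates sample inbound packets first-match-wins with an implicit deny at the end, and keeps per-ACE hit counters in the spirit of the 'show access-list' check suggested earlier. The addresses 203.0.113.x and 198.51.100.7 are constructed stand-ins for the masked 207.x addresses; the model covers only 'any' and 'host X' endpoints and only tcp/icmp, and it ignores the static NAT lookup a real PIX performs before the ACL.

```python
"""Simulate how a PIX 6.3 inbound access-group evaluates packets (added example)."""
import re
from dataclasses import dataclass

# Only 'any' / 'host X' endpoints and tcp/icmp are modelled (an assumption of
# this example, not the full PIX grammar).
ACE_RE = re.compile(
    r'^access-list (\S+) permit (icmp|tcp) (any|host \S+) (any|host \S+)'
    r'(?:\s+(?:eq\s+)?(\S+))?$')
GROUP_RE = re.compile(r'^(no )?access-group (\S+) in interface (\S+)$')
NO_ACL_RE = re.compile(r'^no access-list (\S+)$')


@dataclass
class Ace:
    text: str
    proto: str
    src: str          # 'any' or an address
    dst: str
    qualifier: str    # tcp port after 'eq', icmp type name, or None (= any)
    hits: int = 0

    def matches(self, pkt):
        if pkt['proto'] != self.proto:
            return False
        if self.src != 'any' and pkt['src'] != self.src:
            return False
        if self.dst != 'any' and pkt['dst'] != self.dst:
            return False
        if self.qualifier is None:
            return True
        key = 'port' if self.proto == 'tcp' else 'type'
        return pkt[key] == self.qualifier


def parse_config(text):
    """Return (acls, applied): ACEs per ACL name, and ACL name per interface."""
    acls, applied = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, proto, src, dst, qual = m.groups()
            acls.setdefault(name, []).append(Ace(
                line, proto, src.replace('host ', ''),
                dst.replace('host ', ''), qual))
            continue
        m = NO_ACL_RE.match(line)
        if m:
            acls.pop(m.group(1), None)      # 'no access-list 100' drops the whole list
            continue
        m = GROUP_RE.match(line)
        if m:
            negate, name, iface = m.groups()
            if negate:
                applied.pop(iface, None)
            else:
                applied[iface] = name       # one inbound ACL per interface
    return acls, applied


def evaluate(acls, applied, iface, pkt):
    """First matching ACE wins; no match (or no ACL bound) is an implicit deny."""
    for ace in acls.get(applied.get(iface), []):
        if ace.matches(pkt):
            ace.hits += 1
            return 'permit', ace.text
    return 'deny', 'implicit deny'


def show_access_list(acls):
    """Lines in the spirit of 'show access-list' output, with hit counts."""
    return [f"{ace.text} (hitcnt={ace.hits})"
            for aces in acls.values() for ace in aces]


# Constructed stand-in for the original config: the ICMP-only acl 100 is the
# list bound to the outside interface, so the www ACEs in outside_in never apply.
BEFORE = """
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any echo-reply
access-list outside_in permit tcp any host 203.0.113.3 eq www
access-list outside_in permit tcp any host 203.0.113.4 eq www
access-list outside_in permit tcp any host 203.0.113.5 eq www
access-group 100 in interface outside
"""

# The accepted solution applied to that stand-in: one merged ACL including 'echo'.
AFTER = BEFORE + """
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any echo
no access-list 100
no access-group 100 in interface outside
access-group outside_in in interface outside
"""

# Constructed test packets arriving on the outside interface.
PACKETS = {
    'ping .3':  {'proto': 'icmp', 'src': '198.51.100.7', 'dst': '203.0.113.3', 'type': 'echo'},
    'www .3':   {'proto': 'tcp',  'src': '198.51.100.7', 'dst': '203.0.113.3', 'port': 'www'},
    'www .9':   {'proto': 'tcp',  'src': '198.51.100.7', 'dst': '203.0.113.9', 'port': 'www'},
    'reply .3': {'proto': 'icmp', 'src': '198.51.100.7', 'dst': '203.0.113.3', 'type': 'echo-reply'},
}


def run(config_text):
    """Verdict per named packet, plus the hit-count listing afterwards."""
    acls, applied = parse_config(config_text)
    verdicts = {name: evaluate(acls, applied, 'outside', pkt)[0]
                for name, pkt in PACKETS.items()}
    return verdicts, show_access_list(acls)


if __name__ == '__main__':
    for label, cfg in (('before', BEFORE), ('after', AFTER)):
        verdicts, listing = run(cfg)
        print(label, verdicts)
        print('\n'.join(listing))
```

Running it shows the "before" config denying both the echo and the www probe (only echo-reply matches acl 100), while the "after" config permits both and still denies www to a host with no ACE; the hit-count listing is the offline analogue of the 'show access-list' verification lrmoore recommends.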
 

Author Comment

by:ramosen
ID: 12518206
thanks lrmoore it's up and running
0
