  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1347

501 Pix config

I have a 501 pix that I've erased the original configuration of.  I used to be able to get a cool URL GUI via https://192.168.1.1/startup.html, but I can't anymore.  It would be nice if I get that back but what I really want to do is this:

Put a single PC outside this firewall and our STATIC IP network on the inside (I want to plug a patch cord from our wall to the ethernet1 interface).  From our network I want to be able to remote desktop to the PC on the outside.  I want the PC on the outside to get Windows updates from one of our Windows update servers and virus definitions from our Symantec parent server.  How do I do this without taking a Cisco course?

Our network:      138.187.0.0
The PC we want to put outside and remote to:  138.187.32.47
lrmoore commented:
Once you erase the config, try going to the console and running "setup" to give you access back into the GUI.
It gets kind of tricky to allow an outside host to the inside to get updates. I would prefer letting this host get its updates directly from Microsoft and Symantec, but that's your call.

Given:
Windows Update server = 192.168.1.11, requires ports 443 and 80
Symantec server = 192.168.1.12, requires port 21 ?
PC on the outside = 138.187.32.47

On the PIX:
  access-list outside_in permit tcp host 138.187.32.47 interface outside eq 443
  access-list outside_in permit tcp host 138.187.32.47 interface outside eq 80
  access-list outside_in permit tcp host 138.187.32.47 interface outside eq 21

  static (inside,outside) tcp interface 443 192.168.1.11 443 netmask 255.255.255.255
  static (inside,outside) tcp interface 80 192.168.1.11 80 netmask 255.255.255.255
  static (inside,outside) tcp interface 21 192.168.1.12 21 netmask 255.255.255.255
  static (inside,outside) tcp interface 20 192.168.1.12 20 netmask 255.255.255.255

  access-group outside_in in interface outside

The RDP session from inside to the host is automatically allowed, no rules needed.




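Getting the PDM page and a remote CLI back after the erase, as an added example; it is not config from the thread and not lrmoore's or grblades' text. It follows the layout the thread settles on (corporate LAN on the interface named outside, PIX address 138.187.32.47) and assumes the PDM image is still in flash, which "write erase" does not remove. The domain name, the SNMP community string and the rule that only 138.187.0.0/16 may manage the box are assumptions to adjust; comment lines use the colon the PIX itself writes into saved configs.

```cisco
: Management access for a PIX 501 running 6.3 after "write erase".
: Assumed: domain-name, the SNMP string, and 138.187.0.0/16 as the only
: network allowed to manage the firewall. Adjust before pasting.
hostname pix
domain-name example.com
: SSH requires an RSA key pair; PDM (https) uses the same key.
: "ca save all" keeps it across reloads instead of regenerating each boot.
ca generate rsa key 1024
ca save all
: PDM: https://138.187.32.47/startup.html, reachable only from the corporate /16,
: on the interface that network is actually behind (named "outside" in this layout).
http server enable
http 138.187.0.0 255.255.0.0 outside
: CLI over SSH from the same network only (user "pix", the "passwd" password).
ssh 138.187.0.0 255.255.0.0 outside
ssh timeout 10
: No "telnet <net> <mask> <if>" lines on purpose: the PIX refuses Telnet on its
: lowest-security interface outside an IPsec tunnel, and here that is the
: corporate side, so PDM and SSH are the management paths.
: The posted configs still carry the default community "public"; replace it.
snmp-server community R3place-Me-With-A-Long-Random-String
write memory
```

Log in to PDM with an empty username and the enable password; `show ca mypubkey rsa` confirms the key is present after a reload, and `show ssh sessions` shows who is connected. Keep the `http` and `ssh` lines as narrow as the helpdesk subnet really needs; a /16 is the upper bound here, not a recommendation.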
 
imherson (author) commented:
Here's the show config:

pix> enable
Password:
pix# show config
: Saved
: Written by enable_15 at 13:35:28.903 UTC Wed Dec 1 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any any
access-list outside_in permit udp any any eq domain
pager lines 24
logging on
logging console errors
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.1 255.255.255.0
ip address inside 138.187.32.47 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (inside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (outside,inside) 138.187.31.97 192.168.0.3 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 60
ssh timeout 60
console timeout 0
terminal width 100
Cryptochecksum:1ce40a5fd2547ac5e578f3ab6e9f7491
grblades commented:
This question is a continuation from a previous one.

Sorry about this. I was trying to be clever by calling the interface the 'PC' was on the outside interface but just ended up confusing myself and causing complications with NAT.

Here is another PIX configuration with the interfaces renamed (no need to move cables) that should hopefully work.

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 inside security0
nameif ethernet1 outside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host 138.187.31.97
access-list outside_in permit icmp any any
access-list inside_in permit udp any any eq domain
access-list inside_in permit icmp any any
pager lines 24
logging on
logging console errors
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address inside 192.168.0.1 255.255.255.0
ip address outside 138.187.32.47 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 138.187.31.97 192.168.0.3 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group inside_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 60
ssh timeout 60
console timeout 0
terminal width 100
grblades commented:
You have lrmoore on the case now as well, so between us we should get it working ;)
imherson (author) commented:
I appreciate the good will
lrmoore commented:
>interface ethernet1 100full shutdown
First problem is that the inside interface is shutdown.
Enable it with:
  interface ethernet1 100full

>access-list outside_in permit udp any any eq domain
Do you have your own DNS server? If not leave this out

>ip address outside 192.168.0.1 255.255.255.0
>ip address inside 138.187.32.47 255.255.0.0
Now I'm confused. Which network is the inside? I would expect public IPs on the outside and private IPs on the inside.
grblades commented:
The 192 address is the 'outside' interface. The server is publicly accessible I believe, but a 3rd party company has remote access to it, so the idea of the PIX is to stop the machine from being able to access the rest of the network.

lrmoore - I have just posted a question in the VPN area which I would greatly appreciate if you could have a look at.
imherson (author) commented:
I haven't tried anything else yet - got a bit busy here on something else.  

grblades is right.  A vendor dials directly into the server via a modem.  We want him out of our network.  But we want to remote desktop to the server from our side.  It would be nice if the server could still get its Windows and antivirus updates from our side, but if that's too complicated we could forget that.

138.187 is our network using STATIC IPs, and static DNS.  

We want the server outside to be accessible from the inside via one of our static IPs, via NAT I guess, even if it must have a private IP for other reasons (gr explained earlier).  We want to be able to remote desktop to it from the inside using an IP our DNS servers have in their tables.  We can't use a 192 private for this.
imherson (author) commented:
I pasted the config.  I got back a couple of messages this time:

pixfirewall(config)# nameif ethernet0 inside security0
interface name "inside" is reserved for interface with security100
pixfirewall(config)# nameif ethernet1 outside security100
security 100 is reserved for the "inside" interface
grblades commented:
Sorry, I forgot to change those parameters:
nameif ethernet0 inside security100
nameif ethernet1 outside security0
imherson (author) commented:
I think we're getting somewhere.  I can ping 138.187.32.47 (the Pix??)  from the PC 138.187.31.97 on ethernet0, but I cannot reach the PC or the router from our network.
grblades commented:
From a pc on your network you cannot ping 138.187.31.97?
Can you log into the PIX while the ping is happening and type 'show log' and paste the output here.
imherson (author) commented:
I mean I cannot reach the 32.47 (pix?)  or the PC (31.97) from our network on ethernet1
grblades commented:
I am not sure if the PIX will respond to a PING from the outside interface anyway. Post the log and I will have a look when I get to work tomorrow (it's 10:30pm in the UK now).
imherson (author) commented:
It does respond from the outside but not from the inside. I can ping 32.47 from the server (138.187.31.97) connected to ethernet0 but not from any PC on the inside (our 138.187 network).  I also cannot ping the outside server (31.97) from our network.

I'm going to post the log tomorrow anyway.  Time to go home.
imherson (author) commented:
I erased everything and then reapplied the last config.

I can ping the beast from the inside not from the outside (this is good!)
But, I cannot ping the PC (31.97) outside

Should the PC outside be using 31.97 or the private IP??  I have it using 31.97.  I want us to be able to access via 31.97 not via the private.

Here's the show config:

pix# show config
: Saved
: Written by enable_15 at 12:50:56.457 UTC Thu Dec 2 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 inside security100
nameif ethernet1 outside security0
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host 138.187.31.97
access-list outside_in permit icmp any any
access-list inside_in permit udp any any eq domain
access-list inside_in permit icmp any any
pager lines 24
logging on
logging console errors
logging monitor debugging
logging buffered debugging
mtu inside 1500
mtu outside 1500
ip address inside 192.168.0.1 255.255.255.0
ip address outside 138.187.32.47 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 138.187.31.97 192.168.0.3 netmask 255.255.255.255 0 0
access-group inside_in in interface inside
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 60
ssh timeout 60
console timeout 0
terminal width 100
Cryptochecksum:ccaed19464c5cd922e327549500a19d3
imherson (author) commented:
OK I put the private IP (192.168.0.3) on Outside PC and it responds to a "ping 138.187.31.97"  from the inside- This is good!

But I can also ping and nslookup every IP on our inside network from the PC that is outside!  [We can fix this later]

I did notice a mistake on my part:  When I asked this question originally I referred to the PC on the outside as having the IP of 32.47, but that is really the PIX.  The PC outside is 138.187.31.97

What I'm really interested in is remoting to the PC that is outside from our inside network and allowing it to get WUs and NVirus updates.
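The two pieces still open at this point (remote desktop in from the corporate LAN, updates out to the corporate WSUS and Symantec servers) for the layout in the config above, written out as an added example rather than config from the thread. It reuses lrmoore's port list (80/443 for Windows Update, 21 for the Symantec parent, which he marked with a question mark) but reverses the direction, because in the final layout the corporate LAN sits on the interface named outside and the PC at 192.168.0.3 is inside. The server and DNS addresses 138.187.1.11, 138.187.1.12 and 138.187.1.53 are placeholders; the existing static for 138.187.31.97 is kept as the thread has it.

```cisco
: Final layout from the thread:
:   ethernet0 = inside  (security100) 192.168.0.1/24, vendor PC at 192.168.0.3
:   ethernet1 = outside (security0)   138.187.32.47/16, corporate LAN
: Assumed placeholders (not in the thread): WSUS 138.187.1.11, Symantec parent
: 138.187.1.12, corporate DNS 138.187.1.53. Substitute the real addresses.
:
: The PC keeps appearing on the corporate LAN as 138.187.31.97 (unchanged).
static (inside,outside) 138.187.31.97 192.168.0.3 netmask 255.255.255.255 0 0
:
: Corporate LAN -> PC. Outside ACLs on 6.x match the mapped address.
: Drop the wide-open lines from the posted config first, then allow RDP (3389)
: and ping from the corporate /16 only.
no access-list outside_in permit ip any host 138.187.31.97
no access-list outside_in permit icmp any any
access-list outside_in permit tcp 138.187.0.0 255.255.0.0 host 138.187.31.97 eq 3389
access-list outside_in permit icmp 138.187.0.0 255.255.0.0 host 138.187.31.97 echo
access-list outside_in deny ip any any log
:
: PC -> corporate LAN. The PC is on the high-security side, so without an inbound
: list on "inside" it reaches the whole corporate network (the "I can ping every IP"
: symptom above). Inside ACLs match the real, pre-NAT address 192.168.0.3.
: ICMP is not tracked statefully on 6.x, so the echo-reply to corporate pings
: has to be permitted explicitly.
no access-list inside_in permit udp any any eq domain
no access-list inside_in permit icmp any any
access-list inside_in permit tcp host 192.168.0.3 host 138.187.1.11 eq 80
access-list inside_in permit tcp host 192.168.0.3 host 138.187.1.11 eq 443
access-list inside_in permit tcp host 192.168.0.3 host 138.187.1.12 eq 21
access-list inside_in permit udp host 192.168.0.3 host 138.187.1.53 eq domain
access-list inside_in permit icmp host 192.168.0.3 138.187.0.0 255.255.0.0 echo-reply
access-list inside_in deny ip any any log
:
access-group outside_in in interface outside
access-group inside_in in interface inside
:
: Existing translations keep their old permissions until cleared.
clear xlate
write memory
```

`show access-list` shows a hit count per line, so an RDP attempt from the corporate side should bump the 3389 line and nothing else; `show log` lists what the two deny lines dropped. ACL lines are appended in order, so any later permit must be entered before the deny (remove and re-add the deny after it). The FTP data channel for port 21 is opened by the `fixup protocol ftp 21` already in the config, whether the Symantec client uses active or passive mode; if the parent server turns out to use a different port, change that one line. 138.187.31.97 must not be in use elsewhere on the corporate LAN, because the PIX answers ARP for it on ethernet1. None of this touches the vendor's modem: the PIX only controls the PC's LAN path, which is what the thread is trying to limit.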
 
imherson (author) commented:
I thought we could do this in parts, so I gave points for what parts have been solved.  I'll post the remaining parts in other questions.
grblades commented:
It would help if you could post the URL to the other questions here so that I don't miss it :)