Cisco 506E - Desperate for configuration help

I purchased a Cisco 506E over Ebay a week ago, and I've been trying to configure it ever since.  I'm not any type of PIX expert or even amateur, I had configured Watchguard firewalls and even a few Symantec Gateways, so I figured I could configure this Cisco 506E router.  But try and try I do, I can't get anywhere with it.

I'm desperate for help to get this up and running.  Not even sure what to ask or where to start. I can tell you what my goal is though.

I have 5 external IP addresses, I would like to forward those to specific internal addresses.  Allow all outbound, and I would like to allow inbound on certain ports to go to specific internal addresses.

Let me give out some detail.  I can not figure out how to setup the firewall to do the following.

My External Network (From ISP)

IP Address1: 64.1.0.14
IP Address2: 64.1.0.15
IP Address3: 64.1.0.16
IP Address4: 64.1.0.17
IP Address5: 64.1.0.18
Subnet: 255.255.255.0
Gateway: 64.1.0.1
DNS1: 64.1.5.5
DNS2: 64.1.5.6


Internal Network (My Private)
IP Range: 10.1.0.x
Subnet: 255.255.255.0
Gateway: 10.1.0.1
DNS1: 64.1.5.5
DNS2: 64.1.5.6

Web Server on 10.1.0.200
Mail Server on 10.1.0.201
App Server on 10.1.0.202
DNS1 Server on 10.1.0.203
DNS2 Server on 10.1.0.204


Firewall:
Inside Interface: 10.1.0.1 255.255.255.0
Outside Interface: 64.1.0.14 255.255.255.0

What I'm trying to do is...

Allow all 10.1.0.x outbound to anyport

Now if 10.1.0.x goes outbound I don't care what IP it NAT's as, unless it's one of the servers
10.1.0.200 should go out as 64.1.0.14
10.1.0.201 should go out as 64.1.0.15
10.1.0.202 should go out as 64.1.0.16
10.1.0.203 should go out as 64.1.0.17
10.1.0.204 should go out as 64.1.0.18

Coming Inbound...
64.1.0.14 > 10.1.0.200
64.1.0.15 > 10.1.0.201
64.1.0.16 > 10.1.0.202
64.1.0.17 > 10.1.0.203
64.1.0.18 > 10.1.0.204

For the most part that's what I'm looking for.
I would like to properly apply a rule for each port coming in and not allow all traffic. So for example, RDP TCP 3389, if it comes in on 64.1.0.17 I'll send it to 10.1.0.100 say, but if it's port 80 I'll send it to another box.
Asked: fredmastro
fredmastroAuthor Commented:
Also want to mention I can't even figure out how to bind all 5 IP's to the outside interface, I add them to host and networks but they are never pingable.
lrmooreCommented:
OK, let's make sure we have a clean default config on the PIX to start from:
pix#write erase
pix#reload

You might have to answer questions at the startup to put in an enable password, confirm IP address, and date/time...
Once you get that done, rebooted, and back to the pixfirewall# prompt...

ip address inside 10.1.0.1 255.255.255.0
ip address outside 64.1.0.14  <== you must have one IP from your group assigned to the outside interface
route outside 0.0.0.0 0.0.0.0 64.1.0.?
global (outside) 1 interface
nat (inside) 1 0 0
\\-- see if you can follow the logic and the syntax in the following port-forwarding rules
static (inside,outside) tcp 64.1.0.17 3389 10.1.0.100 3389 netmask 255.255.255.255  <== RDP session
static (inside,outside) tcp 64.1.0.17 http 10.1.0.203 http netmask 255.255.255.255   <== www to a different box
\\-- *alternate*
static (inside,outside) tcp interface 3389 10.1.0.100 3389 netmask 255.255.255.255
static (inside,outside) tcp interface http 10.1.0.203 http netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.1.0.200 smtp netmask 255.255.255.255
\\-- create static 1-1 nat map for the servers.  Note that I'm not using .17 (using PAT) or .14 (interface)
static (inside,outside) 64.1.0.15 10.1.0.201 netmask 255.255.255.255
static (inside,outside) 64.1.0.16 10.1.0.202 netmask 255.255.255.255
static (inside,outside) 64.1.0.18 10.1.0.204 netmask 255.255.255.255

\\-- you can see that you're short an IP address if you only have 5
\\-- create access-rules for inbound (NONE are needed for outbound)
access-list inbound permit tcp any host 64.1.0.17 eq 3389
access-list inbound permit tcp any host 64.1.0.17 eq http
access-list inbound permit tcp any host 64.1.0.15 eq smtp
access-list inbound permit tcp any host 64.1.0.16 eq https

\\-- in order to ping from inside the pix to outside hosts:
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable

\\-- apply the access-list
access-group inbound in interface outside

\\-- save the config
pixfirewall#write mem

! done !

>I add them to host and networks but they are never pingable.
Correct. That is by default, by design. Do you really want your hosts pingable? Only the ones with static 1-1 entries will be pingable, and only if you allow icmp echo in via the access-list. You can *never* ping the public IP's from the inside LAN...
fredmastroAuthor Commented:
Hmm ok i'm going to try this, I'm assuming I can copy your commands.

So I can't use 64.1.0.14 because it's on the interface? As far as the pinging I thought you could bind it to the outside interface then you could ping it, maybe not.

Also I notice your inside/outside stuff seems backwards to what I would think it is.

Ex.

"static (inside,outside) tcp 64.1.0.17 3389 10.1.0.100 3389 netmask 255.255.255.255  <== RDP session"

inside is 64? and outside is 10? that right?
lrmooreCommented:
The syntax takes some getting used to. It does look backwards, but that's the way it is...

  static (inside,outside) tcp <outside ip> <port> <inside ip> <port> netmask 255.255.255.255

>So I can't use 64.1.0.14 because it's on the interface? As far as the pinging I thought you could bind it to the outside interface then you could ping it, maybe not.
If you assign .14 to the interface, you can then ping that IP from the Internet, but not from inside the LAN.
If you assign .15 to an internal host with a static, you cannot ping that ip from the Internet unless you expressly permit icmp echo in an access-list

You can use the interface IP to do port redirects as much as you wish, so yes, you really can use it. I demonstrated that with the *alternate* static configuration above..

static (inside,outside) tcp interface 3389 10.1.0.100 3389 netmask 255.255.255.255
static (inside,outside) tcp interface http 10.1.0.203 http netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.1.0.200 smtp netmask 255.255.255.255
access-list inbound permit tcp any interface outside eq 3389
access-list inbound permit tcp any interface outside eq http
access-list inbound permit tcp any interface outside eq smtp

Yes, you can copy/paste into notepad, edit, then copy/paste right into the PIX...
fredmastroAuthor Commented:
Ok well I think I did what you said, but I can't load up any webpage.

Maybe I can increase my points and you can telnet into the box, if I couldn't figure out how to turn that on.


This is what I tried...


pix#write erase
pix#reload

then it asks me for the internal address so I put that in

ip address inside 10.1.0.1 255.255.255.0 (Did this the first time but not 2nd time)
(this right?)  ip address outside 64.1.0.14  (ok I tried this, but it assigns it a subnet of 255.0.0.0, when my ISP has given me 255.255.255.0 and no gateway.  First time I tried this, second time I did it in the gui, I assigned it 255.255.255.0 and gave it a gateway. not sure if that's right)

route outside 0.0.0.0 0.0.0.0 64.1.0.?  (worked the first time, second time I was told it will overlap and can't be done.  I'm assuming you're asking me what IP I want general stuff to go out as? So I put .14)
global (outside) 1 interface (done)
nat (inside) 1 0 0 (done)

(Then I do this..)

access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-group inbound in interface outside
pixfirewall#write mem

(around this point is when my server can see the internet again and also I can ping the interface .14)

So then I try these out.  This last time I did these...
static (inside,outside) 64.1.0.15 10.1.0.201 netmask 255.255.255.255
static (inside,outside) 64.1.0.16 10.1.0.202 netmask 255.255.255.255

static (inside,outside) tcp interface http 10.1.0.200 http netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.1.0.201 smtp netmask 255.255.255.255
pixfirewall#write mem


Then this is where I assume I should be able to load up the webpage going to .14 and forwards to .200 but I can not.

Also my server has to go out and in, in order to get to its websites, because DNS is setup that way to point it to the external addresses.

Going to wipe and try again.
lrmooreCommented:
> you can telnet into the box, if I couldn't figure out how to turn that on.
Can't. You cannot allow telnet from the outside. However, you can allow SSH from the outside, or https from the outside...

>route outside 0.0.0.0 0.0.0.0 64.1.0.?  (worked first, time, secondtime I was told it will overlap and can't be done.  I'm assuming your asking me what IP I want general stuff to go out as? So I put .14)
Basic problem here. What is your default gateway supposed to be for your external connection? If the ISP gave you the subnet mask 255.255.255.0, use of IP addresses .14-.18, then I would expect the gateway to be .1 -- 64.1.0.1

>Then this is where I assume I should be able to load up the webpage going to .14 and fowards to .200 but I can not.
You need to go the next step and add access-list permissions.
Given this:
>(Then I do this..)

access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-group inbound in interface outside
pixfirewall#write mem
>
You need to do this:
  access-list inbound permit tcp any host 64.1.0.14 eq www
  access-group inbound in interface outside

Any time you make changes to the access-list, you need to re-apply it to the interface.
Easy troubleshooting commands:
  logging on
  logging trap debug
  logging buffer

Then you can use "show log" and see what packets are doing
Also use "show access-list" to see the (hitcount xx) counters.

Make sure that the PIX inside IP address is the default gateway for all the servers/PC's.

>Also my server has to go out and in, in order to get to it's websites, because DNS is setup that way to point it to the external addresses.
I'm not quite sure what you mean by this. Is your server the primary DNS server for the domain/websites?
Is that same server the primary DNS server for your internal hosts? You may have "issues" that we can discuss after we get you working..
fredmastroAuthor Commented:
argh I'm about to give up and put it up on ebay.

I'm doing something wrong I'm sure.
Here's a copy of my telnet session.

Let me translate the numbers into real ones.

68.238.170.74 Outside Interface 255.255.255.0
10.1.0.1 Inside Interface 255.255.255.0

68.238.170.74   10.1.0.200
68.238.170.75   10.1.0.201      
68.238.170.76   10.1.0.202      
68.238.170.77   10.1.0.203      
68.238.170.78   10.1.0.204

So how I tried setting it up was,
any http to .64 goes to .200
any smtp to .64 goes to .201
any smtp to .65 goes to .201
all traffic to .65 goes to .201
all traffic to .66 goes to .202

then I figured I could figure the rest out.

-----------------------------------------------------------------------------


Inside IP address: 10.1.0.1
Inside network mask: 255.255.255.0
Host name: gateway
Domain name: hostedforyou.com
IP address of host running PIX Device Manager: 10.1.0.5

Use this configuration and write to flash? y
Building configuration...
Cryptochecksum: bff7aab5 141a9648 b5b31dd7 46962917
[OK]



gateway> en
Password:
gateway# conf term
gateway(config)#


/*
At this point I go into the GUI PDM, and I go through the setup wizard and enter in the Static IP Information for the outside connection.

68.238.170.74 / 255.255.255.0 / 68.238.170.1

It defaults to "do not use translation" and I leave it there and finish.
It comes back with this msg and error
*/

[OK] route outside 0 0 68.238.170.1 1
[ERR]nat (inside) 0 0.0.0.0 0.0.0.0
      nat 0 0.0.0.0 will be identity translated for outbound
[OK] interface ethernet0 auto
[OK] ip address outside 68.238.170.74 255.255.255.0

/* Then I go into the console again. */

gateway(config)# ip address outside 68.238.170.74
gateway(config)# route outside 0.0.0.0 0.0.0.0 68.238.170.74
cannot add route entry. possible conflict with existing routes
Usage:  [no] route <if_name> <foreign_ip> <mask> <gateway> [<metric>]

gateway(config)#
gateway(config)# global (outside) 1 interface
outside interface address added to PAT pool

gateway(config)# nat (inside) 1 0 0
ERROR: Duplicate NAT entry
ERROR: fail to insert nat entry
gateway(config)#


gateway(config)# static (inside,outside) tcp interface http 10.1.0.200 http ne$
gateway(config)# static (inside,outside) 68.238.170.75 10.1.0.201 netmask 255.$
gateway(config)# static (inside,outside) 68.238.170.76 10.1.0.202 netmask 255.$
gateway(config)#

gateway(config)# static (inside,outside) tcp interface smtp 10.1.0.201 smtp ne$
gateway(config)#
gateway(config)# access-list inbound permit tcp any host 68.238.170.74 eq http
gateway(config)# access-list inbound permit tcp any host 68.238.170.75 eq http
gateway(config)# access-list inbound permit tcp any host 68.238.170.75 eq smtp
gateway(config)# access-list inbound permit tcp any host 68.238.170.74 eq smtp
gateway(config)# access-list inbound permit tcp any host 68.238.170.74 eq https
gateway(config)# access-list inbound permit tcp any host 68.238.170.75 eq https
gateway(config)#

ateway(config)# access-list inbound permit icmp any any echo-reply
gateway(config)# access-list inbound permit icmp any any unreachable
gateway(config)#
gateway(config)# access-group inbound in interface outside
gateway(config)# write mem
Building configuration...
Cryptochecksum: 71297232 95ea3cf6 5b7ba4c8 8d90f732
[OK]
gateway(config)#



/* can't get out of the internal network, outside (.64) is pingable from my other internet connection */



gateway(config)# logging on
gateway(config)# logging trap debug
gateway(config)# logging buffer
Usage:  [no] logging on
        [no] logging timestamp
        [no] logging standby
        [no] logging host [<in_if>] <l_ip> [{tcp|6}|{udp|17}/port#]
                [format {emblem}]
        [no] logging console <level>
        [no] logging buffered <level>
        [no] logging monitor <level>
        [no] logging history <level>
        [no] logging trap <level>
        [no] logging message <syslog_id> level <level>
        [no] logging facility <fac>
        [no] logging device-id hostname | ipaddress <if_name>
                | string <text>
        logging queue <queue_size>
        show logging [{message [<syslog_id>|all]} | level | disabled]

gateway(config)# logging buffered
Usage:  [no] logging on
        [no] logging timestamp
        [no] logging standby
        [no] logging host [<in_if>] <l_ip> [{tcp|6}|{udp|17}/port#]
                [format {emblem}]
        [no] logging console <level>
        [no] logging buffered <level>
        [no] logging monitor <level>
        [no] logging history <level>
        [no] logging trap <level>
        [no] logging message <syslog_id> level <level>
        [no] logging facility <fac>
        [no] logging device-id hostname | ipaddress <if_name>
                | string <text>
        logging queue <queue_size>
        show logging [{message [<syslog_id>|all]} | level | disabled]
gateway(config)# logging buffered 1

gateway(config)# show log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level alerts, 0 messages logged
    Trap logging: level debugging, 49 messages logged
    History logging: disabled
    Device ID: disabled
gateway(config)#


gateway(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list inbound; 8 elements
access-list inbound line 1 permit tcp any host 68.238.170.74 eq www (hitcnt=9)
access-list inbound line 2 permit tcp any host 68.238.170.75 eq www (hitcnt=0)
access-list inbound line 3 permit tcp any host 68.238.170.75 eq smtp (hitcnt=0)

access-list inbound line 4 permit tcp any host 68.238.170.74 eq smtp (hitcnt=0)

access-list inbound line 5 permit tcp any host 68.238.170.74 eq https (hitcnt=0)

access-list inbound line 6 permit tcp any host 68.238.170.75 eq https (hitcnt=0)

access-list inbound line 7 permit icmp any any echo-reply (hitcnt=0)
access-list inbound line 8 permit icmp any any unreachable (hitcnt=0)
gateway(config)#

/* had problems with logging as you can see. */
fredmastroAuthor Commented:
$50 I'll send you over paypal if you walk me through this over the phone.  Would imagine it would take 10min or so.

Or if you want to name your price.
lrmooreCommented:
Add this to the PIX from telnet/console session:

ssh 0.0.0.0 0.0.0.0 outside

fredmastroAuthor Commented:
ok should get an email in a few min
lrmooreCommented:
You are closer than you think.

Change the subnet mask on the external interface to 255.255.255.0

  ip address outside 68.238.170.74 255.255.255.0

.75 gives me this, so it appears that it is working...
  SmarterMail Professional Edition 2.5  "please log in to SmarterMail"

Check/double-check the server 10.1.0.200 for the correct subnet mask and default gateway.

Are you testing from outside the firewall?
fredmastroAuthor Commented:
ok email sent.  woah you in already?

yeah this computer is on cable modem. which is a different ISP.
fredmastroAuthor Commented:
woah that never worked before.  I'll let you look around and test it out. Still confused on actually how to open up a port I may need down the road.
fredmastroAuthor Commented:
well it was working.

My server has to go out and back in for it to get to itself because the DNS it's using has to point to the outside world.
lrmooreCommented:
http://x.x.x.74
You are not authorized to view this page
fredmastroAuthor Commented:
yeah have to do it by name I'll send you in email.
lrmooreCommented:
Final config
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname gateway
domain-name hostedforyou.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
access-list inbound permit tcp any host 68.xxx.170.74 eq www
access-list inbound permit tcp any host 68.xxx.170.75 eq www
access-list inbound permit tcp any host 68.xxx.170.75 eq smtp
access-list inbound permit tcp any host 68.xxx.170.74 eq smtp
access-list inbound permit tcp any host 68.xxx.170.74 eq https
access-list inbound permit tcp any host 68.xxx.170.75 eq https
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit udp any host 68.xxx.170.78 eq domain
access-list inbound permit udp any host 68.xxx.170.77 eq domain
access-list inbound permit udp any host 68.xxx.170.74 eq domain
pager lines 24
logging on    
logging buffered debugging
logging trap debugging
mtu outside 1500
mtu inside 1500
ip address outside 68.xxx.170.74 255.0.0.0  <== should be 255.255.255.0
ip address inside 10.1.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.1.0.5 255.255.255.255 inside
pdm location 10.1.0.200 255.255.255.255 inside
pdm location 10.1.0.201 255.255.255.255 inside
pdm location 10.1.0.202 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp 10.1.0.201 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.0.200 www dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 10.1.0.200 https dns netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 10.1.0.200 domain netmask 255.255.255.255 0 0
static (inside,outside) 68.xxx.170.75 10.1.0.201 netmask 255.255.255.255 0 0
static (inside,outside) 68.xxx.170.76 10.1.0.202 netmask 255.255.255.255 0 0
static (inside,outside) 68.xxx.170.77 10.1.0.203 netmask 255.255.255.255 0 0
static (inside,outside) 68.xxx.170.78 10.1.0.204 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 68.xxx.170.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
http server enable
http 10.1.0.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
lrmooreCommented:
To add access to another service that is located on any of the 4 servers with static nat, simply add new lines to the inbound acl

example, to add RDP remote control service:

   access-list inbound permit tcp any host 68.xxx.xxx.77 eq 3389
   access-list inbound permit tcp any host 68.xxx.xxx.78 eq 3389

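As an added example (not code from either poster), here is a small Python linter for the kind of PIX 6.3 config posted above: it parses the ip address, static, access-list and route lines and reports the three mistakes this thread ran into, a wrong outside mask, a default route whose gateway is the PIX's own outside address, and an inbound permit with no static behind it (the pairing lrmoore describes in the last comment). The sample config is constructed from the 64.1.0.x addresses in the question; treating "www" and "http" as the same port name is an assumption made for the comparison.

```python
import ipaddress

# Constructed sample modelled on the thread's final config (64.1.0.x addresses from the
# question). It carries the thread's three mistakes: a 255.0.0.0 outside mask, a default
# route whose gateway is the outside interface itself, and a permit with no static behind it.
SAMPLE_CONFIG = """\
ip address outside 64.1.0.14 255.0.0.0
ip address inside 10.1.0.1 255.255.255.0
static (inside,outside) tcp interface www 10.1.0.200 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.0.201 smtp netmask 255.255.255.255 0 0
static (inside,outside) 64.1.0.15 10.1.0.201 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 64.1.0.14 eq http
access-list inbound permit tcp any host 64.1.0.15 eq smtp
access-list inbound permit tcp any host 64.1.0.17 eq 3389
access-list inbound permit icmp any any echo-reply
route outside 0.0.0.0 0.0.0.0 64.1.0.14 1
"""
PORT_ALIASES = {"www": "http"}  # assumption: the PIX shows "www" for what the thread also types as "http"


def parse_pix(text):
    cfg = {"ifaces": {}, "one_to_one": set(), "port_statics": set(), "acl": [], "routes": []}
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"] and len(t) >= 5:
            cfg["ifaces"][t[2]] = ipaddress.IPv4Interface(f"{t[3]}/{t[4]}")
        elif t[:1] == ["static"] and len(t) >= 5:
            if t[2] in ("tcp", "udp"):  # static (inside,outside) tcp <out-ip|interface> <port> <in-ip> <port>
                cfg["port_statics"].add((t[2], t[3], PORT_ALIASES.get(t[4], t[4])))
            else:                       # static (inside,outside) <out-ip> <in-ip> netmask ...
                cfg["one_to_one"].add(t[2])
        elif t[:1] == ["access-list"] and len(t) > 7 and t[2] == "permit" and "eq" in t:
            dst = t[t.index("eq") - 1]  # "host <ip>" gives the IP; "interface outside" gives "outside"
            dst = "interface" if dst == "outside" else dst
            cfg["acl"].append((t[3], dst, PORT_ALIASES.get(t[-1], t[-1])))
        elif t[:1] == ["route"] and len(t) >= 5:
            cfg["routes"].append((t[1], t[2], t[4]))
    return cfg


def check_outside_mask(cfg, expected="255.255.255.0"):
    """The ISP-assigned mask has to be on the outside interface."""
    out = cfg["ifaces"].get("outside")
    if out is not None and str(out.netmask) != expected:
        return [f"outside mask is {out.netmask}, expected {expected}"]
    return []


def check_default_route(cfg):
    """The next hop must be another host on the outside subnet, never the PIX's own address."""
    out = cfg["ifaces"].get("outside")
    findings = []
    for ifname, net, gw in cfg["routes"]:
        if ifname == "outside" and net == "0.0.0.0" and out is not None:
            gw_ip = ipaddress.IPv4Address(gw)
            if gw_ip == out.ip or gw_ip not in out.network:
                findings.append(f"default route gateway {gw} is not a usable next hop on the outside subnet")
    return findings


def check_acl_translations(cfg):
    """An inbound permit delivers nothing unless a static maps that address (and port)."""
    out = cfg["ifaces"].get("outside")
    findings = []
    for proto, dst, port in cfg["acl"]:
        key = "interface" if out is not None and dst == str(out.ip) else dst
        if key not in cfg["one_to_one"] and (proto, key, port) not in cfg["port_statics"]:
            findings.append(f"acl permits {proto}/{port} to {dst} but no static translates it")
    return findings


def lint(text):
    cfg = parse_pix(text)
    return check_outside_mask(cfg) + check_default_route(cfg) + check_acl_translations(cfg)
```

Run `lint(SAMPLE_CONFIG)` to get the three findings; correcting the mask, pointing the route at 64.1.0.1 and adding a static for the .17 permit brings it to an empty list.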
fredmastroAuthor Commented:
Do you think that dnsreport failing on the mail record is something on my server? or the firewall?

"
Connect to mail servers ERROR: I could not complete a connection to any of your mailservers!

mail.hostedforyou.com: Timed out [Last data sent: [Did not connect]]

If this is a timeout problem, note that the DNS report only waits about 30 seconds for responses, so your mail may work fine in this case but you will need to use testing tools specifically designed for such situations.
"
fredmastroAuthor Commented:
Ok got it.

It was my server.

Thanks.