
PIX 515E CONFIGURATION QUESTION

I am trying to do Online Credit Card transactions using a HTTPS post to the CC Approval service's website.  Here is a description on how the method works - from their development Manual.

This HTTPS interface offers expanded transaction options, including support for
sale, void, credit, settle, voice authorization, debit card and ACH transaction
types. Transaction data is entered on an online payment form or application
developed by you or a third party. Using sample code that TransFirst provides,
transaction data is sent to Transaction Central through an SSL connection for
processing. Transaction data is saved on your servers. Responses are returned
to a designated URL or passed back as a post string.

The designated URL that the post string is sent to (on my side) is HTTP://192.168.1.49/chargeapprove.asp

I have talked to their technical support guys - the responses can be returned to an IP address - which is what I am using.  The problem is I am not getting any response back at my server - which happens to be behind the firewall.  Their technical staff believes that the firewall is the roadblock.  I don't know...

I would like to keep it behind the firewall for security reasons.

I need assistance with the config of the PIX to allow the Credit Card transaction responses to be sent directly to the originating webserver.

Here is my current config:

PIXFIREWALL# show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password NA3kCu/6slD/O7aS level 10 encrypted
enable password rOx8.Y2f6t2O2J6d encrypted
passwd CchT5YiB9kSAWob1 encrypted
hostname PIXFIREWALL
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_acl permit tcp any any
access-list inside_acl permit ip any any
access-list inside_acl permit udp any any
access-list outside_acl permit gre any host 24.1.3.35
access-list outside_acl permit ah any host 24.1.3.35
access-list outside_acl permit esp any host 24.1.3.35
access-list outside_acl permit tcp any host 24.1.3.35 eq pptp
access-list outside_acl deny tcp any any eq netbios-ssn
access-list outside_acl deny tcp any any eq ftp
access-list outside_acl permit tcp any host 24.1.3.36 eq 10000
access-list outside_acl deny tcp any any eq telnet
*****I added the following line to allow the server sending the CC Transaction response to get through the firewall directly to the webserver.
>>>access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 192.168.1.49 eq www<<<
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 24.1.3.34 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 24.1.3.38
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
*****I added the following line to allow the server sending the CC Transaction response to get through the firewall directly to the webserver.
<<<<static (inside,outside) tcp 24.1.3.37 www 192.168.1.49 www netmask 255.255.255.255 0 0>>>>
static (inside,outside) 24.1.3.36 192.168.1.100 netmask 255.255.255.255 0
static (inside,outside) 24.1.3.35 192.168.1.50 netmask 255.255.255.255 0 0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 24.227.133.33 1
route inside 10.0.0.0 255.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username USER password epNzeQOJEcyLcSzn encrypted privilege 15
terminal width 90
Cryptochecksum:6af7661efd134230309d2d1be65111f5
: end


Being that the HTTP request is getting to the TRANSACTION WEBSITE successfully (this has been verified by their technical staff), do I need to do anything with the firewall?  My thoughts were that the webserver sending the response back to my server would need to be able to send incoming traffic through the firewall - but, being that the outbound connection is successfully connecting to the transaction server, shouldn't the same connection be open to receive the HTTPS post being sent from the webserver?  I don't know exactly how this works and need some help...

Thanks!

Sean
0
nodiscoCommented:
Hi there

The access-list you applied is incorrect -
access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 192.168.1.49 eq www
should be
access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 24.1.3.37 eq www

the reason is that the outside client needs to be able to access the internal server at your site - the 192.168.1.49 is a private address behind your firewall.  He cannot see it - no way, no how.  If he sends to the 24.x.x.x address, it will be translated at the pix to the 192.168.1.49 internal server.

To do this on the pix:
conf t
no access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 192.168.1.49 eq www
access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 24.1.3.37 eq www

write mem

hope this helps
0
 
saladartAuthor Commented:
nodisco,

I did as you recommended - that still doesn't resolve the issue...

Sean
0
 
saladartAuthor Commented:
Do I need to modify the ACCESS-LIST to reflect the public IP address as well?

Sean
0
 
saladartAuthor Commented:
FORGET THE LAST POST...BRAIN FART...

Sean
0
 
nodiscoCommented:
hi again

Is the remote company using the public ip to access you? e.g. http://24.1.3.37/chargeapprove.asp
Post the output of sh access-list to see if you are getting hits on the acl.

Can you draw up a quick diagram of the network so as to make sure i'm not missing something

e.g.

remote>>>>>>>>>internet>>>>>router>>>>>>pix>>>>>>internal server


0
 
saladartAuthor Commented:
Is the remote company using the public ip to access you? e.g. http://24.1.3.37/chargeapprove.asp

Answer: Yes

Post the output of sh access-list to see if you are getting hits on the acl.

There are no hits on the ACCESS-LIST entry for the public IP...

access-list outside_acl line 9 permit tcp 66.1.2.58 255.255.255.254 host 24.1.3.37 eq www (hitcnt=0)

The config is as follows: (INBOUND)

REMOTE WEB SERVER 66.1.2.58 >>>>> INTERNET>>>>>>ISP EQUIP - (24.1.3.33 ROADRUNNER ROUTER)>>>>> FIREWALL 24.1.3.37 / 192.168.1.1 (internal) >>>>>>>>> 192.168.1.2 ROUTER(INTERNAL) >>>>>>> SWITCH >>>>>>> WEB SERVER (192.168.1.49)

Sean
0
 
nodiscoCommented:
Just noticed -
<<I am trying to do Online Credit Card transactions using a HTTPS>>

HTTPS works on 443 - not www; however, you may need both protocols

As a test can you do the following:
no access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 24.1.3.37 eq www


no static (inside,outside) tcp 24.1.3.37 www 192.168.1.49 www netmask 255.255.255.255
static (inside,outside) 24.1.3.37 192.168.1.49 netmask 255.255.255.255
access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 24.1.3.37 eq www
access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 24.1.3.37 eq 443

then get them to try it again - make sure with the other company that the 66.1.2.58/31 address range is definitely correct

hth



0
 
saladartAuthor Commented:
Did what you recommended - I am getting no hits against the IP Address 24.1.3.37 still.  If the firewall is not allowing the data to go through, would I still expect to see hits? (just asking...).

Thanks for your assistance.

Sean
0
 
nodiscoCommented:
No but you should see hits incrementing on the deny at the bottom.

Can you post the full config as it is now and the full sh access-list and I'll have a look - I am wondering if there is anything that your outbound access-list may be blocking - You can remove this as it is allowing all ip, tcp/udp out and is blocking very little out - to remove it:

conf t
no access-group inside_acl in interface inside

But post the above and we'll sort it

0
 
saladartAuthor Commented:
PIXFIREWALL(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list inside_acl; 3 elements
access-list inside_acl line 1 permit tcp any any (hitcnt=2238512)
access-list inside_acl line 2 permit ip any any (hitcnt=962907)
access-list inside_acl line 3 permit udp any any (hitcnt=0)
access-list outside_acl; 10 elements
access-list outside_acl line 1 permit gre any host 24.1.3.35 (hitcnt=81)
access-list outside_acl line 2 permit ah any host 24.1.3.35 (hitcnt=0)
access-list outside_acl line 3 permit esp any host 24.1.3.35 (hitcnt=0)
access-list outside_acl line 4 permit tcp any host 24.1.3.35 eq pptp (hitcnt=784)
access-list outside_acl line 5 deny tcp any any eq netbios-ssn (hitcnt=86450)
access-list outside_acl line 6 deny tcp any any eq ftp (hitcnt=344)
access-list outside_acl line 7 permit tcp any host 24.1.3.36 eq 10000 (hitcnt=5126)
access-list outside_acl line 8 deny tcp any any eq telnet (hitcnt=38)
access-list outside_acl line 9 permit tcp any host 24.1.3.37 eq www (hitcnt=0)
access-list outside_acl line 10 permit tcp any host 24.1.3.37 eq 433 (hitcnt=0)
0
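The callback the processor sends to /chargeapprove.asp is a new inbound TCP connection from 66.1.2.58, not return traffic of the outbound HTTPS request, so it has to pass the outside access-group and find a static translation on its own. The toy model below (an added illustration written for this thread, not code from the poster, from nodisco or from Cisco; the evaluation order and matching rules are assumptions made for the example) walks the config lines quoted above through that check. It shows why an ACL entry naming 192.168.1.49 can never match on the outside interface, why a port-only `static ... tcp ... www` leaves port 443 untranslated even after the ACL permits it, and it flags the `eq 433` entry in the posted `sh access-list` output as a port outside the intended 80/443 set.

```python
"""Toy model of how a PIX 6.3 handles a connection arriving on the outside
interface: the access-group there is checked against the public
(pre-translation) address, then a static must exist to translate it inward.
Added illustration; matching rules are assumptions for this example, not
Cisco code.  Config lines are quoted from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Subset of the service names the PIX CLI accepts in place of port numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "telnet": 23,
              "pptp": 1723, "netbios-ssn": 139}


def _port(tok: str) -> Optional[int]:
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)


def _net(t, i):
    """Parse 'any' | 'host A' | 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1]), i + 2
    return ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


@dataclass
class Ace:
    action: str
    proto: str
    src: object
    dst: object
    dport: Optional[int]
    raw: str


@dataclass
class Static:
    global_ip: str
    local_ip: str
    proto: Optional[str]   # set only for a port-specific (tcp/udp) static
    port: Optional[int]


def parse_ace(line: str) -> Ace:
    t = line.split()        # access-list NAME action proto SRC DST [eq PORT]
    src, i = _net(t, 4)
    dst, i = _net(t, i)
    dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[2], t[3], src, dst, dport, line)


def parse_static(line: str) -> Static:
    t = line.split()        # static (in,out) [tcp GLOBAL GPORT LOCAL LPORT | GLOBAL LOCAL] netmask ...
    if t[2] in ("tcp", "udp"):
        return Static(t[3], t[5], t[2], _port(t[4]))
    return Static(t[2], t[3], None, None)


def inbound(acl, statics, proto, src, dst, dport):
    """Fate of a packet arriving on the outside interface.  dst is the address
    on the wire (the public one): a 6.3 ACL never sees the inside address."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:         # first match wins; implicit deny at the end
        if ace.proto in (proto, "ip") and s in ace.src and d in ace.dst \
                and ace.dport in (None, dport):
            if ace.action == "deny":
                return "drop", "denied by: " + ace.raw
            break
    else:
        return "drop", "no permit matched (implicit deny)"
    for st in statics:      # a port-specific static translates only that port
        if st.global_ip == dst and (st.port is None or (st.proto, st.port) == (proto, dport)):
            return "forward", "translated to " + st.local_ip
    return "drop", "permitted by ACL but no static translation for " + dst


def unexpected_ports(acl, host, intended):
    """Permit entries for HOST whose port is outside the INTENDED set (catches a mistyped port)."""
    d = ip_address(host)
    return [a.raw for a in acl if a.action == "permit" and a.dport is not None
            and d in a.dst and a.dport not in intended]


# Quoted from the thread.  First attempt: the ACL named the inside address.
FIRST_ACL = [parse_ace(l) for l in (
    "access-list outside_acl deny tcp any any eq telnet",
    "access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 192.168.1.49 eq www")]
# The entries as they appeared in the posted 'sh access-list' output (433, not 443).
POSTED_ACL = [parse_ace(l) for l in (
    "access-list outside_acl permit tcp any host 24.1.3.37 eq www",
    "access-list outside_acl permit tcp any host 24.1.3.37 eq 433")]
# The entries from the final posted config.
FINAL_ACL = [parse_ace(l) for l in (
    "access-list outside_acl permit tcp any host 24.1.3.37 eq www",
    "access-list outside_acl permit tcp any host 24.1.3.37 eq https")]
PORT_STATIC = [parse_static(
    "static (inside,outside) tcp 24.1.3.37 www 192.168.1.49 www netmask 255.255.255.255 0 0")]
FULL_STATIC = [parse_static(
    "static (inside,outside) 24.1.3.37 192.168.1.49 netmask 255.255.255.255 0 0")]

if __name__ == "__main__":
    for acl, st in ((FIRST_ACL, PORT_STATIC), (POSTED_ACL, FULL_STATIC),
                    (FINAL_ACL, PORT_STATIC), (FINAL_ACL, FULL_STATIC)):
        print(inbound(acl, st, "tcp", "66.1.2.58", "24.1.3.37", 443))
    print(unexpected_ports(POSTED_ACL, "24.1.3.37", {80, 443}))
```

The `unexpected_ports` check is the kind of thing worth running against any `sh access-list` output before chasing routing: a permit line with `hitcnt=0` on a port nobody intended to open is a typo, not a firewall problem.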
 
saladartAuthor Commented:
PIXFIREWALL(config)# show config
: Saved
: Written by enable_15 at 12:35:40.820 UTC Tue Mar 21 2006
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password level 10 encrypted
enable password encrypted
passwd encrypted
hostname PIXFIREWALL
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_acl permit tcp any any
access-list inside_acl permit ip any any
access-list inside_acl permit udp any any
access-list outside_acl permit gre any host 24.1.3.35
access-list outside_acl permit ah any host 24.1.3.35
access-list outside_acl permit esp any host 24.1.3.35
access-list outside_acl permit tcp any host 24.1.3.35 eq pptp
access-list outside_acl deny tcp any any eq netbios-ssn
access-list outside_acl deny tcp any any eq ftp
access-list outside_acl permit tcp any host 24.1.3.36 eq 10000
access-list outside_acl deny tcp any any eq telnet
access-list outside_acl permit tcp any host 24.1.3.37 eq www
access-list outside_acl permit tcp any host 24.1.3.37 eq 433
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 24.1.3.34 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 24.1.3.38
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 24.1.3.36 192.168.1.100 netmask 255.255.255.255 0
static (inside,outside) 24.1.3.35 192.168.1.50 netmask 255.255.255.255 0 0
static (inside,outside) 24.1.3.37 192.168.1.49 netmask 255.255.255.255 0 0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 24.1.3.33 1
route inside 10.0.0.0 255.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 24.1.3.38 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username username password encrypted privilege 15
terminal width 90
Cryptochecksum:9f965f9e12fdf59faaf8573fb43fc300
0
 
nodiscoCommented:
Ok test time

no access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 24.1.3.37 eq www
no access-list outside_acl permit tcp 66.1.2.58 255.255.255.254 host 24.1.3.37 eq 443

access-list outside_acl permit tcp any host 24.1.3.37 eq www
access-list outside_acl permit tcp any host 24.1.3.37 eq 443

If you can use the clear xlate below - it will disconnect all connections through your pix momentarily.  It's safe to do after hours but will cause connections to drop - they will work again straight away though.
clear xlate
Advise when you have done this


0
 
nodiscoCommented:
Ignore!  but run the clear xlate if you can
0
 
saladartAuthor Commented:
I just ran the clear xlate.

Sean
0
 
saladartAuthor Commented:
Tried the post again - same result.

Sean
0
 
nodiscoCommented:
Using your 192.168.1.49 machine - go on the web and go to whatismyip.com and check your ip address
Also pls remove the access-list applied to your inside interface:

conf t
no access-group inside_acl in interface inside
0
 
saladartAuthor Commented:
Ok.  When I follow your instructions - Using your 192.168.1.49 machine - go on the web and go to whatismyip.com and check your ip address
- I get 24.1.3.37 (the address that I have statically mapped to this system via firewall).

I also removed the access-list applied to the inside interface.

Sean
0
 
nodiscoCommented:
FIREWALL 24.1.3.37 / 192.168.1.1 (internal) >>>>>>>>> 192.168.1.2 ROUTER(INTERNAL) >>>>>>> SWITCH >>>>>>> WEB SERVER (192.168.1.49)

Why is the webserver on a different internal network to the pix inside?  
This would explain why you can get out to the internet (whatismyip showing the static nat) but not get any return traffic.

If you add the following to the pix -
route inside 192.168.1.49 255.255.255.255 192.168.1.2


0
 
saladartAuthor Commented:
Did as you suggested - add the following to the pix - route inside 192.168.1.49 255.255.255.255 192.168.1.2
still get the same results...

You asked - Why is the webserver on a different internal network to the pix inside?   It isn't on a different internal network - 192.168.1 is the network for both...or am I missing something?

If I were to register a domain name and redirect the REGISTERED NAME to this IP address, would I open the door for attacks (being that it is behind the firewall)?  The credit card processing company is now saying that SSL doesn't work with an IP address - which they first told me that it would...  Is this true?

Sean
0
 
nodiscoCommented:
<<You asked - Why is the webserver on a different internal network to the pix inside?   It isn't on a different internal network - 192.168.1 is the network for both...or am I missing something?
Your network diagram showed that the 192.168.1.49 host was on the other side of a router from the pix.  So it is not locally connected to the pix - is the diagram accurate?
Where are the other servers (192.168.1.50, 100) located?


<<If I were to register a domain name and redirect the REGISTERED NAME to this IP address, would I open the door for attacks (being that it is behind the firewall)?  
No - DNS is just name resolution of an ip address.  Whether an outside host accesses you by ip or dns name it makes no difference - you would be just as secure/unsecure.

<<The credit card processing company is now saying that SSL doesn't work with an IP address - which they first told me that it would...  Is this true?
Absolutely not!  I don't know where they got that from.

I have to sign out as its v late here but will check on this tomorrow.  Can you try removing the acls to .137 and recreating them at line1 of the acls.  Also reapply the access-list to the interface by typing :
access-group outside_acl in interface outside

let me know how it goes




0
 
saladartAuthor Commented:
So it is not locally connected to the pix - is the diagram accurate?

Yes, the diagram is accurate...I see now what you mean.

Am I going to need to put the server in a DMZ?  If so, I will need to know how to configure the PIX to allow inside clients access to the server.

Can I do this without putting the server in a DMZ (keep it behind the firewall)?

I also put the ACL's to .37 as number 1 and number 2 (www is #1, 443 is #2) and still getting no hits on either.  I even went as far as to set up a new domain and redirected it to the .37 address - the domain name is in fact redirected to the .37 but I still get no hits on the access-list for .37.

Thanks for your help on this...

Sean
0
 
nodiscoCommented:
Yes - putting the servers in the DMZ is no problem - you just need to give the DMZ an ip address and create the statics accordingly

e.g.

ip address dmz 192.168.20.1 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz, outside) 24.1.3.37 192.168.20.49 netmask 255.255.255.255
access-list outside_acl permit tcp any host 24.1.3.37 eq www
access-list outside_acl permit tcp any host 24.1.3.37 eq 443

Where 192.168.20.49 is the ip address of your host machine.  (It's gateway address would be 192.168.20.1)
0
 
saladartAuthor Commented:
Nodisco - question.

If my internal network is 192.168.1 - wouldn't I need to configure the IP address for the DMZ with the same subnet (192.168.1.25 for example)?  I am trying to make sense of this - understanding it makes things a whole lot easier for me...

Also, once I create the DMZ, will I need another router on the DMZ interface at the PIX?  

Do I need to connect the servers ethernet connection to the PIX DMZ interface or can I leave it on the network as it is now?  Just need to know how to do this properly - haven't had a need for a DMZ just yet...learn as I go is what I am doing...

Thanks again for your guidance!

Sean
0
 
saladartAuthor Commented:
One more question...

The clients behind the firewall - on the 192.168.1 network - will they be able to access the server in the DMZ?  They will need to...

Sean
0
 
nodiscoCommented:
<<If my internal network is 192.168.1 - wouldn't I need to configure the IP address for the DMZ with the same subnet (192.168.1.25 for example)?  I am trying to make sense of this - understanding it makes things a whole lot easier for me...
No - has to be a different subnet as its a different interface on the PIX.  PIX interfaces all have different security levels - to protect the individual networks from each other.  By default inside is most secure, then DMZ, then outside. See the lines at the top of your config:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10

The security number dictates how the traffic should go - higher can go to lower by default once natted - but lower cannot go to higher unless specified by an access-list

<<Also, once I create the DMZ, will I need another router on the DMZ interface at the PIX?  

No - you can connect the machine straight to the dmz network.  This was why I was wondering why you had an internal router inside your pix - and then your clients inside the router.  The pix inside interface is as secure as you are going to get already - I didn't get the router.

<<Do I need to connect the servers ethernet connection to the PIX DMZ interface or can I leave it on the network as it is now?  Just need to know how to do this properly - haven't had a need for a DMZ just yet...learn as I go is what I am doing...

If you want to move the server to the dmz, then you will have to physically connect it to the dmz network.  Most dmzs have a switch that the pix dmz interface connects to - and then the servers sit on the switch.

<<The clients behind the firewall - on the 192.168.1 network - will they be able to access the server in the DMZ?  They will need to...
Yes - you can setup internal users to be able to hit the dmz - it's just a static nat.

hope this helps

0
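The security-level rule nodisco describes (higher can reach lower by default once a translation exists, lower needs an explicit access-list to reach higher, and an applied access-group takes over on its interface) decides which of the DMZ flows in this thread need configuration. The model below is an added illustration, not the poster's or Cisco's code; the interface levels and the 24.1.3.37 permits come from the thread, while the `(inside, dmz)` translation pair and the AD/SQL ports used as sample flows are assumptions for the example.

```python
"""Toy model of PIX interface security levels.  Added illustration for the
thread; the rule is the one stated there, the evaluator and the sample
flows are assumptions, not Cisco's implementation."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# nameif lines from the thread's config: interface -> security level
SECURITY = {"outside": 0, "inside": 100, "dmz": 10}

Flow = Tuple[str, int]   # (destination host as addressed on the ingress side, tcp port)


@dataclass
class Policy:
    # interface pairs for which a nat/global or static exists (either direction)
    translations: Set[FrozenSet[str]] = field(default_factory=set)
    # ingress interface with an access-group applied -> flows it permits
    acl_permits: Dict[str, Set[Flow]] = field(default_factory=dict)


def allowed(src_if: str, dst_if: str, flow: Flow, policy: Policy) -> Tuple[bool, str]:
    """Apply the level rule: translation first, then an applied ACL if any,
    otherwise the default that only higher-to-lower traffic passes."""
    if frozenset((src_if, dst_if)) not in policy.translations:
        return False, f"no nat/static between {src_if} and {dst_if}"
    if src_if in policy.acl_permits:       # an applied access-group replaces the default
        if flow in policy.acl_permits[src_if]:
            return True, f"permitted by ACL on {src_if}"
        return False, f"ACL on {src_if}: implicit deny"
    if SECURITY[src_if] > SECURITY[dst_if]:
        return True, "higher security to lower: permitted by default once translated"
    return False, "lower security to higher: denied without an access-list"


def needs_permit(src_if: str, dst_if: str, flows: List[Flow], policy: Policy) -> List[Flow]:
    """Flows that would be dropped as things stand, i.e. the access-list work still to do."""
    return [f for f in flows if not allowed(src_if, dst_if, f, policy)[0]]


def dmz_policy() -> Policy:
    """Policy after the DMZ lines suggested in the thread.  The inside<->dmz
    pair assumes a static for that pair (assumption); the inside access-group
    is absent because the thread removed it."""
    p = Policy()
    p.translations |= {frozenset(("dmz", "outside")),     # static (dmz,outside) / nat (dmz) 1
                       frozenset(("inside", "dmz")),      # assumed static (inside,dmz)
                       frozenset(("inside", "outside"))}  # nat (inside) 1 / global (outside) 1
    p.acl_permits["outside"] = {("24.1.3.37", 80), ("24.1.3.37", 443)}
    return p


# Sample flows for the AD and SQL question (constructed; ports are the usual
# Kerberos, LDAP and SQL Server defaults, not taken from the thread).
AD_SQL_FLOWS = [("192.168.1.100", 88), ("192.168.1.100", 389), ("192.168.1.50", 1433)]

if __name__ == "__main__":
    p = dmz_policy()
    print(allowed("outside", "dmz", ("24.1.3.37", 443), p))
    print(allowed("inside", "dmz", ("192.168.20.49", 80), p))
    print(allowed("dmz", "inside", ("192.168.1.100", 389), p))
    print(needs_permit("dmz", "inside", AD_SQL_FLOWS, p))
```

The last call is the practical takeaway for the AD/SQL follow-up: a web server moved to the DMZ reaches inside hosts only for flows explicitly permitted on the dmz interface, so each directory or database port it needs is a deliberate, auditable hole rather than a side effect of the move.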
 
saladartAuthor Commented:
Another question...

This webserver uses Active Directory for authentication.  Will implementing what you propose create any issues with the authentication side?  The server is a member of a domain that resides behind the firewall...  Do any other ports need to be opened between the DMZ and INSIDE interface?  In addition, this webserver accesses a SQL database - same question for this server.

I would be more than happy to open a new post if needed...

Sean
0
 
nodiscoCommented:
Regarding AD - you can authenticate servers between the dmz and inside - likewise the SQL server.

Q - where are 192.168.1.50 and 192.168.1.100 located - I take it these servers work fine as regards access from outside
0
 
saladartAuthor Commented:
The 192.168.1.50 and .100 servers are behind the firewall and do in fact work fine from the outside.

Sean
0
 
nodiscoCommented:
Yes - but are they also inside the router?  What I mean is that the .49 machine is on the inside of the router - are these 2 servers also located on the same subnet?
0
 
saladartAuthor Commented:
I just posted an add on to this post.

http://www.experts-exchange.com/Security/Firewalls/Q_21784446.html

Sean
0
 
saladartAuthor Commented:
but are they also inside the router?

Both servers are inside the router - on the same subnet (192.168.1.0).

>>>>INTERNET>>>>>>FIREWALL>>>>>>ROUTER>>>>>>SERVERS .50 and .100

Sean
0
 
nodiscoCommented:
Can you advise where the 2 other servers are located - are they inside the router or just inside the firewall?  As they seem to be getting hits on the access-lists from outside so they are working correctly
0
 
nodiscoCommented:
Sorry - didn't refresh
0
 
nodiscoCommented:
Can you post the router config - there must be something stopping the third address receiving the traffic back in as it is able to get out properly
0
 
saladartAuthor Commented:
Look at post http://www.experts-exchange.com/Security/Firewalls/Q_21784446.html - I just posted the latest config for the firewall...

Sean
0
 
saladartAuthor Commented:
PIXFIREWALL# show conf
: Saved
: Written by enable_15 at 11:20:26.763 UTC Wed Mar 22 2006
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password NA3kCu/6slD/O7aS level 10 encrypted
enable password rOx8.Y2f6t2O2J6d encrypted
passwd CchT5YiB9kSAWob1 encrypted
hostname PIXFIREWALL
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_acl permit tcp any any
access-list inside_acl permit ip any any
access-list inside_acl permit udp any any
access-list outside_acl permit tcp any host 24.1.3.37 eq www
access-list outside_acl permit tcp any host 24.1.3.37 eq https
access-list outside_acl permit gre any host 24.1.3.35
access-list outside_acl permit ah any host 24.1.3.35
access-list outside_acl permit esp any host 24.1.3.35
access-list outside_acl permit tcp any host 24.1.3.35 eq pptp
access-list outside_acl deny tcp any any eq netbios-ssn
access-list outside_acl deny tcp any any eq ftp
access-list outside_acl permit tcp any host 24.1.3.36 eq 10000
access-list outside_acl deny tcp any any eq telnet
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 24.1.3.34 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 24.1.3.38
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 24.1.3.36 192.168.1.100 netmask 255.255.255.255 0 0
static (inside,outside) 24.1.3.35 192.168.1.50 netmask 255.255.255.255 0 0
static (inside,outside) 24.1.3.37 192.168.1.49 netmask 255.255.255.255 0 0
static (dmz,outside) 24.1.3.37 192.168.20.49 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 24.1.3.33 1
route inside 10.0.0.0 255.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 24.1.3.38 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
username username password epNzeQOJEcyLcSzn encrypted privilege 15
terminal width 90
Cryptochecksum:7c94591755b1df876ae190b86fefe7aa
0
 
saladartAuthor Commented:
Oh - just noticed ROUTER....disregard my previous post...

Sean
0
 
saladartAuthor Commented:
I suppose you are wanting the INSIDE router config right? (192.168.1.2)

Sean
0
 
nodiscoCommented:
correct
0
 
saladartAuthor Commented:
RTR-Main>enable
Password:
RTR-Main#show conf
Using 1361 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-Main
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$W6Mb$bFJsTR5MyE9JoZwYlIonV/
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
!
!
!
class-map match-any voice-control
  match ip dscp af31
  match ip dscp af32
  match ip dscp cs3
  match ip precedence 6
class-map match-any voice
  match access-group 103
  match  dscp ef
  match  dscp cs5
  match ip precedence 6
!
!
policy-map wan-edge
  class voice
   priority 512
  class class-default
   fair-queue
policy-map shaper
  class class-default
   shape average 512000
   service-policy wan-edge
policy-map wan-edgte
!
!
!
interface FastEthernet0
 ip address 192.168.1.2 255.255.255.0
 ip route-cache flow
 speed auto
 full-duplex
!
interface Serial0
 description Connected to Warehouse
 ip address 10.0.0.1 255.255.255.252
 ip route-cache flow
 fair-queue
 service-module t1 framing sf
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 255.255.255.255 24.153.161.217
ip route 192.168.2.0 255.255.255.0 10.0.0.2
no ip http server
!
access-list 103 permit ip host 192.168.1.5 host 192.168.2.5
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
line aux 0
line vty 0 4
 password XXXXX
 login
!
!
end

RTR-Main#
0
 
nodiscoCommented:
Ok final Q - check the machines 192.168.1.49, 50, 100
What are their default gateways?

I am of the opinion that 50 and 100 are using 192.168.1.1 as their gateway and 49 is using 192.168.1.2

can you clarify?
0
 
saladartAuthor Commented:
.50 and 100 are both using 1.2 as the gateway.  I have already changed the IP address on .49 to the .20.49 address - and its gateway is 20.1 - the DMZ address.

Sean
0
 
nodiscoCommented:
Is it now physically connected only to the dmz interface?
and can it ping the dmz interface?
0
 
saladartAuthor Commented:
It is now physically connected to the DMZ interface and it can ping the DMZ interface (.20.1)
0
 
nodiscoCommented:
I see the new Q open - and considering you have the DMZ interface on the pix, it is the best place to home publicly accessed servers.  I am still at a loss as to why the 2 other servers are accessible and this one isn't.  Were you able to ping the .49 server from the pix when it was inside the router?
The only other thing I can think of is to have removed the access-list and reapplied it to the outside interface - that's the only thing we didn't do and considering you were not getting hits on the acl.

That said, the DMZ solution is a better one anyway as you are keeping the machine in a secured network that is designed for this.

0
 
saladartAuthor Commented:
Ok - thanks for your assistance!

Sean
0
