PIX Static Problem

Hi,

I have a PIX 515 and I get a problem while I configure a static rule for it.

Kindly help me with this.

static (inside,outside) 66.10.10.224 192.168.150.23
access-list acl_out permit tcp any host 66.10.10.224 eq https
access-list acl_out permit tcp any host 66.10.10.224 eq www
access-group acl_out in interface outside

But this IP is not exposed to the outside public internet.

Thanks
Balaji


Balaji Kubendran (Sr. Manager) asked:

Keith Alabaster (Enterprise Architect) commented:
static (inside,outside) 66.10.10.224 192.168.150.23 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 66.10.10.224 eq https
access-list acl_out permit tcp any host 66.10.10.224 eq www
access-group acl_out in interface outside
Balaji Kubendran (Author) commented:
Hi Keith,

I have given the same.

Thanks
Balaji
Keith Alabaster commented:
Given the same?

On your post you had left out the subnet mask. Are you saying it is still not working?
Balaji Kubendran (Author) commented:
Yes.
Keith Alabaster commented:
You're not giving me much info to work on here.

Please post your sanitised configuration.
Balaji Kubendran (Author) commented:
Hi,

This is my config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 9jddfNfZuG3TC5tCVH0 encrypted
passwd ta.qizy4RsdCdhdqQH encrypted
hostname pixdel
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
access-list acl_in permit icmp any any
access-list acl_in permit tcp 192.168.144.0 255.255.254.0 any eq www
access-list acl_in permit udp 192.168.144.0 255.255.254.0 any eq domain
access-list acl_in permit tcp 192.168.144.0 255.255.254.0 any eq https
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 66.10.10.224 eq https
access-list acl_out permit tcp any host 66.10.10.224 eq www
access-list acl_dmz permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 66.10.10.1 255.255.255.224
ip address inside 172.20.20.1 255.255.255.0
ip address dmz 192.168.150.1 255.255.255.0
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 66.10.10.224 https 192.168.150.23 https netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 66.10.10.2 1
route inside 192.168.144.0 255.255.254.0 172.20.20.2 1
route inside 192.168.146.0 255.255.255.0 172.20.20.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

Thanks
Balaji
Balaji Kubendran (Author) commented:
From inside I am able to browse the internet.

From the DMZ I am able to ping outside.
campbelc commented:
What are the log files showing?
Keith Alabaster commented:
66.10.10.224 is outside of your subnet. You only have 32 addresses (30 usable):
ip address outside 66.10.10.1 255.255.255.224

Balaji Kubendran (Author) commented:
I don't have logs. Does anybody find a config problem?
Balaji Kubendran (Author) commented:
Hi Keith,

Leave that, there is no problem with it.

I have changed it.

Keith Alabaster commented:
Add:
# conf t
# no sysopt noproxyarp outside
# clear xlate
Balaji Kubendran (Author) commented:
I have put

no sysopt noproxyarp inside and outside

It did not solve it.
Keith Alabaster commented:
OK. You have an access list
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 66.10.10.224 eq https
access-list acl_out permit tcp any host 66.10.10.224 eq www

Then you have a PAT static
static (inside,outside) tcp 66.10.10.224 https 192.168.150.23 https netmask 255.255.255.255 0 0

Change this to

static (inside,outside) 66.10.10.224 192.168.150.23 netmask 255.255.255.255 0 0
Balaji Kubendran (Author) commented:
I had already used this first;

anyhow I will change it and see.
Keith Alabaster commented:
Also you will need a clear xlate afterwards as you are changing the settings for the outside.
Balaji Kubendran (Author) commented:
I have enabled debug packet on outside and dmz.

I found that whatever packets get in, there is no reply for that packet.

Keith Alabaster commented:
On the web server you are publishing, does it know the route back to the outside?
Balaji Kubendran (Author) commented:
Yes, I am able to ping Yahoo from the web server,

and I am also able to open the web server from the inside network.
rsivanandan commented:
Hold on a sec. The config looks wrong to me.

static (inside,outside) tcp 66.10.10.224 https 192.168.150.23 https netmask 255.255.255.255 0 0

The above statement couldn't be correct because the 192.168.150.x network is on your DMZ, so your static should read:

static (dmz,outside) tcp 66.10.10.224 https 192.168.150.23 https netmask 255.255.255.255 0 0

Make the change and it should be okay.

Cheers,
Rajesh
0
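The mistakes discussed in this thread (a static naming the wrong real-side interface, a mapped address outside the outside subnet, a static with no matching permit on the outside ACL) are all mechanical checks against the running config. The following Python checker is an added example, not code from the thread or from Cisco: it parses only the PIX 6.x command forms used above (ip address, route, static, access-list, access-group), works out which interface the PIX would actually use to reach the real host by longest-prefix match over connected subnets and static routes, and compares that with the interface named in the static. The sample config is constructed from the lines posted above with the original, wrong (inside,outside) static.

```python
import ipaddress

# Constructed sample built from the config posted in this thread. The static
# names "inside" as the real-side interface, but 192.168.150.23 sits on the
# dmz subnet, and 66.10.10.224 is outside the /27 configured on "outside".
SAMPLE_CONFIG = """\
ip address outside 66.10.10.1 255.255.255.224
ip address inside 172.20.20.1 255.255.255.0
ip address dmz 192.168.150.1 255.255.255.0
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 66.10.10.224 eq https
access-list acl_out permit tcp any host 66.10.10.224 eq www
static (inside,outside) tcp 66.10.10.224 https 192.168.150.23 https netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 66.10.10.2 1
route inside 192.168.144.0 255.255.254.0 172.20.20.2 1
"""


def parse_config(text):
    """Extract interfaces, routes, statics, permit ACEs and ACL bindings.

    Only the PIX 6.x command forms used in the thread are understood:
      ip address IF ADDR MASK
      route IF NET MASK GW [METRIC]
      static (REAL_IF,MAPPED_IF) [tcp|udp] MAPPED [PORT] REAL [PORT] netmask MASK ...
      access-list NAME permit PROTO SRC DST [eq PORT]
      access-group NAME in interface IF
    """
    ifaces, routes, statics, acls, bindings = {}, [], [], {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"] and len(t) == 5:
            ifaces[t[2]] = ipaddress.IPv4Interface(f"{t[3]}/{t[4]}")
        elif t[:1] == ["route"] and len(t) >= 5:
            routes.append((t[1], ipaddress.IPv4Network(f"{t[2]}/{t[3]}", strict=False)))
        elif t[:1] == ["static"] and "netmask" in t:
            real_if, mapped_if = t[1].strip("()").split(",")
            body = t[2:t.index("netmask")]
            if body[0] in ("tcp", "udp"):          # port static: PROTO MAPPED PORT REAL PORT
                proto, mapped, real = body[0], body[1], body[3]
            else:                                  # one-to-one static: MAPPED REAL
                proto, mapped, real = None, body[0], body[1]
            statics.append({"real_if": real_if, "mapped_if": mapped_if,
                            "proto": proto, "mapped": mapped, "real": real})
        elif t[:1] == ["access-list"] and "permit" in t:
            acls.setdefault(t[1], []).append(t)
        elif t[:1] == ["access-group"] and len(t) == 5:
            bindings[t[4]] = t[1]                  # interface -> ACL applied inbound
    return ifaces, routes, statics, acls, bindings


def acl_destination(tokens):
    """Destination of a permit ACE: 'any', a host address, or a network address."""
    i = 4                                          # first source token
    i += 1 if tokens[i] == "any" else 2            # 'any' | 'host X' | 'NET MASK'
    if tokens[i] == "any":
        return "any"
    return tokens[i + 1] if tokens[i] == "host" else tokens[i]


def egress_interface(ip, ifaces, routes):
    """Interface the PIX would use to reach ip: longest match over connected
    subnets and static routes (the default route matches last)."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for name, net in [(n, i.network) for n, i in ifaces.items()] + routes:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


def check_statics(text):
    """Return a list of findings; an empty list means the statics look sane."""
    ifaces, routes, statics, acls, bindings = parse_config(text)
    findings = []
    for s in statics:
        via = egress_interface(s["real"], ifaces, routes)
        if via != s["real_if"]:
            findings.append(
                f"{s['real']} is reached via '{via}', not '{s['real_if']}': "
                f"the static should be static ({via},{s['mapped_if']}) ...")
        if s["mapped"] != "interface" and s["mapped_if"] in ifaces:
            net = ifaces[s["mapped_if"]].network
            if ipaddress.IPv4Address(s["mapped"]) not in net:
                findings.append(
                    f"{s['mapped']} is outside the {s['mapped_if']} subnet {net}; "
                    "the upstream router must route it to the PIX or nobody will ARP for it")
        acl = acls.get(bindings.get(s["mapped_if"]), [])
        # Some permit ACE bound inbound on the mapped interface must name this
        # address (or 'any') with a compatible protocol; ports are not matched.
        hits = [a for a in acl
                if acl_destination(a) in ("any", s["mapped"])
                and (s["proto"] is None or a[3] in ("ip", s["proto"]))]
        if not hits:
            findings.append(
                f"no permit for {s['mapped']} in the ACL bound inbound on {s['mapped_if']}")
    return findings


if __name__ == "__main__":
    for finding in check_statics(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)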

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Balaji KubendranSr. ManagerAuthor Commented:
hi Rajesh,

That's right i got it.

Thanks rajesh
0
Balaji KubendranSr. ManagerAuthor Commented:
Hi keith,

Thank guy for taking ur precious time to me

balaji
0
Balaji KubendranSr. ManagerAuthor Commented:
Hi Guys,

i have one more problem with Port scan,

as per the above config only 443 and 80 should be open.

but when i make port scan on 66.10.10.224.

it shows 21, 25, 80,110, 443.

how could be possible.

Balaji
0
Keith AlabasterEnterprise ArchitectCommented:
Morning Rajesh. I missed the obvious... nice one.
0
rsivanandanCommented:
Morning Keith, just fresh eyes thatz all, nothing gr8 about it :-)

Balaji,

  Port scan, what tool and how did you do the port scan? Do this, open up a command window and telnet to all those ports and see if you can connect like in;

telnet 66.10.10.224 21
telnet 66.10.10.224 80 etc...

I bet you couldn't connect. Also can you post your latest config?

Cheers,
Rajesh

0
Balaji KubendranSr. ManagerAuthor Commented:
Hey rajesh,

i used the look@lan tool which show the open port and from that i can able to launch telnet to that port. it says the port is open

and one more is that now i am not able to do anything fully screwup.

i will reconfigure and send u config. :)

Thanks
Balaji.T.K



0
rsivanandanCommented:
Uh ????

Look@Lan, I assumed so, I am wondering about that tool myself because whatever you choose it shows up that ftp, telnet and www is open. I ran it on my own machine and it says so! I'm damn sure there is no telnet or ftp running on my machine.

Can you try with nmap or something like that?

Cheers,
Rajesh
0
Balaji KubendranSr. ManagerAuthor Commented:
nmap shows all port are filtered.

rajesh, is their is any rule that first we need to give outside rule and then inside rule.

because once i add inside rule. all the rules are not working including what it was working as we discussed before

Thanks
Balaji.T.K
0
rsivanandanCommented:
Do you happen to have the old configuration? Prior to all the changes ? If so, just copy and paste it onto your PIX, do a save and reboot it. It should come back up fine.

Cheers,
Rajesh
0
Balaji KubendranSr. ManagerAuthor Commented:
Hi rajesh,

Actually as i said i am having problem with exposing ip outside.

and from inside i could able to browse outside. and from dmz i could able to reach outside.

Now i have reconfigured firewall even tough i am not able to expose my static ip outside.

can you tell me where i did mistake on configuration. With this same config 2 days back it worked.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 9jddfNfZuG3TC5tCVH0 encrypted
passwd ta.qizy4RsdCdhdqQH encrypted
hostname PIX
domain-name domain
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_in permit icmp any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 66.10.10.224 eq www
access-list acl_out permit tcp any host 66.10.10.224 eq https
access-list acl_dmz permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 66.10.10.1 255.255.255.224
ip address inside 172.20.20.1 255.255.255.0
ip address dmz 192.168.150.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) tcp 66.10.10.224 https 192.168.150.23 https netmask 255.255
.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 61.12.12.225 1
route inside 192.168.144.0 255.255.254.0 172.20.20.2 1
route inside 192.168.146.0 255.255.255.0 172.20.20.2 1
route inside 192.168.150.0 255.255.255.0 172.20.20.2 1
route inside 192.168.151.0 255.255.255.0 172.20.20.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Thanks
Balaji
0
Balaji KubendranSr. ManagerAuthor Commented:
route outside 0.0.0.0 0.0.0.0 66.10.10.2 1

sorry the route for outside as above, their is a wrong in conf

Balaji
0
rsivanandanCommented:
Include this also;

access-list acl_dmz permit tcp any host 192.168.150.23 eq https
access-group acl_dmz in interface dmz

see if that solves the problem.

Cheers,
Rajesh

0
Balaji KubendranSr. ManagerAuthor Commented:
Hi rajesh,

1 thing i have found is that

a) i could able to ping from any linux or router box to this exposed ip ( from untrusted network )
b) if i access this exposed ip page, the hitcounter get increase in pix, but i could not get the web page.
c) when i enable debug packet outside and ping to interface the request goes in and their is no reply from web server.
d) If we think their is no route to outside from webserver. then i tried with pinging from pix to webserver it work and from pix to outside it work. even though i tried from remote server router to ping to this exposed ip i could able to ping. so their could not be route problem  :)

where could be problem ?

Thanks
Balaji

0
Balaji KubendranSr. ManagerAuthor Commented:
i included ur lines, it doesn't work
0
rsivanandanCommented:
What is the default gateway setup on this webserver? Does this point to the PIX DMZ interface?

Cheers,
Rajesh
0
Balaji KubendranSr. ManagerAuthor Commented:
yes, the pix dmz is 148.1 and the web server GW point to this ip.
0
rsivanandanCommented:
Doesn't ring a bell. Open up another question exactly stating this and post the configuration. That way you will get more eyes to look at it.

Cheers,
Rajesh

PS: Include the comments you posted above too (The numbered one).

0
Balaji KubendranSr. ManagerAuthor Commented:
does could be image problem or what ? let me reimage the PIX and i will reconfigure and see
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.