Solved

PIX Static Problem

Posted on 2006-04-07
Last Modified: 2013-11-16
Hi,

I have a PIX 515 and I get a problem while I configure a static rule for it.

Kindly help me on this

static (inside,outside) 66.10.10.224 192.168.150.23
access-list acl_out permit tcp any host 66.10.10.224 eq https
access-list acl_out permit tcp any host 66.10.10.224 eq www
access-group acl_out in interface outside

But this IP is not exposed to the outside public internet.

Thanks
Balaji


Question by:Balaji Kubendran
 

Expert Comment

by:Keith Alabaster
ID: 16402704
static (inside,outside) 66.10.10.224 192.168.150.23 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 66.10.10.224 eq https
access-list acl_out permit tcp any host 66.10.10.224 eq www
access-group acl_out in interface outside
 

Author Comment

by:Balaji Kubendran
ID: 16402734
hi keith

I have given the same.

Thanks
Balaji

Expert Comment

by:Keith Alabaster
ID: 16402777
Given the same?

On your post you had left out the subnet mask. Are you saying it is still not working?

 

Author Comment

by:Balaji Kubendran
ID: 16402829
yes

Expert Comment

by:Keith Alabaster
ID: 16402854
You're not giving me much info to work on here.

Please post your sanitised configuration.
 

Author Comment

by:Balaji Kubendran
ID: 16403101
Hi,

This is my conf:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 9jddfNfZuG3TC5tCVH0 encrypted
passwd ta.qizy4RsdCdhdqQH encrypted
hostname pixdel
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
access-list acl_in permit icmp any any
access-list acl_in permit tcp 192.168.144.0 255.255.254.0 any eq www
access-list acl_in permit udp 192.168.144.0 255.255.254.0 any eq domain
access-list acl_in permit tcp 192.168.144.0 255.255.254.0 any eq https
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 66.10.10.224 eq https
access-list acl_out permit tcp any host 66.10.10.224 eq www
access-list acl_dmz permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 66.10.10.1 255.255.255.224
ip address inside 172.20.20.1 255.255.255.0
ip address dmz 192.168.150.1 255.255.255.0
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 66.10.10.224 https 192.168.150.23 https netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 66.10.10.2 1
route inside 192.168.144.0 255.255.254.0 172.20.20.2 1
route inside 192.168.146.0 255.255.255.0 172.20.20.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

Thanks
Balaji
 

Author Comment

by:Balaji Kubendran
ID: 16403139
From inside I am able to browse the internet.

From the DMZ I am able to ping outside.

Expert Comment

by:campbelc
ID: 16403156
What are the log files showing?

Expert Comment

by:Keith Alabaster
ID: 16403236
66.10.10.224 is outside of your subnet. You only have 32 addresses (30 usable):
ip address outside 66.10.10.1 255.255.255.224

 

Author Comment

by:Balaji Kubendran
ID: 16403260
I haven't got logs. Does anybody find a config problem?
 

Author Comment

by:Balaji Kubendran
ID: 16403376
hi keith,

Leave that; there is no problem with it.

I have changed it.


Expert Comment

by:Keith Alabaster
ID: 16403412
add
# conf t
# no sysopt noproxyarp
# cl xlate
 

Author Comment

by:Balaji Kubendran
ID: 16403504
I have put

no sysopt noproxyarp inside and outside

It is not solved.

Expert Comment

by:Keith Alabaster
ID: 16403580
OK. You have an access list
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 66.10.10.224 eq https
access-list acl_out permit tcp any host 66.10.10.224 eq www

Then you have a PAT static
static (inside,outside) tcp 66.10.10.224 https 192.168.150.23 https netmask 255.255.255.255 0 0

Change this to

static (inside,outside) 66.10.10.224 192.168.150.23 netmask 255.255.255.255 0 0
 

Author Comment

by:Balaji Kubendran
ID: 16403651
I had already used this first.

Anyhow, I will change it and see.

Expert Comment

by:Keith Alabaster
ID: 16403674
Also, you will need a clear xlate afterwards, as you are changing the settings for the outside.
 

Author Comment

by:Balaji Kubendran
ID: 16403690
I have enabled debug packet on outside and dmz.

I found that whatever packets get in, there is no reply to those packets.


Expert Comment

by:Keith Alabaster
ID: 16403719
On the web server you are publishing, does it know the route back to the outside?
 

Author Comment

by:Balaji Kubendran
ID: 16403741
Yes, I am able to ping Yahoo from the web server.

And I am also able to open the web server from the inside network.

Accepted Solution

by: rsivanandan (earned 150 total points)
ID: 16405925
Hold on a sec. The config looks wrong to me.

static (inside,outside) tcp 66.10.10.224 https 192.168.150.23 https netmask 255.255.255.255 0 0

The above statement couldn't be correct, because the 192.168.150.x network is on your DMZ, so your static should read:

static (dmz,outside) tcp 66.10.10.224 https 192.168.150.23 https netmask 255.255.255.255 0 0

Make the change and it should be okay.

Cheers,
Rajesh
 

Author Comment

by:Balaji Kubendran
ID: 16405957
hi Rajesh,

That's right, I got it.

Thanks rajesh
 

Author Comment

by:Balaji Kubendran
ID: 16405963
Hi keith,

Thanks, guy, for taking your precious time for me.

balaji
 

Author Comment

by:Balaji Kubendran
ID: 16405993
Hi Guys,

I have one more problem, with a port scan.

As per the above config, only 443 and 80 should be open,

but when I do a port scan on 66.10.10.224

it shows 21, 25, 80, 110, 443.

How could that be possible?

Balaji

Expert Comment

by:Keith Alabaster
ID: 16406146
Morning Rajesh. I missed the obvious... nice one.

Expert Comment

by:rsivanandan
ID: 16407476
Morning Keith, just fresh eyes, that's all, nothing great about it :-)

Balaji,

Port scan: what tool, and how did you do the port scan? Do this: open up a command window and telnet to all those ports and see if you can connect, like:

telnet 66.10.10.224 21
telnet 66.10.10.224 80 etc...

I bet you couldn't connect. Also can you post your latest config?

Cheers,
Rajesh

 

Author Comment

by:Balaji Kubendran
ID: 16407522
Hey rajesh,

I used the Look@LAN tool, which shows the open ports, and from that I am able to launch telnet to that port. It says the port is open.

And one more thing: now I am not able to do anything; it is fully screwed up.

I will reconfigure and send you the config. :)

Thanks
Balaji.T.K




Expert Comment

by:rsivanandan
ID: 16408069
Uh ????

Look@LAN, I assumed so. I am wondering about that tool myself, because whatever you choose it shows that FTP, telnet and WWW are open. I ran it on my own machine and it says so! I'm damn sure there is no telnet or FTP running on my machine.

Can you try with nmap or something like that?

Cheers,
Rajesh
 

Author Comment

by:Balaji Kubendran
ID: 16408096
nmap shows all ports are filtered.

Rajesh, is there any rule that first we need to give the outside rule and then the inside rule?

Because once I add the inside rule, all the rules stop working, including what was working as we discussed before.

Thanks
Balaji.T.K
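Rajesh's advice and the nmap result above hinge on what a TCP probe actually gets back: a completed handshake means open, a RST (connection refused) means closed, and no answer at all means filtered, which is what nmap reports when the PIX silently drops SYNs for ports the outside ACL does not permit. A tool that labels a port open without completing the connect is reporting something else. The following Python connect scanner is an added example, not code from the thread or from either tool named in it; it classifies each port by the outcome of the connect, and `selftest_localhost` is a constructed loopback check (a listening socket reads open, the same port reads closed once the listener is gone). The target host and the port list in `__main__` are placeholders taken from the ports Look@LAN reported.

```python
"""TCP connect scan that reports open, closed or filtered per port."""
import errno
import socket
import sys

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe(host, port, timeout=2.0):
    """One TCP connect attempt; the outcome tells the three states apart."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except socket.timeout:
            return FILTERED  # no SYN/ACK and no RST: dropped by a firewall or dead host
        except ConnectionRefusedError:
            return CLOSED  # RST came back: host reachable, nothing listening
        except OSError as exc:
            # Route/ARP failures (EHOSTUNREACH, ENETUNREACH) are not a firewall verdict
            return "error:" + str(errno.errorcode.get(exc.errno, exc.errno))
        return OPEN  # three-way handshake completed, something accepted it


def scan(host, ports, timeout=2.0):
    """Probe each port in turn and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def unexpected_open(results, allowed):
    """Ports that completed a handshake but are not in the set the ACL should permit."""
    return sorted(p for p, state in results.items() if state == OPEN and p not in allowed)


def selftest_localhost():
    """Constructed loopback check: a listener reads open, the freed port reads closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = probe("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    # Placeholder target; the ports are the ones Look@LAN reported in the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    found = scan(target, [21, 25, 80, 110, 443])
    for port, state in found.items():
        print(f"{target}:{port} {state}")
    print("open but not permitted by acl_out:", unexpected_open(found, {80, 443}))
```

Against the PIX in this thread, with only 80 and 443 permitted in acl_out, everything else should come back filtered, not closed: a closed verdict would mean the SYN reached a host and was refused, which the outside ACL should never allow for 21, 25 or 110.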

Expert Comment

by:rsivanandan
ID: 16409799
Do you happen to have the old configuration? Prior to all the changes ? If so, just copy and paste it onto your PIX, do a save and reboot it. It should come back up fine.

Cheers,
Rajesh
 

Author Comment

by:Balaji Kubendran
ID: 16428365
Hi rajesh,

Actually, as I said, I am having a problem with exposing the IP outside.

From inside I am able to browse outside, and from the DMZ I am able to reach outside.

Now I have reconfigured the firewall; even so, I am not able to expose my static IP outside.

Can you tell me where I made a mistake in the configuration? With this same config, 2 days back it worked.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 9jddfNfZuG3TC5tCVH0 encrypted
passwd ta.qizy4RsdCdhdqQH encrypted
hostname PIX
domain-name domain
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_in permit icmp any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 66.10.10.224 eq www
access-list acl_out permit tcp any host 66.10.10.224 eq https
access-list acl_dmz permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 66.10.10.1 255.255.255.224
ip address inside 172.20.20.1 255.255.255.0
ip address dmz 192.168.150.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) tcp 66.10.10.224 https 192.168.150.23 https netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 61.12.12.225 1
route inside 192.168.144.0 255.255.254.0 172.20.20.2 1
route inside 192.168.146.0 255.255.255.0 172.20.20.2 1
route inside 192.168.150.0 255.255.255.0 172.20.20.2 1
route inside 192.168.151.0 255.255.255.0 172.20.20.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Thanks
Balaji
 

Author Comment

by:Balaji Kubendran
ID: 16428555
route outside 0.0.0.0 0.0.0.0 66.10.10.2 1

Sorry, the route for outside is as above; there is an error in the conf.

Balaji
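Three things in this thread can be checked mechanically against a PIX 6.x configuration: Keith's note that the mapped address 66.10.10.224 lies outside the /27 on the outside interface, Rajesh's accepted fix that a static must name the interface the real host is actually connected to (192.168.150.23 sits on dmz, not inside), and the route lines in the reposted config (a default gateway that is not on the outside subnet, which Balaji corrects just above, and a `route inside` for 192.168.150.0/24, which is the directly connected dmz subnet). The following Python checker is an added example, not code from the thread or from Cisco; it parses only the `ip address`, `static` and `route` statements, and the two sample configurations embedded in it are constructed from the relevant lines of the configs posted above.

```python
"""Consistency checks for PIX 6.x 'ip address', 'static' and 'route' statements."""
import ipaddress

# Constructed samples: the relevant lines of the two configurations posted in
# this thread. BEFORE carries the static that names 'inside' for a dmz host;
# AFTER carries the corrected static plus the route lines queried later.
CONFIG_BEFORE = """\
ip address outside 66.10.10.1 255.255.255.224
ip address inside 172.20.20.1 255.255.255.0
ip address dmz 192.168.150.1 255.255.255.0
static (inside,outside) tcp 66.10.10.224 https 192.168.150.23 https netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 66.10.10.2 1
route inside 192.168.144.0 255.255.254.0 172.20.20.2 1
"""

CONFIG_AFTER = """\
ip address outside 66.10.10.1 255.255.255.224
ip address inside 172.20.20.1 255.255.255.0
ip address dmz 192.168.150.1 255.255.255.0
static (dmz,outside) tcp 66.10.10.224 https 192.168.150.23 https netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 61.12.12.225 1
route inside 192.168.144.0 255.255.254.0 172.20.20.2 1
route inside 192.168.150.0 255.255.255.0 172.20.20.2 1
"""


def parse(config):
    """Pull interface subnets, statics and routes out of a running-config text."""
    ifaces, statics, routes = {}, [], []
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) == 5 and tok[:2] == ["ip", "address"]:
            ifaces[tok[2]] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif tok[:1] == ["static"] and len(tok) >= 4:
            # static (real_if,mapped_if) [tcp|udp] mapped [port] real [port] ...
            real_if, mapped_if = tok[1].strip("()").split(",")
            rest = tok[2:]
            if rest[0] in ("tcp", "udp"):
                mapped_ip, real_ip = rest[1], rest[3]  # skip protocol and ports
            else:
                mapped_ip, real_ip = rest[0], rest[1]
            statics.append((real_if, mapped_if, mapped_ip, real_ip, raw.strip()))
        elif tok[:1] == ["route"] and len(tok) >= 5:
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            routes.append((tok[1], net, ipaddress.ip_address(tok[4]), raw.strip()))
    return ifaces, statics, routes


def connected_on(ifaces, addr):
    """Name of the interface whose subnet contains addr, or None."""
    addr = ipaddress.ip_address(addr)
    return next((name for name, i in ifaces.items() if addr in i.network), None)


def check(config):
    """Return (severity, message) findings; an empty list means nothing flagged."""
    ifaces, statics, routes = parse(config)
    findings = []
    for real_if, mapped_if, mapped_ip, real_ip, line in statics:
        if real_if not in ifaces or mapped_if not in ifaces:
            findings.append(("error", f"unknown interface: {line}"))
            continue
        actual = connected_on(ifaces, real_ip)
        if actual != real_if:  # the thread's root cause: host lives on another interface
            where = f"on {actual}" if actual else "on no connected subnet"
            findings.append(("error", f"static names {real_if} but {real_ip} is {where}: {line}"))
        if mapped_ip != "interface" and ipaddress.ip_address(mapped_ip) not in ifaces[mapped_if].network:
            findings.append(("warning", f"mapped {mapped_ip} is not in the {mapped_if} subnet "
                                        f"{ifaces[mapped_if].network}; upstream must route it here: {line}"))
    for out_if, net, gw, line in routes:
        if out_if not in ifaces:
            findings.append(("error", f"unknown interface: {line}"))
            continue
        if gw not in ifaces[out_if].network:
            findings.append(("error", f"gateway {gw} is not on {out_if} subnet {ifaces[out_if].network}: {line}"))
        for name, iface in ifaces.items():
            if name != out_if and net == iface.network:
                findings.append(("warning", f"{net} is directly connected on {name} but routed via {out_if}: {line}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(f"== {label} ==")
        for severity, message in check(cfg):
            print(f"{severity}: {message}")
```

Run it over a saved `show run` instead of the embedded samples to get the same findings. The interface mismatch is an error because the PIX builds the translation towards the interface named in the static, which is not where the host is; the out-of-subnet mapped address is only a warning, since it works as long as the upstream router sends 66.10.10.224 to the PIX. The route warning for 192.168.150.0/24 in the reposted config is something the thread never resolves; whatever the PIX makes of it, a static route for a directly connected subnet pointing out a different interface does not belong there. As Keith notes, after changing any static, issue `clear xlate` so stale translations are dropped.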

Expert Comment

by:rsivanandan
ID: 16430058
Include this also:

access-list acl_dmz permit tcp any host 192.168.150.23 eq https
access-group acl_dmz in interface dmz

see if that solves the problem.

Cheers,
Rajesh

 

Author Comment

by:Balaji Kubendran
ID: 16430137
Hi rajesh,

One thing I have found is that:

a) I am able to ping this exposed IP from any Linux or router box (from the untrusted network).
b) If I access this exposed IP's page, the hit counter increases in the PIX, but I could not get the web page.
c) When I enable debug packet outside and ping the interface, the request goes in and there is no reply from the web server.
d) If we think there is no route to outside from the web server: I tried pinging from the PIX to the web server and it works, and from the PIX to outside it works. Even so, I tried pinging this exposed IP from a remote server/router and I am able to ping it. So there could not be a route problem. :)

Where could the problem be?

Thanks
Balaji

 

Author Comment

by:Balaji Kubendran
ID: 16430146
I included your lines; it doesn't work.

Expert Comment

by:rsivanandan
ID: 16430193
What is the default gateway setup on this webserver? Does this point to the PIX DMZ interface?

Cheers,
Rajesh
 

Author Comment

by:Balaji Kubendran
ID: 16430209
Yes, the PIX DMZ is 148.1 and the web server GW points to this IP.

Expert Comment

by:rsivanandan
ID: 16430227
Doesn't ring a bell. Open up another question exactly stating this and post the configuration. That way you will get more eyes to look at it.

Cheers,
Rajesh

PS: Include the comments you posted above too (The numbered one).

 

Author Comment

by:Balaji Kubendran
ID: 16430288
Could it be an image problem or what? Let me reimage the PIX, and I will reconfigure and see.