Solved

Problem with PIX501 Open Ports

Posted on 2006-11-27
Last Modified: 2010-04-09
Hi everybody,

I currently have a problem with a PIX501 firewall. I have tried to add a couple of statements to allow external access through the PIX to a host on my inside network. By executing a "sh access-list" statement I can see the hit count increasing on my PIX as I test. However, I have double-checked the static statements and cannot find anything wrong. This would suggest to me that the access list entry is correct but I am missing another necessary statement or something. The only other bit of information I can provide is that I am testing access from the other side of the planet; I wondered if the latency across the internet could cause a timeout somewhere.

I have copied the PIX configuration and output of the sh access-list below. Any help resolving this problem would be appreciated.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.17.2.0 Inside_LAN
object-group icmp-type allowedICMP
  icmp-object unreachable
  icmp-object echo-reply
  icmp-object time-exceeded
object-group network http-hosts
  network-object host 202.82.203.2
  network-object host 202.82.203.3
access-list outside_in permit tcp any object-group http-hosts eq www
access-list outside_in permit tcp any object-group http-hosts eq https
access-list outside_in permit icmp any object-group http-hosts object-group allowedICMP
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 202.82.203.1 255.255.255.240
ip address inside 172.17.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 202.82.203.3 172.17.2.152 netmask 255.255.255.255 0 0
static (inside,outside) 202.82.203.2 172.17.2.153 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 202.82.203.190 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
floodguard enable
ssh timeout 5
console timeout 0

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list outside_in; 10 elements
access-list outside_in line 1 permit tcp any object-group http-hosts eq www
access-list outside_in line 1 permit tcp any host 202.82.203.2 eq www (hitcnt=0)
access-list outside_in line 1 permit tcp any host 202.82.203.3 eq www (hitcnt=1)
access-list outside_in line 2 permit tcp any object-group http-hosts eq https
access-list outside_in line 2 permit tcp any host 202.82.203.2 eq https (hitcnt=2)
access-list outside_in line 2 permit tcp any host 202.82.203.3 eq https (hitcnt=0)
access-list outside_in line 3 permit icmp any object-group http-hosts object-group allowedICMP
access-list outside_in line 3 permit icmp any host 202.82.203.2 unreachable (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.2 echo-reply (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.2 time-exceeded (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.3 unreachable (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.3 echo-reply (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.3 time-exceeded (hitcnt=0)
Question by:satchelllowe

Expert Comment

by:rsivanandan
So can you do this:

telnet 202.82.203.2 80

see if you get a connected kinda prompt.

Cheers,
Rajesh

Accepted Solution

by: lrmoore (earned 2000 total points)
>that i am testing access from the other side of the planet, i wondered if the latency across the internet could cause a timeout somewhere.

Latency should not affect this. Your configuration appears correct. The fact that the hit counters are increasing means that the requests are getting to, then through, the PIX.
Perhaps the servers' IP config is incorrect. What is the default gateway of the servers? Does the subnet mask match that of the PIX inside interface? Is the www publishing service even running on those servers?

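As an added example (not part of the original thread), a small Python check that reads the kind of PIX 6.3 config and "sh access-list" output posted above, follows each public address that has hits back to its inside host through the static entries, and compares that host's default gateway with the PIX inside interface, which is the mismatch lrmoore points to. The config and output excerpts and the gateway values are constructed for the example.

```python
import ipaddress
import re
# Constructed excerpts in the shape of the question's PIX config and
# "sh access-list" output (not the full posted configuration).
PIX_CONFIG = """\
ip address inside 172.17.2.253 255.255.255.0
static (inside,outside) 202.82.203.3 172.17.2.152 netmask 255.255.255.255 0 0
static (inside,outside) 202.82.203.2 172.17.2.153 netmask 255.255.255.255 0 0
"""
SH_ACCESS_LIST = """\
access-list outside_in line 1 permit tcp any host 202.82.203.3 eq www (hitcnt=1)
access-list outside_in line 2 permit tcp any host 202.82.203.2 eq https (hitcnt=2)
access-list outside_in line 2 permit tcp any host 202.82.203.3 eq https (hitcnt=0)
"""

def parse_statics(config):
    """Map each public (outside) address to its inside host from 'static' lines."""
    pat = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask", re.M)
    return dict(pat.findall(config))

def inside_interface(config):
    """PIX inside interface as an ip_interface (address plus its subnet)."""
    m = re.search(r"^ip address inside (\S+) (\S+)", config, re.M)
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")

def hit_aces(output):
    """(public_ip, port, hits) for expanded TCP entries whose hit count is > 0."""
    pat = re.compile(r"permit tcp any host (\S+) eq (\S+) \(hitcnt=(\d+)\)")
    return [(ip, port, int(h)) for ip, port, h in pat.findall(output) if int(h) > 0]

def diagnose(config, acl_output, server_gateways):
    """server_gateways: {inside_ip: default gateway configured on that host}.
    A hit means the PIX accepted and forwarded the packet; if the server's
    default gateway is not the PIX inside address, the reply leaves by another
    router and the client never sees a SYN/ACK (the fault found in this thread)."""
    statics, pix = parse_statics(config), inside_interface(config)
    findings = []
    for pub, port, hits in hit_aces(acl_output):
        priv = statics.get(pub)
        gw = server_gateways.get(priv)
        if priv is None:
            findings.append((pub, port, "no static for this address"))
        elif gw == str(pix.ip):
            findings.append((pub, port, f"ok: {priv} replies via PIX"))
        elif gw and ipaddress.ip_address(gw) in pix.network:
            findings.append((pub, port, f"asymmetric: {priv} gateway {gw} is not PIX {pix.ip}"))
        else:
            findings.append((pub, port, f"gateway {gw} for {priv} is not on {pix.network}"))
    return findings
```

Feed it the server gateways you read off each host (for example with `ipconfig` or `route print`); any "asymmetric" finding is the same fault the thread ended on.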
Author Comment

by:satchelllowe
Excellent, it was the default gateway on the servers pointing at our MPLS router rather than the PIX. Thanks for your assistance, I am on a tight schedule and staring at that PIX configuration for 6 hours was doing my head in. Not being a PIX administrator convinced me that there must be something wrong with the PIX configuration.


Expert Comment

by:lrmoore
Glad to help!