Problem with PIX501 Open Ports

Posted on 2006-11-27
Last Modified: 2010-04-09
Hi everybody,

I currently have a problem with a PIX501 firewall. I have tried to add a couple of statements to allow external access through the PIX to a host on my inside network. By executing a "sh access-list" statement I can see the hit count increasing on my PIX as I test. However, I have double-checked the static statements and cannot find anything wrong. This would suggest to me that the access list entry is correct but I am missing another necessary statement or something. The only other bit of information I can provide is that I am testing access from the other side of the planet; I wondered if the latency across the internet could cause a timeout somewhere.

I have copied the PIX configuration and output of the sh access-list below. Any help resolving this problem would be appreciated.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.17.2.0 Inside_LAN
object-group icmp-type allowedICMP
  icmp-object unreachable
  icmp-object echo-reply
  icmp-object time-exceeded
object-group network http-hosts
  network-object host 202.82.203.2
  network-object host 202.82.203.3
access-list outside_in permit tcp any object-group http-hosts eq www
access-list outside_in permit tcp any object-group http-hosts eq https
access-list outside_in permit icmp any object-group http-hosts object-group allowedICMP
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 202.82.203.1 255.255.255.240
ip address inside 172.17.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 202.82.203.3 172.17.2.152 netmask 255.255.255.255 0 0
static (inside,outside) 202.82.203.2 172.17.2.153 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 202.82.203.190 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
floodguard enable
ssh timeout 5
console timeout 0

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list outside_in; 10 elements
access-list outside_in line 1 permit tcp any object-group http-hosts eq www
access-list outside_in line 1 permit tcp any host 202.82.203.2 eq www (hitcnt=0)
access-list outside_in line 1 permit tcp any host 202.82.203.3 eq www (hitcnt=1)
access-list outside_in line 2 permit tcp any object-group http-hosts eq https
access-list outside_in line 2 permit tcp any host 202.82.203.2 eq https (hitcnt=2)
access-list outside_in line 2 permit tcp any host 202.82.203.3 eq https (hitcnt=0)
access-list outside_in line 3 permit icmp any object-group http-hosts object-group allowedICMP
access-list outside_in line 3 permit icmp any host 202.82.203.2 unreachable (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.2 echo-reply (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.2 time-exceeded (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.3 unreachable (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.3 echo-reply (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.3 time-exceeded (hitcnt=0)
Question by: satchelllowe
Expert Comment

by: rsivanandan
ID: 18028140
So can you do this:

telnet 202.82.203.2 80

See if you get a connected kinda prompt.

Cheers,
Rajesh
Accepted Solution

by: lrmoore (earned 500 total points)
ID: 18030855
>that I am testing access from the other side of the planet, I wondered if the latency across the internet could cause a timeout somewhere.

Latency should not affect this. Your configuration appears correct. The fact that the hit counters are increasing means that the requests are getting to, then through, the PIX.
Perhaps the servers' IP config is incorrect. What is the default gateway of the servers? Does the subnet mask match that of the PIX inside interface? Is the www publishing service even running on those servers?
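The reasoning in the accepted answer (ACL hit counters climbing plus a matching one-to-one static means the PIX is translating and forwarding the flow, so the remaining suspects are on the server) can be turned into a small diagnostic. The script below is an added example, not code from the thread or from Cisco; it parses a trimmed copy of the PIX 6.3 configuration and the "show access-list" output posted in the question, maps each expanded ACE with hits back to the inside host behind its static, flags any public address in the ACL that has no static at all, and checks whether a server's default gateway is the PIX inside interface. The configuration and ACL excerpts are constructed from the question; the second gateway value in the usage lines (172.17.2.254) is a constructed placeholder standing in for the MPLS router mentioned later in the thread.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the PIX 6.3(5) configuration from the question,
# reduced to the lines that matter for inbound translation.
PIX_CONFIG = """\
ip address inside 172.17.2.253 255.255.255.0
object-group network http-hosts
  network-object host 202.82.203.2
  network-object host 202.82.203.3
access-list outside_in permit tcp any object-group http-hosts eq www
access-list outside_in permit tcp any object-group http-hosts eq https
static (inside,outside) 202.82.203.3 172.17.2.152 netmask 255.255.255.255 0 0
static (inside,outside) 202.82.203.2 172.17.2.153 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""

# Constructed excerpt of the "show access-list" output from the question
# (expanded TCP entries only).
SHOW_ACL = """\
access-list outside_in line 1 permit tcp any host 202.82.203.2 eq www (hitcnt=0)
access-list outside_in line 1 permit tcp any host 202.82.203.3 eq www (hitcnt=1)
access-list outside_in line 2 permit tcp any host 202.82.203.2 eq https (hitcnt=2)
access-list outside_in line 2 permit tcp any host 202.82.203.3 eq https (hitcnt=0)
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACE_RE = re.compile(
    r"^access-list (\S+) line (\d+) permit (\w+) any host (\S+) eq (\S+) \(hitcnt=(\d+)\)"
)
INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)")


def parse_statics(config):
    """Return {public_ip: inside_ip} for one-to-one static NAT entries."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m.group(5) == "255.255.255.255":
            statics[m.group(3)] = m.group(4)
    return statics


def parse_inside_interface(config):
    """Return (inside_ip, inside_network) from the 'ip address inside' line."""
    for line in config.splitlines():
        m = INSIDE_RE.match(line.strip())
        if m:
            return m.group(1), ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return None, None


def parse_hit_counts(show_output):
    """Return (acl, line, proto, public_ip, port, hitcnt) per expanded ACE."""
    entries = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            acl, num, proto, host, port, hits = m.groups()
            entries.append((acl, int(num), proto, host, port, int(hits)))
    return entries


def diagnose(config, show_output):
    """Correlate each expanded ACE with its static and give a next step."""
    statics = parse_statics(config)
    _, inside_net = parse_inside_interface(config)
    report = []
    for _acl, _num, _proto, public, port, hits in parse_hit_counts(show_output):
        inside = statics.get(public)
        finding = {"public": public, "port": port, "hits": hits, "inside": inside}
        if inside is None:
            finding["verdict"] = "no static: PIX cannot forward this flow"
        elif inside_net and ip_address(inside) not in inside_net:
            finding["verdict"] = "static points outside the inside subnet"
        elif hits > 0:
            finding["verdict"] = "ACL matched and static exists: check the host's gateway and service"
        else:
            finding["verdict"] = "no traffic seen yet"
        report.append(finding)
    return report


def gateway_matches_pix(config, host_default_gateway):
    """True when a server's default gateway is the PIX inside address, so the
    reply half of a translated flow returns through the PIX and not elsewhere."""
    inside_ip, _ = parse_inside_interface(config)
    return inside_ip is not None and ip_address(host_default_gateway) == ip_address(inside_ip)


if __name__ == "__main__":
    for f in diagnose(PIX_CONFIG, SHOW_ACL):
        print(f"{f['public']}:{f['port']} -> {f['inside']} hits={f['hits']}: {f['verdict']}")
    print("gateway 172.17.2.253 ok:", gateway_matches_pix(PIX_CONFIG, "172.17.2.253"))
    print("gateway 172.17.2.254 ok:", gateway_matches_pix(PIX_CONFIG, "172.17.2.254"))  # placeholder
```

Running it against the posted excerpts shows the https entry for 202.82.203.2 with two hits mapped to 172.17.2.153 and a static in place, which is exactly the situation where the firewall is no longer the suspect; the gateway check then makes the asymmetric-return problem explicit: a server whose default route points at another router sends its SYN-ACK around the PIX, and the client never sees the connection complete even though the ACL counters keep climbing.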

Author Comment

by: satchelllowe
ID: 18033565
Excellent, it was the default gateway on the servers pointing at our MPLS router rather than the PIX. Thanks for your assistance; I am on a tight schedule and staring at that PIX configuration for 6 hours was doing my head in. Not being a PIX administrator convinced me that there must be something wrong with the PIX configuration.
Expert Comment

by: lrmoore
ID: 18035136
Glad to help!