Solved

Problem with PIX501 Open Ports

Posted on 2006-11-27
287 Views
Last Modified: 2010-04-09
Hi everybody,

I currently have a problem with a PIX501 firewall. I have tried to add a couple of statements to allow external access through the PIX to a host on my inside network. By executing a "sh access-list" statement I can see the hit count increasing on my PIX as I test. However, I have double-checked the static statements and cannot find anything wrong. This would suggest to me that the access list entry is correct but I am missing another necessary statement or something. The only other bit of information I can provide is that I am testing access from the other side of the planet; I wondered if the latency across the internet could cause a timeout somewhere.

I have copied the PIX configuration and output of the sh access-list below. Any help resolving this problem would be appreciated.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.17.2.0 Inside_LAN
object-group icmp-type allowedICMP
  icmp-object unreachable
  icmp-object echo-reply
  icmp-object time-exceeded
object-group network http-hosts
  network-object host 202.82.203.2
  network-object host 202.82.203.3
access-list outside_in permit tcp any object-group http-hosts eq www
access-list outside_in permit tcp any object-group http-hosts eq https
access-list outside_in permit icmp any object-group http-hosts object-group allowedICMP
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 202.82.203.1 255.255.255.240
ip address inside 172.17.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 202.82.203.3 172.17.2.152 netmask 255.255.255.255 0 0
static (inside,outside) 202.82.203.2 172.17.2.153 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 202.82.203.190 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
floodguard enable
ssh timeout 5
console timeout 0

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list outside_in; 10 elements
access-list outside_in line 1 permit tcp any object-group http-hosts eq www
access-list outside_in line 1 permit tcp any host 202.82.203.2 eq www (hitcnt=0)
access-list outside_in line 1 permit tcp any host 202.82.203.3 eq www (hitcnt=1)
access-list outside_in line 2 permit tcp any object-group http-hosts eq https
access-list outside_in line 2 permit tcp any host 202.82.203.2 eq https (hitcnt=2)
access-list outside_in line 2 permit tcp any host 202.82.203.3 eq https (hitcnt=0)
access-list outside_in line 3 permit icmp any object-group http-hosts object-group allowedICMP
access-list outside_in line 3 permit icmp any host 202.82.203.2 unreachable (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.2 echo-reply (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.2 time-exceeded (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.3 unreachable (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.3 echo-reply (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.3 time-exceeded (hitcnt=0)
Question by:satchelllowe
4 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18028140
So can you do this;

telnet 202.82.203.2 80

see if you get a connected kinda prompt.

Cheers,
Rajesh
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 18030855
>that i am testing access from the other side of the planet, i wondered if the latency across the internet could cause a timeout somewhere.

Latency should not affect this. Your configuration appears correct. The fact that the hit counters are increasing means that the requests are getting to, then through, the PIX.
Perhaps the servers' IP config is incorrect. What is the default gateway of the servers? Does the subnet mask match that of the PIX inside interface? Is the www publishing service even running on those servers?

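As an added example (not code from the thread), a small Python checker that applies lrmoore's reasoning: it parses the static and show access-list lines the question quotes, attributes non-zero hit counts to the inside host behind each static (a hit means the PIX permitted the packet), and tests a server's default gateway against the PIX inside address. The function names and the sample gateway values are my own.

```python
import re

# Constructed sample: the relevant lines quoted from the PIX 6.3(5) config
# and "show access-list" output in the question above.
PIX_CONFIG = """\
ip address inside 172.17.2.253 255.255.255.0
static (inside,outside) 202.82.203.3 172.17.2.152 netmask 255.255.255.255 0 0
static (inside,outside) 202.82.203.2 172.17.2.153 netmask 255.255.255.255 0 0
"""

SHOW_ACL = """\
access-list outside_in line 1 permit tcp any host 202.82.203.2 eq www (hitcnt=0)
access-list outside_in line 1 permit tcp any host 202.82.203.3 eq www (hitcnt=1)
access-list outside_in line 2 permit tcp any host 202.82.203.2 eq https (hitcnt=2)
access-list outside_in line 2 permit tcp any host 202.82.203.3 eq https (hitcnt=0)
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
INSIDE_IP_RE = re.compile(r"^ip address inside (\S+) (\S+)", re.M)
# Only the object-group-expanded ACEs carry a hitcnt, so match those.
ACE_RE = re.compile(r"permit (\w+) any host (\S+)(?: eq (\S+))?.*\(hitcnt=(\d+)\)")


def parse_statics(config):
    """Map public (outside) IP -> inside host from one-to-one static NAT lines."""
    return {m.group(1): m.group(2)
            for m in map(STATIC_RE.match, config.splitlines()) if m}


def hits_by_inside_host(config, show_acl):
    """Expanded ACEs with hitcnt>0 prove traffic reached and was permitted
    through the PIX; attribute them to the inside host behind each static."""
    statics = parse_statics(config)
    hits = {}
    for m in ACE_RE.finditer(show_acl):
        proto, pub_ip, port, cnt = m.groups()
        if int(cnt) and pub_ip in statics:
            hits.setdefault(statics[pub_ip], []).append(f"{proto}/{port or '-'} x{cnt}")
    return hits


def gateway_check(config, server_gateway):
    """A server behind a static must route replies back via the PIX inside
    address; otherwise return traffic never reaches the outside client."""
    m = INSIDE_IP_RE.search(config)
    if not m:
        raise ValueError("no inside interface address in config")
    return server_gateway == m.group(1)
```

Run against the question's own output it shows 172.17.2.152 received a permitted www request and 172.17.2.153 two https requests, so the next thing to verify is each server's gateway, which the author later confirmed was the real fault.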
 

Author Comment

by:satchelllowe
ID: 18033565
Excellent, it was the default gateway on the servers pointing at our MPLS router rather than the PIX. Thanks for your assistance; I am on a tight schedule and staring at that PIX configuration for 6 hours was doing my head in. Not being a PIX administrator convinced me that there must be something wrong with the PIX configuration.
 
LVL 79

Expert Comment

by:lrmoore
ID: 18035136
Glad to help!