satchelllowe
Problem with PIX501 Open Ports

Hi everybody,

I currently have a problem with a PIX501 firewall. I have tried to add a couple of statements to allow external access through the PIX to a host on my inside network. By executing a "sh access-list" statement I can see the hit count increasing on my PIX as I test. However, I have double-checked the static statements and cannot find anything wrong. This would suggest to me that the access list entry is correct but I am missing another necessary statement or something. The only other bit of information I can provide is that I am testing access from the other side of the planet; I wondered if the latency across the internet could cause a timeout somewhere.

I have copied the PIX configuration and output of the sh access-list below. Any help resolving this problem would be appreciated.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.17.2.0 Inside_LAN
object-group icmp-type allowedICMP
  icmp-object unreachable
  icmp-object echo-reply
  icmp-object time-exceeded
object-group network http-hosts
  network-object host 202.82.203.2
  network-object host 202.82.203.3
access-list outside_in permit tcp any object-group http-hosts eq www
access-list outside_in permit tcp any object-group http-hosts eq https
access-list outside_in permit icmp any object-group http-hosts object-group allowedICMP
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 202.82.203.1 255.255.255.240
ip address inside 172.17.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 202.82.203.3 172.17.2.152 netmask 255.255.255.255 0 0
static (inside,outside) 202.82.203.2 172.17.2.153 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 202.82.203.190 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
floodguard enable
ssh timeout 5
console timeout 0

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list outside_in; 10 elements
access-list outside_in line 1 permit tcp any object-group http-hosts eq www
access-list outside_in line 1 permit tcp any host 202.82.203.2 eq www (hitcnt=0)
access-list outside_in line 1 permit tcp any host 202.82.203.3 eq www (hitcnt=1)
access-list outside_in line 2 permit tcp any object-group http-hosts eq https
access-list outside_in line 2 permit tcp any host 202.82.203.2 eq https (hitcnt=2)
access-list outside_in line 2 permit tcp any host 202.82.203.3 eq https (hitcnt=0)
access-list outside_in line 3 permit icmp any object-group http-hosts object-group allowedICMP
access-list outside_in line 3 permit icmp any host 202.82.203.2 unreachable (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.2 echo-reply (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.2 time-exceeded (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.3 unreachable (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.3 echo-reply (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.3 time-exceeded (hitcnt=0)
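The useful diagnostic in this output is the combination of the `static` lines and the per-host `hitcnt` values: a non-zero counter on an expanded ACE means the PIX accepted the packet on the outside interface and, given a matching static, forwarded it to the inside host, so a client that still gets no answer should look past the firewall (the server's own return route) rather than at the ACL. The script below is an added example, not code from this thread or from Cisco; it parses the `static` lines and the expanded `sh access-list` entries, correlates each global address with its inside host, and prints a verdict per host. Its input is an excerpt of the config and output posted above plus one constructed line for a host 202.82.203.4 with no static, added only to exercise that branch; the function names are mine.

```python
import re
from collections import defaultdict

# Excerpt of the PIX config posted above: only the statics and the access-group line matter here.
PIX_CONFIG = """\
static (inside,outside) 202.82.203.3 172.17.2.152 netmask 255.255.255.255 0 0
static (inside,outside) 202.82.203.2 172.17.2.153 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""

# Excerpt of the `sh access-list` output posted above. The last line is CONSTRUCTED
# (host 202.82.203.4 has no static) so the "no translation" branch is exercised.
SHOW_ACL = """\
access-list outside_in; 10 elements
access-list outside_in line 1 permit tcp any object-group http-hosts eq www
access-list outside_in line 1 permit tcp any host 202.82.203.2 eq www (hitcnt=0)
access-list outside_in line 1 permit tcp any host 202.82.203.3 eq www (hitcnt=1)
access-list outside_in line 2 permit tcp any object-group http-hosts eq https
access-list outside_in line 2 permit tcp any host 202.82.203.2 eq https (hitcnt=2)
access-list outside_in line 2 permit tcp any host 202.82.203.3 eq https (hitcnt=0)
access-list outside_in line 3 permit icmp any host 202.82.203.2 echo-reply (hitcnt=0)
access-list outside_in line 1 permit tcp any host 202.82.203.4 eq www (hitcnt=3)
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"

# static (inside,outside) <global> <local> netmask ...
STATIC_RE = re.compile(
    rf"^static \((?P<inside>\w+),(?P<outside>\w+)\) (?P<global>{IPV4}) (?P<local>{IPV4})"
)

# Only the expanded per-host lines carry a hit counter; the object-group summary lines do not,
# and this pattern deliberately does not match them ("object-group" is not "host <ip>").
ACE_RE = re.compile(
    rf"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<action>permit|deny) (?P<proto>\S+) "
    rf"(?P<src>any|host \S+) host (?P<dst>{IPV4}) (?P<svc>.+?) \(hitcnt=(?P<hits>\d+)\)$"
)


def parse_statics(config):
    """Map each global (outside) address to the inside host it is translated to."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics[m.group("global")] = m.group("local")
    return statics


def parse_hitcounts(show_output):
    """Return (acl, line, proto, dst, service, hits) for every expanded ACE with a counter."""
    entries = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            entries.append((m.group("acl"), int(m.group("line")), m.group("proto"),
                            m.group("dst"), m.group("svc"), int(m.group("hits"))))
    return entries


def diagnose(config, show_output):
    """Per global address: inside host, hits per service, and where to look next."""
    statics = parse_statics(config)
    per_host = defaultdict(lambda: {"inside": None, "hits": {}, "verdict": ""})
    for _acl, _line, proto, dst, svc, hits in parse_hitcounts(show_output):
        entry = per_host[dst]
        entry["inside"] = statics.get(dst)
        entry["hits"][f"{proto} {svc}"] = hits
    for dst, entry in per_host.items():
        if entry["inside"] is None:
            entry["verdict"] = "no static for this address: permitted packets have no inside host to go to"
        elif any(entry["hits"].values()):
            entry["verdict"] = ("PIX permitted and translated inbound packets; check the inside host's "
                                "return path (its default gateway must send replies back via the PIX)")
        else:
            entry["verdict"] = "no hits: packets are not reaching the outside interface or no ACE matches"
    return dict(per_host)


if __name__ == "__main__":
    for dst, entry in diagnose(PIX_CONFIG, SHOW_ACL).items():
        print(f"{dst} -> {entry['inside']}  hits={entry['hits']}\n    {entry['verdict']}")
```

Run against the thread's own output, the script reports hits on both translated hosts, which is exactly the situation the asker describes: the firewall side is working, and the asker's follow-up confirms the fault was the servers' default gateway, not the PIX.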
rsivanandan

So, can you do this:

telnet 202.82.203.2 80

see if you get a connected kinda prompt.

Cheers,
Rajesh
ASKER CERTIFIED SOLUTION
Les Moore

(solution text not included on this page)
satchelllowe (ASKER)

Excellent, it was the default gateway on the servers pointing at our MPLS router rather than the PIX. Thanks for your assistance; I am on a tight schedule and staring at that PIX configuration for 6 hours was doing my head in. Not being a PIX administrator convinced me that there must be something wrong with the PIX configuration.

Glad to help!