dfalldien

asked on

move of a public server behind a PIX 515E

Hello,

I am trying to set up a web server behind a PIX 515E. There are 2 interfaces on the PIX, public and private. On the private interface (eth1) I have 2 subnets, one publicly accessible (App 192.168.2.x) (via web and ssh ports) and one which can only be contacted by the first subnet (database 192.168.3.x). Or at least that is the plan. I have attached my config below. When I try to ssh into the box in the app subnet (192.168.2.100) I get denied by public access in. However I have a rule allowing that access, any ideas?

Here is my config file:

!
PIX Version 7.1(1)
!
hostname HCAS-pix515E
domain-name housing.dal.ca
enable password H7cwc.H8mjpjab44 encrypted
names
!
interface Ethernet0
 description public access interface
 nameif public
 security-level 0
 ip address 129.173.45.228 255.255.255.0
!
interface Ethernet1
 description default interfance for use for management only
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
interface Ethernet1.276
 description VLAN for app servers that are publicly accessable
 vlan 276
 nameif AppVLAN
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1.277
 description Vlan for db servers or other servers that can not be publicly accessed.
 vlan 277
 nameif dbVLAN
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
passwd H7cwc.H8mjpjab44 encrypted
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
dns domain-lookup public
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 129.173.1.100
 name-server 129.173.5.100
 domain-name housing.dal.ca
same-security-traffic permit inter-interface
access-list public_access_in extended permit tcp any host 192.168.2.100 eq https
access-list public_access_in extended permit tcp any host 192.168.2.100 eq ssh
access-list public_access_in extended permit tcp any host 192.168.2.100 eq www
access-list AppVLAN_access_out extended permit tcp any host 192.168.2.100
access-list AppVLAN_access_out extended permit tcp any any
access-list AppVLAN_access_in extended permit tcp any any
access-list dbVLAN_access_in extended permit tcp any any
access-list dbVLAN_access_out extended permit tcp any any
access-list AppVLAN_nat0_outbound extended permit ip host 192.168.2.100 any
access-list dbVLAN_nat0_outbound extended permit ip host 192.168.3.100 any
pager lines 24
logging enable
logging asdm informational
logging from-address david.falldien@dal.ca
logging recipient-address david.falldien@dal.ca level critical
mtu public 1500
mtu inside 1500
mtu AppVLAN 1500
mtu dbVLAN 1500
ip verify reverse-path interface AppVLAN
ip verify reverse-path interface dbVLAN
ip audit name attack attack action alarm drop
ip audit name attackINFO info action alarm drop
ip audit interface dbVLAN attackINFO
ip audit interface dbVLAN attack
icmp permit host 129.173.45.171 public
icmp permit host 129.173.1.10 public
icmp permit host 129.173.45.129 public
icmp permit host 129.173.45.129 inside
icmp permit any inside
asdm image flash:/asdm
asdm location 129.173.1.10 255.255.255.255 inside
asdm location 192.168.1.10 255.255.255.255 inside
asdm location 129.173.45.172 255.255.255.255 inside
asdm location 129.173.45.216 255.255.255.255 inside
asdm location 129.173.1.10 255.255.255.255 public
asdm location 129.173.45.171 255.255.255.255 public
asdm location 129.173.0.0 255.255.0.0 public
asdm location 129.173.47.151 255.255.255.255 public
asdm location 129.173.55.61 255.255.255.255 public
asdm location 192.168.2.100 255.255.255.255 AppVLAN
asdm location 192.168.3.100 255.255.255.255 public
asdm location 192.168.3.100 255.255.255.255 dbVLAN
asdm location 129.173.1.100 255.255.255.255 public
no asdm history enable
arp timeout 14400
global (inside) 100 192.168.1.10-192.168.1.100
global (AppVLAN) 150 192.168.3.101-192.168.3.254 netmask 255.255.255.0
global (dbVLAN) 200 192.168.2.101-192.168.2.254 netmask 255.255.255.0
nat (AppVLAN) 0 access-list AppVLAN_nat0_outbound
nat (dbVLAN) 0 access-list dbVLAN_nat0_outbound
static (public,AppVLAN) 192.168.2.100 129.173.45.216 netmask 255.255.255.255
static (public,dbVLAN) 192.168.3.100 129.173.45.218 netmask 255.255.255.255
static (AppVLAN,public) 129.173.45.216 192.168.2.100 netmask 255.255.255.255
static (dbVLAN,public) 129.173.45.218 192.168.3.100 netmask 255.255.255.255
access-group public_access_in in interface public
access-group AppVLAN_access_in in interface AppVLAN
access-group AppVLAN_access_out out interface AppVLAN
access-group dbVLAN_access_in in interface dbVLAN
access-group dbVLAN_access_out out interface dbVLAN
route public 0.0.0.0 0.0.0.0 129.173.45.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 129.173.55.61 255.255.255.255 public
http 129.173.45.0 255.255.255.128 public
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 AppVLAN
http 192.168.3.0 255.255.255.0 dbVLAN
snmp-server host inside 129.173.55.61 community PIX
snmp-server location B028 Risley Hall
snmp-server contact Dalcard Office
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 129.173.55.61 255.255.255.255 public
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 AppVLAN
telnet 192.168.3.0 255.255.255.0 dbVLAN
telnet timeout 15
ssh 192.168.55.61 255.255.255.255 public
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd address 192.168.2.101-192.168.2.254 AppVLAN
dhcpd address 192.168.3.101-192.168.3.254 dbVLAN
dhcpd dns 129.173.1.100 129.173.5.100
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain housing.dal.ca
dhcpd auto_config dbVLAN
dhcpd enable inside
dhcpd enable AppVLAN
dhcpd enable dbVLAN
smtp-server 129.173.1.130 129.173.5.72
Cryptochecksum:191adbb3b5d2e25edd5e4cb019a7e147

Any help would be great, as it is urgent that I get this working, and I have limited knowledge of working with the PIX.

Dave
Cyclops3590

For ssh access to the box you need the following command:

ssh 192.168.2.0 255.255.255.0 AppVLAN

That will allow any client from the AppVLAN IP range coming in thru that interface to access the box.

Also, btw
access-list public_access_in extended permit tcp any host 192.168.2.100 eq https
access-list public_access_in extended permit tcp any host 192.168.2.100 eq ssh
access-list public_access_in extended permit tcp any host 192.168.2.100 eq www

means that traffic will be denied if the dest. IP is not 192.168.2.100. Is that what you wanted?
dfalldien

ASKER

Yes, all across the board. I didn't want to open the entire subnet to it, just that server. So looking at my config it should have worked? This is what I get in my log, even after running that command:

Dec 01 2006 09:05:25|106023: Deny tcp src public:129.173.55.61/4790 dst AppVLAN:129.173.45.216/22 by access-group "public_access_in" [0x0, 0x0]
ASKER CERTIFIED SOLUTION
Cyclops3590

hmm...

Nah, no access to the pix. The server I am moving behind it had a public address of 129.173.45.216; when I move it behind the pix, it will have the address 192.168.2.100. I need to have public ssh and www and https access to that machine, through the PIX.

Right, the packets are being rejected by the public_access_in ACL so you need to allow them there. You were allowing 192.168.2.100, which is the internal address; you need to allow the public IP, which is what is being seen at the time of ACL evaluation.
So basically I had it right behind the pix, however I had to make the exception for the public interface as well, so that public requests could make it through the pix and not get bounced first?
Is there a timeout period you have to wait after that last config (I used the commands you gave)? Now when I try to ssh into it, I don't even see the attempt to attach fail (or pass) in the log.
Not as well, only. When the packet gets evaluated by the acl on the outside interface the static translation hasn't occurred yet, so the dst. IP is still the public IP of that server; only after that acl is processed and the static translation occurs is the dst IP then the internal IP. Going the other way, the internal IP will be the source IP until the static translation occurs. This happens between interfaces. So coming in thru the outside interface the outside acl is processed, the translation occurs, and the packet gets routed out the AppVLAN interface, and vice versa for the return traffic.
Thanks for the most useful help I have had in a long time.
I know I accepted, however one more question... so to avoid my confusion later on... what commands (assuming blank start) would be needed to allow public access to a server that I moved behind a PIX515E but want to keep its public access, as far as access rules go. It took me a very long time to get what I got, and it didn't work right. If you could give the commands (one simple list) allowing access for SSH for a server behind the pix that would be awesome.
Rule allowing public access, rule allowing through pix, and rule allowing from pix to the machine behind the pix.
A few things:

1) Static entries to allow the translation of a public IP to your internal IP
static (<inside int>,<outside int>) <public IP> <internal IP>
clear xlate

The clear xlate is to clear the translation table since you have modified it. If you don't do that you can get unexpected behavior.

2) Add acls to allow traffic
access-list <acl name> permit <protocol> <source> <dest> eq <port>
Examples:
access-list public_allow permit tcp any host 1.2.3.4 eq smtp
That allows all tcp traffic to IP 1.2.3.4 for port smtp to come in. The "any" means that the source can be anything; there is then an implied any for the source port as well.
access-list public_all permit ip any 1.2.3.0 255.255.255.0
This allows all IP traffic (udp or tcp) from any source to any IP on the 1.2.3.0/24 network.

3) Apply the acls to the interface
access-group <acl-name> in interface <int name>
The "in" can actually be "out" as well as of 7.x OS. Just keep in mind that if you use "in", the acl is only processed if the packet is coming into the interface <int name> (from other host to pix). If you use "out", then it is only processed if the packet being looked at is going out of that interface (from pix out).
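To make the ordering explained in the answers concrete (the ACL bound inbound on the ingress interface is evaluated first, against the public address, and the static translation is applied only afterwards, which is why an entry written for 192.168.2.100 never matched), here is a small Python model of that path. It is an added illustration, not code from this thread or from Cisco: the command parser accepts only the three forms listed in the recipe above (static, access-list, access-group), the port-name table is an assumption, and the replayed packet is the SSH SYN from the asker's log line.

```python
"""Toy model of the inbound packet path described in the thread: the inbound ACL on the
ingress interface sees the untranslated (public) destination, and only afterwards does the
static translation rewrite it to the inside address.  Added illustration, not code from the
thread or from Cisco; understands only the three command forms used in the answer."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Port keywords that appear in the thread's ACLs (assumption: this small table is enough here).
PORT_NAMES = {"ssh": 22, "www": 80, "https": 443, "smtp": 25}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str        # destination address as seen on the wire at the ingress interface
    dport: int
    ingress: str    # nameif of the interface the packet arrives on


@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "ip"
    src: str                # "any" or a host address
    dst: str                # "any" or a host address
    dport: Optional[int]    # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class Pix:
    acls: Dict[str, List[Ace]] = field(default_factory=dict)      # acl name -> entries
    access_groups: Dict[str, str] = field(default_factory=dict)   # ingress interface -> acl name
    # (mapped interface, mapped/public IP) -> (real interface, real/inside IP)
    statics: Dict[Tuple[str, str], Tuple[str, str]] = field(default_factory=dict)

    def configure(self, line: str) -> None:
        """Accepts: static (REAL_IF,MAPPED_IF) MAPPED_IP REAL_IP ...
                    access-list NAME [extended] permit|deny PROTO any|host A any|host B [eq PORT]
                    access-group NAME in interface IF"""
        tok = line.split()
        if tok[0] == "static":
            real_if, mapped_if = tok[1].strip("()").split(",")
            self.statics[(mapped_if, tok[2])] = (real_if, tok[3])
        elif tok[0] == "access-list":
            name = tok[1]
            t = tok[3:] if tok[2] == "extended" else tok[2:]
            action, proto, t = t[0], t[1], t[2:]
            src, t = ("any", t[1:]) if t[0] == "any" else (t[1], t[2:])   # "any" or "host A"
            dst, t = ("any", t[1:]) if t[0] == "any" else (t[1], t[2:])
            dport = None
            if t and t[0] == "eq":
                dport = PORT_NAMES.get(t[1]) or int(t[1])
            self.acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif tok[0] == "access-group" and tok[2] == "in":
            self.access_groups[tok[4]] = tok[1]
        else:
            raise ValueError("unsupported command in this toy model: " + line)

    def inbound(self, pkt: Packet) -> Tuple[str, str, Optional[str], Optional[str]]:
        """Return (verdict, reason, translated destination, egress interface)."""
        # Step 1: the inbound ACL on the ingress interface sees the public (untranslated) address.
        for ace in self.acls.get(self.access_groups.get(pkt.ingress, ""), []):
            if ace.matches(pkt):
                if ace.action == "deny":
                    return ("deny", "explicit deny in access-group", None, None)
                break
        else:
            # No entry matched: the ACL's implicit deny (the 106023 message in the asker's log).
            return ("deny", "no permit in access-group", None, None)
        # Step 2: only now does the static translation turn the public IP into the inside IP.
        real = self.statics.get((pkt.ingress, pkt.dst))
        if real is None:
            return ("deny", "no static translation for destination", None, None)
        real_if, real_ip = real
        return ("permit", "acl permit, then static xlate", real_ip, real_if)


def ssh_from_log(acl_dst: str) -> Tuple[str, str, Optional[str], Optional[str]]:
    """Build the thread's setup with the public ACL written against acl_dst and replay the
    SSH SYN from the asker's log (129.173.55.61 -> 129.173.45.216/22 arriving on 'public')."""
    pix = Pix()
    pix.configure("static (AppVLAN,public) 129.173.45.216 192.168.2.100 netmask 255.255.255.255")
    pix.configure(f"access-list public_access_in extended permit tcp any host {acl_dst} eq ssh")
    pix.configure("access-group public_access_in in interface public")
    return pix.inbound(Packet("tcp", "129.173.55.61", "129.173.45.216", 22, "public"))


if __name__ == "__main__":
    print("ACL written for the inside address:", ssh_from_log("192.168.2.100"))
    print("ACL written for the public address:", ssh_from_log("129.173.45.216"))
```

Running it shows the two outcomes from the thread side by side: with the ACL naming 192.168.2.100 the packet dies at step 1 (the implicit deny, logged as 106023), and with the ACL naming 129.173.45.216 it passes the ACL, is translated to 192.168.2.100 and leaves through AppVLAN.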
I am now getting this in my log...

Good that it is trying to connect, bad that it isn't. Any ideas?
2|Dec 01 2006 11:22:31|106001: Inbound TCP connection denied from 129.173.55.61/1637 to 129.173.45.216/22 flags SYN  on interface public
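The two deny messages quoted in this thread (106023, denied by an access-group, and 106001, inbound TCP connection denied) carry exactly the fields needed to check a config against what the PIX actually saw: the destination in both is the public address 129.173.45.216, not the inside one. The parser below pulls those fields out so they can be compared with the ACL and static entries. It is an added example, not code from the thread; the first two sample lines are copied from the posts above, the third is constructed, and the field names are mine.

```python
"""Parser for the two PIX deny messages quoted in this thread, 106023 (denied by an
access-group) and 106001 (inbound TCP connection denied).  Added example, not code from
the thread; field names are my own."""
import re
from typing import Dict, List, Optional

# 106023: Deny PROTO src IF:IP/PORT dst IF:IP/PORT by access-group "NAME" [...]
RE_106023 = re.compile(
    r'(?P<msg>106023): Deny (?P<proto>\w+) src (?P<src_if>[\w.-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[\w.-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) by access-group "(?P<acl>[^"]+)"')
# 106001: Inbound TCP connection denied from IP/PORT to IP/PORT flags FLAGS on interface IF
RE_106001 = re.compile(
    r'(?P<msg>106001): Inbound TCP connection denied from (?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'to (?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) flags (?P<flags>.*?)\s+on interface (?P<src_if>[\w.-]+)')


def parse_deny(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a 106023 or 106001 deny message, or None for any other line."""
    for rx in (RE_106023, RE_106001):
        m = rx.search(line)
        if m:
            d = m.groupdict()
            d.setdefault("proto", "tcp")   # 106001 is TCP by definition
            return d
    return None


def denied_destinations(lines: List[str]) -> Dict[str, int]:
    """Count denies per destination IP:port.  In this thread every entry lands on the public
    address 129.173.45.216, which is the hint that the ACL must name the public IP, not the
    inside one."""
    counts: Dict[str, int] = {}
    for line in lines:
        d = parse_deny(line)
        if d:
            key = f'{d["dst_ip"]}:{d["dst_port"]}'
            counts[key] = counts.get(key, 0) + 1
    return counts


# Sample input: the first two lines are copied from the thread, the third is constructed.
SAMPLE_LOG = [
    'Dec 01 2006 09:05:25|106023: Deny tcp src public:129.173.55.61/4790 dst AppVLAN:129.173.45.216/22 by access-group "public_access_in" [0x0, 0x0]',
    '2|Dec 01 2006 11:22:31|106001: Inbound TCP connection denied from 129.173.55.61/1637 to 129.173.45.216/22 flags SYN  on interface public',
    'Dec 01 2006 11:22:40|constructed: not a deny message',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_deny(line))
    print(denied_destinations(SAMPLE_LOG))
```

Note that the 106023 line reports the destination interface as AppVLAN while the destination IP is still the public 129.173.45.216: the egress interface has already been chosen, but the address the ACL is matched against has not yet been translated, which is exactly the ordering the accepted answer describes.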