Solved

move of a public server behind a PIX 515E

Posted on 2006-11-30
Last Modified: 2010-05-18
Hello,

I am trying to set up a web server behind a PIX 515E. There are 2 interfaces on the PIX, public and private. On the private interface (eth1) I have 2 subnets, one publicly accessible (App, 192.168.2.x) (via web and ssh ports) and one which can only be contacted by the first subnet (database, 192.168.3.x). Or at least that is the plan. I have attached my config below. When I try to ssh into the box in the app subnet (192.168.2.100) I get denied by public_access_in. However I have a rule allowing that access, any ideas?

Here is my config file:

!
PIX Version 7.1(1)
!
hostname HCAS-pix515E
domain-name housing.dal.ca
enable password H7cwc.H8mjpjab44 encrypted
names
!
interface Ethernet0
 description public access interface
 nameif public
 security-level 0
 ip address 129.173.45.228 255.255.255.0
!
interface Ethernet1
 description default interface for use for management only
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
interface Ethernet1.276
 description VLAN for app servers that are publicly accessible
 vlan 276
 nameif AppVLAN
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1.277
 description Vlan for db servers or other servers that can not be publicly accessed.
 vlan 277
 nameif dbVLAN
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
passwd H7cwc.H8mjpjab44 encrypted
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
dns domain-lookup public
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 129.173.1.100
 name-server 129.173.5.100
 domain-name housing.dal.ca
same-security-traffic permit inter-interface
access-list public_access_in extended permit tcp any host 192.168.2.100 eq https
access-list public_access_in extended permit tcp any host 192.168.2.100 eq ssh
access-list public_access_in extended permit tcp any host 192.168.2.100 eq www
access-list AppVLAN_access_out extended permit tcp any host 192.168.2.100
access-list AppVLAN_access_out extended permit tcp any any
access-list AppVLAN_access_in extended permit tcp any any
access-list dbVLAN_access_in extended permit tcp any any
access-list dbVLAN_access_out extended permit tcp any any
access-list AppVLAN_nat0_outbound extended permit ip host 192.168.2.100 any
access-list dbVLAN_nat0_outbound extended permit ip host 192.168.3.100 any
pager lines 24
logging enable
logging asdm informational
logging from-address david.falldien@dal.ca
logging recipient-address david.falldien@dal.ca level critical
mtu public 1500
mtu inside 1500
mtu AppVLAN 1500
mtu dbVLAN 1500
ip verify reverse-path interface AppVLAN
ip verify reverse-path interface dbVLAN
ip audit name attack attack action alarm drop
ip audit name attackINFO info action alarm drop
ip audit interface dbVLAN attackINFO
ip audit interface dbVLAN attack
icmp permit host 129.173.45.171 public
icmp permit host 129.173.1.10 public
icmp permit host 129.173.45.129 public
icmp permit host 129.173.45.129 inside
icmp permit any inside
asdm image flash:/asdm
asdm location 129.173.1.10 255.255.255.255 inside
asdm location 192.168.1.10 255.255.255.255 inside
asdm location 129.173.45.172 255.255.255.255 inside
asdm location 129.173.45.216 255.255.255.255 inside
asdm location 129.173.1.10 255.255.255.255 public
asdm location 129.173.45.171 255.255.255.255 public
asdm location 129.173.0.0 255.255.0.0 public
asdm location 129.173.47.151 255.255.255.255 public
asdm location 129.173.55.61 255.255.255.255 public
asdm location 192.168.2.100 255.255.255.255 AppVLAN
asdm location 192.168.3.100 255.255.255.255 public
asdm location 192.168.3.100 255.255.255.255 dbVLAN
asdm location 129.173.1.100 255.255.255.255 public
no asdm history enable
arp timeout 14400
global (inside) 100 192.168.1.10-192.168.1.100
global (AppVLAN) 150 192.168.3.101-192.168.3.254 netmask 255.255.255.0
global (dbVLAN) 200 192.168.2.101-192.168.2.254 netmask 255.255.255.0
nat (AppVLAN) 0 access-list AppVLAN_nat0_outbound
nat (dbVLAN) 0 access-list dbVLAN_nat0_outbound
static (public,AppVLAN) 192.168.2.100 129.173.45.216 netmask 255.255.255.255
static (public,dbVLAN) 192.168.3.100 129.173.45.218 netmask 255.255.255.255
static (AppVLAN,public) 129.173.45.216 192.168.2.100 netmask 255.255.255.255
static (dbVLAN,public) 129.173.45.218 192.168.3.100 netmask 255.255.255.255
access-group public_access_in in interface public
access-group AppVLAN_access_in in interface AppVLAN
access-group AppVLAN_access_out out interface AppVLAN
access-group dbVLAN_access_in in interface dbVLAN
access-group dbVLAN_access_out out interface dbVLAN
route public 0.0.0.0 0.0.0.0 129.173.45.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 129.173.55.61 255.255.255.255 public
http 129.173.45.0 255.255.255.128 public
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 AppVLAN
http 192.168.3.0 255.255.255.0 dbVLAN
snmp-server host inside 129.173.55.61 community PIX
snmp-server location B028 Risley Hall
snmp-server contact Dalcard Office
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 129.173.55.61 255.255.255.255 public
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 AppVLAN
telnet 192.168.3.0 255.255.255.0 dbVLAN
telnet timeout 15
ssh 192.168.55.61 255.255.255.255 public
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd address 192.168.2.101-192.168.2.254 AppVLAN
dhcpd address 192.168.3.101-192.168.3.254 dbVLAN
dhcpd dns 129.173.1.100 129.173.5.100
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain housing.dal.ca
dhcpd auto_config dbVLAN
dhcpd enable inside
dhcpd enable AppVLAN
dhcpd enable dbVLAN
smtp-server 129.173.1.130 129.173.5.72
Cryptochecksum:191adbb3b5d2e25edd5e4cb019a7e147

Any help would be great, as it is urgent that I get this working, and I have limited knowledge of working with the PIX.

Dave
Question by: dfalldien
Expert Comment by Cyclops3590 (ID: 18053222)
For SSH access to the box you need the following command:

ssh 192.168.2.0 255.255.255.0 AppVLAN

That will allow any client from the AppVLAN IP range coming in through that interface to access the box.

Also, btw,
access-list public_access_in extended permit tcp any host 192.168.2.100 eq https
access-list public_access_in extended permit tcp any host 192.168.2.100 eq ssh
access-list public_access_in extended permit tcp any host 192.168.2.100 eq www

means that traffic will be denied if the destination IP is not 192.168.2.100. Is that what you wanted?
Author Comment by dfalldien (ID: 18053241)
Yes, all across the board. I didn't want to open the entire subnet to it, just that server. So looking at my config it should have worked? This is what I get in my log, even after running that command:

Dec 01 2006 09:05:25|106023: Deny tcp src public:129.173.55.61/4790 dst AppVLAN:129.173.45.216/22 by access-group "public_access_in" [0x0, 0x0]
Accepted Solution by Cyclops3590 (earned 500 total points; ID: 18053274)
Oh, sorry, I thought you wanted SSH access to the PIX. I'm sorry.
Run:
no ssh 192.168.2.0 255.255.255.0 AppVLAN
access-list public_access_in extended permit tcp any host 129.173.45.216 eq https
access-list public_access_in extended permit tcp any host 129.173.45.216 eq ssh
access-list public_access_in extended permit tcp any host 129.173.45.216 eq www
no access-list public_access_in extended permit tcp any host 192.168.2.100 eq https
no access-list public_access_in extended permit tcp any host 192.168.2.100 eq ssh
no access-list public_access_in extended permit tcp any host 192.168.2.100 eq www

That will close off SSH access to the PIX from the AppVLAN I had you open, then insert the correct rules for the AppVLAN server and get rid of the incorrect ones.
Author Comment by dfalldien (ID: 18053306)
Hmm...

Nah, no access to the PIX. The server I am moving behind it had a public address of 129.173.45.216; when I move it behind the PIX, it will have the address 192.168.2.100. I need to have public SSH, WWW and HTTPS access to that machine, through the PIX.

Expert Comment by Cyclops3590 (ID: 18053379)
Right, the packets are being rejected by the public_access_in ACL, so you need to allow them there. You were allowing 192.168.2.100, which is the internal address; you need to allow the public IP, which is what is being seen at the time of ACL evaluation.
Author Comment by dfalldien (ID: 18053529)
So basically I had it right behind the PIX, however I had to make the exception for the public interface as well, so that public requests could make it through the PIX and not get bounced first?
Author Comment by dfalldien (ID: 18053555)
Is there a timeout period you have to wait after that last config? (I used the commands you gave.) Now when I try to SSH into it, I don't even see the attempt to attach fail (or pass) in the log.
Expert Comment by Cyclops3590 (ID: 18053566)
Not "as well", only. When the packet gets evaluated by the ACL on the outside interface the static translation hasn't occurred yet, so the dst IP is still the public IP of that server; only after that ACL is processed and the static translation occurs is the dst IP then the internal IP. Going the other way, the internal IP will be the source IP until the static translation occurs. This happens between interfaces. So coming in through the outside interface the outside ACL is processed, the translation occurs, and the packet gets routed out the AppVLAN interface, and vice versa for the return traffic.
Author Comment by dfalldien (ID: 18053590)
Thanks for the most useful help I have had in a long time.
Author Comment by dfalldien (ID: 18053617)
I know I accepted, however one more question, so as to avoid my confusion later on: what commands (assuming a blank start) would be needed to allow public access to a server that I moved behind a PIX 515E but want to keep its public access, as far as access rules go? It took me a very long time to get what I got, and it didn't work right. If you could give the commands (one simple list) allowing SSH access to a server behind the PIX that would be awesome:
a rule allowing public access, a rule allowing through the PIX, and a rule allowing from the PIX to the machine behind the PIX.
Expert Comment by Cyclops3590 (ID: 18053889)
A few things:

1) Static entries to allow the translation of a public IP to your internal IP
static (<inside int>,<outside int>) <public IP> <internal IP>
clear xlate

The clear xlate is to clear the translation table since you have modified it.  If you don't do that you can get unexpected behavior

2) Add acls to allow traffic
access-list <acl name> permit <protocol> <source> <dest> eq <port>
examples
access-list public_allow permit tcp any host 1.2.3.4 eq smtp
That allows all TCP traffic to IP 1.2.3.4 on port smtp to come in. The any means that the source can be anything; there is then an implied any for the source port as well.
access-list public_all permit ip any 1.2.3.0 255.255.255.0
This allows all IP traffic (UDP or TCP) from any source to any IP on the 1.2.3.0/24 network.

3) Apply the acls to the interface
access-group <acl-name> in interface <int name>
The "in" can actually be "out" as well as of the 7.x OS. Just keep in mind that if you use "in" the ACL is only processed if the packet is coming into the interface <int name> (from another host to the PIX). If you use "out", then it is only processed if the packet being looked at is going out of that interface (from the PIX out).
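A worked model of the packet path Cyclops3590 describes in the two posts above (the ACL bound "in" on the public interface is evaluated first, the static translation happens second), added here as an example; it is not code from the original thread or from any Cisco software. It parses the `static`, `access-list` and `access-group` lines in the 7.x syntax used in this thread and evaluates the SSH SYN from the posted log (129.173.55.61 to 129.173.45.216/22) against both the original ACL (destination 192.168.2.100) and the corrected one (destination 129.173.45.216). The two config strings are constructed from the thread and keep only the lines that matter for one inbound connection; the model loads the `static (AppVLAN,public) ...` entry, which is the direction the template in the post above gives, and ignores the `static (public,AppVLAN)` entries the posted config also carries in the opposite direction. The port-name table, the function names, and the assumption that the ingress interface is the lowest-security one (so a packet is dropped unless an ACL permits it) are mine.

```python
"""Model of the PIX 7.x inbound packet path described in this thread:
the ACL bound 'in' on the ingress interface is evaluated against the
addresses as they arrive (the public, mapped IP), and only then does the
static translation rewrite the destination to the inside (real) IP."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input, taken from the posted config and the accepted answer.
# Only the lines that matter for one inbound connection are kept.
ORIGINAL_CONFIG = """
static (AppVLAN,public) 129.173.45.216 192.168.2.100 netmask 255.255.255.255
access-list public_access_in extended permit tcp any host 192.168.2.100 eq ssh
access-group public_access_in in interface public
"""

CORRECTED_CONFIG = """
static (AppVLAN,public) 129.173.45.216 192.168.2.100 netmask 255.255.255.255
access-list public_access_in extended permit tcp any host 129.173.45.216 eq https
access-list public_access_in extended permit tcp any host 129.173.45.216 eq ssh
access-list public_access_in extended permit tcp any host 129.173.45.216 eq www
access-group public_access_in in interface public
"""

# Assumed port-name table (a hypothetical subset of the PIX keyword list).
PORT_NAMES = {"ssh": 22, "www": 80, "https": 443, "smtp": 25}


@dataclass
class Static:
    real_ifc: str     # interface where the real (inside) address lives
    mapped_ifc: str   # interface where the mapped (public) address is seen
    mapped_ip: str
    real_ip: str


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]


def _addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse(config):
    """Parse static / access-list / access-group lines (7.x syntax, as in the thread)."""
    statics, aces, groups = [], [], {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "static":
            # static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask ...]
            m = re.fullmatch(r"\((\w+),(\w+)\)", t[1])
            statics.append(Static(m.group(1), m.group(2), t[2], t[3]))
        elif t[0] == "access-list":
            rest = t[3:] if t[2] == "extended" else t[2:]
            action, proto, rest = rest[0], rest[1], rest[2:]
            src, rest = _addr(rest)
            dst, rest = _addr(rest)
            port = None
            if rest and rest[0] == "eq":
                port = PORT_NAMES.get(rest[1]) or int(rest[1])
            aces.append(Ace(t[1], action, proto, src, dst, port))
        elif t[0] == "access-group":
            # access-group NAME in|out interface IFC
            groups[(t[4], t[2])] = t[1]
    return statics, aces, groups


def inbound(config, ingress, src_ip, dst_ip, dport, proto="tcp"):
    """Evaluate one packet arriving on `ingress` (assumed to be the lowest-security
    interface, so it is dropped unless an ACL permits it).
    Returns ('permit', real_ip) or ('deny', reason)."""
    statics, aces, groups = parse(config)
    acl = groups.get((ingress, "in"))
    if acl is None:
        return ("deny", "no inbound ACL on a low-security interface")
    # Step 1: first-match ACL evaluation on the untranslated (public) destination.
    for ace in (a for a in aces if a.acl == acl):
        if ace.proto not in (proto, "ip"):
            continue
        if ipaddress.ip_address(src_ip) not in ace.src:
            continue
        if ipaddress.ip_address(dst_ip) not in ace.dst:
            continue
        if ace.port is not None and ace.port != dport:
            continue
        if ace.action == "deny":
            return ("deny", f"explicit deny in {acl}")
        break
    else:
        # Implicit deny at the end of the ACL: this is the 106023 from the log.
        return ("deny", f"no ACE in {acl} matches dst {dst_ip}/{dport}")
    # Step 2: static translation, mapped (public) address -> real (inside) address.
    for s in statics:
        if s.mapped_ifc == ingress and s.mapped_ip == dst_ip:
            return ("permit", s.real_ip)
    return ("deny", f"no static translation for {dst_ip} on {ingress}")


if __name__ == "__main__":
    pkt = ("public", "129.173.55.61", "129.173.45.216", 22)  # the logged SSH SYN
    print("original :", inbound(ORIGINAL_CONFIG, *pkt))
    print("corrected:", inbound(CORRECTED_CONFIG, *pkt))
```

Run it and the original rule set produces the deny that was logged as 106023, while the corrected set permits the packet and hands it to 192.168.2.100. The version matters: this is PIX/ASA 7.x behaviour. ASA 8.3 and later evaluate interface ACLs against the real, untranslated address, so on those releases the ACL would reference 192.168.2.100 and the `static` command is replaced by object NAT.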
Author Comment by dfalldien (ID: 18054208)
I am now getting this in my log.

Good that it is trying to connect, bad that it isn't. Any ideas?
2|Dec 01 2006 11:22:31|106001: Inbound TCP connection denied from 129.173.55.61/1637 to 129.173.45.216/22 flags SYN  on interface public