Solved

Allow traffic from an IP Range in through a Pix firewall

Posted on 2007-03-23
Last Modified: 2010-04-09
I'm trying to set up a VOIP application on my network and it's not working.  The provider suggested that I add an exception to my PIX firewall (V. 7) for their IP range.  I know how to log in to the PIX and move around a bit, but that's about all.  I do know that there are already a few entries in an access list for my web and email servers.

Could anyone tell me how to let traffic in from their IP range?  They said just open all ports, but I'd like to try just opening the port their application runs on first if possible.  I'm guessing I just need to add an access list entry and then save my configuration, but I'm not sure.  Any suggestions would be appreciated.
Question by:s_sykes
15 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 18781786
These statements will allow you to do what you want...just substitute the appropriate ports for the ones you wish to allow, assuming the following example values:

provider IP range : 1.1.1.0/24
ports allowed : TCP 8000      <----just an example!
internal host you want to allow VOIP traffic to : 192.168.1.1
external public IP address mapped to internal host : 2.2.2.1

------BEGIN COMMANDS-----
access-list acl_outside_in permit tcp 1.1.1.0 255.255.255.0 host 2.2.2.1 eq 8000
static (inside,outside) 2.2.2.1 192.168.1.1 netmask 255.255.255.255
access-group acl_outside_in in interface outside
------END COMMANDS-----

The first command allows TCP 8000 inbound from any host on the 1.1.1.0/24 network to host 2.2.2.1, which is mapped to internal host 192.168.1.1 in the static command.  The last command applies your access list to the outside interface.  You should already have an ACL applied to the interface since you mention that you have web and e-mail traffic already allowed.  You would add another access list statement to that same access list that looks like the above "access-list" statement in my example.

Please let me know if I need to clarify.
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 18781891
First, let's create an object-group to hold the allowed IPs. Enter the command line enable mode. Then...

configure terminal
object-group network Allowedipranges
description These ip ranges are allowed
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 10.5.10.10 255.255.255.255
quit

Now the object-group named Allowedipranges holds the IPs that we want to be allowed. Now we have to assign ACLs.
If the IPs in the object-group reside on the outside, you should set the following ACL.

access-list voip_allow permit ip object-group Allowedipranges any
access-group voip_allow in interface outside

If the IPs in the object-group reside in the DMZ, you should set the following ACL.

access-list voip_allow permit ip object-group Allowedipranges any
access-group voip_allow in interface dmz

The "any" keyword at the end of the ACL means "Allowedipranges" can access any resource they want. If you want to define only one host, you should type "host hostipaddress" instead of "any". And if you also want to specify ports, you should type "host hostipaddress eq portnumber".
Please post the running config and I would help much better.
 
LVL 28

Expert Comment

by:batry_boy
ID: 18781950
MrHusy, I would hope that you submitted your post before you realized that I had already posted.
 
LVL 1

Author Comment

by:s_sykes
ID: 18781975
batry boy,

I'd like to permit traffic into any IP on my internal network.  Is this possible instead of mapping to a specific address?  Is this dangerous?

Also, since ( I think) I already have an access list applied to the outside interface, do I need to run the last command you mention above?  Do I run the commands from the enable prompt or the config t prompt?  How do I save the change?

Finally, should I backup my current config before I make changes?
 
LVL 28

Expert Comment

by:batry_boy
ID: 18782065
Yes, it's possible to allow this traffic to anything on your network, but you will have to have a public IP address for every internal IP address on your network.  For example, if you have 10 internal hosts that you want to allow inbound access to, you would have to have 10 public IP addresses that you could translate the internal hosts to so that you could allow the inbound traffic to them.

As long as you trust the source network specified in your access list (the provider's network in this case), then this isn't necessarily dangerous, but I would make sure that you limit the ports that the provider network can access.

No, you wouldn't have to apply the "access-group" command since you already have it applied.  Some folks think it is a good idea to reapply the access-group command if you make a change to the ACL referenced in it, but I don't think this is absolutely necessary.

You have to run these commands from the "pix(config)#" prompt.  Commands entered take effect immediately, but if you want to save the change so that they will be there upon a reboot of the PIX, you need to do a "write mem".

I always back up my current config before making changes to a firewall in case something happens.  You can just do a "show run" and then select it all and do a copy-paste into notepad for a simple way of saving off the config.
 
LVL 1

Author Comment

by:s_sykes
ID: 18782172
batry boy,
I have a class C range of public IPs, so each machine on my network does get its own public IP going out.  So I guess I'm doing NAT as opposed to PAT?  Each machine on the inside of my network has a private address assigned from DHCP.

So that being the case, how do I modify your commands above to let in their IP range, to the specified port, to any machine on my internal network?

Thanks!
 
LVL 28

Expert Comment

by:batry_boy
ID: 18782208
Yes, you are doing NAT if each machine gets its own public IP.  If you are using DHCP for your internal hosts, are you using reservations?  If not, then how do you have your NAT set up in the firewall?

Before I suggest how to do what you want, I think I should see your sanitized PIX config...that way I won't mess up anything in your current configuration with my suggested commands!  :)
 
LVL 1

Author Comment

by:s_sykes
ID: 18782285
PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!

access-list outside extended permit tcp any host 1.1.1.1 eq www
access-list outside extended permit tcp any host 1.1.1.1 eq smtp
access-list outside extended permit tcp any host 1.1.1.1 eq www
access-list outside extended permit tcp any host 1.1.1.1 eq ftp
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
asdm image flash:/pdm
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 1.1.1.100-1.1.1.250 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.1.1.3 192.168.10.8 netmask 255.255.255.255
static (inside,outside) 1.1.1.4 192.168.10.11 netmask 255.255.255.255
static (inside,outside) 1.1.1.5 192.168.10.12 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

http 192.168.10.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.255 inside
http 192.168.10.175 255.255.255.255 inside

no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set conquest esp-des esp-md5-hmac
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 1000
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0

class-map inspection_default
 match default-inspection-traffic


policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 
LVL 28

Accepted Solution

by:batry_boy (earned 500 total points)
ID: 18782444
Assuming your internal clients start at 192.168.10.50 (your DHCP scope is probably different from my example), you'll need to add a statement for every machine on your internal network similar to the following:

static (inside,outside) 1.1.1.50 192.168.10.50 netmask 255.255.255.255
static (inside,outside) 1.1.1.51 192.168.10.51 netmask 255.255.255.255
static (inside,outside) 1.1.1.52 192.168.10.52 netmask 255.255.255.255
...
...

So, if the provider's range of addresses is 20.20.20.0/24 and you want to allow that network to access port TCP 8000 for anything in your internal network, then you will need to add the corresponding ACL statements:

access-list acl_outside_in permit tcp 20.20.20.0 255.255.255.0 host 1.1.1.50 eq 8000
access-list acl_outside_in permit tcp 20.20.20.0 255.255.255.0 host 1.1.1.51 eq 8000
access-list acl_outside_in permit tcp 20.20.20.0 255.255.255.0 host 1.1.1.52 eq 8000
...
...
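As an added example (not from the thread), a small Python helper that emits the per-host static and access-list lines the accepted solution describes, using the ACL name "outside", the outside subnet and the global NAT pool from the posted config. It refuses public addresses that fall inside that pool or collide with an existing static, a check worth doing before pasting statics into a live PIX; the provider range, port and host mappings are constructed sample values.

```python
import ipaddress

# Constructed sample values (not the thread's real network): the provider range,
# the service port, the outside subnet and global pool from the posted config,
# the existing statics, and the one-to-one mappings to add.
PROVIDER_NET = "20.20.20.0/24"
OUTSIDE_NET = "1.1.1.0/24"
GLOBAL_POOL = ("1.1.1.100", "1.1.1.250")   # global (outside) 1 pool in the posted config
EXISTING_STATICS = {"1.1.1.3", "1.1.1.4", "1.1.1.5"}
MAPPINGS = [("1.1.1.50", "192.168.10.50"), ("1.1.1.51", "192.168.10.51")]

def dotted_mask(cidr):
    """PIX 7 access-list statements take a dotted mask, not a /prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.netmask)

def check_public(public, outside_net=OUTSIDE_NET, pool=GLOBAL_POOL, statics=EXISTING_STATICS):
    """Return why the public address is unusable for a static, or None if it is fine."""
    addr = ipaddress.ip_address(public)
    if addr not in ipaddress.ip_network(outside_net):
        return "not in outside subnet"
    lo, hi = (ipaddress.ip_address(p) for p in pool)
    if lo <= addr <= hi:
        return "overlaps the global NAT pool"
    if public in statics:
        return "already used by an existing static"
    return None

def pix_rules(provider_net, port, mappings, acl="outside"):
    """Emit one static plus one ACE per internal host, refusing bad public IPs."""
    src, mask = dotted_mask(provider_net)
    lines = []
    for public, internal in mappings:
        problem = check_public(public)
        if problem:
            raise ValueError(f"{public}: {problem}")
        lines.append(f"static (inside,outside) {public} {internal} netmask 255.255.255.255")
        lines.append(f"access-list {acl} extended permit tcp {src} {mask} host {public} eq {port}")
    return lines

if __name__ == "__main__":
    print("\n".join(pix_rules(PROVIDER_NET, 8000, MAPPINGS)))
```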
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 18782603
Batry: No one had replied to that topic yet while I was typing my answer. When I clicked submit, I saw that I was second :)
Anyway, why are you so angry? You have done the same to me before :)
 
LVL 28

Expert Comment

by:batry_boy
ID: 18782634
You mistook my question for anger...I should have put a :) in there!  Sorry!
 
LVL 1

Author Comment

by:s_sykes
ID: 18782648
Ewww, that doesn't sound very feasible.  From what you're saying I think I would have to do away with DHCP and assign everything on the network a static internal IP and then map everything to a static public IP.  I don't think that is worth it in this case since I'm not even sure that the firewall is the problem.  I've never had trouble with any other apps.

What about the object group Mr. Husy mentioned?  Could I use that instead?
 
LVL 28

Expert Comment

by:batry_boy
ID: 18782700
The object groups he mentions only cover the filtering portion of this scenario.  You still have to translate your internal hosts to public IP addresses so that your provider can initiate traffic to your internal hosts.

Let me say that allowing inbound traffic from the Internet to every IP address on the internal network is a very non-standard way of doing things.  It's not something I've ever seen anyone do since there are inherent security risks...I was just trying to give you what you asked for.  I would recommend that you determine which internal hosts absolutely have to be accessed by your provider and just set up the translations for those hosts.  This would make your config much simpler to implement, not to mention more secure.
 
LVL 1

Author Comment

by:s_sykes
ID: 18782714
True - I'll try one first and see if it works.
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 18782755
It's ok m8 :)
Sykes, batry is right. My access-lists allow any IP traffic and this is not recommended. As batry said, you should determine which internal hosts have to be accessed by your provider and which port(s).
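To make the "permit ip ... any" concern from the last few posts concrete, an added example (not from the thread): a Python audit over access-list lines that flags duplicate entries and permits wider than a single host and port. The sample input is constructed from the access-list lines in the posted config plus the broad voip_allow rule proposed earlier.

```python
import re
from collections import Counter

# Constructed sample input: the access-list lines from the running config posted
# above, plus the broad "permit ip ... any" rule suggested earlier in the thread.
SAMPLE_ACL = """
access-list outside extended permit tcp any host 1.1.1.1 eq www
access-list outside extended permit tcp any host 1.1.1.1 eq smtp
access-list outside extended permit tcp any host 1.1.1.1 eq www
access-list outside extended permit tcp any host 1.1.1.1 eq ftp
access-list voip_allow permit ip object-group Allowedipranges any
""".strip().splitlines()

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(\S+)\s+(.+)$")

def take_addr(tokens):
    """Consume one PIX address spec: any | host X | object-group NAME | X MASK."""
    if not tokens:
        return "", []
    if tokens[0] == "any":
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]

def parse_ace(line):
    """Split an ACE into name, action, protocol, source, destination and port tokens."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    name, action, proto, rest = m.groups()
    src, rest = take_addr(rest.split())
    dst, ports = take_addr(rest)
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst, "ports": ports}

def audit_acl(lines):
    """Return (line, finding) pairs: duplicates and permits broader than host plus port."""
    findings = []
    for line, n in Counter(l.strip() for l in lines).items():
        if n > 1:
            findings.append((line, f"duplicate entry ({n} copies)"))
    for line in lines:
        ace = parse_ace(line)
        if not ace or ace["action"] != "permit":
            continue
        if ace["proto"] == "ip":
            findings.append((line.strip(), "permits every IP protocol; limit to tcp/udp plus a port"))
        if ace["dst"] == "any":
            findings.append((line.strip(), "destination 'any' reaches every translated inside host"))
        if ace["proto"] in ("tcp", "udp") and not ace["ports"]:
            findings.append((line.strip(), "no port restriction"))
    return findings
```

Run `audit_acl(SAMPLE_ACL)` to see the duplicate www entry and both problems with the voip_allow rule; a host-and-port rule like the accepted solution's produces no findings.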
