Allow traffic from an IP Range in through a Pix firewall

I'm trying to set up a VOIP application on my network and it's not working.  The provider suggested that I add an exception to my PIX firewall (V. 7) for their IP range.  I know how to login to the pix and move around a bit, but that's about all.  I do know that there are already a few entries in an access list for my web and email servers.

Could anyone tell me how to let traffic in from their IP range?  They said just open all ports, but I'd like to try just opening the port their application runs on first if possible.  I'm guessing I just need to add an Access list entry and then save my configuration, but I'm not sure.  Any suggestions would be appreciated.
s_sykesAsked:

batry_boyCommented:
These statements will allow you to do what you want...just substitute the appropriate ports for the ones you wish to allow, assuming the following example values:

provider IP range : 1.1.1.0/24
ports allowed : TCP 8000      <----just an example!
internal host you want to allow VOIP traffic to : 192.168.1.1
external public IP address mapped to internal host : 2.2.2.1

------BEGIN COMMANDS-----
access-list acl_outside_in permit tcp 1.1.1.0 255.255.255.0 host 2.2.2.1 eq 8000
static (inside,outside) 2.2.2.1 192.168.1.1 netmask 255.255.255.255
access-group acl_outside_in in interface outside
------END COMMANDS-----

The first command allows TCP 8000 inbound from any host on the 1.1.1.0/24 network to host 2.2.2.1 which is mapped to internal host 192.168.1.1 in the static command.  The last command applies your access list to the outside interface.  You should already have an ACL applied to the interface since you mention that you have web and e-mail traffic already allowed.  You would add another access list statement to that same access list that looks like the above "access-list" statement in my example.

Please let me know if I need to clarify.
Alan Huseyin KayahanCommented:
First, let's create an object-group to hold the allowed IPs. Enter enable mode on the command line. Then...

configure terminal
object-group network Allowedipranges
description These ip ranges are allowed
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 10.5.10.10 255.255.255.255
quit

Now the object-group named Allowedipranges holds the IPs that we want to be allowed. Now we have to assign ACLs.
If the IPs in the object-group reside on the outside, you should set the following ACL.

access-list voip_allow permit ip object-group Allowedipranges any
access-group voip_allow in interface outside

If the IPs in the object-group reside on the DMZ, you should set the following ACL.

access-list voip_allow permit ip object-group Allowedipranges any
access-group voip_allow in interface dmz

The word "any" at the end of the ACL means "Allowedipranges" can access any resource they want. If you want to define only one host, you should type     host hostipaddress   instead of any. And if you also want to specify ports, you should type   host hostipaddress eq portnumber.
Please post the running config and I could help much better.
batry_boyCommented:
MrHusy, I would hope that you submitted your post before you realized that I had already posted.
s_sykesAuthor Commented:
batry boy,

I'd like to permit traffic into any IP on my internal network.  Is this possible instead of mapping to a specific address?  Is this dangerous?

Also, since (I think) I already have an access list applied to the outside interface, do I need to run the last command you mention above?  Do I run the commands from the enable prompt or the config t prompt?  How do I save the change?

Finally, should I backup my current config before I make changes?
batry_boyCommented:
Yes, it's possible to allow this traffic to anything on your network, but you will have to have a public IP address for every internal IP address on your network.  For example, if you have 10 internal hosts that you want to allow inbound access to, you would have to have 10 public IP addresses that you could translate the internal hosts to so that you could allow the inbound traffic to them.

As long as you trust the source network specified in your access list (the provider's network in this case), then this isn't necessarily dangerous, but I would make sure that you limit the ports that the provider network can access.

No, you wouldn't have to apply the "access-group" command since you already have it applied.  Some folks think it is a good idea to reapply the access-group command if you make a change to the ACL referenced in it, but I don't think this is absolutely necessary.

You have to run these commands from the "pix(config)#" prompt.  Commands entered take effect immediately, but if you want to save the change so that they will be there upon a reboot of the PIX, you need to do a "write mem".

I always back up my current config before making changes to a firewall in case something happens.  You can just do a "show run" and then select it all and do a copy-paste into notepad for a simple way of saving off the config.
s_sykesAuthor Commented:
batry boy,
I have a class C range of public IP's, so each machine on my network does get its own public IP going out.  So I guess I'm doing NAT as opposed to PAT?  Each machine on the inside of my network has a private address assigned from DHCP.

So that being the case, how do I modify your commands above to let in their IP range, to the specified port, to any machine on my internal network?

Thanks!
batry_boyCommented:
Yes, you are doing NAT if each machine gets its own public IP.  If you are using DHCP for your internal hosts, are you using reservations?  If not, then how do you have your NAT set up in the firewall?

Before I suggest how to do what you want, I think I should see your sanitized PIX config...that way I won't mess up anything in your current configuration with my suggested commands!  :)
s_sykesAuthor Commented:
PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!

access-list outside extended permit tcp any host 1.1.1.1 eq www
access-list outside extended permit tcp any host 1.1.1.1 eq smtp
access-list outside extended permit tcp any host 1.1.1.1 eq www
access-list outside extended permit tcp any host 1.1.1.1 eq ftp
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
asdm image flash:/pdm
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 1.1.1.100-1.1.1.250 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.1.1.3 192.168.10.8 netmask 255.255.255.255
static (inside,outside) 1.1.1.4 192.168.10.11 netmask 255.255.255.255
static (inside,outside) 1.1.1.5 192.168.10.12 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

http 192.168.10.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.255 inside
http 192.168.10.175 255.255.255.255 inside

no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set conquest esp-des esp-md5-hmac
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 1000
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0

class-map inspection_default
 match default-inspection-traffic


policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
batry_boyCommented:
Assuming your internal clients start at 192.168.10.50 (your DHCP scope is probably different from my example), you'll need to add a statement for every machine on your internal network similar to the following:

static (inside,outside) 1.1.1.50 192.168.10.50 netmask 255.255.255.255
static (inside,outside) 1.1.1.51 192.168.10.51 netmask 255.255.255.255
static (inside,outside) 1.1.1.52 192.168.10.52 netmask 255.255.255.255
...
...

So, if the provider's range of addresses is 20.20.20.0/24 and you want to allow that network to access port TCP 8000 for anything in your internal network, then you will need to add the corresponding ACL statements:

access-list acl_outside_in permit tcp 20.20.20.0 255.255.255.0 host 1.1.1.50 eq 8000
access-list acl_outside_in permit tcp 20.20.20.0 255.255.255.0 host 1.1.1.51 eq 8000
access-list acl_outside_in permit tcp 20.20.20.0 255.255.255.0 host 1.1.1.52 eq 8000
...
...
Alan Huseyin KayahanCommented:
Batry: No one had replied to that topic yet while I was typing my answer. When I clicked submit, I saw that I was second :)
Anyway, why are you so angry? You have done the same to me before :)
batry_boyCommented:
You mistook my question for anger...I should have put a :) in there!  Sorry!
s_sykesAuthor Commented:
Ewww, that doesn't sound very feasible.  From what you're saying I think I would have to do away with DHCP and assign everything on the network a static internal IP and then map everything to a static public IP.  I don't think that is worth it in this case since I'm not even sure that the firewall is the problem.  I've never had trouble with any other apps.

What about the object group Mr. Husy mentioned?  Could I use that instead?
batry_boyCommented:
The object groups he mentions only cover the filtering portion of this scenario.  You still have to translate your internal hosts to public IP addresses so that your provider can initiate traffic to your internal hosts.

Let me say that allowing inbound traffic from the Internet to every IP address on the internal network is a very non-standard way of doing things.  It's not something I've ever seen anyone do since there are inherent security risks...I was just trying to give you what you asked for.  I would recommend that you determine which internal hosts absolutely have to be accessed by your provider and just set up the translations for those hosts.  This would make your config much simpler to implement, not to mention more secure.
s_sykesAuthor Commented:
True - I'll try one first and see if it works.
Alan Huseyin KayahanCommented:
It's ok m8 :)
Sykes, batry is right. My access-lists allow any IP traffic and this is not recommended. As batry said, you should determine which internal hosts have to be accessed by your provider and which port(s).
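Added example, written for this page and not posted by anyone in the thread: a Python script that builds the three commands from batry_boy's first answer (taking the provider range as a CIDR and converting it to the dotted mask the PIX expects), evaluates sample flows against an access list with the PIX's first-match and implicit-deny semantics, and flags entries like the "permit ip ... any" rule in the object-group answer that leave the destination or the port wide open, which is the point both posters settle on at the end. The addresses, the port 8000 and the object-group contents are the placeholder values used in the thread, and both configs are constructed for the example. One thing it makes explicit: on PIX 7 the inbound ACL on the outside interface is matched against the mapped public address from the static command (2.2.2.1 here), so an entry written with the real inside address (192.168.1.1) never matches.

```python
"""Added example (not from the thread): build the PIX 7 commands from the first
answer, evaluate flows against an ACL the way the PIX does on the outside
interface (first match wins, unmatched traffic hits the implicit deny), and
flag permit entries broader than one destination host on one port."""
import ipaddress
import re

# Constructed placeholder values copied from batry_boy's example, not real hosts.
PROVIDER_RANGE = "1.1.1.0/24"
PUBLIC_HOST = "2.2.2.1"       # mapped address from the static command
INSIDE_HOST = "192.168.1.1"   # real address; on PIX 7 it never appears in the ACL
PORT = 8000
PORT_NAMES = {"www": 80, "smtp": 25, "ftp": 21}   # names "show run" prints

ACE_RE = re.compile(
    r"access-list (\S+) (?:extended )?(permit|deny) (\S+) "
    r"(any|host \S+|object-group \S+|\S+ \S+) "
    r"(any|host \S+|object-group \S+|\S+ \S+)(?: eq (\S+))?$")

# Constructed config modelled on the object-group answer ("permit ip ... any").
BROAD_CONFIG = """
object-group network Allowedipranges
 network-object 192.168.1.0 255.255.255.0
 network-object 10.5.10.10 255.255.255.255
access-list voip_allow permit ip object-group Allowedipranges any
access-list outside extended permit tcp any host 1.1.1.1 eq www
""".strip().splitlines()

def pix_lines(provider_cidr, public_ip, inside_ip, port, acl="acl_outside_in"):
    """The three commands from the answer; the PIX wants a dotted mask, not /24."""
    net = ipaddress.ip_network(provider_cidr)
    return [
        f"access-list {acl} permit tcp {net.network_address} {net.netmask} "
        f"host {public_ip} eq {port}",
        f"static (inside,outside) {public_ip} {inside_ip} netmask 255.255.255.255",
        f"access-group {acl} in interface outside",
    ]

def parse_groups(config_lines):
    """Collect 'object-group network NAME' blocks into {NAME: [networks]}."""
    groups, current = {}, None
    for line in config_lines:
        parts = line.split()
        if parts[:2] == ["object-group", "network"]:
            current = groups.setdefault(parts[2], [])
        elif parts and parts[0] == "network-object" and current is not None:
            current.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif parts and parts[0] != "description":
            current = None      # any other command ends the group block
    return groups

def _nets(token, groups):
    """Expand an address token (any / host X / object-group G / addr mask)."""
    if token == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    kind, value = token.split()
    if kind == "host":
        return [ipaddress.ip_network(f"{value}/32")]
    if kind == "object-group":
        return groups[value]
    return [ipaddress.ip_network(f"{kind}/{value}", strict=False)]

def parse_ace(line, groups=None):
    """Parse one access-list entry; returns None for any other config line."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    acl, action, proto, src, dst, port = m.groups()
    port = None if port is None else PORT_NAMES.get(port) or int(port)
    return {"acl": acl, "action": action, "proto": proto, "port": port,
            "src": _nets(src, groups or {}), "dst": _nets(dst, groups or {})}

def evaluate(config_lines, src, dst, proto, dport):
    """Return 'permit' or 'deny' for one flow using first-match semantics."""
    groups = parse_groups(config_lines)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in filter(None, (parse_ace(l, groups) for l in config_lines)):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        if any(src_ip in n for n in ace["src"]) and any(dst_ip in n for n in ace["dst"]):
            return ace["action"]
    return "deny"               # implicit deny at the end of every PIX ACL

def audit(config_lines):
    """Flag permit entries wider than one destination host on one port."""
    groups, findings = parse_groups(config_lines), []
    for line in config_lines:
        ace = parse_ace(line, groups)
        if ace is None or ace["action"] != "permit":
            continue
        if ace["proto"] == "ip" or ace["port"] is None:
            findings.append(f"no port restriction: {line.strip()}")
        if any(n.prefixlen == 0 for n in ace["dst"]):
            findings.append(f"any destination: {line.strip()}")
    return findings
```

Calling pix_lines(PROVIDER_RANGE, PUBLIC_HOST, INSIDE_HOST, PORT) gives the three lines from the first answer; evaluate() on them returns "permit" only for a source inside 1.1.1.0/24 going to 2.2.2.1 on TCP 8000, and "deny" for another port, another source, or the real address 192.168.1.1. audit() returns nothing for that narrow entry and two findings (no port, any destination) for the "permit ip ... any" entry in BROAD_CONFIG, while the existing "tcp any host 1.1.1.1 eq www" style entries from the posted config pass, because a public web server is expected to take any source on one port. The parser only understands the "access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]" shape seen on this page, not port ranges, ICMP types or time ranges.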
Question has a verified solution.