  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 452

pix command line help

I have an older PIX without a PDM, so I need some help adding in some settings. Right now they have an IP for external and I want to add a second IP to the interface. Then I need to add the access-list info and redirect the second IP via port 80 to an OWA server in another location. Thanks.
0
Asked by: lkuhner
1 Solution
 
lrmooreCommented:
What version PIX OS? Do you have conduits or access-lists?
Can you be more specific about this server "in another location"? Where is that location in relation to this PIX? Inside, through another router, or outside, accessible some other way?

Basic commands are:
access-list <your outside acl> permit tcp any host 1.2.3.4 eq http
static (inside,outside) 1.2.3.4 192.168.100.100 netmask 255.255.255.255
route inside 192.168.100.0 255.255.255.0 192.168.1.12
0
 
lkuhnerAuthor Commented:
Access-lists. PIX ver 6.3. It is another location that is already set up in the PIX. They want to hit from the new IP on the PIX to another location. I can already ping this location from within the network. Does that mean I won't need the route inside command?
0
 
lkuhnerAuthor Commented:
It is a different ip range as well.
0
 
lrmooreCommented:
As long as that server is reachable and located on the inside somewhere, then the first two commands are all you need.
If that server is across a VPN tunnel in another location, then you cannot do it. It can be physically located anywhere as long as the connection to it is all on the inside interface.
0
 
lkuhnerAuthor Commented:
It still does not work. I can ping the other external ips but not this one.
0
 
lkuhnerAuthor Commented:
How many external ips can I bind to a pix?
0
 
lrmooreCommented:
Practically as many as you want to. Just make sure you are not using an IP address that is also part of a dynamic global pool.
If you can't ping that IP perhaps you did not permit icmp in the access-list?
If you want to post your complete config we can take a look at it. Only mask the first 2 octets of your public IP, leave private IPs alone and mask any other company-specific information like domain name.
0
 
lkuhnerAuthor Commented:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password WnkH5Ch8t6e.cCgB encrypted
passwd wpiVj/rA8ITa13cO encrypted
hostname LPI-FW
domain-name
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit gre any host 207.x.x.x
access-list acl_out permit tcp any host 207.x.x.x eq pcanywhere-data
access-list acl_out permit udp any host 207.x.x.x eq pcanywhere-status
access-list acl_out permit tcp any host 207.x.x.x eq www
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 207.x.x.x eq 3389
access-list acl_out permit tcp any host 74.x.x.x eq www
access-list acl_out permit tcp any host 74.x.x.x eq ftp
access-list acl_out permit tcp any host 74.x.x.x eq www
access-list acl_out permit tcp any host 74.x.x.x eq 3389
access-list acl_out permit tcp any host 74.x.x.x eq 3389
access-list acl_out permit tcp 216.82.240.0 255.255.240.0 host 74.x.x.x eq smtp
access-list acl_out permit tcp 193.109.254.0 255.255.254.0 host 74.x.x.x eq smtp
access-list acl_out permit tcp 194.106.220.0 255.255.254.0 host 74.x.x.x eq smtp
access-list acl_out permit tcp 195.245.230.0 255.255.254.0 host 74.x.x.x eq smtp
access-list acl_out permit tcp host 85.158.136.0 host 74.x.x.x eq smtp
access-list acl_out permit tcp 195.216.16.0 255.255.248.0 host 74.x.x.x eq smtp
access-list acl_out permit udp any host 65.x.x.x eq isakmp
access-list acl_out permit udp any host 65.x.x.x eq 10000
access-list acl_out permit esp any any
access-list acl_out permit tcp any host 74.x.x.x eq www   <== This one!!!
access-list acl_in permit icmp any any
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.245
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.246
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.247
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.248
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.249
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.250
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.251
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.252
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.253
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.254
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list dmz permit icmp any any
access-list dmz permit tcp any any eq ftp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 74.x.x.x 255.255.255.240
ip address inside 192.168.1.34 255.255.255.0
ip address dmz 10.10.10.50 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool dealer 10.10.10.1-10.10.10.15
ip local pool test 192.168.1.245-192.168.1.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 74.8.68.3
global (dmz) 1 10.10.10.100-10.10.10.254
nat (inside) 0 access-list nonat
nat (inside) 2 192.168.1.3 255.255.255.255 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 1 10.10.10.0 255.255.255.0 dns 0 0
static (inside,outside) tcp 207.x.x.x pcanywhere-data 192.168.1.15 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp 207.x.x.x pcanywhere-status 192.168.1.15 pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp 207.x.x.x www 192.168.1.15 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 207.x.x.x 3389 192.168.1.16 3389 netmask 255.255.255.255 0 0
static (dmz,inside) tcp 74.x.x.x www 10.10.10.51 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp 74.x.x.x www 10.10.10.51 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp 74.x.x.x ftp 10.10.10.51 ftp netmask 255.255.255.255 0 0
static (dmz,inside) tcp 74.x.x.x ftp 10.10.10.51 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.x.x.x smtp 192.168.1.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.x.x.x 3389 192.168.1.60 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.x.x.x 3389 192.168.1.76 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.x.x.x www 192.168.1.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.x.x.x www 192.168.2.3 www netmask 255.255.255.255 0 0   <== This one!!
static (inside,outside) 207.x.x.x 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group acl_out in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 207.138.153.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set clientset esp-3des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set clientset
crypto map newmap 20 ipsec-isakmp dynamic cisco
crypto map newmap interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local dealer outside
isakmp nat-traversal 20
isakmp policy 98 authentication pre-share
isakmp policy 98 encryption 3des
isakmp policy 98 hash md5
isakmp policy 98 group 2
isakmp policy 98 lifetime 1000
vpngroup remote_access address-pool dealer
vpngroup remote_access dns-server 192.168.1.1
vpngroup remote_access wins-server 192.168.1.1
vpngroup remote_access split-tunnel nonat
vpngroup remote_access idle-time 1800
vpngroup remote_access password ********
vpngroup lpivisvpn address-pool dealer
vpngroup lpivisvpn dns-server 192.168.1.1
vpngroup lpivisvpn wins-server 192.168.1.1
vpngroup lpivisvpn idle-time 1800
vpngroup lpivisvpn password ********
vpngroup remote_test address-pool test
vpngroup remote_test dns-server 192.168.1.1
vpngroup remote_test wins-server 192.168.1.1
vpngroup remote_test idle-time 1800
vpngroup remote_test password ********
telnet 10.10.10.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:04ee14062e573db205bc95a2f543e53e
: end
[OK]
0
 
lkuhnerAuthor Commented:
DO I need a route to talk to the 192.168.2.0 subnet?
0
 
lrmooreCommented:
>static (inside,outside) tcp 74.x.x.x www 192.168.2.3 www netmask 255.255.255.255 0 0 This one!!
Yes, you need a route statement to get to 192.168.2.0 network
 route inside 192.168.2.0 255.255.255.0 192.168.1.xx  <== whatever the inside next hop is

You also have to follow the default routing of that server from the 192.168.2.x network. Its default has to end up pointing to your PIX. (i.e. its local default gateway router points to your network router which points to the PIX)
0
 
lkuhnerAuthor Commented:
The next hop would be the internal interface of the 192.168.1.x subnet ?
0
 
lrmooreCommented:
I don't know what the next hop IP is. I'm assuming that it is a router somewhere that is attached to your local LAN?
What is the path taken from your PC to that server?
0
 
lkuhnerAuthor Commented:
Not local, in Singapore.
0
 
lrmooreCommented:
Then you cannot do what you are attempting. You cannot have a packet destined for public ip address 74.x.x.x be mapped to a private IP address that is only accessible from the same outside interface of the PIX.

NO:

   74.x.x.x               192.168.2.3
        \                    /
         \                  /
      PIX outside interface   (map 74.x.x.x to 192.168.2.3 static xlate)
      PIX inside
            |
       Your network

Yes:

   74.x.x.x
        \
         \
      PIX outside   (map 74.x.x.x to 192.168.2.3 static xlate)
      PIX inside
           \                               WAN
           Router ---- point-to-point ---- Router (Singapore)
          /                                      \
   Your network                            192.168.2.3 server

 
0
 
lkuhnerAuthor Commented:
So I have to put that route statement in to point to the other routers private interface.
0
 
lrmooreCommented:
From your PC, can you traceroute to that server?
 C:\>tracert 192.168.2.3  

Can you post the results?
0
 
lkuhnerAuthor Commented:
Can now ping from within the PIX to the other server. OWA not functioning through the redirected port of the public IP.
0
 
lrmooreCommented:
You need to follow the default path from the server to the Internet.
From the server, try to traceroute to somewhere on the internet. It should end up going through this PIX.
Otherwise, pinging the server from the pix only results in knowing that the server knows how to get to the PIX inside IP of 192.168.1.34. That is only half the battle.
You can also look at results on the PIX from 'show access-list' and look for hitcounter on the acl.
If routing is OK, and access-list does not show any hitcounters, then try rebooting the PIX or at least re-applying the acl to the interface
  access-group acl_out in interface outside
0
 
lkuhnerAuthor Commented:
static (inside,outside) 1.2.3.4 192.168.100.100 netmask 255.255.255.255 Do I have to put www in this static setting or is this alright?
0
 
lrmooreCommented:
No, you do not have to use port xlate (www) in the static setting as long as "1.2.3.4" is not used anywhere else in your configuration.
Only the access-list entry requires the www port designation:
 >access-list acl_out permit tcp any host 74.x.x.x eq www <==

Do you see any hitcounters on this access-list entry with 'show access-list" ?
0
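The two checks lrmoore keeps coming back to, a `route inside` that covers the real host and a static whose public address is not reused elsewhere, can be mechanised. The script below is an added example written for this thread, not code from the original post or from Cisco. It parses the handful of PIX 6.x lines that matter when publishing an inside host (`ip address`, `static (inside,outside)`, `access-list ... permit`, `access-group`, `route`, `global (outside)`) and reports, per static, whether the outside ACL permits the public IP/port, whether the PIX has an inside path to the real host, and whether a port-less static shares its address with a global pool or a port static. The sample config is constructed for the example using the 203.0.113.0/28 documentation range; the helper names (`parse`, `check`) and the port-keyword table are mine.

```python
"""Consistency check for PIX 6.x static / access-list / route triplets.

Added illustration for the thread above; not Cisco code and not the poster's
config. The checks are the ones raised in the answers:
  1. the ACL applied inbound on 'outside' must permit the public IP/port,
  2. the real inside host must be on the connected inside subnet or covered
     by a 'route inside' statement (the missing piece for 192.168.2.3),
  3. a static without port translation owns the whole public address, so it
     must not also sit in a 'global (outside)' pool or a port static.
"""
import ipaddress
from ipaddress import IPv4Address, IPv4Network

# PIX port keywords used in the thread (assumed subset, not Cisco's full table)
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "smtp": 25, "ssh": 22, "telnet": 23}

# Constructed sample in the shape of the posted config (documentation addresses)
SAMPLE_CONFIG = """
access-list acl_out permit tcp any host 203.0.113.5 eq www
access-list acl_out permit tcp any host 203.0.113.6 eq www
access-list acl_out permit tcp any host 203.0.113.7 eq 3389
access-list acl_out permit icmp any any
ip address outside 203.0.113.2 255.255.255.240
ip address inside 192.168.1.34 255.255.255.0
global (outside) 1 interface
global (outside) 2 203.0.113.8
static (inside,outside) tcp 203.0.113.5 www 192.168.1.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.6 www 192.168.2.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.7 smtp 192.168.1.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.8 192.168.1.2 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""


def port(tok):
    """Resolve a PIX port keyword or number to an int."""
    return PORT_NAMES.get(tok) or int(tok)


def network(tokens):
    """Tail of an ACL clause ('any', 'host X' or 'NET MASK') -> IPv4Network."""
    if tokens[-1] == "any":
        return IPv4Network("0.0.0.0/0")
    if len(tokens) >= 2 and tokens[-2] == "host":
        return IPv4Network(f"{tokens[-1]}/32")
    return IPv4Network(f"{tokens[-2]}/{tokens[-1]}")


def parse(config):
    """Pull the statics, ACL permits, routes and global pools out of a config text."""
    cfg = {"acl": [], "statics": [], "routes": [], "globals": [],
           "inside": None, "outside_ip": None, "outside_acl": None}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:
            if t[2] == "inside":
                cfg["inside"] = ipaddress.ip_interface(f"{t[3]}/{t[4]}").network
            elif t[2] == "outside":
                cfg["outside_ip"] = IPv4Address(t[3])
        elif t[0] == "static" and t[1] == "(inside,outside)":
            if t[2] in ("tcp", "udp"):   # static (inside,outside) tcp PUB PPORT REAL RPORT ...
                cfg["statics"].append((t[2], IPv4Address(t[3]), port(t[4]), IPv4Address(t[5])))
            else:                        # static (inside,outside) PUB REAL netmask ...
                cfg["statics"].append(("ip", IPv4Address(t[2]), None, IPv4Address(t[3])))
        elif t[0] == "access-list" and t[2] == "permit":
            rest, dport = t[4:], None
            if "eq" in rest:             # strip 'eq PORT' so the tail is the destination
                i = rest.index("eq")
                dport, rest = port(rest[i + 1]), rest[:i]
            cfg["acl"].append((t[1], t[3], network(rest), dport))
        elif t[0] == "access-group" and t[-1] == "outside":
            cfg["outside_acl"] = t[1]
        elif t[0] == "route":
            cfg["routes"].append((t[1], IPv4Network(f"{t[2]}/{t[3]}")))
        elif t[0] == "global" and t[1] == "(outside)":
            lo, _, hi = t[3].partition("-")
            cfg["globals"].append((lo, hi or lo))
    # 'global (outside) N interface' means the outside interface address itself
    resolve = lambda a: cfg["outside_ip"] if a == "interface" else IPv4Address(a)
    cfg["globals"] = [(resolve(lo), resolve(hi)) for lo, hi in cfg["globals"]]
    return cfg


def check(config):
    """Return human-readable findings; an empty list means the statics look consistent."""
    cfg = parse(config)
    findings = []
    for proto, pub, pport, real in cfg["statics"]:
        label = f"{pub}" + (f" {proto}/{pport}" if pport else "")
        # 1. inbound ACL on outside must permit the public side of the xlate
        permitted = any(
            name == cfg["outside_acl"] and (proto == "ip" or aproto in (proto, "ip"))
            and pub in dst and (pport is None or dport in (None, pport))
            for name, aproto, dst, dport in cfg["acl"])
        if not permitted:
            findings.append(f"{label}: no permit in {cfg['outside_acl']} for this IP/port")
        # 2. PIX must have an inside path to the real host (connected or routed)
        reachable = real in cfg["inside"] or any(
            iface == "inside" and real in net for iface, net in cfg["routes"])
        if not reachable:
            findings.append(f"{label}: no 'route inside' covers real host {real}")
        # 3. a port-less static must own its public address outright
        if pport is None:
            if any(lo <= pub <= hi for lo, hi in cfg["globals"]):
                findings.append(f"{label}: plain static address also in a global (outside) pool")
            if any(p == pub for _, p, pp, _ in cfg["statics"] if pp is not None):
                findings.append(f"{label}: plain static address also used by a port static")
    return findings


if __name__ == "__main__":
    for f in check(SAMPLE_CONFIG):
        print(f)
```

Run against the constructed sample it flags the 192.168.2.3 static (no `route inside` for 192.168.2.0/24), the smtp static whose public host is only permitted on 3389, and the plain static that reuses the address of `global (outside) 2`; appending `route inside 192.168.2.0 255.255.255.0 192.168.1.12` clears the first finding. It only checks what the PIX knows; the return path from the server back through the PIX, which the later answers raise, cannot be judged from the firewall config alone.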
 
lkuhnerAuthor Commented:
1.2.3.4 is the public IP I want to map, correct? 74.x.x.x
0
 
lrmooreCommented:
Yes
0
 
lkuhnerAuthor Commented:
I can ping the 74.x.x.x IP from the outside now. OWA is still not working though.
0
 
lkuhnerAuthor Commented:
I just noticed something weird. When I tracert another IP on the router, it stops at the router interface. When I tracert this IP, it hits the interface and then continues to singnet.com.sg, which is in Singapore. It hits many of the same IPs and finally times out. They can connect internally to this via http://192.168.2.3/exchange. Since the tracert goes through the PIX hop and on to Singapore, what the hell is going on?
0
 
lkuhnerAuthor Commented:
Sorry, it does not time out; it comes back with the same IP that is on the interface. At the front of the PIX it shows it. Then it goes to Singapore and after that right back to the interface IP. Like it is stuck in a loop.
0
 
lkuhnerAuthor Commented:
>You also have to follow the default routing of that server from the 192.168.2.x network. Its default has to end up pointing to your PIX. (i.e. its local default gateway router points to your network router which points to the PIX)
What do i have to do to make this happen?
0
 
lrmooreCommented:
Suggest delete instead. Not much here that is paq-worthy.
0
 
Keith AlabasterCommented:
OK - will amend.
Thanks Les.
0
