Solved

pix command line help

Posted on 2007-04-08
Last Modified: 2012-08-13
I have an older PIX without a PDM, so I need some help adding in some settings. Right now they have an IP for external and I want to add a second IP to the interface. Then I need to add the access list info and redirect the second IP via port 80 to the OWA server in another location. Thanks.
Question by:lkuhner

Expert Comment

by:lrmoore
ID: 18872727
What version PIX OS? Do you have conduits or access-lists?
Can you be more specific about this server "in another location"? Where is that location in relation to this PIX? Inside, through another router, or outside, accessible some other way?

Basic commands are:
access-list <your outside acl> permit tcp any host 1.2.3.4 eq http
static (inside,outside) 1.2.3.4 192.168.100.100 netmask 255.255.255.255
route inside 192.168.100.0 255.255.255.0 192.168.1.12

Author Comment

by:lkuhner
ID: 18873023
Access-lists. PIX ver 6.3. It is another location that is already set up in the PIX. They want to hit from the new IP on the PIX to another location. I can already ping this location from within the network. Does that mean I won't need the route inside command?

Author Comment

by:lkuhner
ID: 18873052
It is a different ip range as well.

Expert Comment

by:lrmoore
ID: 18873443
As long as that server is reachable and located on the inside somewhere, then the first two commands are all you need.
If that server is across a VPN tunnel in another location, then you cannot do it. It can be physically located anywhere as long as the connection to it is all on the inside interface.

Author Comment

by:lkuhner
ID: 18876858
It still does not work. I can ping the other external IPs but not this one.

Author Comment

by:lkuhner
ID: 18877064
How many external IPs can I bind to a PIX?

Expert Comment

by:lrmoore
ID: 18877633
Practically as many as you want to. Just make sure you are not using an IP address that is also part of a dynamic global pool.
If you can't ping that IP perhaps you did not permit icmp in the access-list?
If you want to post your complete config we can take a look at it. Only mask the first 2 octets of your public IP, leave private IPs alone and mask any other company-specific information like domain name.

Author Comment

by:lkuhner
ID: 18878234
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password WnkH5Ch8t6e.cCgB encrypted
passwd wpiVj/rA8ITa13cO encrypted
hostname LPI-FW
domain-name
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit gre any host 207.x.x.x
access-list acl_out permit tcp any host 207.x.x.x eq pcanywhere-data
access-list acl_out permit udp any host 207.x.x.x eq pcanywhere-status
access-list acl_out permit tcp any host 207.x.x.x eq www
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 207.x.x.x eq 3389
access-list acl_out permit tcp any host 74.x.x.x eq www
access-list acl_out permit tcp any host 74.x.x.x eq ftp
access-list acl_out permit tcp any host 74.x.x.x eq www
access-list acl_out permit tcp any host 74.x.x.x eq 3389
access-list acl_out permit tcp any host 74.x.x.x eq 3389
access-list acl_out permit tcp 216.82.240.0 255.255.240.0 host 74.x.x.x eq smtp
access-list acl_out permit tcp 193.109.254.0 255.255.254.0 host 74.x.x.x eq smtp
access-list acl_out permit tcp 194.106.220.0 255.255.254.0 host 74.x.x.x eq smtp
access-list acl_out permit tcp 195.245.230.0 255.255.254.0 host 74.x.x.x eq smtp
access-list acl_out permit tcp host 85.158.136.0 host 74.x.x.x eq smtp
access-list acl_out permit tcp 195.216.16.0 255.255.248.0 host 74.x.x.x eq smtp
access-list acl_out permit udp any host 65.x.x.x eq isakmp
access-list acl_out permit udp any host 65.x.x.x eq 10000
access-list acl_out permit esp any any
access-list acl_out permit tcp any host 74.x.x.x eq www This one!!!
access-list acl_in permit icmp any any
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.245
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.246
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.247
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.248
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.249
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.250
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.251
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.252
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.253
access-list nonat permit ip 192.168.1.0 255.255.255.0 host 192.168.1.254
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list dmz permit icmp any any
access-list dmz permit tcp any any eq ftp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 74.x.x.x 255.255.255.240
ip address inside 192.168.1.34 255.255.255.0
ip address dmz 10.10.10.50 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool dealer 10.10.10.1-10.10.10.15
ip local pool test 192.168.1.245-192.168.1.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 74.8.68.3
global (dmz) 1 10.10.10.100-10.10.10.254
nat (inside) 0 access-list nonat
nat (inside) 2 192.168.1.3 255.255.255.255 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 1 10.10.10.0 255.255.255.0 dns 0 0
static (inside,outside) tcp 207.x.x.x pcanywhere-data 192.168.1.15 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp 207.x.x.x pcanywhere-status 192.168.1.15 pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp 207.x.x.x www 192.168.1.15 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 207.x.x.x 3389 192.168.1.16 3389 netmask 255.255.255.255 0 0
static (dmz,inside) tcp 74.x.x.x www 10.10.10.51 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp 74.x.x.x www 10.10.10.51 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp 74.x.x.x ftp 10.10.10.51 ftp netmask 255.255.255.255 0 0
static (dmz,inside) tcp 74.x.x.x ftp 10.10.10.51 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.x.x.x smtp 192.168.1.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.x.x.x 3389 192.168.1.60 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.x.x.x 3389 192.168.1.76 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.x.x.x www 192.168.1.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.x.x.x www 192.168.2.3 www netmask 255.255.255.255 0 0 This one!!
static (inside,outside) 207.x.x.x 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group acl_out in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 207.138.153.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set clientset esp-3des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set clientset
crypto map newmap 20 ipsec-isakmp dynamic cisco
crypto map newmap interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local dealer outside
isakmp nat-traversal 20
isakmp policy 98 authentication pre-share
isakmp policy 98 encryption 3des
isakmp policy 98 hash md5
isakmp policy 98 group 2
isakmp policy 98 lifetime 1000
vpngroup remote_access address-pool dealer
vpngroup remote_access dns-server 192.168.1.1
vpngroup remote_access wins-server 192.168.1.1
vpngroup remote_access split-tunnel nonat
vpngroup remote_access idle-time 1800
vpngroup remote_access password ********
vpngroup lpivisvpn address-pool dealer
vpngroup lpivisvpn dns-server 192.168.1.1
vpngroup lpivisvpn wins-server 192.168.1.1
vpngroup lpivisvpn idle-time 1800
vpngroup lpivisvpn password ********
vpngroup remote_test address-pool test
vpngroup remote_test dns-server 192.168.1.1
vpngroup remote_test wins-server 192.168.1.1
vpngroup remote_test idle-time 1800
vpngroup remote_test password ********
telnet 10.10.10.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:04ee14062e573db205bc95a2f543e53e
: end
[OK]

Author Comment

by:lkuhner
ID: 18878486
Do I need a route to talk to the 192.168.2.0 subnet?

Expert Comment

by:lrmoore
ID: 18878743
>static (inside,outside) tcp 74.x.x.x www 192.168.2.3 www netmask 255.255.255.255 0 0 This one!!
Yes, you need a route statement to get to the 192.168.2.0 network:
 route inside 192.168.2.0 255.255.255.0 192.168.1.xx  <== whatever the inside next hop is

You also have to follow the default routing of that server from the 192.168.2.x network. Its default has to end up pointing to your PIX. (i.e. its local default gateway router points to your network router which points to the PIX)
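A consistency check in the spirit of lrmoore's answer, added here as an example and not part of the thread: it parses the `ip address`, `route` and `static` lines of a constructed sample config (shaped like the one posted above, with RFC 5737 documentation addresses in place of the masked public IPs) and reports every static whose real host is neither on the real interface's subnet nor covered by a route on that interface, which is exactly the state of the 192.168.2.3 static before the `route inside` line is added. The 192.168.1.12 next hop in the fix line is a placeholder.

```python
import ipaddress

# Constructed sample in the shape of the posted config (RFC 5737 addresses
# stand in for the masked 74.x.x.x public IPs); not the poster's real config.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.2 255.255.255.240
ip address inside 192.168.1.34 255.255.255.0
ip address dmz 10.10.10.50 255.255.255.0
static (inside,outside) tcp 203.0.113.3 www 192.168.1.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.4 www 192.168.2.3 www netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.5 10.10.10.51 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""
# The route lrmoore asks for; the 192.168.1.12 next hop is a placeholder.
FIX_LINE = "route inside 192.168.2.0 255.255.255.0 192.168.1.12 1\n"

def _net(addr, mask):
    # ipaddress accepts the dotted "addr/mask" form the PIX prints.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_static(tokens):
    """Return (real_if, global_ip, local_ip) from a split 'static' line,
    for both the plain form and the tcp/udp port-redirect form."""
    real_if = tokens[1].strip("()").split(",")[0]
    i = 2
    port_form = tokens[i] in ("tcp", "udp")
    if port_form:
        i += 1
    global_ip = tokens[i]
    i += 2 if port_form else 1  # skip the global port when present
    return real_if, global_ip, tokens[i]

def unrouted_statics(config_text):
    """List (global_ip, local_ip, real_if) for every static whose real host
    is neither on the real interface's subnet nor routed via that interface."""
    ifaces, routes, statics = {}, [], []
    for t in (ln.split() for ln in config_text.splitlines() if ln.strip()):
        if t[:2] == ["ip", "address"]:
            ifaces[t[2]] = _net(t[3], t[4])
        elif t[0] == "route":
            routes.append((t[1], _net(t[2], t[3])))
        elif t[0] == "static":
            statics.append(parse_static(t))
    problems = []
    for real_if, global_ip, local_ip in statics:
        host = ipaddress.ip_address(local_ip)
        on_link = real_if in ifaces and host in ifaces[real_if]
        routed = any(rif == real_if and host in net for rif, net in routes)
        if not (on_link or routed):
            problems.append((global_ip, local_ip, real_if))
    return problems
```

Running `unrouted_statics(SAMPLE_CONFIG)` flags only the 192.168.2.3 static; appending `FIX_LINE` to the config clears it.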

Author Comment

by:lkuhner
ID: 18879201
The next hop would be the internal interface of the 192.168.1.x subnet?

Expert Comment

by:lrmoore
ID: 18880207
I don't know what the next hop IP is. I'm assuming that it is a router somewhere that is attached to your local LAN?
What is the path taken from your PC to that server?

Author Comment

by:lkuhner
ID: 18881904
Not local, in Singapore.

Expert Comment

by:lrmoore
ID: 18881964
Then you cannot do what you are attempting. You cannot have a packet destined for public ip address 74.x.x.x be mapped to a private IP address that is only accessible from the same outside interface of the PIX.

NO:

74.x.x.x
    \              192.168.2.3
     \                     /
      \                  /
      PIX Outside interface  (Map 74.x.x. to 192.168.2.3 static xlate)
       PIX inside
              |
           Your network

Yes:
   74.x.x.x
      \
       \
     PIX outside  (Map 74.x.x. to 192.168.2.3 static xlate)
       Pix inside
            \                        WAN
            Router ---- Point to point ---- Router (Singapore)
           /                                                           \
     Your network                                          192.168.2.3 server


 

Author Comment

by:lkuhner
ID: 18882402
So I have to put that route statement in to point to the other router's private interface.

Expert Comment

by:lrmoore
ID: 18882674
From your PC, can you traceroute to that server?
 C:\>tracert 192.168.2.3  

Can you post the results?

Author Comment

by:lkuhner
ID: 18884668
I can now ping from within the PIX to the other server. OWA is not functioning through the redirected port of the public IP.

Expert Comment

by:lrmoore
ID: 18884749
You need to follow the default path from the server to the Internet.
From the server, try to traceroute to somewhere on the internet. It should end up going through this PIX.
Otherwise, pinging the server from the pix only results in knowing that the server knows how to get to the PIX inside IP of 192.168.1.34. That is only half the battle.
You can also look at the results on the PIX from 'show access-list' and look for hitcounters on the acl.
If routing is OK, and the access-list does not show any hitcounters, then try rebooting the PIX or at least re-applying the acl to the interface:
  access-group acl_out in interface outside

Author Comment

by:lkuhner
ID: 18885349
static (inside,outside) 1.2.3.4 192.168.100.100 netmask 255.255.255.255
Do I have to put www in this static setting or is this alright?

Accepted Solution

by:lrmoore (earned 500 total points)
ID: 18885426
No, you do not have to use port xlate (www) in the static setting as long as "1.2.3.4" is not used anywhere else in your configuration.
Only the access-list entry requires the www port designation:
 >access-list acl_out permit tcp any host 74.x.x.x eq www <==

Do you see any hitcounters on this access-list entry with 'show access-list'?

Author Comment

by:lkuhner
ID: 18888847
1.2.3.4 is the public IP I want to map, correct? 74.x.x.x

Expert Comment

by:lrmoore
ID: 18888985
Yes

Author Comment

by:lkuhner
ID: 18889656
I can ping the 74.x.x.x IP from the outside now. OWA is still not working though.

Author Comment

by:lkuhner
ID: 18892914
I just noticed something weird. When I tracert another IP on the router it stops at the router interface. When I tracert this IP it hits the interface and then continues to singnet.com.sg, which is in Singapore. It hits many of the same IPs and finally times out. They can connect internally to this via http:\\192.168.2.3\exchange. Since the tracert goes through the PIX hop and on to Singapore, what the hell is going on?

Author Comment

by:lkuhner
ID: 18892958
Sorry, it does not time out; it comes back with the same IP that is on the interface. At the front of the PIX it shows it. Then it goes to Singapore and after that right back to the interface IP. Like it is stuck in a loop.

Author Comment

by:lkuhner
ID: 18898596
> You also have to follow the default routing of that server from the 192.168.2.x network. Its default has to end up pointing to your PIX. (i.e. its local default gateway router points to your network router which points to the PIX)

What do I have to do to make this happen?

Expert Comment

by:lrmoore
ID: 19587990
Suggest delete instead. Not much here that is paq-worthy.

Expert Comment

by:Keith Alabaster
ID: 19588150
OK - will amend.
Thanks Les.