• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 274

allow access for the inside PC from PIX firewall

Dear Experts

I have a PIX 525 running 7.01 with 3 zones: outside, DMZ and Inside.

I have configured a NAT for an NMS server; I am collecting all the logs and NetFlow statistics on the server. Now I am trying to configure NetFlow export from the internet router with IP 212.x.x.145 to an inside NMS server with IP 10.0.0.6. I do have a NAT for 10.0.0.6 to 212.x.x.153 in my firewall. Once I create the access list, NATing stops working and I am not receiving any NetFlow packets from my router. Just let me know where I am wrong. I need to send NetFlow details to my NMS server in the inside network, and I have also created a management portal on my NMS server which I need to access from anywhere over the internet.


static (inside,outside) 212.x.x.153 10.0.0.6 netmask 255.255.255.255

access-list OutsidetoInside extended permit tcp any host 212.x.x.153 eq 9996
access-list OutsidetoInside extended permit tcp any host 212.x.x.153 eq www
access-group OutsidetoInside in interface inside
Asked by alkhaleej

2 Solutions

rsivanandanCommented:
Is this IP address assigned on the outside interface? If so, the config needs to be modified.

Let me know, and also post the complete configuration of the PIX for better understanding.

Cheers,
Rajesh
alkhaleejAuthor Commented:
OK

Well, the IP address above is the NATing IP for 10.0.0.6. My router IP is 212.x.x.145, my firewall IP is 212.x.x.146 and the IP where I need to send the NetFlow is 212.x.x.153, from my router 212.x.x.145. Also I need to access my web portal at 10.0.0.6.


Here is my configuration
xyz# sho run
: Saved
:
PIX Version 7.0(6)
!
hostname xyz
domain-name xyz.med.s
enable password
names
dns-guard
!
interface Ethernet0
 description Connected to Outside
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 212.x.x.146 255.255.255.240
!
interface Ethernet1
 description Connected to Inside
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.0.3 255.255.248.0
!
interface GigabitEthernet0
 description Connected to DMZ
 nameif dmz
 security-level 10
 ip address 172.16.31.1 255.255.255.0
!
interface GigabitEthernet1
 shutdown
 no nameif
 no security-level
 no ip address
!
x
ftp mode passive
access-list OutsidetoDMZ extended permit tcp any host 212.x.x.157 eq www
access-list OutsidetoDMZ extended permit tcp any host 212.x.x.157 eq ftp
access-list OutsidetoInside extended permit tcp any host 212.x.x.153 eq 9996
access-list OutsidetoInside extended permit tcp any host 212.x.x.153 eq www
access-list 101 extended permit ip 10.0.0.0 255.255.248.0 192.168.10.0 255.255.255.0
access-list 101 extended permit ip 10.70.0.0 255.255.255.0 192.178.10.0 255.255.255.0
pager lines 24
logging enable
logging host inside 10.0.0.6
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool KFSHVPN 192.168.10.1-192.168.10.25
no failover
asdm image flash:/asdm-506.bin
no asdm history enable
arp timeout 14400
global (outside) 2 212.x.x.152 netmask 255.255.255.240
nat (outside) 1 192.168.10.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 2 10.0.0.0 255.255.255.252
nat (inside) 2 50.0.0.0 255.255.255.250
nat (inside) 2 10.0.0.0 255.255.255.248
nat (inside) 2 10.46.0.0 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 212.x.x.157 172.16.31.10 netmask 255.255.255.255
static (inside,outside) 212.x.x.153 10.0.0.6 netmask 255.255.255.255
access-group OutsidetoInside in interface inside
static (dmz,outside) 212.x.x.158 172.16.31.20 netmask 255.255.255.255
access-group OutsidetoDMZ in interface outside
route outside 0.0.0.0 0.0.0.0 212.x.x.145 1
route inside 10.0.0.0 255.0.0.0 10.0.0.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy KFSHBIO internal
group-policy KFSHBIO attributes
 dns-server value 10.0.1.100 10.0.1.101
 vpn-idle-timeout 20
 split-tunnel-policy tunnelall
group-policy KFSHVPN internal
group-policy KFSHVPN attributes
 dns-server value 10.0.1.100 10.0.1.101
 vpn-idle-timeout 20
 split-tunnel-policy tunnelall
username xyz password xyz encrypted privilege 15
http server enable
http 10.0.0.6 255.255.255.255 inside
snmp-server host inside 10.0.0.2 community xyz
snmp-server location xyz
snmp-server contact xyz
snmp-server community xyz
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map rtpdynmap 20 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic rtpdynmap
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group KFSHVPN type ipsec-ra
tunnel-group KFSHVPN general-attributes
 address-pool KFSHVPN
 authentication-server-group none
 authorization-server-group LOCAL
 default-group-policy KFSHVPN
tunnel-group KFSHVPN ipsec-attributes
 pre-shared-key *
tunnel-group KFSHBIO type ipsec-ra
tunnel-group KFSHBIO general-attributes
 authentication-server-group none
 authorization-server-group LOCAL
 default-group-policy KFSHBIO
tunnel-group KFSHBIO ipsec-attributes
 pre-shared-key *
telnet 10.0.0.6 255.255.255.255 inside
telnet 10.0.0.1 255.255.255.255 inside
telnet 10.0.0.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:2ff53f5e31c7b14585f2a110c3590e48
: end
xyz#
rsivanandanCommented:
>>access-list OutsidetoInside extended permit tcp any host 212.x.x.153 eq 9996
>>access-list OutsidetoInside extended permit tcp any host 212.x.x.153 eq www
>>access-group OutsidetoInside in interface inside

Instead of the above, make the following changes:

no access-list OutsidetoInside extended permit tcp any host 212.x.x.153 eq 9996
no access-list OutsidetoInside extended permit tcp any host 212.x.x.153 eq www
no access-group OutsidetoInside in interface inside

access-list OutsidetoDMZ extended permit tcp any host 212.x.x.153 eq 9996
access-list OutsidetoDMZ extended permit tcp any host 212.x.x.153 eq www
access-group OutsidetoDMZ in interface outside

Then try connecting.

The first ACL you had is applied on the inside interface, whereas the traffic is coming from outside the firewall and going inside the firewall.

Cheers,
Rajesh
alkhaleejAuthor Commented:
Hi Rajesh

Sorry, it's not working and I am not receiving any NetFlows & even the web portal is not working.
rsivanandanCommented:
Can you post the config now?

Cheers,
Rajesh
rsivanandanCommented:
Regarding the web portal, have you changed the port to work with www on the NetFlow?

Cheers,
Rajesh
alkhaleejAuthor Commented:
Well, I did change the web portal to work with www. First I must receive the NetFlow on my NMS server 10.0.0.6, which I am not yet receiving. Here is the current config:

sho run
: Saved
:
PIX Version 7.0(6)
!
hostname xyz
domain-name xyz
enable password xyz
names
dns-guard
!
interface Ethernet0
 description Connected to Outside
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 212.x.x.146 255.255.255.240
!
interface Ethernet1
 description Connected to Inside
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.0.3 255.255.248.0
!
interface GigabitEthernet0
 description Connected to DMZ
 nameif dmz
 security-level 10
 ip address 172.16.31.1 255.255.255.0
!
interface GigabitEthernet1
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OutsidetoDMZ extended permit tcp any host 212.x.x.157 eq www
access-list OutsidetoDMZ extended permit tcp any host 212.x.x.157 eq ftp
access-list OutsidetoDMZ extended permit tcp any host 212.x.x.156 eq www
access-list OutsidetoDMZ extended permit tcp any host 212.x.x.156 eq ftp
access-list OutsidetoDMZ extended permit tcp any host 212.x.x.156 eq 8082
access-list 101 extended permit ip 10.0.0.0 255.255.248.0 192.168.10.0 255.255.255.0
access-list 101 extended permit ip 10.70.0.0 255.255.255.0 192.178.10.0 255.255.255.0
access-list ISA extended permit tcp any host 212.x.x.158 eq pptp
access-list ISA extended permit gre any host 212.x.x.158
 
access-list OUT2IN extended permit tcp any host 212.x.x.153

access-list NO_INSIDE_OUTSIDE extended permit tcp any any
access-list YAAS extended permit tcp any host 212.x.x.153 eq 9996
access-list YAAS extended permit tcp any host 212.x.x.153 eq www
pager lines 24
logging enable
logging trap alerts
logging asdm errors
logging from-address yasirirfan@kfsh.med.sa
logging recipient-address yasirirfan@kfsh.med.sa level errors
logging device-id ipaddress inside
logging host inside 10.0.0.6
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool KFSHVPN 192.168.10.1-192.168.10.25
no failover
asdm image flash:/asdm-506.bin
no asdm history enable
arp timeout 14400
global (outside) 2 212.x.x.152 netmask 255.255.255.240
nat (outside) 1 192.168.10.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 2 10.0.0.0 255.255.255.248
 
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 212.x.x.153 10.0.0.6 netmask 255.255.255.255
static (dmz,outside) 212.x.x.156 172.16.31.10 netmask 255.255.255.255
access-group YAAS in interface outside
access-group OutsidetoDMZ in interface dmz
route outside 0.0.0.0 0.0.0.0 212.12.181.145 1
route inside 10.0.0.0 255.0.0.0 10.0.0.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy KFSHBIO internal
group-policy KFSHBIO attributes
 dns-server value 10.0.1.100 10.0.1.101
 vpn-idle-timeout 20
 split-tunnel-policy tunnelall
group-policy KFSHVPN internal
group-policy KFSHVPN attributes
 dns-server value 10.0.1.100 10.0.1.101
 vpn-idle-timeout 20
 split-tunnel-policy tunnelall
username yasir password B4Rq6X4WOBR20dAi encrypted privilege 15
http server enable
http 10.0.0.6 255.255.255.255 inside
snmp-server host inside 10.0.0.1 community
snmp-server host inside 10.0.0.2 community

snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map rtpdynmap 20 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic rtpdynmap
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group KFSHVPN type ipsec-ra
tunnel-group KFSHVPN general-attributes
 address-pool KFSHVPN
 authentication-server-group none
 authorization-server-group LOCAL
 default-group-policy KFSHVPN
tunnel-group KFSHVPN ipsec-attributes
 pre-shared-key *
tunnel-group KFSHBIO type ipsec-ra
tunnel-group KFSHBIO general-attributes
 authentication-server-group none
 authorization-server-group LOCAL
 default-group-policy KFSHBIO
tunnel-group KFSHBIO ipsec-attributes
 pre-shared-key *
telnet 10.0.0.6 255.255.255.255 inside
telnet 10.0.0.1 255.255.255.255 inside
telnet 10.0.0.2 255.255.255.255 inside
telnet 172.16.31.8 255.255.255.25 dmz
telnet 172.16.31.10 255.255.255.255 dmz
telnet timeout 5
ssh 10.0.0.6 255.255.255.255 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:88846dc5db0b4339d73da538f3bdda1d
: end
xyz#

rsivanandanCommented:
The config looks okay to me.

Can you enable ICMP traffic also in the YAAS ACL and then see from the router whether 'ping' works?

Cheers,
Rajesh
alkhaleejAuthor Commented:
Sure, I will do that.

yasirirfanCommented:
Hi Al Khaleej

NetFlow uses a UDP port whereas you are trying with TCP. Change the access-list to the following and it should work, and configure web access with port 8080:

access-list OutsidetoDMZ extended permit udp any host 212.x.x.153 eq 9996
access-list OutsidetoDMZ extended permit tcp any host 212.x.x.153 eq 8080
access-group OutsidetoDMZ in interface outside

Make sure that in your internet router you have configured the static route toward your firewall:

ip route 212.x.x.0 255.255.255.240 212.x.x.146

If you need further info do let me know

Cheers,

Yasir
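The three ACL variants discussed in this thread side by side, as an added example that is not part of the original posts or of any Cisco code: a small Python model of how PIX 7.0 evaluates a packet entering the outside interface (only the access-group bound to the ingress interface is consulted, ACEs match first-hit on protocol, global host and port, then the static untranslates to the inside host). Addresses keep the thread's redacted 212.x.x.N form and are compared as strings; the DMZ ACEs are reduced to the two www/ftp lines from the first posted config.

```python
# Added example, not from the thread. Models only traffic arriving on a
# lower-security interface bound for a higher-security one (outside -> inside).
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Ace:
    proto: str                # "tcp", "udp", "icmp" or "ip"
    dst: str                  # global (pre-NAT) host address, or "any"
    dport: int | None = None  # None matches any destination port

@dataclass
class Pix:
    access_groups: dict[str, str] = field(default_factory=dict)  # ifname -> ACL
    acls: dict[str, list[Ace]] = field(default_factory=dict)     # ACL -> ACEs
    statics: dict[str, str] = field(default_factory=dict)        # global -> local

    def inbound(self, ingress: str, proto: str, dst: str, dport: int | None):
        """Return (permitted, local_dst) for a packet entering `ingress`."""
        acl = self.access_groups.get(ingress)
        if acl is None:  # nothing bound on the ingress side: low->high is denied
            return False, None
        for ace in self.acls.get(acl, []):  # first matching ACE wins
            if (ace.proto in ("ip", proto) and ace.dst in ("any", dst)
                    and ace.dport in (None, dport)):
                return True, self.statics.get(dst, dst)  # untranslate via static
        return False, None  # implicit deny at the end of every ACL

NMS = {"212.x.x.153": "10.0.0.6"}  # static (inside,outside) 212.x.x.153 10.0.0.6
DMZ_ACES = [Ace("tcp", "212.x.x.157", 80), Ace("tcp", "212.x.x.157", 21)]

def original_config() -> Pix:  # NMS ACEs bound to 'inside'; outside only permits DMZ
    return Pix({"outside": "OutsidetoDMZ", "inside": "OutsidetoInside"},
               {"OutsidetoDMZ": DMZ_ACES,
                "OutsidetoInside": [Ace("tcp", "212.x.x.153", 9996),
                                    Ace("tcp", "212.x.x.153", 80)]}, NMS)

def rajesh_config() -> Pix:  # same TCP ACEs, now on the interface traffic enters
    return Pix({"outside": "OutsidetoDMZ"},
               {"OutsidetoDMZ": DMZ_ACES + [Ace("tcp", "212.x.x.153", 9996),
                                            Ace("tcp", "212.x.x.153", 80)]}, NMS)

def yasir_config() -> Pix:  # NetFlow export is UDP; portal moved to 8080
    return Pix({"outside": "OutsidetoDMZ"},
               {"OutsidetoDMZ": DMZ_ACES + [Ace("udp", "212.x.x.153", 9996),
                                            Ace("tcp", "212.x.x.153", 8080)]}, NMS)

def netflow_from_router(pix: Pix):  # router exports UDP/9996 to the global address
    return pix.inbound("outside", "udp", "212.x.x.153", 9996)

def portal_from_internet(pix: Pix, port: int):
    return pix.inbound("outside", "tcp", "212.x.x.153", port)
```

With the original config the packet never reaches the ACL bound to `inside`; it is dropped by the implicit deny of the ACL on `outside`, and Rajesh's version still drops the UDP export because it only permits TCP/9996.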
alkhaleejAuthor Commented:
So far no luck, it's not working but I can ping.

alkhaleejAuthor Commented:
Thanks a lot Rajesh and Yasir, it's working now. Yasir, you are right, the problem was with TCP; it should be UDP, and 8080 for web access.

rsivanandanCommented:
Cool.

Cheers,
Rajesh